ENISA, the European Network and Information Security Agency, has produced a new report: Appstore security – 5 lines of defence against malware. Its purpose is to help the burgeoning app store market protect against infiltration from malapps (not a widely used word yet, but watch it grow): smartphone apps pretending to be legitimate apps but really just plain malware.
The five lines of defence range from the bleeding-obvious through good-idea-but-don’t-hold-your-breath to illustrations of the-conflict-between-security-and-liberty. They are
- App review – bleeding obvious but not foolproof
- Reputation – not foolproof
- Kill switch – hang on a bit
- Sandboxed apps – bleeding obvious
- Jailing – hang on a bit more
App reviews should obviously be done. But they’re not foolproof and are time-consuming and costly. New app stores will minimise them in order to reduce their own costs and speed the population of the store. Even where they are performed, with or without the help of automated testing, there is no guarantee against false negatives.
Reputations can be manipulated. Cyber criminals have shown that they are willing to play the long game. With enough time and resources it would be easy enough to release a few genuine and good apps before slipping in, backed by a good reputation, the bad one.
Kill switch. I don’t want one. And they don’t necessarily work. If I buy something, it is mine (I’m sick of the industry selling me something and then revealing later or in the small print that I only rented it). If I buy it, it’s mine. Therefore only I should be able to remove it. Not the software developer, not the app store, not the device manufacturer, not law enforcement and not the government. And anyway, they don’t work. DroidDream foiled the Android kill switch by simply operating outside of the sandbox. Here’s a good security principle: if something can be set up by software, it can be taken down by software. And another thing:
in a military setting, apps may be mission-critical and the app revocation mechanism may need to be turned off.
I’m not sure that I like being told that only the military has mission critical apps. My apps are critical to me.
Sandboxing. Now that is a good idea. It probably has more to do with the OS developer than the app store provider, but it’s still a good idea. It may not work nor be possible in all cases; but it’s still a good idea.
Jailing. Again, this has more to do with the OS developer and the hardware manufacturer than the app store itself. And again, if something is mine, I don’t want a third party telling me what I can do with it. It may be good security but it infringes my rights as a human being.
You may think I’m being overly critical and a bit frivolous, but I’m not. This report will make not one iota of difference to the app market. I wish ENISA and all the myriad other European agencies would spend the time and money we spend on them on something more worthwhile. Especially when the solution to malapps is easy: make the app stores liable. Make them liable for any losses incurred through malapps bought or downloaded from them. And where there is no measurable loss, simply fine the pants off them. That will stop malapps from app stores in their tracks.
Commenting on an article in Computerworld, Phil Lieberman, President and CEO of Lieberman Software, agrees that Android’s upcoming m-wallet (mobile phone wallet) is ‘a disaster waiting to happen’. The original article by Ira Winkler comments:
A smartphone’s operating system controls the exchange of data between programs, input/output devices and all of the other hardware components. If malicious software ends up on your phone, it can easily capture your PIN every time you enter it to pay for something. Even if you assume that the credit card is completely secure when it is on the special chip, it is still vulnerable when you are entering the data and every time you access the data when you make a payment.
Mobile payment systems: A disaster waiting to happen
Phil adds to this:
Ira’s comments are bang on the money. Whilst it’s great to hear that m-wallet solutions will be Visa PayWave or MasterCard PayPass-compatible – meaning that the wireless data transmissions are encrypted – the problem comes if the smartphone itself is less than secure.
But are the doom-mongers correct? Well, yes they are – but any use of any computer for any purpose is a disaster waiting to happen. Since m-wallets will happen (they’re cool and useful, the two primary drivers for any commodity), the real question is whether the m-wallet is significantly less secure than any other method of payment. And I’m not at all sure this is true. Like everything else in security, it is user-behaviour that makes something more or less secure.
Phil comments that
…with large numbers of Apple iPhone users jailbreaking their handsets to escape network locks, it looks like most flavours of smartphones will be susceptible to security faux pas for some time to come.
That’s what I mean about user behaviour. Using a jailbroken iPhone as an m-wallet is like walking through a crowded mall with an open bag and a visible purse/wallet: it is the user rather than the wallet that is at fault. So what are the alternatives to the m-wallet, especially since cheques are being phased out by the banks (and we can expect them to do the same with cash over the next couple of decades)?
For now we have cash in a purse. Well, that’s less secure than a smartphone. Most people realise that they have lost their phone within minutes, and can switch it off remotely in an instant. The cash in the m-wallet cannot be used.
Bank cards? Well, they’re hardly secure are they? They can be stolen/lost and cloned. Cambridge University has demonstrated a device able to trick the system into accepting any PIN on any valid card. And contactless cards really are a disaster waiting to happen.
Mobile banking on a laptop? Just as easily lost or stolen; and just as easily hacked. Zeus/SpyEye anyone?
Personally I can see our entire lives migrating to smartphones. Our front door key, car key, kicking the house into action before we get home, e-government and proof of identity. Trying to stop this happening will be like standing in front of a bulldozer. The requirement is not to prevent it, but for the security industry to improve security, and for users to improve behaviour.
Which will leave me with a problem: I don’t have a smartphone; and won’t have one until they invent one that won’t fry my brains – or worse if it’s in my pocket.
I’ve been thinking about this smartphone business. I want the functionality that’s on these new phones. I want, for example, that free Nuance app that would let me have a great idea while out walking the dogs on Dartmoor and just speak it into my phone while watching the sun disappear behind Bowerman’s Nose. Nuance would then convert my spoken idea into text for me – and I could take it from there.
But at this rate I’m never going to be able to do that. The carriers have got the market sewn up. If I want a smartphone, I need to take an extortionate contract with one of them. But I don’t want a smartphone to make phone calls. I believe mobile phones are dangerous. I absolutely believe that without the shadow of a doubt, holding a mobile phone to the side of your head will slowly (but not slowly enough) fry, scramble or otherwise cook your brains.
But holding a smartphone 2.5 feet away from my head, using the touchscreen and looking at the images does not worry me nearly so much. What I need is a legally jailbroken smartphone (I’m not technical enough to do it myself). I had hoped that Google and Android would do this for me – but it appears not. Google seems to be backing away at a rate of knots from this suggestion.
How shortsighted! Sooner or later someone is going to come along and say, look carriers, we don’t actually need your contract. I’ve got this very small PC – and hey, it even looks like a smartphone. But it’s not. It’s a PC. And I can plug in your internet dongle, and I can plug in a headset, and I can run Skype (or other VoIP) and I’ve got voice as well as internet without your extortionate smartphone contract and without frying my brains.
OK, when someone does this, the carriers will, surprise, surprise stop selling their internet dongles. But sooner or later, one of them will break ranks and do it anyway. And that’s when I’ll get my PC that looks like a smartphone, or my actual genuine real-life honest-to-goodness smartphone.
Meanwhile, Mr OfCom, if you’ve still got a job, why don’t you look at the carriers and smartphones and the word ‘CARTEL’? Or, having charged them so much for their licenses, do you now have to protect their market? At my expense?
Radware is warning companies to beware the growing security threat from increased use of smartphones. It highlights three particular concerns:
- Battery drain – a form of DoS that sends packets to a mobile device preventing it from going into sleep mode, and thus draining the battery.
- Malware spread – malware can infect a user’s smartphone from the public mobile network, and then spread to the corporate network, bypassing perimeter security measures.
- Misuse of smartphone resources – smartphones are an easy recruitment target into botnets.
A combination of security technologies must be deployed across the corporate network to mitigate application attacks caused when mobile devices are ‘opened up’ to threats from social networking sites, sending/receiving emails, or searching the Internet. By 2011-12, we expect organizations will implement a mix of standard signature, IP and website reputation feeds and behavioral-based real-time signature technologies, based on adaptive expert systems, to fight emerging mobile threats.
Avi Chesla, Vice President, Security and Management Products, Radware
Radware recommends a solution of signature detection technology coupled with network behavioral analysis (NBA) technologies. By pairing these two technologies, IT organizations can ward off malware and botnet attacks based on action and user profile, without the need for millions of signatures to block every instance of malware that exists out in the mobile network.
Signature detection technology has been in the industry for nearly 20 years and was designed to detect attacks that exploit known application vulnerabilities, but not zero-minute malware and application misuse attacks. Therefore, adding a complementary behavioral analysis system allows IT departments to have greater control of their network domain.
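As an added illustration of the signature-plus-behaviour pairing described above and of the three Radware concerns (battery-drain floods, malware calling home, bot-like fan-out), the toy below runs a known-bad-destination feed and a simple per-device baseline over constructed flow records. This is example code written for this page, not Radware's product logic or the post's own; every device name, hostname and indicator value in it is an invented placeholder.

```python
"""
Added example (not Radware's or the post's code): layering a signature check
over network-behaviour analysis (NBA) for handsets on a corporate network.
All indicators, device names and flow records are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed "signature" feed: hosts a known malware family is said to call.
# Placeholder values only, not real indicators.
KNOWN_BAD_DESTINATIONS = {"c2.example.invalid", "203.0.113.77"}


@dataclass(frozen=True)
class Flow:
    device: str     # which handset produced or received the traffic
    direction: str  # "out" (device -> network) or "in" (network -> device)
    peer: str       # remote host name or IP
    packets: int    # packets in this flow record
    minute: int     # capture-minute bucket the record falls into


def signature_hits(flows):
    """Line of defence 1: exact match of the remote peer against the feed."""
    return sorted({f.device for f in flows if f.peer in KNOWN_BAD_DESTINATIONS})


def fanout_per_minute(flows):
    """Distinct outbound peers each device contacted, one value per minute."""
    peers = defaultdict(set)
    for f in flows:
        if f.direction == "out":
            peers[(f.device, f.minute)].add(f.peer)
    fanout = defaultdict(list)
    for (device, _minute), ps in peers.items():
        fanout[device].append(len(ps))
    return fanout


def inbound_packets_per_minute(flows):
    """Inbound packet volume per device, one value per minute (a flood that
    never lets the radio sleep shows up here as the battery-drain pattern)."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.direction == "in":
            counts[f.device][f.minute] += f.packets
    return {d: list(m.values()) for d, m in counts.items()}


def _threshold(values, z):
    """Alert level learned from baseline traffic: mean plus z standard deviations."""
    return mean(values) + z * pstdev(values)


def behavioural_hits(flows, baseline, z=3.0):
    """Line of defence 2: flag devices whose behaviour departs from the baseline,
    with no knowledge of which malware (if any) is responsible."""
    fan_thr = _threshold([v for vs in fanout_per_minute(baseline).values() for v in vs], z)
    in_thr = _threshold([v for vs in inbound_packets_per_minute(baseline).values() for v in vs], z)
    hits = defaultdict(list)
    for dev, vals in fanout_per_minute(flows).items():
        if max(vals) > fan_thr:
            hits[dev].append("outbound fan-out")
    for dev, vals in inbound_packets_per_minute(flows).items():
        if max(vals) > in_thr:
            hits[dev].append("inbound packet rate")
    return dict(hits)


def triage(flows, baseline):
    """Combine both lines of defence: device -> sorted list of reasons."""
    report = defaultdict(list)
    for dev in signature_hits(flows):
        report[dev].append("signature match")
    for dev, reasons in behavioural_hits(flows, baseline).items():
        report[dev].extend(reasons)
    return {d: sorted(r) for d, r in sorted(report.items())}


def constructed_baseline():
    """Five quiet minutes of two handsets: small fan-out, modest inbound volume."""
    fan = {"phone-A": [1, 2, 2, 3, 2], "phone-B": [2, 2, 1, 2, 3]}
    pkts = {"phone-A": [18, 22, 20, 20, 20], "phone-B": [20, 20, 19, 21, 20]}
    flows = []
    for dev in fan:
        for minute in range(5):
            for i in range(fan[dev][minute]):
                flows.append(Flow(dev, "out", f"site{i}.example", 10, minute))
            flows.append(Flow(dev, "in", "mail.example", pkts[dev][minute], minute))
    return flows


def constructed_monitoring():
    """A later capture window with one device per failure mode plus one clean one."""
    flows = [
        Flow("phone-A", "out", "site0.example", 10, 10),
        Flow("phone-A", "out", "c2.example.invalid", 3, 10),   # feed-listed host
        Flow("phone-A", "in", "mail.example", 20, 10),
        Flow("phone-C", "in", "198.51.100.9", 400, 10),        # inbound flood
        Flow("phone-C", "in", "198.51.100.9", 400, 11),
        Flow("phone-D", "out", "site1.example", 10, 10),       # unremarkable
        Flow("phone-D", "in", "mail.example", 21, 10),
    ]
    # phone-B contacts 30 distinct hosts in one minute: bot-like fan-out
    flows += [Flow("phone-B", "out", f"host{i}.example", 2, 10) for i in range(30)]
    return flows


if __name__ == "__main__":
    for device, reasons in triage(constructed_monitoring(), constructed_baseline()).items():
        print(f"{device}: {', '.join(reasons)}")
```

The point the toy makes is the one in the passage: phone-A is caught only because its destination is on the feed, while phone-B and phone-C are caught with no signature at all, purely because their traffic departs from what the baseline week looked like. A real deployment would baseline per device or per user role rather than across the whole population, and would age the baseline so that legitimate changes in behaviour do not stay anomalous forever.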
To answer my own question in the title: both. Our mobile devices are generally not adequately protected; and yes, vendors are leaping on the bandwagon because that’s what they do – it’s called business.
Either way, there has been a positive flurry of security warnings and concerns about the increasing business reliance on mobile devices: smartphones, netbooks, tablets and so on. Earlier today I reported on a McAfee survey showing Mobile device security a growing concern. Yesterday I discussed a Credant Technologies survey that found that 58% of mobile users are worried about the security of the data that they carry around with them, while “66% of laptops will be unencrypted and 51% left totally insecure without even a password for protection”.
Today there are two more concerned companies. Firstly, Fortify Software has picked up on the DefCon hack of cellular networks that showed that cellular transmissions from mobile phones can be subverted and users’ mobiles fooled into logging into a rogue GSM station – so allowing calls to be eavesdropped and falsified. Fortify’s concern is that the designers of the GSM standard never envisaged the current and growing need for ultra-high levels of security on mobile calls.
When the GSM standard was formulated more than 20 years ago, the developers were required to design a digital successor to the analogue cellular standards of the day. As a result, security was only added after the basic standard was developed. Security was not built into the standard from day one, but essentially added as an afterthought. And that is why we have today’s crackers able to subvert the technology using an ‘evil twin’ methodology that is widely used when hacking WiFi networks.
The really bad news about this hack is that it exploits a structural flaw in the GSM standard that is difficult to fix retrospectively, as there are hundreds of millions of existing standard phones in regular usage.
Barmak Meftah, Fortify Software’s chief products officer
Fortify, of course, is all about developing secure code; and the implication is that if you don’t want to risk similar problems in the future, get the code you are developing checked with Fortify’s products today.
And now ISACA has released a new whitepaper detailing how the increasing popularity of mobile devices poses a significant threat of leaking confidential enterprise information and intellectual property: Securing Mobile Devices.
Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability. To help their company meet its goals of protecting intellectual property and sustaining competitive advantage, information security managers need to create an easily understood and executable policy that protects against risks related to leaking confidential data and malware.
Mark Lobel, CISA, CISM, CISSP, and principal, PricewaterhouseCoopers
ISACA believes that a governance framework such as COBIT or Risk IT will help businesses ensure that process and policy changes are implemented and understood, and that appropriate levels of security are applied to prevent data loss; and goes on to advocate that the following issues be considered when designing a mobile device strategy:
- Define allowable device types (enterprise-issued only vs. personal devices).
- Define the nature of services accessible through the devices.
- Identify the way employees use the devices, taking into account the organization’s corporate culture, as well as human factors. (For example, one in 10 Americans who use a mobile work device plan to use it for holiday shopping.*)
- Integrate all enterprise-issued devices into an asset management program.
- Describe the type of authentication and encryption that must be present on devices.
- Clarify how data should be securely stored and transmitted.
The moral of all this? Don’t be Cnut trying to stop this wave of mobile computing, but bring it on in a controlled fashion.
A new survey from McAfee and Trust Digital shows that the migration to mobile applications is underway – 76% of companies are planning, in the next six to 12 months, to mobilize internal applications other than email for employee use.
Device security and management continue to be major concerns as organizations look to roll out mobility initiatives. The survey also showed that a large percentage of these organizations currently use or support BlackBerry devices, and 45 percent are planning to support the iPhone and Android smartphones as enterprise devices due to employee demand. Users are no longer satisfied with carrying two devices (personal and work) or having one device that will only make calls, enable texting and support e-mail functionality.
The coming wave of enterprise mobility is all about the ‘app phone’ – devices like the iPhone or Android that provide laptop-like support for apps, not just email. As the proliferation of these consumer technologies into the enterprise continues, the ability to manage and support the rollout of mobile applications that enable greater productivity will continue to be a huge priority for CIOs.
Todd Gebhart, executive VP of Consumer, Mobile and Small Business, McAfee