Security Considerations for Mobile and Mobile Web
When people think of mobile technology, security is not usually the first thing that comes to mind. Usually people think of downloading some streaming tunes or contributing to their favorite social network, or maybe responding to a quick email. Almost all of these applications have few, if any, security concerns.
Over the last couple of years, however, there has been an increasing trend towards mobile in the enterprise, to the extent that there is now widespread acceptance and use of mobile devices. This sea change has been causing endless frustration among corporate IT departments, who now have to deal with a wide variety of device specifications. In the financial sector, for instance, banks have been trailblazing for the rest of the Internet by introducing apps that require a higher than normal tier of security. Popular consumer apps allow users to perform sensitive transactions such as transferring money, scanning checks and trading stocks. This is an enterprise-level IT governance concern, as security, deployment and usage policies need to be determined across an ever-growing array of application and device platforms, and each app needs to be carefully scrutinized to determine what policies may be required. The purpose of this article is to discuss the known solutions to security across mobile and desktop devices.
Simply put, across all devices and platforms, the only data you are guaranteed is the IP address. With iOS 5, Apple deprecated the UDID (unique device identifier). In Android you can access the user's phone number, but the device ID has always been an iffy bet. Various applications have attempted, to little avail, to use these identifiers to control access to their systems. As of yet, however, there is no better technological solution than simple IP filtering.
IP filtering alone, however, is not good enough. IP address spoofing (http://en.wikipedia.org/wiki/IP_address_spoofing) [essentially a computer lying about its IP address] is so well known that any 11-year-old script kiddie with some basic knowledge of Linux can easily fool any web server. Packet filtering can counter a spoofed IP address, but that won't help you if you want your site to be internet accessible. Enter multi-channel authentication…
Multi-channel authentication is the "best possible bad solution" to the internet identity crisis. The process basically works as follows. Depending on the device platform being used, the client device sends as much identifying information as possible, and if this information matches the registration information (or a previous challenge), the user is permitted access to the application. If not, one of the following channels is used to prove identity:
- Text message
- Phone call
- Secret question display
Pretty much all of these channels are susceptible to man-in-the-middle attacks (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) or social engineering (http://en.wikipedia.org/wiki/Social_engineering_(security)). Certainly stealing someone's phone is an easy way to compromise his identity. Yet, even for major banks, this multi-channel authentication is the "best possible bad solution".
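The workflow just described, as an added server-side sketch that is not part of the original article and not DOOR3's code: the client presents its identifying signals (IP address, device ID, user agent), the server grants access if they match what was registered, and otherwise falls back to one of the three listed channels. The user records, the secret question and the `deliver` callback that stands in for an SMS gateway or dialer are all constructed for the example; the one-time-code length, five-minute expiry and three-attempt limit are assumptions, chosen because a fallback code that never expires or can be guessed indefinitely is exactly the kind of weakness the caveats above point at.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _hash_code(code: str) -> str:
    """Store only a digest of codes and answers, never the plaintext."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


# Constructed enrolment data for a hypothetical user (documentation IP ranges).
REGISTERED = {
    "alice": {"ip": "203.0.113.10", "device_id": "dev-A1", "user_agent": "MobileApp/2.1 (iOS)"},
}
SECRET_QUESTIONS = {"alice": ("Favourite colour?", _hash_code("blue"))}

CODE_TTL_SECONDS = 300          # assumed: a one-time code lives five minutes
MAX_ATTEMPTS = 3                # assumed: cap guesses against a 6-digit code
CHANNELS = ("sms", "call", "secret_question")   # the three channels listed above


@dataclass
class Challenge:
    user: str
    channel: str
    expected_hash: str
    expires_at: float
    attempts: int = 0


PENDING = {}   # user -> outstanding Challenge


def signals_match(user, presented):
    """True only if every registered identifier is presented with the same value."""
    registered = REGISTERED.get(user)
    if registered is None:
        return False
    return all(presented.get(key) == value for key, value in registered.items())


def issue_challenge(user, channel, deliver, now=None):
    """Push a proof-of-identity request through the chosen out-of-band channel."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel}")
    now = time.time() if now is None else now
    if channel == "secret_question":
        question, answer_hash = SECRET_QUESTIONS[user]
        PENDING[user] = Challenge(user, channel, answer_hash, now + CODE_TTL_SECONDS)
        deliver(user, channel, question)          # display the question to the user
    else:
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit one-time code
        PENDING[user] = Challenge(user, channel, _hash_code(code), now + CODE_TTL_SECONDS)
        deliver(user, channel, code)               # SMS gateway / voice call in real life


def login(user, presented, channel, deliver, now=None):
    """Step 1: grant on matching signals, otherwise fall back to a second channel."""
    if user not in REGISTERED:
        return "denied"
    if signals_match(user, presented):
        return "granted"
    issue_challenge(user, channel, deliver, now)
    return "challenge_sent"


def verify_challenge(user, response, presented, now=None):
    """Step 2: check the response; on success enrol the new signals for next time."""
    now = time.time() if now is None else now
    challenge = PENDING.get(user)
    if challenge is None:
        return False
    if now > challenge.expires_at:          # expired: discard and force a fresh challenge
        del PENDING[user]
        return False
    challenge.attempts += 1
    if challenge.attempts > MAX_ATTEMPTS:   # too many guesses: discard the challenge
        del PENDING[user]
        return False
    if not hmac.compare_digest(challenge.expected_hash, _hash_code(response)):
        return False                        # constant-time compare, wrong response
    del PENDING[user]
    REGISTERED[user] = dict(presented)      # the new device is now the registered one
    return True


if __name__ == "__main__":
    sent = []
    deliver = lambda u, ch, payload: sent.append((u, ch, payload))
    new_device = {"ip": "198.51.100.7", "device_id": "dev-B9", "user_agent": "MobileApp/2.1 (Android)"}
    print(login("alice", new_device, "sms", deliver))          # challenge_sent
    print(verify_challenge("alice", sent[-1][2], new_device))  # True
    print(login("alice", new_device, "sms", deliver))          # granted
```

Re-enrolling the presenting device on a successful challenge is what makes the next login direct; it is also why the code must be unguessable and short-lived, since whoever completes the challenge becomes the registered device.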
Whenever someone asks me about internet security, my advice is the following. If your data is more sensitive than a bank's data – DON'T PUT IT ON THE INTERNET. If it is equally sensitive, use multi-channel authentication and common sense. If it is less sensitive, consider a simple username + password combination with a 'forgot your password' feature. Assuming a high level of security is needed, I recommend the security workflow depicted below. (And, if security and mobile are important concerns to you, contact us at DOOR3 to build and design your app!)