Blog - Cryptomathic

Secure Mobile Transactions – Fact or Fiction? Part 1 of 2

Written by Guillaume Forget | 28 January 2014

With mobile devices being used for more credentialing based activities, the question of mobile security is becoming increasingly important. The mobile security landscape, however, is still immature, so how can service providers successfully deliver secure mobile services today?

Smart card-based technology is at the heart of mobile devices, thanks to the SIM cards that have been installed in them for the past 15-plus years. As mobile phones have become smarter, so too have SIM cards. Today, the combination of phone and card is giving businesses many opportunities to 'go mobile'.

Banks and other organisations, including governments and airlines, are taking advantage of the ubiquity of smartphones by developing their own applications (apps). This means that the smartphone can also double as a form of ID or a key card. Some of these apps store users' credentials and other sensitive data in the SIM card or secure element of the phone in order to allow the smartphone owner to carry out a variety of credentialing, payment and transaction activities.

Operating in a secure manner in the mobile space, however, is perhaps still considered by many to be adventurous. Yet there is more than simple optimism driving this surge: the homogeneity of platforms affords an easy distribution channel for software, with a low entry barrier, presenting significant savings to both app developers and hardware manufacturers.

Today, most app developers have directed their attention towards the user experience, but - as is often the case - few have placed emphasis on security. This is partially due to the commercial priorities of the mobile community, but also a lack of knowledge and industry fragmentation as markets come together for the first time to develop security standards. In other words, despite the widespread adoption of smartphones, operating systems (OSs) still remain relatively immature when it comes to security.

To tackle this, technologies such as the Trusted Execution Environment (TEE) - a secure area within a mobile device that is comprised of software and hardware to ensure that sensitive data is stored, processed and protected in a trusted environment - are emerging. It could be some time, however, before the average user will actually benefit from the security these technologies offer when making a transaction with their preferred apps.

So, should organisations that want to deploy mobile-based credentials refrain from using mobile devices until the security standards and frameworks are fully defined and agreed? Or, is there a security strategy that they can adopt to mitigate the risks and safely deliver mobile services today?

The threats

Currently malware has some presence on Android, but is much less prevalent on iOS. Nearly all malware operates within the bounds of requested permissions, where the user clicks and agrees to grant the app the permission it needs to perform malicious acts. Therefore, the primary attack channel is to disguise the malware as a legitimate app and advertise it in the official app store, where it is installed by consent.

For example, an attacker can reverse engineer an existing app, add malware to it and then resubmit it to the app store under a similar name. The same attacker might submit 50-100 new apps to the marketplace, all of which look and feel the same as genuine apps. Alternatively, rather than creating their own apps, a malicious attacker might steal from a legitimate but lapsing developer to launch the attack. Typical malware functionality includes concealed sending of SMS messages and calling of premium rate numbers, click diversion (for stealing advertising revenue) and some keylogging/SMS interception for harvesting credentials and SMS-based one-time passwords (OTPs).

A key challenge for the mobile community is to contain the cost of manufacturing apps to encourage legitimate developers to participate, yet successfully recognise the 'fake' apps.

Anti-virus and permission control

Companies looking to expand their anti-virus and protection software suites to mobile platforms have been seen to deliberately raise fear and uncertainty, pointing towards an extremely fast rate of malware development. The same view, however, is not held by other stakeholders within the industry. Unlike anti-virus vendors, which are playing catch-up on PC malware, mobile security researchers are very active and surging ahead of the criminal community. While there is some evidence of adoption of research ideas by hackers, the general view of the industry is that mobile malware is not that advanced. In reality, the malware development rate is comparable to the growth rate of the platform itself.

In addition to this, the trend towards more similar, closed and regulated platforms - such as Android and iOS - is assisting manufacturers with security as it enables them to focus their efforts more effectively.

It therefore appears that the OSs' controls are effectively preventing apps from exceeding their authorised permissions today. The major problem is the persistent challenge of educating users to make cautious decisions about which apps to install. While user error remains a threat to mobile authentication deployments in general, it also means that users who install only legitimate apps are not threatened by general malware.

Part 2

--------------------------------------------------------------------------------------------------------------

See full Cryptomathic article in eID Credentials or download the Secure Mobile Transactions white paper.