Tuesday, September 2, 2014

A Security Perspective on the Cross-platform Mobile Space

The August Vancouvermobile.net meetup focused on mobile application security and covered some basic tips on how developers might go about securing data within their applications, specifically looking at a couple of encryption methods for keeping data away from prying eyes.

In preparing for the meetup I did some research on the security of the mobile platform to understand the scope of the problem and where the vulnerabilities lie.  There are a number of reports published by well-respected technology companies that review this area; a handful that were reviewed are:

The statistics and positions referred to in this post borrow from these reports.

The discussion starts from a fundamental premise – data has value.  Data can be viewed as an online currency, with different types of data having different degrees of value.  Not surprisingly, the greater the value of the data, the greater the risk of malicious actors trying to attack it.  In trying to generalize the value of different data types, here is an interpretation of three types of data-value classification:

  1. Personal Data – this is data that identifies an individual; however, having this data does not necessarily enable a malicious actor to do any harm.  Examples of personal data might be e-mail addresses, telephone numbers or even a home address.  Things get interesting when you combine several pieces of personal data: correlating them may yield information that is more sensitive.  Personal data may be subject to regulatory control depending on the geography that you are in.  For example, here in Canada there is the Personal Information Protection and Electronic Documents Act (PIPEDA).  The act establishes rules for the management of personal information by organizations involved in commercial activities.
  2. Sensitive Data – this is data that an individual would want to keep private.  Examples of sensitive data might be credit card numbers, social insurance numbers, passwords or PINs.  This type of data is likely to be subject to local legislation such as PIPEDA, but may also have specific additional regulatory requirements in place.  For example, PCI compliance is required when dealing with financial data.
  3. Business Data – this post is really talking about personal and sensitive information, but it is important to remember that a device may be used for business purposes, and business data has a different type of value.  The presence of business data may increase the risk of a mobile device being targeted.

This establishes a foundation where there is an understanding that data on a mobile device has value, not only to the user, who will want it protected, but to malicious actors who may want to gain from stealing that data.  Malicious actors who want to obtain personal and sensitive data for financial gain often use tools that fall under the generic heading of crimeware.  This term defines a subset of malware used to facilitate cybercrime, such as identity theft.

One of the most popular crimeware platforms highlighted by the Verizon report is Zitmo (Zeus in the Mobile).  Zitmo is a variant of the Zeus malware targeted specifically at mobile platforms.

There are a few themes that run through all of the reports and highlight the importance for software developers of securing their apps to protect data.
  • The mobile platform is seeing increased interest from malicious actors as a platform worth attacking.  Although the amount of malware targeting mobile devices specifically is still small, the trend shows that it is growing rapidly.
  • Android currently appears to be the largest target for malware; Cisco reports that Android users make up 71% of the encounters with web-delivered malware, with iOS coming in second place at 14%.
  • Physical theft of mobile devices still presents a real threat.  The easiest way to reduce the risk of data theft from a stolen device is to use encryption on mobile devices.
  • To be most effective, security should be considered from the start of development, not as an afterthought to be layered into a product after completion.
  • Mobile devices make up only one aspect of a service; security needs to be considered on the device, across the network and into the cloud service that may be supporting the mobile application.

What can mobile app developers do?  There were a few things that came out of the meetup; this is by no means a comprehensive list, but a summary of the topics discussed within the time we had available on the night:
  • Consider the types of data being used within your mobile app:
    • What is the value of that data to the user?
    • How should the data be appropriately secured?
  • Use the right method to secure data depending on the data type and its sensitivity:
    • Use encryption where it is necessary to store and retrieve data, and consider the right type of encryption for the type of data being stored.
    • Use hashing for data such as passwords and PINs where there is no requirement to decrypt the data in the future.
  • Consider the use of shared services, like OAuth, so that sensitive data need not be stored within your app.
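The hashing point above is worth seeing in code, because the difference between "hash the PIN" and "hash the PIN properly" is where mobile apps most often go wrong.  The following is an added example written for this post, not code from the meetup or from any of the reports cited; it uses only the Python standard library and assumes PBKDF2-HMAC-SHA256 as the password-hashing function (the function names, the record format and the iteration count are choices made for the example).  It contrasts a naive unsalted SHA-256 of a PIN, which produces the same value for every user who picks the same PIN, with a salted, iterated hash that can be verified later without ever needing to recover the original PIN.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (chosen for this illustration, not mandated by the post):
# a per-record random salt plus a high iteration count, so that an attacker
# holding a stolen database cannot cheaply test every 4- or 6-digit PIN.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def naive_hash(secret: str) -> str:
    """What NOT to do: a bare, unsalted hash of the PIN or password.

    Every user who chooses the same value gets the same digest, so one
    precomputed table of all short PINs unlocks every record at once.
    """
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt$digest'.

    Storing the algorithm, iteration count and salt alongside the digest means
    the app can verify old records and raise the work factor for new ones.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored secret
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    Nothing here decrypts anything: the original PIN is never recoverable from
    the record, which is exactly why hashing (not encryption) is the right tool
    for credentials that only ever need to be checked, not read back.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same PIN.
    alice_naive, bob_naive = naive_hash("1234"), naive_hash("1234")
    print("naive hashes identical:", alice_naive == bob_naive)       # True

    alice_record, bob_record = hash_secret("1234"), hash_secret("1234")
    print("salted records identical:", alice_record == bob_record)   # False
    print("verify correct PIN:", verify_secret("1234", alice_record))  # True
    print("verify wrong PIN:", verify_secret("4321", alice_record))    # False
```

On a real device the record would live in the platform keystore or an encrypted database rather than a plain file, and a slower memory-hard function such as scrypt or Argon2 would be preferable where available; the shape of the code (salt, work factor, constant-time verify, never decrypt) stays the same.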

To finish off, there is a great quote that puts a good perspective on IT security:
"Security in IT is like locking your house or car - it doesn't stop the bad guys, but if it's good enough they may move on to an easier target." - Paul Herbka
