Opinion: Equip Mobile Applications with Anti-Tamper Technology
Application providers should build in sufficient security for mobile devices.
Editor’s note: This has been adapted from a longer article of the same name.
During the last 20 years, malware has evolved from occasional “exploits” to a global multimillion-dollar criminal industry. We hear about viruses such as Flame and Stuxnet, which can infect whole country infrastructures with relative ease. For example, for at least two years, Flame has been copying documents, recording audio, keystrokes and network traffic, and taking screenshots from infected computers. If it’s that easy to attack governments and infrastructures, how difficult do you think it is to hack a smartphone?
Custom Malware Designed for Smartphones
Application providers need to step up and begin building in sufficient security for mobile devices, including vulnerability mitigation, re-evaluation of trust and incorporation of secure authentication channels.
The need for these techniques is magnified on mobile platforms and perhaps none more so than on Android. A recent study by AV-TEST showed that more than 75 percent of anti-malware solutions ignored at least one in every 10 of the main families of malware in the wild. Add to this that Android malware is increasing dramatically, quadrupling between 2011 and 2012, and it seems that failing to protect mobile applications in general, and Android applications in particular, might be inviting a disaster.
The open source nature of the Android platform means that there is a plethora of free, widely available and powerful tools that also make it simple to reverse-engineer unprotected applications, or even elements of the OS itself, in order to assess vulnerabilities and create attacks. Add to this the fact that there is a wide range of largely unpoliced Android marketplaces. Even Google’s own marketplace, with its “Bouncer” malware detection system, is far from infallible, as researchers recently showed.
Mobile Security Critical for Businesses
With the huge growth of smartphones and the applications that run on them, mobile security is becoming a critical area for all businesses: they are an obvious route for threats that seek to penetrate the back office.
Unfortunately, to date, security in Android has been ineffective. Hackers create and deploy malware that can change the behavior of applications, substitute account numbers, modify amounts, initiate egregious transactions, capture PINs, and more. Applications running on remote devices, with unknown configurations, need to be able to defend themselves and their communications, and to clearly signal if they have been compromised.
Approaches to Secure Mobile Devices
There are various means to secure mobile device transactions. Strong security for mobile devices draws on a comprehensive portfolio of embedded security solutions, the most obvious being anti-tamper technology, which prevents code and data changes. The principle behind anti-tamper is quite simple: rather than relying on the security of the environment (by assuming that firewalls and virus checkers are installed, correctly configured and updated), anti-tamper ensures that the application can defend itself and its own data.
Clearly this approach will become the standard method for securing applications in the next few years. There are numerous ways anti-tamper technology can help secure smartphone apps for financial transactions:
- Protect the application itself against subversion.
- Protect application data.
- Protect data and keys within the application from capture or extraction by using cryptographic primitives.
- Prevent “code lifting” to extract individual functionalities.
- Trigger a response.
- Repair attacked applications or data.
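The self-defence principle described above, reduced to its core mechanism, as an added example that is not code from the article or from any anti-tamper product: an application seals its own code and data regions with keyed integrity tags at build time, re-checks them at run time, logs and responds when a region has been altered, and repairs it from a trusted golden copy. The `IntegrityGuard` class, the region names, the region contents and the guard key are all constructed for the demonstration; a shipping product would additionally hide the key and the checking logic (for example with obfuscation or white-box cryptography) and protect the golden copies themselves, which this example does not attempt.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample regions standing in for an app's code and data in memory.
SAMPLE_REGIONS: Dict[str, bytes] = {
    "transfer_logic": bytes.fromhex("554889e5") + b"\x90" * 60,  # constructed, not real code
    "account_number": b"GB00DEMO00000000000000",               # constructed placeholder
}
# Constructed demo key; a real product hides this (white-box crypto / obfuscation).
GUARD_KEY = b"constructed-demo-guard-key"


class IntegrityGuard:
    """Seals named byte regions with HMAC-SHA256 tags, detects changes,
    and repairs tampered regions from a sealed golden copy (hypothetical class)."""

    def __init__(self, key: bytes, regions: Dict[str, bytes]) -> None:
        self._key = key
        # Live copies are mutable bytearrays so a caller can simulate memory patching.
        self._live: Dict[str, bytearray] = {n: bytearray(b) for n, b in regions.items()}
        # Golden copies and their tags are what the guard trusts; in a real product
        # these would themselves be protected (encrypted, cross-checked by other guards).
        self._golden: Dict[str, bytes] = {n: bytes(b) for n, b in regions.items()}
        self._tags: Dict[str, bytes] = {n: self._tag(b) for n, b in self._golden.items()}
        self.events: List[str] = []

    def _tag(self, blob: bytes) -> bytes:
        # Keyed tag: a plain checksum could be recomputed by whoever patched the bytes.
        return hmac.new(self._key, blob, hashlib.sha256).digest()

    def region(self, name: str) -> bytearray:
        """Mutable view of a live region (stands in for a pointer into app memory)."""
        return self._live[name]

    def verify(self) -> List[str]:
        """Return the names of regions whose live bytes no longer match their tag."""
        return [
            name for name, blob in self._live.items()
            if not hmac.compare_digest(self._tag(bytes(blob)), self._tags[name])
        ]

    def repair(self, names: List[str]) -> List[str]:
        """Restore tampered regions from the golden copies; return what was repaired."""
        for name in names:
            self._live[name][:] = self._golden[name]
        return list(names)

    def check_and_respond(self) -> Dict[str, object]:
        """One guard pass: detect, log, repair, re-verify. The caller decides whether
        to also abort the current transaction based on the 'tampered' list."""
        tampered = self.verify()
        for name in tampered:
            self.events.append(f"tamper detected in {name}")
        repaired = self.repair(tampered)
        return {
            "tampered": tampered,
            "repaired": repaired,
            "healthy_after": self.verify() == [],
        }


if __name__ == "__main__":
    guard = IntegrityGuard(GUARD_KEY, SAMPLE_REGIONS)
    # Simulate a patched instruction in the code region and a swapped account number.
    guard.region("transfer_logic")[4] = 0xC3
    guard.region("account_number")[:4] = b"XX00"
    print(guard.check_and_respond())
    print(guard.events)
```

In a real deployment the guard pass runs from several places in the application (not one easily located function), the response is chosen per region (refusing to continue a transaction when code has been altered, silently restoring data), and the event log is what lets the application "clearly signal" compromise to the back office.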
As malware continues to attack smartphones, financial institutions must strive to provide the needed security to their applications. Malware won’t go away and companies need to be more proactive in securing apps from the inside out using anti-tamper technologies to produce that added level of security. We all know firewalls alone aren’t enough.
Andrew McLennan is an experienced entrepreneur who has founded five start-up companies since 1993, including Metaforic. Andrew has held all the key management roles in startups including CEO, CMO, CCO and COO. Andrew has an honors degree from Strathclyde University in mechanical engineering with aerodynamics.