Mobile computing is a paradigm shift away from personal computers and their infrastructure toward very large flexible networks of loosely connected platforms. It has new platforms, operating systems, applications (apps) and exciting new approaches to old problems. As the paradigm shift gains momentum, the application of the technology expands to include areas never considered when the technology was designed. Risk mitigation requirements tend to be glossed over as the devices’ ease of use, affordability, and accessibility compels use. Users are often naive regarding the risks to their information, enjoying the benefits of use without giving a lot of thought to potential dangers.
Mobile devices that do not require users to be identified and authenticated are said to have anonymous users. Anonymity is an issue because it is impossible to impose accountability for user actions or mediate access to resources based on prior granted access. In effect all of the mobile devices’ assets are available to any anonymous user solely based on physical access to the device. Availability is important as the applications supported by mobile devices expand to include electronic commerce transactions and manage privacy-related data. The transparency of apps is an issue, apps that store sensitive information have been found that store the information in intermediary files that are shared with third parties without the knowledge or consent of the user originating the information.
Computing technology paradigm shifts have tended to ignore issues that would complicate or slow their acceptance, information security is a case in point. The shift to client server and wireless networking both had periods when protection requirements remained unaddressed and serious problems arose, Mobile computing is following a similar path, ignoring old lessons does not make them any less important, it simply means they have to be relearned. At this point protection measures are well understood, so the path to a secure solution does not have to be as painful as earlier experiences would indicate.
Ignoring previous generation protection measures has tangible benefits for the platforms. Administration is greatly simplified and significant processing and other overhead is eliminated, performance benefits. Measures associated with user aggravation are eliminated, improving the user experience and satisfaction, facilitating acceptance.
Mobile devices rely on the Internet for much of their communications, eavesdropping or hijacking Internet sessions are well understood and common attacks executed to steal data, encryption will defeat this attack, when the measure is used. The reliability of communications is an important issue as time-sensitive apps rely on it to complete revenue-generating transactions and to provide a satisfactory user experience for a variety of activities. We are quickly moving beyond the issue of dropped calls.
The lack of common protection measures is a non-trivial issue, raising risks thought to have been minimized long ago. Device theft to allow the thief to use the device for its intended purpose is giving way to theft for the purpose of access to specific data, often for packaging with other stolen data for sale to a customer with ulterior motives. Stealing address books for sale to spammers is a nuisance compared to data theft with the intention of large scale fraud or identity theft.
Corporate entities are making apps available to current and potential customers who have little to no insight into the apps, trusting the provider to address data security requirements that are outside the provider’s requirements sets or concerns. As provider expectations evolve to business critical levels, satisfying customer expectations will increase in importance to providers, complicating requirements and demanding increasingly sophisticated apps.
Corporations are also making mobile devices available to employees as productivity tools, without giving serious thought to the corporate data that will ultimately be processed, stored or transmitted by the devices. Configuration management of mobile computing platforms is, at best, informal. The easy access to apps introduces risks each time a new app is introduced. Allowing, if not encouraging sensitive information to be used with the platform places that information with exposure to a largely undefined and poorly understood set of risks for compromise, loss of integrity, and non-availability.
E-commerce apps that manage payment transactions and information are of interest to the Payment Card Industry’s Data Security Standard (PCI DSS). Where the host mobile device does not provide basic protection measures, compliance with the DSS is unlikely, raising a variety of serious questions. The value of information associated with the next generation of transaction processing apps is increasing, incentivizing execution of sophisticated attacks to steal the highest value assets.
We remain in the early days of malicious activities targeting mobile devices. At least one large scale attack of mobile targets has recently occurred, more sophisticated attacks are likely as the technology’s use grows and attack strategies are perfected. Attacks using malware remain to appear, although there seems to be no serious technical impediment to their occurrence other than the lack of recognized algorithmic vulnerabilities available for exploitation.
The integration of mobile computing into architectures supporting business critical applications remains an unexploited opportunity. How long this is true is in serious doubt, replacing the desktop PC has compelling economic drivers — it has to happen. Tying mobile apps into servers is already occurring on an experimental basis. This will raise the stakes significantly for tablets and the other evolving mobile devices. Corporate requirements for robust solutions will put pressure on technology providers to enable the safe expansion of the application of the platforms beyond messaging and e-commerce, which goes full circle back to resolution of conventional protection needs.
Whether mobile computing technology is “ready for prime time” in large scale applications remains to be seen. Clearly a large number of lessons need to be learned by app developers and architects regarding compliance with statutory privacy requirements as well as less formal user confidentiality expectations. Early adopter tolerance for problems that can be interpreted as technical glitches is unlikely to exist in production environments with large user populations and big company revenues.
Mobile computing is in its early days, the lack of meaningful protection measure for the information processes, stored, and transmitted by the platforms is a serious concern. Use of the technology for new applications without consideration of the risks by users and technology providers raises the likelihood and scope of potential damage to be inflicted by well thought out and executed attacks. The bell has rung, class is in sessions.