Monday, April 30, 2012

Kenneth Van Wyk: We need more secure mobile devices

As things stand now, all bets are off if you lose your smartphone Computerworld - When you combine the words "mobile device" and "security," you get an oxymoron. That's the state of security in the mobile world, and it's been that way since day one. That has to change. Smartphones and tablets are increasingly doing heavy lifting in the corporate world, and are ever more likely to be repositories of sensitive data. But where do we start in making them more secure? For now, forget about malware and sophisticated hacking. We first need to close the most gaping hole of all for mobile devices, one that every expert I have talked to over the years has agreed on: If a bad guy gets physical access to a mobile device, all bets are off. A few months ago, the folks at the OWASP Mobile Security Project backed up this assessment. They did a threat modeling exercise of mobile devices and determined that two of the most glaring issues are the loss or theft of the device and insecure communications. A basic problem is that anyone who gets his hands on someone else's smartphone can access the user's login credentials with ridiculous ease. Mobile apps contribute to this problem. I myself have realized that some of the mobile apps that I use store login credentials and other sensitive data where they shouldn't be, and in the last month or so, I've read about numerous cases of such iOS app weaknesses. Using nothing more than a USB cable, an attacker can in many cases get to login and/or session credentials for many high-profile apps, on both iOS and Android platforms. For starters, mobile app developers must keep in mind when writing their software that devices can easily be lost or stolen -- and recognize that a lost device shouldn't be a free ticket to valuable data. Most modern mobile platforms provide mechanisms for reasonably protecting things like user login credentials. These mechanisms are generally called keychains. Current versions of both Android and iOS have keychain APIs that app developers can and should be using. While not perfect, they do provide significant protection over simply storing usernames and passwords -- even when hashed -- in plaintext files (e.g., plist or properties files). Second, other user data on mobile devices should be encrypted. This is something that users have to do themselves, but Android and iOS both provide mechanisms for doing that reasonably securely, and third-party add-ons like SQLcipher for AES encrypting SQLite databases are even better. If you look for strong mobile encryption mechanisms, you can find them. Next, we need better default protection settings in our mobile platforms. For example, on Apple iOS devices, sensitive data (including things stored in app keychains) is protected by hardware encryption that is keyed with a combination of a unique 256-bit device key and the user's own device lock code. Since that device key can be obtained by an attacker with physical access to a device, the protection afforded the user by the keychain essentially comes down to how strong his device lock code is. The default setting on iOS is a four-digit PIN, which just isn't up to the task. Usability advocates will argue that strong device passwords on mobile devices are annoying and won't be accepted by users. That's a fair argument -- strong passwords on a smartphone or tablet really are a hassle to work with. (Trust me.) Still, I'd prefer something stronger than four-digit PINs to unlock a device (and the data it holds). For the longer term, device vendors need to be shooting for stronger keying mechanisms -- perhaps a PIN in combination with a biometric like a fingerprint, facial pattern scan or voice recognition. For now, though, what I suggest to people who are serious about the security of their mobile devices is to carefully select the apps they use. It's easy enough to do some cursory static analysis of an app and its files using tools like iExplorer (formerly iPhone Explorer). At the very least, make sure your apps don't store login credentials in properties files and the like. Next, turn on strong passwords and use a reasonably strong one. A PIN just doesn't cut it. The mobile computing world is as vibrant as any tech environment in the world today. To call the growth explosive would be an understatement. It's easy to lose sight of core security principles in such a rapidly moving world. Still, developers should at the very least make use of security APIs when the platform allows. There's just no excuse for not making use of keychains and other secure data storage mechanisms.