Hopefully it is fairly obvious from the last couple of posts how I think a mobile application can be made ‘secure enough’ to replace hardware security devices and enable many other capabilities from mobiles / tablets etc. However I thought it may be useful to provide an overview of how the detailed components will work together to provide this capability.
Many organisations such as banks have or are already launching payment applications that enable you to make payments with your phone rather then needing your bank card, and of course there are Apple Pay and Samsung Pay etc.
So it’s clear people are becoming comfortable with mobile devices for some use cases, sometimes purely software, sometimes with hardware components involved such as Knox or TEE (Trusted Execution Environment). This is likely helped by the rise of ‘contactless’ payments in many parts of the world.
While hardware components and secure operating system components can form part of a secure mobile application solution, they are by no means a silver bullet. As you still need some part of the application to run in normal, untrusted space, you still face the same problems as if there were no hardware solution in place. What is to stop a malicious application attempting to man-in-the-middle the communications between the secure and insecure environment? Indeed what is to stop a malicious application from just impersonating the secure component to the insecure one?
Hardware based solutions also face challenges around support and different capabilities on different devices.
This is why I have focussed on a software only proposal.
If we get to the point where we can trust and monitor a software only solution, this opens up so many possibilities – as long as you are on a supported O/S version, you can run our secure application(s) on any device, anywhere.
While we have the above mentioned payment applications, there are much wider use cases when we get to the point that we really do trust the mobile application I mentioned some of these in my original post on this topic.
As a recap, these were;
- Become your payment instrument. Not like Apple pay that still uses your card in the background, but actually being your card(s).
- This can also provide a much richer user experience such as alerting the user every time there is a transaction on the ‘card’
- Take payments in stores without the need for a physical card payment solution.
- EMV (chip and pin) becomes EMV mobile devices and PIN / other
- Replace your drivers license / passport / age card etc. as a valid form of ID.
- Enable secure signing of legal / contractual documents.
- Combine with technology like RFID and GPS etc. to revolutionise the retail experience.
- ‘Card not present’ becomes ‘card present’ (the end of ‘Card not present’ fraud!)
- Secure mobile banking becomes actually secure and fully featured
- Support (or deny) any disputed transactions by providing more detailed information about the device, location and users involved
- Become your mobile medical record – no longer do doctors or hospitals have to look up your records (or not find them), you carry a copy with you, that syncs from the central repository when it is updated
I am sure you can think of many others!
So how do the components previously detailed components all come together to proved a secure, monitored environment?
In ‘real time’ there are 5 main components;
- The mobile app
- Secure decision point
- Real time risk engine
The mobile application – this comprises all of the security components deployed to the mobile device, along with the actual application capabilities of course! These components are the key to understanding the security status of the device. They also providing details of behaviour, from things like location to the users activity, and authentication information. These components have the responsibility for securing and monitoring the device and user behaviour, plus ensuring this data and telemetry is securely provided to the secure decision point and monitoring services.
The secure decision point is to provide a central (resilient of course!) control point for all application traffic to pass through. This enables relevant data to be passed to the correct components such as the risk engine and monitoring solution(s). In addition this provides an added layer of protection for the back end application services. Any time the application or user behaviour is deemed unacceptable, the connection can be blocked before it even reaches the back end services.
Real time risk engine enables risk based decisions to be made based on the information from the other security components. The secure decision point, authentication solution and ‘external’ source like threat intel and the big data platform all feed the risk engine. This can be applied to many activities including authentication, user behaviours, and transactions.
Authentication does what the name implies – it authenticates the user, and likely to at least some extent device. The difference between this an ‘traditional’ authentication is that as well as authenticating at logon, and supporting multiple factors and types of authentication, is that it can authenticate constantly in real time. Every time the application is used, information about the device, location, user behaviour etc. is passed to the authentication solution, enabling authentication decisions to be made for any application activity. In addition to providing rich risk information for the risk engine this also enables fully authenticated transactions.
Monitoring, refers in this case to security monitoring of the system components and their data. This provides expert analysis and alerting capabilities to augment the automated processes of the risk engine, authentication solution and security decision point. This may be internal staff, a dedicated SoC (Security Operations Centre), or a dedicate mobile security monitoring centre, or a combination of multiple options.
As you can see, all these components combine to provide an understood and secure environment on the mobile device, backed up by real time monitoring, risk based decisions and authenticated activities.
These ‘real time’ components are further backed up by external feed from intelligence sources, and by analytics performed in the big data platform. This enables learning from the behaviour of users and devices in the environment so that the risk based rules and manual alerting can be refined based on previous and current activities and outcomes.
Depending on a combination of the security requirements for your application, and the resources available, you may not need or want to implement every component here. Overall the detailed environment provides a software only solution that is capable of providing enough security to enable pretty much any activity. I’d love to hear your thoughts, and any experiences of deploying and proving secure mobile applications!