Subtext, can a mobile application be ‘secure enough’ to replace single purpose hardware devices?
An area I have been discussing for some time is whether we can make a mobile application secure enough that it can be trusted to replace physical devices / items.
If we can achieve this, there are many possibilities for your phone or tablet, enabling it to:
- Become your payment instrument. Not like Apple pay that still uses your card in the background, but actually being your card(s).
- This can also provide a much richer user experience such as alerting the user every time there is a transaction on the ‘card’
- Take payments in stores without the need for a physical card payment solution.
- EMV (chip and PIN) becomes EMV on mobile devices, with a PIN or another cardholder verification method
- Replace your drivers license / passport / age card etc. as a valid form of ID.
- Enable secure signing of legal / contractual documents.
- Combine with technology like RFID and GPS etc. to revolutionise the retail experience.
- ‘Card not present’ becomes ‘card present’
- Secure mobile banking becomes actually secure and fully featured
- Support (or deny) any disputed transactions by providing more detailed information about the device, location and users involved
- Become your mobile medical record – no longer do doctors or hospitals have to look up your records (or not find them), you carry a copy with you, that syncs from the central repository when it is updated
The question is can we?
My take on this is yes. But with some caveats around how, and what we need to do to ensure the safety of the data used by the application.
The great news for me is that other people are finally starting to get on board with this idea; after a mere 18 months or so, it seemed an opportune time to write up my thoughts in more detail.
Before we start this discussion we need to adjust the mind-set from:
- thinking about a supposedly secure device that we do little to monitor, to
- thinking in terms of real-time application and behaviour monitoring that provides continuous assurance of the application and device security, along with the user's identity and behaviour.
For me the 'assumed secure hardware' stance seems terrifically old fashioned when compared to a solution where we can monitor and understand the risk profile continuously.
Now we are thinking in these more current terms, just how do we go about making a mobile application as secure as a dedicated hardware device? Indeed, when you consider the more intelligent monitoring and risk assessments we can perform in real time I would position this software solution as considerably better than the existing hardware options.
For me the ecosystem for a secure mobile application would comprise the following components:
To avoid this becoming a mammoth post, I'll cover some of the key capabilities of this system here, and provide details of each component in part 2 of this post.
Some of the key capabilities these components will provide include:
- Real time monitoring
  - Data sent to and from the app in real time
  - Automated blocking and alerting
  - 24*7 'eyes on glass' monitoring
  - Behavioural monitoring
- Application monitoring
  - Is it the correct application (e.g. checksum of the installed binary)
  - Is it behaving as expected
  - 'Trap' code in the application that is only accessed or changed if there is an issue (e.g. tampering or debugging)
- Rooting / jailbreak detection
  - Auto updates to detect new rooting methods or new ways of hiding root
  - Can alert monitoring and the user if detected
- Malware detection / device interrogation
  - Device ID, software versions etc.
  - Automatically updating detection capabilities
- User alerting
  - Alerts the user if any issues are detected
  - Alerts the user of activity on their account
- Behaviour blocking
  - Can block some or all in-app activity based on the current risk profile
- Secure communications
  - Between app / mobile device and back end
  - Frequently changed keys
  - Key management and distribution
  - White-box cryptography to protect keys in the field and within the app
- Bot vs. real user detection
  - Detects bot-like behaviour
  - Detects remote control behaviour
  - Builds a picture of the user's normal behaviour
- Real time risk scoring of activity / transactions
  - Collection of multiple data points
  - Real time risk scoring, decisioning and blocking of transactions and behaviours
- Multiple authentication methods and step-up authentication
  - Policy based
  - Risk based
  - FIDO compatible
- Geo-location
  - Current location
  - Historical locations linked with behaviours
- Fraud detection
  - Components can detect potentially fraudulent activity, such as the amount entered into a field not matching the amount sent to the back end
- Trending and predictive analytics
  - Big data platform can provide analytics capabilities and long-term trending
  - Machine learning and predictive analytics can guide security enhancements
  - May also become a saleable service for your business
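To make the risk-scoring, behaviour-blocking and fraud-detection items above concrete, here is an added example (my own illustration, not code from the original post or from any product) of a back-end risk scorer for one mobile transaction. The app sends a device report (self-reported app hash, root status, location, keystroke timing) alongside the transaction; the server combines those with the user's profile into one score and returns allow / step-up / block. All signal names, weights, thresholds and the sample inputs are assumptions made up for the example.

```python
"""Illustrative real-time risk scorer for a mobile-app transaction.

Added example, not from the original post. Signal names, weights,
thresholds and sample data are all assumptions for illustration.
"""
import hashlib
import math
import statistics
from dataclasses import dataclass

# Stand-in for the signed release package; the back end knows its hash.
# (constructed: a real deployment hashes the actual release artefact)
KNOWN_GOOD_APP_BYTES = b"example-banking-app-build-1.2.3"
EXPECTED_APP_SHA256 = hashlib.sha256(KNOWN_GOOD_APP_BYTES).hexdigest()

# Illustrative weights; two signals are on their own enough to block.
WEIGHTS = {
    "app-integrity": 100,    # reported app hash does not match the release
    "amount-mismatch": 100,  # amount shown in the UI differs from amount sent
    "rooted": 40,            # device reports root / jailbreak
    "bot-timing": 45,        # keystroke intervals too regular for a human
    "far-from-home": 25,     # more than 500 km from the user's usual location
    "amount-outlier": 20,    # more than 5x the user's typical amount
    "new-payee": 15,         # payee never seen for this user
}
STEP_UP_AT, BLOCK_AT = 40, 100


@dataclass
class DeviceReport:
    app_sha256: str         # hash the app computed over its own package
    rooted: bool
    lat: float
    lon: float
    key_intervals_ms: list  # time between keystrokes in the amount field


@dataclass
class Transaction:
    amount_minor_shown: int  # amount the UI displayed, in minor units
    amount_minor_sent: int   # amount actually posted to the back end
    payee_known: bool


@dataclass
class UserProfile:
    home_lat: float
    home_lon: float
    typical_amount_minor: int


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score(report, tx, profile):
    """Return (total score, names of the signals that fired)."""
    hits = []
    if report.app_sha256 != EXPECTED_APP_SHA256:
        hits.append("app-integrity")
    if tx.amount_minor_sent != tx.amount_minor_shown:
        hits.append("amount-mismatch")
    if report.rooted:
        hits.append("rooted")
    iv = report.key_intervals_ms
    if len(iv) >= 5 and statistics.pstdev(iv) < 5.0:  # metronomic typing
        hits.append("bot-timing")
    if haversine_km(report.lat, report.lon, profile.home_lat, profile.home_lon) > 500:
        hits.append("far-from-home")
    if tx.amount_minor_sent > 5 * profile.typical_amount_minor:
        hits.append("amount-outlier")
    if not tx.payee_known:
        hits.append("new-payee")
    return sum(WEIGHTS[h] for h in hits), hits


def decide(report, tx, profile):
    """Map the score to the action the app is told to take."""
    total, hits = score(report, tx, profile)
    if total >= BLOCK_AT:
        return "block", total, hits
    if total >= STEP_UP_AT:
        return "step-up", total, hits
    return "allow", total, hits


# Constructed sample inputs: a London-based user with a GBP 50 typical payment.
PROFILE = UserProfile(home_lat=51.51, home_lon=-0.13, typical_amount_minor=5000)
HUMAN_TIMING = [120, 95, 140, 110, 130]


def clean_request():
    return (DeviceReport(EXPECTED_APP_SHA256, False, 51.50, -0.12, HUMAN_TIMING),
            Transaction(4000, 4000, True))


def tampered_request():
    # Rooted device, and the app posts 100x what the screen showed.
    return (DeviceReport(EXPECTED_APP_SHA256, True, 51.50, -0.12, HUMAN_TIMING),
            Transaction(4000, 400000, False))


def travelling_request():
    # Genuine app and consistent amount, new payee, device in New York.
    return (DeviceReport(EXPECTED_APP_SHA256, False, 40.71, -74.00, HUMAN_TIMING),
            Transaction(4000, 4000, False))


def scripted_request():
    # Everything consistent except perfectly regular keystrokes.
    return (DeviceReport(EXPECTED_APP_SHA256, False, 51.50, -0.12, [100] * 6),
            Transaction(4000, 4000, True))


if __name__ == "__main__":
    for name, req in [("clean", clean_request()), ("tampered", tampered_request()),
                      ("travelling", travelling_request()), ("scripted", scripted_request())]:
        print(name, decide(*req, PROFILE))
```

One caveat worth keeping in mind when reading this: the app-hash and root checks are only as honest as the client that reports them, since a modified app can simply send the expected hash. In a real deployment they belong alongside a platform attestation of the device and app, while the checks that do not depend on client honesty (the shown-versus-sent amount, the behavioural and location profile, the payee history) are the ones the back end can actually rely on.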
This is by no means an exhaustive list; my intention is to get people thinking about the possibilities for secure mobile applications. Hopefully this post has got you thinking about how we can secure and monitor our applications on any device, anywhere. This really will open up a whole new world of possible capabilities for mobile devices, especially for businesses, and for consumers and businesses transacting with each other.
Part 2 will follow in the next few days providing some more details around the building blocks in this ecosystem.