Data at Risk: Mobile Computing, Apps and User Data

Mobile computing is a paradigm shift away from personal computers and their infrastructure toward very large flexible networks of loosely connected platforms. It has new platforms, operating systems, applications (apps) and exciting new approaches to old problems. As the paradigm shift gains momentum, the application of the technology expands to include areas never considered when the technology was designed. Risk mitigation requirements tend to be glossed over as the devices’ ease of use, affordability, and accessibility compels use. Users are often naive regarding the risks to their information, enjoying the benefits of use without giving a lot of thought to potential dangers.

Mobile devices that do not require users to be identified and authenticated are said to have anonymous users. Anonymity is an issue because it is impossible to impose accountability for user actions or mediate access to resources based on prior granted access. In effect all of the mobile devices’ assets are available to any anonymous user solely based on physical access to the device. Availability is important as the applications supported by mobile devices expand to include electronic commerce transactions and manage privacy-related data. The transparency of apps is an issue, apps that store sensitive information have been found that store the information in intermediary files that are shared with third parties without the knowledge or consent of the user originating the information.

Computing technology paradigm shifts have tended to ignore issues that would complicate or slow their acceptance, information security is a case in point. The shift to client server and wireless networking both had periods when protection requirements remained unaddressed and serious problems arose, Mobile computing is following a similar path, ignoring old lessons does not make them any less important, it simply means they have to be relearned. At this point protection measures are well understood, so the path to a secure solution does not have to be as painful as earlier experiences would indicate.

Ignoring previous generation protection measures has tangible benefits for the platforms. Administration is greatly simplified and significant processing and other overhead is eliminated, performance benefits. Measures associated with user aggravation are eliminated, improving the user experience and satisfaction, facilitating acceptance.

Mobile devices rely on the Internet for much of their communications, eavesdropping or hijacking Internet sessions are well understood and common attacks executed to steal data, encryption will defeat this attack, when the measure is used. The reliability of communications is an important issue as time-sensitive apps rely on it to complete revenue-generating transactions and to provide a satisfactory user experience for a variety of activities. We are quickly moving beyond the issue of dropped calls.

The lack of common protection measures is a non-trivial issue, raising risks thought to have been minimized long ago. Device theft to allow the thief to use the device for its intended purpose is giving way to theft for the purpose of access to specific data, often for packaging with other stolen data for sale to a customer with ulterior motives. Stealing address books for sale to spammers is a nuisance compared to data theft with the intention of large scale fraud or identity theft.

Corporate entities are making apps available to current and potential customers who have little to no insight into the apps, trusting the provider to address data security requirements that are outside the provider’s requirements sets or concerns. As provider expectations evolve to business critical levels, satisfying customer expectations will increase in importance to providers, complicating requirements and demanding increasingly sophisticated apps.

Corporations are also making mobile devices available to employees as productivity tools, without giving serious thought to the corporate data that will ultimately be processed, stored or transmitted by the devices. Configuration management of mobile computing platforms is, at best, informal. The easy access to apps introduces risks each time a new app is introduced. Allowing, if not encouraging sensitive information to be used with the platform places that information with exposure to a largely undefined and poorly understood set of risks for compromise, loss of integrity, and non-availability.

This entry was posted in Uncategorized. Bookmark the permalink.