My friend Franco Travostino compiled a list of ten issues that smartphones have; several caught my eye (note: Franco says they are in no particular order, but he puts unexpected entitlements at #1, which I agree with), and not surprisingly a number of the issues are related to security:
1. Unexpected entitlements. Some applications are more equal than others. For instance, try signing-out from your primary gmail account on Android. It won’t work unless the whole device is wiped clean;
The user has little to no visibility into or control over entitlement management; the other issue here is that those same entitlements are being reused across apps and services.
4. Stale coding practices. The application development environments don’t leverage any of the new ideas in software engineering, like Ruby on Rails with its built-in unit/functional testing;
This might not seem like a security issue, but it most definitely is. Software security has only recently been getting traction, primarily on web-style applications, so many web developers are up to speed on the basics like malicious software, SQL injection, XSS and so on, and they take at least some basic measures, like fuzz testing and static analysis, to address them. You can reasonably expect an intermediate web developer to have some of these tools and knowledge in their toolbelt, and if not there are many places to go to learn. That's typically not the case in mobile: there's an extremely naive trust model but little in the way of assurance; again, Chip and PIN is a good example here.
Problem is, the web apps got the level of assurance and resiliency they currently have (which could be better, I grant you) by getting bludgeoned by bad guys and failures, but the lessons learned there must carry over to other networked apps; it's not good ROI to pay to learn the same things twice.
6. Password sprawl. Without a widespread identity infrastructure, I’m forced to set passwords in as many different applications and have their renewal/challenges hanging on me. Intriguingly, the latter too change in frequency and style with the application, thus making it a really fragmented experience and a race towards lower grade security policies (i.e., simple passwords with the longest expiration intervals possible);
This one is just sad. The web people in the 90s had the excuse that there were no cheap, easy and readily available ways to solve the identity problems. Today's mobile developers have many options: SAML, OAuth and many other standards. Using the mainframe-style subject-object password bind leads to other problems like:
7. Back-end password handling. Without a widespread identity infrastructure, chances are that for a given application the database of subject’s secrets and the subject’s application data get collocated into the same Cloud and the same logical slice therein. This is what my colleague Gunnar Peterson colorfully describes as loading dynamite and detonator onto the same truck;
Again with the naive trust model.
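A constructed illustration of the dynamite-and-detonator point, added here and not from Franco's list or the original post: a store that keeps each subject's password next to their application data, beside a design that moves credentials into a separate store holding only salted hashes. The class names and the PBKDF2 work factor are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed example. Design A stores each subject's secret in the same record
# as their application data, so a dump of the app store is also a dump of every
# password: dynamite and detonator on the same truck.
class CollocatedStore:
    def __init__(self):
        self.users = {}
    def register(self, user, password, profile):
        self.users[user] = {"password": password, "profile": profile}
    def dump_app_data(self):
        return dict(self.users)  # the passwords ride along with the profiles

# Design B keeps credentials in a separate store that holds only salted PBKDF2
# hashes and exposes nothing but verify(); the app data side never retains a
# password, so its dump carries no secrets.
class CredentialStore:
    ITERATIONS = 100_000  # hypothetical work factor chosen for this example
    def __init__(self):
        self._records = {}
    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
    def enroll(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._hash(password, salt))
    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(self._hash(password, salt), digest)

class AppDataStore:
    def __init__(self, creds):
        self._creds, self._profiles = creds, {}
    def register(self, user, password, profile):
        self._creds.enroll(user, password)  # the secret goes on the other truck
        self._profiles[user] = profile
    def login(self, user, password):
        return self._creds.verify(user, password)
    def dump_app_data(self):
        return dict(self._profiles)

def secrets_in_dump(dump, password):
    """True if the plaintext password appears anywhere in a store dump."""
    return any(password in str(v) for v in dump.values())
```

Dumping the collocated store hands over every password with the profiles; dumping the separated app store yields profiles only, and the credential store can be placed in a different slice with a different blast radius.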
8. Porous sandboxes. The sandbox that an application operates in has several back-alley read/write access pathways to free-for-all data (e.g., the keyboard cache and address book on the iPhone, as described here), thus creating opportunities for Trojans and covert channels;
I would suggest changing "porous" to "non-existent." Or perhaps "box made of sand." Look, people, we have seen this movie before: PCs were never designed for malice, they just accreted functionality and data, and then the web was the active ingredient that spread viruses and the like across the porous PC world. Mobile apps have networked apps as first-class citizens, and the thin thread the current "security" of these systems hangs on is a poorly understood target environment. Does that sound like a sound long-term moat to you?
10. Cloakers and phishers. Some applications mean big business and naturally attract ill-intentioned copycats. There are just so many pixels to copy. Current defenses are mainly non-technical - e.g., the presence in the iTunes store hinges on relationships between vendor, Apple, and the user community. They are not as effective in the bazaar style of application store.
This one has the potential to be worse than what we've seen so far on the Web. Why? Think about the earlier points that Franco makes: lack of control of identity, old-school "trust-y" programming and password models, lack of visibility into entitlements, and ugly failure modes. Unless you rethink your security model for mobile, this is a cloaker/phisher dream platform. In a podcast with Marcus Ranum, Dan Geer summed up the old security model as "I'm ok, you're ok, but we can't trust the network"; this led to SSL and other security measures. Now Dan says the model is "I know the network is hosed, I have to assume you are too, and I may be as well." If you extrapolate that reality assessment to the above points, it's an ugly situation that taking your existing apps and putting a mobile face on them will make much worse.
What happens many times is that mobile is treated as just another front end, alongside web portals and web services; the rest of the architecture they connect to, like customer, order or product services, remains relatively unchanged. This assumes that mobile is just another front end, like supporting a different version of Firefox or something.
What's missing here is that more or less everything is different in the mobile environment. It looks similar enough (hey, it's HTTP and HTML/XML!) to fool people into tacking on the web security model. It's better to start fresh: look at the message exchange patterns, look at the conversations, identities, claims, and data. Look at the threat model for mobile separately from Web and Web services, and look at the control environment.
Hoff's CSA riff at RSA sums this up quite well:
All this iteration and debate on the future of the “back-end” of Cloud Computing — the provider side of the equation — is ultimately less interesting than how the applications and content served up will be consumed.
Cloud Computing provides for the mass re-centralization of applications and data in mega-datacenters while simultaneously incredibly powerful mobile computing platforms provide for the mass re-distribution of (in many cases the same) applications and data. We’re fixated on the security of the former but ignoring that of the latter — at our peril.
People worry about how Cloud Computing puts their applications and data in other people’s hands. The reality is that mobile computing — and the clouds that are here already and will form because of them — already put, quite literally, those applications and data in other people’s hands.
If we want to “secure” the things that matter most, we must focus BACK on information centricity and building survivable systems if we are to be successful in our approach.
As always in security it pays to be a connoisseur of chaos:
A. Well, an old order is a violent one.
This proves nothing. Just one more truth, one more
Element in the immense disorder of truths.
B. It is April as I write. The wind
Is blowing after days of constant rain.
All this, of course, will come to summer soon.
But suppose the disorder of truths should ever come
To an order, most Plantagenet, most fixed. . . .
A great disorder is an order. Now, A
And B are not like statuary, posed
For a vista in the Louvre. They are things chalked
On the sidewalk so that the pensive man may see.
Just a note: you can "sign out" of your gmail apps on at least some Android devices without wiping the whole device. On the HTC Hero, if you navigate to settings>Applications>Manage applications>Google Apps and "clear data", it will flush your login info and you will be prompted to log in again next time.
I was horrified to find out that there was no native/easy "log out" function when I got my Hero, though. (Shame on you, Google.) I set up a second Gmail account exclusively for synching my calendar/tasks/contacts on my phone.
Posted by: Aaron | March 17, 2010 at 11:34 AM