This week I presented “Bringing Trust to Mobile Application with Hardware-Based Security,” which I know seems like a very dry topic, but seemed to have been appreciated by my audience at the Cybersecurity Innovation Forum, held in Baltimore.
My perspective was that with native mobile applications we have the opportunity to better secure them by leveraging security features of hardware, such as certificate storing, or validating components are trusted, (by using non-corruptible hardware components). This is the core of Trusted Computing, starting with a international standard Trusted Platform Module (TPM), that is a read-only chip that stores a certificate that can be used to validate other hardware and software components on a system. TPMs have been around for over 10 years, but not yet widely used. Most notable implementation is with Windows 8 for license management, and for storing of the key for Bitlocker disk encryption under Windows 7 and 8. TPMs are installed on most laptops and Windows mobile devices. But non-windows devices have similar capabilities, with components such as TrustZone on the ARM processor (found in almost all mobile devices) and Intel’s Trusted Execution Technology (TXT).
Almost everything we do today is performed by applications, and on mobile platforms, these applications are the threat vector for bad guys to steal data, access personal or privacy information (eg, contacts, calendar, or location), or even turn on features of the phone like the camera or microphone to snoop on us. That is why it’s important to only install apps from trusted App Stores, and be suspicious of apps requiring access to other phone features or components. But it’s also not just risks to the mobile device themself, but also to the application functionality. Classic web application vulnerabilities such as SQL Injection (direct calls to database), data passing in clear-text over connection (susceptible to sniffing over Wifi to view data or steal credentials), are all possible on mobile apps. My point for the presentation was most of these risks are known and have been part of web application security for over a decade, but we seem to start over with new technology and forget everything we’ve learned. So, I demonstrated how we can take this opportunity to incorporate what we know about web application security, utilize the security advantage mobile devices have over computers (eg, smaller attack surface simplified operating environment, separation of application execution, etc); and engineer on top of that, protecting credentials in hardware, and utilizing that hardware to test other components for trust before executing. Then we can spend less time worrying about how risky mobile devices are, and focus on the productivity and convenience they can bring.