Topic: Securing an app-centric society
Richard Parris is an Anglo-American technology entrepreneur with extensive experience in the cyber security and identity management industry. He founded Intercede in 1992 and has led the Group through all stages of its growth, including an IPO in 2001.
Richard regularly engages with governments, systems integrators, cloud service providers and major corporations to promote the importance of identity assurance as the cornerstone of cyber security, physical access control and the digital delivery of public services. Richard is a member of Catalyst UK, a global network of business leaders, influencers and academics that have agreed to help UK Trade & Investment (UKTI) and other parts of the British government to promote UK excellence internationally. He is also a member of the UK government’s Cyber Growth Partnership.
Richard Parris is a Chartered Engineer and has an MBA from the University of Warwick Business School.
Technology has advanced at a tremendous rate since the days of dial-up internet, when phone calls were not possible while browsing the web or sending an email. No longer glued to a desktop computer, we now live in an ‘always on’ society and are accustomed to sending and receiving data from almost anywhere, at any time, from any device. But while manufacturers and developers have been working hard to develop the groundbreaking technology available today, behind the scenes cyber criminals have been devising more diverse opportunities for extortion, theft and fraud. Cyber threats are increasingly sophisticated and not enough is being done to protect against them.
So much time and effort has been invested in the creation of new, innovative devices which add value and convenience to the lives of everyday consumers, but not enough thought has been given to the security of these devices. A recent survey commissioned by Intercede revealed the impact that the prolific hacks of the last year had on the consumer: 53% of UK respondents said they would not access financial applications on a mobile device. Evidently there is a lot of work to be done in order to replenish trust in mobile – not just on a consumer level, but for enterprise too. Now is the time for organisations to take a step back, evaluate the security weaknesses in their systems and networks and move forward accordingly.
The proliferation of mobile usage is so widespread that many organisations have to either implement a robust BYOD strategy or enforce a blanket ban on employee devices. Turning a blind eye to the issue may result in employees putting company data at risk by accessing corporate systems and networks from their own device. The 21st century employee desires the ability to access corporate networks and data from their own device, be it from the office or while working remotely, and like it or not, this is an issue that needs to be addressed by employers.
According to Strategy Analytics, the Android operating system is now present on 84% of global smartphone shipments. Despite this, the Android platform is frequently cited as a weak link in the security chain. The platform’s open nature allows developers to create an app and offer it to a potential customer base of around a billion users through a number of different app marketplaces. While this is a great opportunity for genuine app developers, it unfortunately also gives hackers posing as genuine app developers the same opportunity. As a result, applications and their associated content are vulnerable to attack from malware threats, which could result in the leakage of sensitive data.
Gartner estimates that by the end of 2015, 75% of mobile applications will fail basic security tests. It further predicts that by 2017, 75% of mobile security breaches will be a direct result of app misconfiguration. While this may seem damning on the surface, it need not spell the end to a mobile enterprise.
Many modern Android devices are manufactured with an ARM processor at their heart. These processors have a secure area known as the Trusted Execution Environment (TEE) that offers a safe haven for apps containing and dealing with sensitive data. Built into over 350 million Android devices as part of the chipset design at the point of manufacture, the TEE offers a highly secure location. Through hardware protected isolation, the TEE acts as a bank vault for trusted apps, keeping its contents separate from the main Android OS. Apps deployed to the TEE remain locked away in ‘safety deposit boxes’ with individual locks and are protected further by software and cryptographic isolation. This ensures the apps – and any transaction or activity associated with the apps – are kept safe from whatever else may be present on the handset, making it the ideal place to run applications that deal with sensitive data both in transit and at rest.
The gradual move towards a digital society means that transactions traditionally conducted in the physical / analogue world – such as banking, shopping and even phone calls – are now under threat from hacking. The data stored and exchanged digitally today is increasingly sensitive in nature. As such, it is vital to implement the correct procedures and tools to protect this data from theft and extortion.
There are already a multitude of apps available in the Android marketplace designed to cope with sensitive data, such as Bitcoin transactions, online shopping and secure voice calls. Developers writing apps of this type, where security and privacy measures are critical, should look to deploy them in the TEE to take full advantage of the robust security it provides. However, gaining access to and utilising the TEE is not a straightforward operation. It requires the use of cryptographic keys written to the device at manufacture, and a trusted application manager (TAM) must be employed to provide access to the required keys and the mechanism to deploy trusted apps using those keys.
The TAM loads trusted applications into secure containers within the TEE, ensuring apps are protected not only from anything running within the Android operating system, but also from other trusted apps within the TEE. A TAM service is robust and secure, and eases the deployment for app developers.
In 2014, mobile security was a concern for over half of UK consumers. While the Intercede research revealed over 53% of UK consumers would never use mobile banking services, it also found that 50% avoided mobile payment apps and almost a quarter (24%) would not feel safe shopping on their handsets. The TEE offers technology vendors and financial institutions alike the opportunity to restore consumer trust. For those developing financial apps, the ability to ensure that financial data and transactions are isolated from potential attack is priceless. For organisations desiring a secure BYOD policy, the TEE offers a means to protect corporate data from hackers ‘listening’ in through other apps on the device.
Whether you’re an app vendor wishing to offer government agencies and large corporate organisations secure digital rights, or an app developer looking to provide a secure wallet for Bitcoin, employing TEE technology gives both you and your customer reassurance that the app and its associated content are safe and secure.