SECURITY OF MOBILE PLATFORMS AND APPLICATIONS

The group discussion opened with the scope of the brief, and with the acknowledgement by all the delegates that the mobile ecosystem is a very broad one, with many players including, at the very least, the consumer, handset manufacturer, OS vendor, application vendor and mobile operator. It was agreed that in such a diverse environment there was no one group who could, or should, take sole responsibility for security. Each player had a valuable contribution to make, and security must be dealt with in a holistic manner.

Some discussion then followed on how it might be possible to incentivise the various stakeholders to take security seriously. The delegates considered the possibility of legislation to enforce good security practice, but conceded that the borderless nature of the mobile internet might give rise to questions of jurisdiction. The introduction of some form of ‘health check’ to assess a consumer’s behaviour and security practices, and the concept of some form of ‘security insurance policy’, were also discussed. This latter suggestion recognised that the ability to assess and quantify risk was a potentially difficult area.

On the consumer front, there was a broad discussion around location-based services, m-wallet services and mobile banking. Of particular concern was the handling of sensitive data and privacy. The issue of cross-application use of data was discussed, as was the concept of multiple, throw-away ‘personas’, where a consumer could create a ‘persona’ with a data profile for use by a specific application, or for a restricted period of time.

There followed some discussion in the area of enterprise mobility, centred on the Bring Your Own Device (BYOD) philosophy. While acknowledging that this approach might be essential to help organisations attract young talent, a number of serious issues were raised, including questions over the control of device features, the cross-contamination of personal and business data, and methods of addressing the physical security of the device.

The broad group discussion can be summarised under the following topics:

1. Holistic Mobile Security Models

Security breaches in the mobile ecosystem can have many sources, including handset vulnerabilities, operating system flaws, malicious applications and even network availability. As a result, no single player in the ecosystem can have sole responsibility for security. Research in the mobile space should look first of all at holistic security models, and investigate common policies and technologies that can be applied to all components and players in the mobile architecture.

2. Trust Models for the Consumer

The issue of trust has a significant impact on consumer confidence regarding the management of their confidential data and the uptake of applications like secure mobile banking. From the consumer point of view, there are still dangers inherent in the transmission of private transactions and the storing of sensitive data by service providers. Research should focus on trust models, authentication and application certification in order that consumers can manage sensitive data and carry out secure transactions with confidence.

3. Enterprise Mobile Security

For businesses, the distribution of data across the mobile ecosystem and into the enterprise also creates questions of ownership, responsibility and control. This is compounded by the complexity of a Bring Your Own Device (BYOD) environment, where such issues extend to both the data and the device. From an enterprise perspective, research should examine problems such as data segregation, filtering, configuration and control in order to enable corporations to implement a BYOD model which is both secure and reliable.

The key to success in this area is that any research must consider the views and needs of all stakeholders in the ecosystem, as well as the input of consumers, businesses, legislators and regulators.