In our brave, new, mobile world, the possibilities are enticing. Smartphones and tablet PCs are becoming the universal weapon for businesses. But there’s skepticism, too: Can data be intercepted during transmission, and can potential attackers infiltrate the back end? And what happens if a smartphone is lost or stolen?
With the tagline “SAP, Microsoft, Oracle & Co. Business goes mobile” this year’s roadshow from security solution provider Integralis, headquartered in Ismaning, Germany, answered such questions and demonstrated solutions. In the use of mobile applications, Integralis refers to a three-stage security architecture.
This comprises the components end device, user, and (IT) infrastructure – each of which brings with it certain risk factors. The topic of mobile security was explained using these three stages. Sister companies itelligence and Cirquent took part in this year’s event for the first time.
PIM, and value-added and enterprise applications
In his presentation about end devices, Dr. Ralf Stodt from Integralis differentiated between three different application scenarios for companies: PIM synchronization, value-added applications, and enterprise applications. The synchronization of personal information management (PIM) includes push functions for e-mail, contacts, and calendar and is connected with groupware systems such as Exchange or Notes.
Regardless of the mobile platform, Microsoft ActiveSync is the standard here. Value-added applications are very popular, both among consumers and in the business world, and cover such areas as reservations, timetables, ticket sales, and navigation. In addition to PIM, enterprise applications are critical, because they use data from a company’s ERP system and enable access to the back end.
First think, then act
Integralis advises companies to draw up a preliminary strategy before deploying mobile devices: Which employees need access to which data? Is the concept a B2C (business-to-consumer), B2B (business-to-business), or B2E (business-to-employee) one? Furthermore, the company’s own use policies should be checked and all components in the process taken into account. User training is also advisable.
To keep device management manageable, no more than three device types should be used, and jailbroken (hacked) smartphones should be avoided at all costs. Locking the device after incorrect password entries (device wipe) should also be a standard feature. It is particularly important for the phone to be managed “over the air” (OTA), meaning that the IT department has permanent access to it.
Companies need to give all this serious thought, because the trend away from the desktop PC is unstoppable. A study by Gartner predicts that smartphones will be replacing conventional cell phones and laptops as early as 2012. In 2014, the move is likely to be toward tablet PCs, with more of them being sold than smartphones for the first time.
Hacking the mobile network in half an hour
Mobile end devices are not without risks. These include unauthorized access, as well as weaknesses at interfaces and in data transmission. Harmful software can be spread in many ways: via Bluetooth, WLAN, e-mail, MMS, SMS, downloads, and vulnerabilities in program code.
Intruders can also find their way into company networks or wiretap data transmission, and deleting old data from flash memory is not reliably secure. Even dialers, a hangover from the days before the Internet flat rate, are making their way from Asia to Europe and North America.
Stodt reported that GSM (Global System for Mobile Communication), the most widely used digital mobile phone system and the de facto wireless standard in Europe, can be hacked in half an hour using hardware for €1,000. Although fewer than 100 forms of malware are known for Android, this is largely due to the minimal information provided by Google and a lack of tools for tracking malware down.
Thanks to detailed reports, more is known about malware for Apple iOS. Cases tend to occur more frequently after an operating system upgrade. The reason for this is that Apple announces the improvements to the new release, so the weaknesses of the previous system are also revealed, but users don’t always update their systems immediately.
This is one area where people are weak points. In addition, private and business e-mail accounts are often managed using the same menu, resulting in confidential or controversial content being sent all too easily to the wrong address. Not to mention losing a device on a train or in a pizzeria.
Mobile platforms – Android, iOS, Symbian, RIM, and Windows Mobile – all have valid security concepts. These include:
- Code signing: digital signatures that guarantee that a certain code was not changed
- Sandboxing: runtime environment for software. This is separate from the rest of the system and can be analyzed in terms of its functionality.
- Data execution prevention (DEP): stops a file from being executed
- Mandatory access control: control and management of access rights, which include the identity of the user and the object, plus further information
- Lockdown: blocking the system in case of discrepancies
Configuration options depend on the providers and vary greatly. In his presentation, Stodt named three components that play a key role in security: ActiveSync, mobile device management (MDM), and third party client. As an example, he used Apple’s iOS operating system.
ActiveSync has various security functions that work together with Microsoft’s Exchange groupware system from Exchange 2007 onward. These include an improved password function, logout after a period of inactivity, and the deactivation of the camera and Web browser. Remote wipe enables the data in the application to be wiped remotely; HTTPS ensures secure data transmission.
With Outlook Web App (OWA), Outlook is available everywhere, and roaming costs can be avoided when abroad by deactivating synchronization. What’s more, Exchange 2010 has a quarantine function.
Among the disadvantages of ActiveSync are its incomplete coverage of MDM functions and limited monitoring. A device lock is also lacking, as is code deletion, and mixing private and business data is not prevented. In addition, applications that have already been developed cannot be installed on the device. Stodt is convinced that companies will need more than ActiveSync for their secure smartphones.
Mobile device management
MDM enables devices and applications to be managed centrally. Administration works using an MDM server from the company’s own IT department or from another provider. For OTA management, frameworks are available on the various platforms to determine which functions can be implemented with MDM.
The smartphone communicates with the server in the background, and interaction with the user isn’t necessarily required. In addition to the SAP-owned company Sybase, reputable MDM providers include Good Technology, MobileIron, and AirWatch.
Combined with ActiveSync, MDM offers the following value-added features, depending on the platform:
- Complete and central device management
- Monitoring and configuration management
- User self-service and remote support
- Device location
- Jailbreak detection
- Application distribution
- Selective deletion functions
The use of Native Client poses a risk, as does mixing business and personal content. What’s more, not all functions are available for every mobile operating system.
Third party client
Using the example of PIM functions, another concept was addressed – namely that of the third party client. This accommodates the fact that many people use their smartphones for both private and business purposes, and keeps the two spheres apart. The devices can still be managed personally, and access to private images, applications, and so on is no problem.
All PIM functions are executed through an encrypted container, which is password-protected and prevents the management of private and business e-mail accounts from a single menu. It includes a selective remote wipe.
With the third party client, Outlook Web App can be severed from the Internet and authentication can take place directly on the application. Encryption is end-to-end. However, Stodt noted that this concept has gained little user acceptance, because it requires people to adapt.
Native or player apps?
In the second presentation, Matthias Kumm (itelligence) and Ralf Stodt (Integralis) showed how companies can provide suitable apps. There are basically two options: first, developing their own native app and second, drawing on a player concept, where preconfigured content increases the chances of faster realization. In most cases, companies should consider both options, depending on circumstances.
A native app connected to a database is complex in terms of programming, because – among other things – developers will need knowledge of the platform’s tools and programming language, for example, Xcode for iOS and Java for Android. In a comparison of the two platforms, iOS scores in sales, distribution, and quality, while Android offers free development tools and familiar programming languages.
If enterprises adopt the player concept, apps can easily be integrated with the back end and developers don’t need specialized programming skills.
Player app for SAP
For the SAP programming language ABAP, there’s it.x-mobile from itelligence. With pregenerated content, the tool offers “self-services for the vest pocket.” Data from SAP is transferred to the smartphone using REST-based services. Default settings are made in the ABAP Development Workbench and then executed within the player concept.
Biometric verification? Not yet!
According to Stodt, biometric verification using voice recognition, iris patterns, or fingerprints is not yet mature enough to hit the market. A secure password is much more important, and there are four authentication levels: device, application, gateway, and portal.
Integralis recommends alphanumeric passwords that are different at every level. Access data should not be saved on the end device. Among possible alternatives are certificates, adaptive authentication, and one-time passwords (OTP).
For adaptive authentication, user-related data such as place, time, and login channel are saved. If irregularities appear, additional authentication is required. In contrast, OTPs cannot be used offline, while external certificates (smartcards) cannot be used with many devices due to a lack of interfaces.
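The adaptive authentication described above can be reduced to a small decision rule: keep a history of where, when, and over which channel a user normally logs in, score each new attempt against it, and demand a second factor when the score is too high. The following is an added illustration in Python, not code from Integralis or the presentation; the attributes (country, hour, channel), the weights, and the threshold are assumptions chosen for the example, and the login history is constructed sample data.

```python
"""Adaptive authentication step-up decision (added example).

Assumed model (not from the presentation): each successful login is
stored as (country, local hour, channel). A new attempt that deviates
from the user's established pattern accumulates risk points; at or
above STEP_UP_THRESHOLD a second factor (for example an OTP) is
required before access is granted.
"""
from collections import Counter
from dataclasses import dataclass

STEP_UP_THRESHOLD = 2  # assumed: two or more risk points trigger step-up


@dataclass(frozen=True)
class Login:
    user: str
    country: str  # place
    hour: int     # time of day in the user's local time, 0-23
    channel: str  # login channel, e.g. "web", "mobile_app", "vpn"


# Constructed sample history: what a normal week looks like for "alice".
HISTORY = {
    "alice": [
        Login("alice", "DE", 9, "web"),
        Login("alice", "DE", 10, "web"),
        Login("alice", "DE", 14, "mobile_app"),
        Login("alice", "DE", 8, "web"),
    ],
}


def seen_values(logins, attr):
    """Set of values of *attr* that appear anywhere in the user's history."""
    return set(Counter(getattr(login, attr) for login in logins))


def hour_distance(a, b):
    """Distance between two hours of day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def risk_score(attempt, history):
    """Score an attempt against the user's history: (score, reasons).

    Assumed weights: +2 for a country never seen, +1 for a time more than
    two hours from every previous login, +1 for a channel never used.
    A user without any history always scores above the threshold.
    """
    past = history.get(attempt.user, [])
    if not past:
        return STEP_UP_THRESHOLD + 1, ["no history for user"]
    score, reasons = 0, []
    if attempt.country not in seen_values(past, "country"):
        score += 2
        reasons.append("new country")
    if all(hour_distance(attempt.hour, h) > 2 for h in seen_values(past, "hour")):
        score += 1
        reasons.append("unusual time")
    if attempt.channel not in seen_values(past, "channel"):
        score += 1
        reasons.append("new channel")
    return score, reasons


def requires_step_up(attempt, history=HISTORY):
    """True when additional authentication must be requested."""
    score, _ = risk_score(attempt, history)
    return score >= STEP_UP_THRESHOLD


def record_login(attempt, history=HISTORY):
    """After a successful (fully authenticated) login, extend the baseline."""
    history.setdefault(attempt.user, []).append(attempt)


if __name__ == "__main__":
    for attempt in (Login("alice", "DE", 9, "web"),
                    Login("alice", "US", 9, "web"),
                    Login("alice", "DE", 3, "vpn")):
        print(attempt, risk_score(attempt, HISTORY), requires_step_up(attempt))
```

The point of `record_login` is that the baseline only grows from logins that completed every required step; feeding unverified attempts back into the history would let an attacker train the system to accept their location and channel.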
Screenshots, keyboard entries, and data in other apps such as Google Maps remain dangers that cannot be wholly avoided. Ultimately, organizations have to strive for a compromise between usability and security.
Secure corporate portals
Norman Wenk, also from Integralis, spoke about the dangers for Web services and corporate portals (infrastructure):
- Cross-site scripting (XSS): attacks on users
- Cross-site request forgery: malicious exploit of communication
- SQL injection: manipulation of internal data
- Directory traversal: unauthorized access to protected areas
- Parameter tampering: manipulation of internal data
- Malicious file execution: manipulation of internal data
The measures that need to be taken to avoid these dangers comprise three steps: secure application development, a Web application firewall (WAF), and the provision of applications, management, and operation.
Application development comprises the phases of the development, integration, and production environment. These reflect the software development lifecycle (SDLC). In the integration phase, various tests are performed – in particular, an examination of the source code to identify security flaws plays a role here. The company VirtualForge, based in Heidelberg, Germany, provides an analysis tool especially for ABAP.
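Two of the findings such a source-code examination looks for, SQL injection and directory traversal from the list above, are shown here as an added Python illustration, each in its flawed form beside its hardened form. This is not the VirtualForge tool, which analyzes ABAP, and not code from the presentation; the in-memory database, the document directory, and the file contents are constructed sample data.

```python
"""Secure application development: two source-code findings and their
fixes (added example). The SQLite database and the temporary document
directories are constructed here as sample data.
"""
import os
import sqlite3
import tempfile

# --- constructed sample data ---------------------------------------------
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (name TEXT, role TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)",
               [("alice", "admin"), ("bob", "user")])

DOC_ROOT = tempfile.mkdtemp()          # files the application may serve
with open(os.path.join(DOC_ROOT, "public.txt"), "w") as fh:
    fh.write("public document")

OUTSIDE = tempfile.mkdtemp()           # a sibling directory it must not reach
with open(os.path.join(OUTSIDE, "secret.txt"), "w") as fh:
    fh.write("secret")
# Relative path that climbs out of DOC_ROOT into the sibling directory.
ESCAPE = os.path.join("..", os.path.basename(OUTSIDE), "secret.txt")


# --- finding 1: SQL injection (manipulation of internal data) -------------
def lookup_role_vulnerable(name):
    """Concatenates user input into SQL: the input is parsed as query text,
    so a crafted value changes the WHERE clause instead of matching a name."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql).fetchall()]


def lookup_role_hardened(name):
    """Parameterised query: the value is bound as data and can only ever be
    compared against the name column, whatever characters it contains."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,)).fetchall()]


# --- finding 2: directory traversal (access to protected areas) -----------
def read_document_vulnerable(relative_path):
    """Joins the requested path onto DOC_ROOT without checking where the
    joined path ends up."""
    with open(os.path.join(DOC_ROOT, relative_path)) as fh:
        return fh.read()


def read_document_hardened(relative_path):
    """Resolves the final path and refuses anything outside DOC_ROOT,
    including absolute paths and '..' components."""
    root = os.path.realpath(DOC_ROOT)
    target = os.path.realpath(os.path.join(root, relative_path))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes document root")
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    print(lookup_role_hardened("alice"))        # ['admin']
    print(read_document_hardened("public.txt"))  # public document
```

The hardened versions share one principle: user input is never allowed to alter the structure of the operation (the SQL statement, the resolved file path); it can only select among results the application already permits.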
WAFs are used to ward off illegal requests and responses. With help from the signature database, a blacklist is created that prevents unauthorized access. Requests are filtered during session management based on a whitelist defined using company guidelines.
Furthermore, in its capacity as access portal, the Web application firewall controls central authorization, such as Web single sign-on and mass authentication. At the same time, the application manager ensures that the application’s availability and performance remain high.
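The two filtering stages described for the WAF, a blacklist built from a signature database and a whitelist derived from company guidelines, can be shown as a small request inspector. The following is an added Python example, not a product or code from the talk: the signatures, the endpoint rules, and the sample URLs are all constructed for illustration, and the patterns are deliberately coarse.

```python
"""Minimal Web application firewall decision logic (added example).

Stage 1 (blacklist): attack signatures standing in for the signature
database; stage 2 (whitelist): per-endpoint parameter rules standing in
for company guidelines. All signatures, endpoints and sample requests are
constructed for this illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Stage 1: one coarse signature per attack class named in the talk.
SIGNATURES = {
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "sql_injection": re.compile(
        r"['\"]\s*(or|and)\s+\S+\s*=|union\s+select|--\s*$|;\s*drop\s", re.I),
    "directory_traversal": re.compile(r"\.\./|\.\.\\", re.I),
    "malicious_file": re.compile(r"\.(php|jsp|exe)(\?|$)", re.I),
}

# Stage 2: which parameters each endpoint accepts and what a value must look like.
ENDPOINTS = {
    "/timetable": {
        "station": re.compile(r"^[A-Za-z ]{1,40}$"),
        "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    },
    "/ticket": {"id": re.compile(r"^\d{1,10}$")},
}


def inspect(url):
    """Decide whether a GET request may pass. Returns (allowed, reason)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %xx

    # Stage 1: blacklist over the path and every decoded parameter value.
    for text in [parts.path] + [value for _, value in params]:
        for name, signature in SIGNATURES.items():
            if signature.search(text):
                return False, "blacklist:" + name

    # Stage 2: whitelist; anything not explicitly described is rejected,
    # which also catches parameter tampering (unexpected or malformed values).
    rules = ENDPOINTS.get(parts.path)
    if rules is None:
        return False, "whitelist:unknown endpoint"
    for key, value in params:
        if key not in rules:
            return False, "whitelist:unexpected parameter " + key
        if not rules[key].match(value):
            return False, "whitelist:bad value for " + key
    return True, "ok"


if __name__ == "__main__":
    for sample in ("/timetable?station=Munich&date=2011-05-01",
                   "/timetable?station=%3Cscript%3Ealert(1)%3C/script%3E",
                   "/ticket?id=12&admin=true",
                   "/ticket?id=abc"):
        print(sample, "->", inspect(sample))
```

Running the blacklist first gives a recognisable reason for logging and alerting; the whitelist then rejects everything the guidelines did not foresee, which is why it, and not the signature list, is the stage that has to be kept in step with the applications behind the firewall.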