4 min read

Mobile security isn’t going to just happen

Security pros need to get hands-on

The future is mobile, folks. The real question is, Are you ready for it? Really ready for it?

I’ve spent the better part of the last six months learning and studying all I could about the iOS and Android worlds. For all sorts of reasons, I firmly believe that these platforms are going to be integral to our computing needs well into the future. The combination of hardware speed, size and availability, along with the maturity of the software, shows that the time is now.

Of course, that’s no great revelation. Anyone even remotely watching the IT world would have to know that mobile devices have been having significant impact for some time now.

But what does all this have to do with security? Well, despite the many innovations that were necessary to create our mobile world, there are many aspects of today’s mobile platforms that represent significant steps backwards, at least from a security perspective. Despite their Unix-derived lineage, most of today’s mobile platforms are basically single-user systems, with all the security of Windows 3. OK, Windows 95 … but little else. (Running all iOS apps as root? Seriously, Apple? What were you thinking?) There’s much to be done in the area of security for our mobile systems.

So, just how do we go about making mobile systems more secure? To answer that, we need first to take a brief look at how the IT security community has fared over the past few decades. Most significantly, since the explosive growth of the Internet got under way in the mid-1990s (largely due to the Web), we’ve been focusing our attention on applying add-ons to try to secure our systems.

We’ve built firewalls to put in front of our systems. We’ve developed intrusion detection (and “prevention”) systems to watch over our systems. We’ve put antivirus and personal security products on our desktops and laptops. We keep on adding security products to our systems, but the problems continue to get worse every year, not better.

You see, all these add-on approaches amount to rearguard actions, with fixes applied after the fact. By any objective measure, these practices haven’t done much to protect us from each novel attack that has come along.

One of the principal reasons for all these failures is that our software is broken. We use antivirus software because the operating systems have failed to protect us. We use firewalls because our applications fail to protect themselves. And so on.

I am convinced that until and unless we’re willing to roll up our sleeves and get down and dirty with the software that our systems run, we’ll continue to fail by trying to add security on after the fact. This approach is doomed, people.

Now, let’s bring this all back to the mobile world.

The pessimist will say we’re doomed because of the clear security weaknesses found in the most popular products. The optimist, on the other hand, might well see an opportunity. (No, not an opportunity to sell security products.)

We’re staring at an exciting new world that is fraught with both peril and opportunity. What we have here practically amounts to a blank slate. We can repeat our failures of the past and try to add security in later, or we can try to get things right earlier in the game.

Specifically, if you’re with me in saying that the problem is in the software, we’ve got to do a better job at engaging the software developers, and we need to understand their worlds.

To that end, I say that if mobile security is important to you, you need to be diving into these technologies and learning how they work. Go out and become an Android developer, and an iOS developer. Learn the technologies. Learn the languages — Java and Objective C, primarily. Write some “Hello World” (and hopefully a bit more) apps and see how things work in the mobile world.

If you’re not a software guy or gal, this probably sounds pretty daunting. But rest assured, there are some fabulous resources out there that can make life a bit easier for you.

In the iOS world, start by going to iTunes University and getting (for free) the Stanford University course “Developing Apps for iOS.” Apple also has a couple of free iBooks on Objective C, COCOA (the user interface framework) and more. Then sit down and study. In the Stanford course, you’ll start by writing a simple calculator app for your iOS device. Write it. Install it on your iPhone and try it. (You might even find it kind of fun.)

Over in Android land, the folks at Google have some fabulous learning resources available online as well. Your starting point here should be the Google Android Developer portal.

Naturally, there will be a learning curve, for either platform. If you’ve never been exposed to object-oriented programming, getting your head around that will probably be the toughest hurdle.

Also look at what groups like OWASP, the Open Web Application Security Project, are doing. There are a couple of projects and initiatives within OWASP that are addressing mobile security in a big way. These are all free to you as well.

Two OWASP projects that are specifically worth keeping an eye on are the OWASP Mobile Security Project and the OWASP iGoat Project. (Full disclosure: I’m the project leader on iGoat, which is a hands-on learning tool for iOS developers. It is on track for its first public release in June.)

But, without a doubt, the time you spend learning these topics will benefit you directly and indirectly.

The mobile world offers an exciting future. We security practitioners are in a position to help make that world be secure enough for our business needs. But if we simply try what we’ve done in the past, we’re doomed to relive the failures of the past.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University’s CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Computerworld (US)