3 | WHITE PAPER: IDENTITY IN MOBILE SECURITY
ca.com
Introduction
In recent years, the concept of “Anywhere, Anytime Computing”
has become the common denominator in driving personal
electronic device sales, as users adopt new categories
of devices such as smartphones, tablets, and smartTVs. These
devices enable consumers and employees to access
information and services from almost any device at any time.
Gartner studies show that the estimated mobile phone market
is to reach 1.8 billion devices in 2013¹.
As the surge in mobile device sales continues, the number of
iOS and Android applications that provide a more personalized
app experience for both professional and private usage is
proliferating. To meet high demand, developers worldwide are
leveraging social network identity platforms or enterprise
identity systems to provide a customized app experience. On
top of this, applications and data are now dispersed in multiple
datacenters around the globe, and the primary challenge is
how to manage the increasing number of user identities that
need to securely access these applications². However, protecting
one's identity information may not be taken into consideration
as often as users would like. In many cases, users need to
access different resources that reside in a cloud environment or
behind an enterprise firewall. Thus, fortifying identity has
superseded the traditional enterprise network perimeter as the
new model for security.
The concept of using identity as a basis of access control is not
a new digital invention; national passports for example have
been an unequivocal source of identity verification for over 600
years. But the ease of transferring information in a digital and
mobile-enabled world has made confidential data management
more imperative, especially in mobile applications.
Payment by mobile device is an example of a new and innovative
mobile service that relies heavily on verified but sensitive user
information. Exactly how any mobile app accepts user credentials
and verifies information is a critical success factor. Therefore, two
parts exist for this issue: authentication and protection of data.
Mobile apps need to resolve and verify user identities in a reliable
and trustworthy manner. The OAuth protocol was introduced to
defeat the password anti-pattern, where users previously had to
share their credentials with apps whenever access to a protected
resource was necessary. Even though OAuth has improved the
situation, the user is still often required to type out passwords.
Consequently, this has led to increased usage of low-entropy
passwords. A recent study showed that approximately 82% of
passwords were cracked within an hour³.
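The delegation model the paragraph above describes is easier to see in code. The following is an added illustration written for this page, not code from CA or from any OAuth implementation: a toy authorization-code flow in which the user authenticates once with the authorization server, the mobile app receives only a scoped, expiring token, and the backend accepts that token instead of a password. All names, passwords, scopes and client identifiers (`alice`, `mobile-app-1`, `balance:read`, `balance:write`) are constructed for the example, and the token and code handling is simplified relative to the real protocol.

```python
# Added illustration (not CA's or any vendor's code): a toy OAuth-style
# authorization-code flow. Names, passwords, scopes and client ids are constructed.
import hashlib, hmac, os, secrets, time


def _hash_password(password, salt):
    # Salted PBKDF2: the authorization server never stores the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationServer:
    """The only party that ever sees the user's password."""

    def __init__(self, clients):
        self._clients = set(clients)   # registered client ids
        self._users, self._codes, self._tokens = {}, {}, {}

    def register_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login_and_consent(self, username, password, client_id, scope, code_ttl=60):
        # The user authenticates here directly (e.g. in a system browser); the app
        # only ever receives the one-time code returned at the end.
        if client_id not in self._clients:
            raise PermissionError("unknown client")
        salt, stored = self._users.get(username, (b"", b""))
        if not stored or not hmac.compare_digest(stored, _hash_password(password, salt)):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"sub": username, "scope": frozenset(scope),
                             "client_id": client_id, "exp": time.time() + code_ttl}
        return code

    def exchange_code(self, code, client_id, token_ttl=3600):
        # Codes are single-use and bound to the client they were issued to.
        grant = self._codes.pop(code, None)
        if grant is None or grant["exp"] < time.time() or grant["client_id"] != client_id:
            raise PermissionError("invalid code")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = dict(grant, exp=time.time() + token_ttl)
        return token

    def introspect(self, token):
        # Resource servers ask here whether a token is live and what it allows.
        grant = self._tokens.get(token)
        return None if grant is None or grant["exp"] < time.time() else grant


class ResourceServer:
    """Backend API that accepts tokens, never passwords."""

    def __init__(self, auth_server):
        self._auth = auth_server
        self._balances = {"alice": 42}   # constructed sample data

    def _grant(self, token, needed_scope):
        grant = self._auth.introspect(token)
        if grant is None:
            raise PermissionError("invalid or expired token")
        if needed_scope not in grant["scope"]:
            raise PermissionError("insufficient scope")
        return grant

    def read_balance(self, token):
        return self._balances[self._grant(token, "balance:read")["sub"]]

    def transfer(self, token, amount):
        sub = self._grant(token, "balance:write")["sub"]
        self._balances[sub] -= amount
        return self._balances[sub]


def _blocked(action):
    # True if the authorization layer refused the action.
    try:
        action()
        return False
    except PermissionError:
        return True


def demo():
    """Runs the flow once and reports what the app could and could not do."""
    auth = AuthorizationServer(clients=["mobile-app-1"])
    auth.register_user("alice", "correct horse battery staple")
    api = ResourceServer(auth)
    # 1. The user logs in at the authorization server; the app gets a code, not the password.
    code = auth.login_and_consent("alice", "correct horse battery staple",
                                  "mobile-app-1", ["balance:read"])
    # 2. The app exchanges the code for a scoped token, the only secret it ever holds.
    token = auth.exchange_code(code, "mobile-app-1")
    return {"balance": api.read_balance(token),
            # 3. Scope is enforced: a read-only token cannot move money.
            "write_blocked": _blocked(lambda: api.transfer(token, 10)),
            # 4. A replayed code yields nothing.
            "replay_blocked": _blocked(lambda: auth.exchange_code(code, "mobile-app-1")),
            "bad_password_blocked": _blocked(lambda: auth.login_and_consent(
                "alice", "wrong", "mobile-app-1", ["balance:read"]))}
```

Running `demo()` returns the read balance alongside three `True` flags: the read-only token cannot write, the authorization code cannot be replayed, and a wrong password never produces a code. The point the paper makes is visible in what the app holds: a token the server can scope and expire, rather than the user's reusable password.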
This is a concern: user identity has quickly become the main
critical service enabler, which means a stronger focus on
mobile security is paramount. Until very recently, the mobile
industry as a whole has been mainly concerned with device
management; what has been missing is a renewed focus on
enabling secure applications. In collaboration with Samsung, the
NSA (National Security Administration) has taken a step in
this direction by creating SE Android. However, this solution is
only available through the Samsung Knox program, and does not
address a particularly important scenario: the mobile app
consuming sensitive data on the backend.
By looking at the security gaps in mobile applications, the
following critical areas must be resolved in protecting user
identity and data. First, mutual trust should be established
between the client app and the backend API provider. Second, an
enterprise or organization’s identity management infrastructure
must develop a method of assisting mobile apps that require
access to resources behind firewalls. Third, the use of
username-password authentication schemes must be reduced to a
minimum while security rules are still applied.
This paper brings forth recent threats that have affected millions
of users and suggests a strong yet simple low-cost solution that
not only allows mobile apps to access sensitive data, but retains
the trustworthiness of client apps and their users.