This is the first post in a two part series about security. In this post, I tackle the issue of responsibility. In Part II, we’ll explore some things that developers need to know to help them write secure apps.
I sat on a panel recently at Sprint’s Open Solutions Conference in San Jose titled “Consumer Application Security for Developers”. Sexy topics like application security rarely pack a session hall at any conference and this was no exception. However, the attendance was much higher than I expected (about 30 people) and the discussion was very lively and interactive. It was immediately clear to me that developers – perhaps as consumers themselves – are thinking more about security than they had in the past. This is a good thing.
Whose Problem is Security?
One of the first questions that came up in the panel was: “Whose problem is security?” Our moderator suggested a number of potential “owners” for this problem and posed the question to his panel. Is it the carrier’s problem? How about the Handset OEM? The OS? Your employer’s IT admin? The app developer? The consumer? As you can see, there are a lot of parties to point fingers at when something goes awry.
I couldn’t help but jump on this one first. The answer is obvious: Security is everyone’s responsibility. Each player in the mobile device value chain is responsible for providing a secure environment over the part they control. At its most fundamental level, security is about protecting valuable assets from those who seek to steal or exploit them. You wouldn’t leave your house in the morning without locking the door, right? Even greater diligence is required in the digital world because the value can be greater, and the thieves are invisible.
Security is everyone’s responsibility
The Carrier: The carrier is responsible for providing a network that is secure from being attacked, snooped, or otherwise compromised. As carriers reduce their investments in their own app catalogs, their responsibility with app security lessens but responsibility for cellular and data network integrity remains.
The Device: The device’s operating system (OS) is at the center of security. The OS’s responsibility is to provide a secure environment for all applications, services, data storage, and network connectivity. The OS is responsible for handling permissions and defending against viruses and malware. Attackers primarily seek to exploit weaknesses in the OS or in its core applications such as web browsers. This is why it’s so important to design security into the OS when it’s being architected and built. Platform providers that offer App Stores have an additional responsibility to ensure that the apps it stocks in its store are safe from malware and abuse like piracy. It should be no surprise to anyone that RIM takes the issues of security very seriously.
The IT Administrator: The number one responsibility of IT at any high-tech company is protecting the company’s Intellectual Property (IP) –it’s like the crown jewels of the company’s value. In a world where IT administrators directly managed the mobile devices that had access to the company’s jewels, their ability to protect them was pretty clear. However, with today’s BYOD trend, their ability to protect the company’s assets and IP has become less clear. Only RIM has addressed this uncertainty and given control back to IT administrators and CIOs with its BlackBerry Mobile Fusion (IT’s MDM Portal) and BlackBerry Balance (the client side partitioning; controlled by a simple gesture). With these products and services, IT administrators can enforce corporate security policies and manage remote devices with confidence.
The App Developer: App developers have a responsibility too. It’s their job to build an application that can’t be exploited by attackers and protects sensitive information that the user provides. Strong operating systems provide many mechanisms for app developers to ensure their app isn’t the “unlocked window” that gains access to someone’s identity or bank account. App developers need to think about security as an end-to-end problem. This includes making secure network connections, encrypting local data on the device, and ensuring servers with sensitive customer data are adequately protected from attack.
The Consumer: Consumers need to be mindful as well. Use device passwords (and not “1234”) and, perhaps most important of all, be suspicious of applications asking for permissions to access files, social networks, and your contact list. RIM offers a great product for consumers called BlackBerry Protect that helps keep the information on your device backed up and secure should your device get lost or stolen. BlackBerry Protect also allows you to wipe all the data off your device remotely as well as display an alert message on the home screen should you lose your BlackBerry device.
Why is BlackBerry 10 so secure?
BlackBerry 10, RIM’s upcoming mobile computing platform, is built on QNX’s Real-Time Operating System. Sebastien Marineau, VP of OS Platforms at RIM, wrote a great article recently titled “How BlackBerry 10 avoids Android’s Security Issues”. In the article, Sebastien notes that the QNX RTOS has approximately 100,000 lines of code whereas a standard Linux implementation is around 14 million lines of code. QNX is 1% the size of Linux. When it comes to security, the fewer places where bugs and security exploits can hide, the better! Because QNX is so tight, and because it’s been designed with security in mind from day 1, it’s extremely hard to break in.
In addition, BlackBerry 10 includes BlackBerry Balance: a new, unique, and innovative capability that allows consumers to enjoy the full range of both a personal mobile device and a secure, encrypted work device without compromising on either one. No other mobile device can do this. With one simple gesture, the user can switch the device from “Personal” mode (wide open with all their apps, music, media, etc.) to “Work” mode (fully secure as if on your work’s VPN). Using BlackBerry Mobile Fusion, IT administrators can manage their company’s devices remotely and securely (including Android and iOS devices!).
In this blog post, we explored the responsibility of security — who owns what piece and why it’s so important. My next post on this topic, titled “Application Security Part II: What Should App Developers Do?” will explore different things developers can do to make sure they’re writing solid, high quality, secure mobile applications.