Infosys experts share their views on how digital is significantly impacting enterprises and consumers by redefining experiences, simplifying processes and pushing collaborative innovation to new levels


September 26, 2016

Mobile Apps Security: Is it a challenge?

Author: Jitendra Jain, Senior Technology Architect (HILife - Architecture & Design Group)

Introduction

Mobile app security is one of the most discussed topics in today's digital arena, where it has gained phenomenal traction. This major shift in the security landscape has drawn the attention of mobile app vendors, mobile app developers and almost all small and big mobility enterprises, including Google, Apple, Nokia, Samsung and Microsoft. Mobile app security can be defined as the way we protect mobile or smart devices from software attacks by attackers or hijackers, including malware, harmful viruses and other kinds of illegal activity. The consequences of a mobile attack can be very severe in some instances, where the complete device data and controls are compromised.

The term "mobile app security" can also refer to the various technologies and industry best practices used to minimize the risk of exploits against mobile devices through their installed apps.

According to Gartner, "Mobile Data Protection (MDP) systems and procedures are needed to protect business data privacy, meet regulatory and contractual requirements, and comply with audits." Additionally, "Most companies, even if not in sensitive or regulated industries, recognize that encrypting business data is a best practice."

In other research, Gartner highlighted that by 2020, the breach of business-critical and confidential sensitive data on a single endpoint will incur average mitigation costs of 70 times or more than the original price to implement encryption strategies and solutions on all the endpoints in an enterprise.

What Exactly Do Attackers Want? (Mobile attack injection points)

  • User credentials
      o To log in to the device
      o To use external 3rd party services (email, banking info, business critical info etc.)
  • Your personal information (identity info)
      o Full name, PAN/TIN/SSN/SIN
      o Address book data (contact details)
      o Geo location data (coordinates for planning)
  • Cardholder's secure data
      o Credit/debit/loyalty card numbers, expiration dates, PIN, CVV (used for cloning)
  • Hijacking of, or access to, your device in order to
      o Sniff your connections
      o Misuse your device for botnets, spamming and illegal activities
      o Steal trade secrets or other sensitive confidential data


Major Vulnerabilities and Threats for Mobile Devices

Below are the main vulnerabilities and threats for mobile devices that cause mobile security issues.

  • Usage and storage of bad data
  • Malware and phishing attacks
  • Architectural and design flaws
  • Unauthorized access
  • Data leaks during syncing operations
  • Data caching vulnerabilities
  • Weak device encryption standards (the iOS platform is better than Android)
  • Usage of untrusted, suspicious mobile devices and networks
  • Usage of apps created by unknown parties or vendors
  • Massive interaction with other non-reliable systems
  • Use of untrusted content, resources and URLs
  • Non-optimal usage of location services (GPS capabilities)


How to Secure Mobile Devices?

We can follow the tips and techniques below to avoid major vulnerabilities and threats and secure our mobile devices.

  • Always lock your device: Maintain strong passcodes and complex patterns to restrict unauthorized device access.
  • Always know your apps before you use them: Know the app details and download only from trusted app stores.
  • Keep software up to date: Ensure you have the latest app version with security patches.
  • Monitor data usage: Keep a close eye on daily or hourly mobile data usage statistics for active devices. High data usage scenarios should be closely tracked and verified. Monitor network activity on a regular basis as well.
  • Judge the mobile behavior: Always identify any suspicious or malicious change in behavior using appropriate software and tools.
  • Use mobile security software: Use best-in-class software (anti-virus, anti-malware etc.).
  • Optimal data caching technique: Avoid hard storage; instead, implement a data caching approach so that the cached data is automatically wiped every time the device reboots.
  • Advanced app analysis: Perform advanced app security analysis regularly to detect known and unknown threats and vulnerabilities.
  • Strong security design policy: Enterprise security policies on the mobile device must be strong enough to protect the devices.
  • BYOD strategies: Enterprises that are embracing mobile computing and the bring your own device (BYOD) concept seem very vulnerable to security breaches unless they follow strong methods and use the latest cutting-edge security tools and technologies for mobile application security testing and risk assurance.


Some Quick Tips to Protect your Mobile Device

  • Do consider security features when buying a mobile or smart device.
  • Do configure your mobile device with security features.
  • Do configure web accounts to use secure connections (HTTPS/SSL) over network-provided wireless/LAN connections.
  • Never follow links shared by an unknown sender through any channel, such as suspicious email or text/voice messages.
  • Do consider what information and data is stored on the device.
  • Do you really need all available apps? Yes or no, think again before you install.
  • Plan and try to keep physical control of your devices; this is especially important in open, public or semi-public places.
  • Always disable external interfaces when not in use (Infrared, Wi-Fi, Bluetooth, Hot-Spot).
  • Always keep Bluetooth-enabled devices in non-discoverable mode.
  • Do not join any unknown Wi-Fi networks or public Wi-Fi hotspots. It is a big risk.
  • Always clear memory after use or before you discard the device.
  • Be extremely careful whenever using social networking applications.
  • Never "root" or "jailbreak" the device. Your device security may be at high risk.
  • Do act quickly if your mobile device is stolen.


Standard Mobile Data Protection (MDP) Solutions

For big enterprises it is always better to use standard mobile data protection (MDP) solutions. There are a lot of open source and commercial platforms available, which we can choose and use based on business requirements. As per Gartner, below are the leaders and visionaries in the MDP space.

References 

www.mcafee.com/us/independent-reports/gartner-mq-mobile-data-protection.aspx

September 19, 2016

BLOCKCHAIN: CHANGING THE WAY WE DO BUSINESS IN FINANCE AND BEYOND

Introduction

There's been a great deal of buzz lately about the blockchain and its application to the finance industry. But the new news is its impact on other industries such as government, energy, healthcare, retail and media among others. Corporate leaders now need to think differently about their digital, financial and customer strategies. In the past year, Australia has become a hotbed of blockchain activity, riding high on the digital wave. Blockchain, coupled with other digital technologies, is changing entire business models across Australia, as well as the world.

Australian banks are on a blockchain high

The NAB, Westpac, CBA and Macquarie Bank are among the more than 45 financial institutions that are part of the R3 consortium initiative. These banks, and a number of major international financial institutions with a presence in Australia, including Citi, Goldman Sachs, HSBC and Morgan Stanley, are engaged in finding new ways of leveraging blockchain technology. As a result, the first purely virtual banking branch, enabled by the blockchain and digital technologies, is not far away.

Securities exchanges: T+3 day settlement to near real-time

Securities exchanges, including the Australian Stock Exchange (ASX) and NASDAQ, are testing the blockchain model for activities such as post-trade services and managing shares in private companies. ASX was one of the first international stock exchanges to pilot blockchain technology, working in collaboration with its legacy system for its post-trade clearing solution. Recently, ASX announced its intent to base its new post-trade platforms on the distributed ledger technology that blockchain affords. The ASX is moving forward with the blockchain to potentially replace its core post-trade cash equities system. This brings us even closer to moving from T+3 day settlement to near real-time settlement.

Trade finance: Smart goods
 
Blockchain technologies also apply to trade finance: managing digital sales and other finance and accounting contracts on the blockchain can enable the location of goods to be tracked, which can, in turn, facilitate payments in close to real time. In the trade finance space, this will have positive implications for importers, exporters, shipping, logistics and insurance companies in the future. Trade finance is also increasingly becoming a top use case in the R3 consortium, with various trade finance pilots to be run across the globe.

In Australia, one of the leading four banks is already seeing great potential for the blockchain in trade finance, backed by results from the many experiments it has completed over the past year. This particular bank is currently collaborating with global banks and export clients, including one effort that entails sending cotton shipments abroad. In this trial, a monitor linked to GPS technology is placed inside a cotton container connected to the Internet of Things to provide the insurer of the goods and the buyers with the real-time condition and status of the shipment.

Beyond finance

As a shared public ledger platform with distributed architecture, blockchain-based applications have the potential to drive new business models not only in banking, finance and securities, but in other sectors as well. In Australia, we are seeing enterprises exploring applications in the public sector across government, energy, retail, healthcare, and the media industry.


Public sector - Government

Data61, which is a research unit of the Commonwealth Scientific and Industrial Research Organization (CSIRO), is working with the Australian Federal and other government agencies to review how the blockchain can be used in both the public and private sectors with the intent to find practical use case scenarios for pilots.

Imagine a future state where governments digitize property titles or other information such as business licenses, property trade-ins, and birth certificates. The blockchain will allow citizens to digitally transact without lawyers, notaries or physical presence at government offices, resulting in a strong digital, online government. Blockchain could also be used for record keeping, digital voting and legal contracts.

Digital voting:
With the high demand for digitization, and technology shifts opening up new approaches, Australia Post is planning a blockchain-based digital voting solution for 2017 elections. It has announced that it will start conducting tests of digital voting via blockchain technology in a bid to reduce costs, ensure verified identity, and improve efficiency. A new Australian political party called Flux is aiming to change the way Australians vote by using the Flux app, built entirely on the blockchain platform.

Smart contracts:
The other area of note is the government/legal industry, which is being digitized. The huge amount of paperwork involved in this area has resulted in a high cost of tracking paper trails for legal officers, barristers, citizens, etc. It will be a win-win for both legal agencies and citizens if all contractual instruments are digitized and blockchain technology is employed to securely store them in a shared ledger. This is what niche firms like Stampery are focusing on. Once recorded, the document becomes digital proof of what exactly transpired between the contracting parties and at what time. Digital proof in legal cases could be required for anything from a property dispute, marriage, and divorce to a home sale.

These are just a few, early examples of how blockchain-based applications in the government can transform how we do business. There is indeed a lot happening in this space and it is very likely that blockchain applications, with underlying digital technologies, will be high on the agenda of the Government Digital Transformation Office to boost economic growth by encouraging more innovation in this digital world.

Healthcare

Blockchain-based use cases and applications are emerging in healthcare as well. In most countries, including Australia, the system to store patient records is fragmented since they are maintained in siloed systems managed by healthcare providers. For example, a patient's medical history is split between GPs, specialists, chemists, and hospitals. Doctors, specialists and medical staff face many challenges when trying to communicate data with entities outside of the organization. We can perceive how blockchain technology could be used in public and private institutions for things such as health and aged care records. In fact, startups such as Brontech in Australia are already using the blockchain to build a platform that can help establish security and trust in the healthcare system to more transparently share a patient's record across entities.


Energy

Recently, a Perth-based company announced the commencement of the trials of peer-to-peer (P2P) solar energy trading with the aim to change the way energy trading is done in the country. This is in pilot stage where individuals can buy, sell or exchange excess solar electricity through blockchain-based software instead of on the grid. The company plans to deploy in Perth and Victoria by 2017 based on the success of the pilot.

Retail

Blockchain technology can help in the supply chain of materials and products by giving consumers greater transparency about product authenticity and origin across the complete supply chain journey, which in turn gives them the high-quality information needed to make more informed choices. Implementing supply-chain transparency using a distributed ledger drastically reduces the high initial cost for participants, eliminating third parties involved in the product-to-consumer journey. Companies like Provenance are starting to use blockchain-based technologies, and we can expect that retailers will soon ask for more blockchain-based applications, pushed by customers who want even more transparency and security to make informed choices.

Media

Blockchain-based technologies can secure the IP of creative works like music, images, videos etc. A blockchain distributed ledger can be a reliable and transparent way to make it possible to enforce usage rights. Companies like IBM and Samsung are planning multiple pilots built partly using Ethereum, which is a blockchain-based framework, to demonstrate how blockchain can support such use cases. In future, we might see newspaper agencies evolving their business model to charge readers per article or per video view rather than through monthly or weekly subscriptions.

Conclusion
 
Blockchain technology is rapidly developing its applications beyond finance. Just as the Internet created new possibilities that we didn't foresee in its early years, the blockchain will create new business models and ideas that will become apparent over time. The technology has immense potential to reduce fraud among users as they share data across people, devices and businesses, because of its built-in transparency and trust protocols. With early adoption of blockchain technology, the day-to-day complications and exception handling of paper-based invoicing and fulfilment systems can also be eliminated, which is key to every organization given the power of the technology to manage disputes and legalities. We are at a stage where we must educate ourselves and innovate to see all the possibilities of this transformative technology.
