Chris is right, I was endorsing the security of the cellular networks, not judging the security of other networks. I did point out one thing that is more important than the native security of any network; that is the network’s ability to accept other security measures on top of its own.
I was speaking with a customer in D.C. about data security. He told me that the other carriers were preparing elaborate presentations for him about encryption methods, signaling protocols and all kinds of other technical stuff. He then asked me if I would do the same. I answered him with one long question: “If I told you that we used the best encryption algorithms allowed by the Federal government, broke up the data and sent it over multiple data paths so that hacking one or more channels would reveal nothing of use, that our air interface had never been hacked by any method, and that I could assure you that all of your data would be 100% secure on our network, would you settle for that level of security?” His answer was “of course not.” Me: “So why should I waste your time with a long, drawn-out presentation on our security levels when the real answer is that your data is going to be as secure as YOU make it.” Customer: “Good point.”
That answer saved me hours of PowerPoint work and helped net T-Mobile a 10,000-line government contract. The point that the customer and I discussed in more detail was that the security of the data channel is secondary to the security that they wanted to lay on top of it. Network security is important to Joe Customer and for off-the-shelf software. The network’s ability to handle additional security layered on top of its own is what matters to truly secure applications.
With this in mind, WiFi, WiMax, HSPA, EV-DO and even Bluetooth will be as secure as YOU make it with the security options you choose to use.
Mark
Mark Jenkins
President
Marquis Mobile Solutions, Inc.
830 New Century Boulevard South
Maplewood, MN 55119
Good point. Even if the data stream is secure, how do you let the customer know it? That is the role of security certifications and some industry groups that will test your solution (for a price) and then let you add their seal of approval to it.
Mark
Mark Jenkins
President
Marquis Mobile Solutions, Inc.
830 New Century Boulevard South
Maplewood, MN 55119
From: mobile-tw...@googlegroups.com [mailto:mobile-tw...@googlegroups.com] On Behalf Of Hashbrown
Sent: Thursday, June 18, 2009 9:08 AM
To: mobile-tw...@googlegroups.com
See my notes within your e-mail.
Mark Jenkins
President
Marquis Mobile Solutions, Inc.
830 New Century Boulevard South
Maplewood, MN 55119
From: mobile-tw...@googlegroups.com [mailto:mobile-tw...@googlegroups.com] On Behalf Of Chris Mitra
Sent: Thursday, June 18, 2009 9:42 AM
To: mobile-tw...@googlegroups.com
Subject: Re: Security Concerns with Mobile commerce
If the data is in the clear (not SSL), then it could still be snooped downstream.
(MEJ – All cellular data channels are encrypted and secure. SMS or text messaging is an exception. Text messages, or data over the SMS gateway, are sent in the clear.)
You eliminate one point of access by using a secure local link layer, but the data is still going through 3rd party routers / etc. Of course, it is probably much more likely that snooping would occur at your endpoint than at any of the routes in between -- but it would still not be "secure."
What I've come to discover is that in the case of native apps, ultimately it comes down to trust in the developer. Once an app can run software on your device, all bets are off, whether you are entering secure data or not. For example, on most mobile platforms, there is nothing preventing an app from pulling all your contacts from your contacts DB and submitting them to a website behind your back.
(MEJ – On most, but not all! BlackBerries allow the user to “allow” or “disallow” this kind of access for every application that they load on their device. Of course, the consumers who know about it and understand it are few and far between.)