Security Concerns with Mobile commerce


Brad

Jun 17, 2009, 6:43:05 PM
to Mobile Twin Cities
I'm looking for wisdom from the group regarding mobile security,
particularly as it pertains to shopping from your phone. There has
been a long effort to provide secure shopping on the internet, and
convince users of its safety, and we will now be encountering the
same issues for mobile users.

Now for phones like iPhone and Android with real browsers, I would
assume the security measures are no different than any web commerce,
ensure forms with sensitive content are posted from https pages.

Are there any different security concerns because it's a phone? I
imagine if you are using wifi, then it depends if the access is
secured with WEP/WPA, otherwise others could sniff the requests
between the phone and the router. Again, if the requests are over
https you should be fine anyway. How about on the provider like EDGE
or 3G? I'm assuming those are using proprietary protocols or at least
some sort of private key encryption for all the data?

Finally, what if I'm shopping via a native app, like the Amazon store
application. The purchases do not go through a browser, so how do I
know as a user, that my data is secure OTA?

These were some of the thoughts I was having, and would welcome any of
your input.

Thanks!

Brad

Mark Jenkins

Jun 18, 2009, 1:33:01 AM
to Mobile Twin Cities
Brad,

Short answer on the cellular data networks - they are very secure AND
very accommodating of additional security layers.

Long answer - I consulted with the NSA and NCS on Secure GSM, so I can
get as technical as you want on this. I can point you at the technical
documents you might want to support the short answer. Let me know if
you want to dig deeper into this part of the communications chain.


Mark


Mark Jenkins
President

Marquis Mobile Solutions, Inc.
830 New Century Boulevard South
Maplewood, MN 55119
+1 (612) 701-2019
www.MarquisMS.com

Hashbrown

Jun 18, 2009, 9:35:27 AM
to mobile-tw...@googlegroups.com
Thanks for the reply Mark.  Don't need the details at the moment, just looking for advice I can tell users.  Sounds like, given the option, I'd rather do my mobile commerce while on my network versus a wifi connection.

Brad
--
Tweets: http://twitter.com/hashbrown1
Posts: http://www.HashbrownOnTheMic.com

Chris Mitra

Jun 18, 2009, 9:49:26 AM
to mobile-tw...@googlegroups.com
I don't think you should interpret Mark's response as advocating against using Wi-Fi for mobile commerce.  (Mark, I don't think you were implying that, were you?)

Actually, it should not matter what type of network you are on.  Any e-commerce site that uses HTTPS (which should be all of them) will be encrypted end-to-end.  SSL/TLS lives above WiFi & 3G in the network stack (at the Transport layer), so neither type of connection would be able to inspect the contents of the data.  SSL/TLS is designed to provide end-to-end encryption on potentially unsecure networks.

If you are not using HTTPS for commerce-related transactions, then it's another story.

Chris

Hashbrown

Jun 18, 2009, 10:08:08 AM
to mobile-tw...@googlegroups.com
Yep, agreed Chris.  I made the point about https in my original post.  What is still unknown to me is the security of native applications.  They may be using an https protocol under the hood, but without a browser address bar, how is the user to know?  How can users trust the security of any sensitive data they might submit to an app store application, for example?  In that case, it seems that I could feel fairly confident if I was on my network, but not wifi. ??

Brad

Mark Jenkins

Jun 18, 2009, 10:26:41 AM
to mobile-tw...@googlegroups.com

Chris is right, I was endorsing the security of the cellular networks, not judging the security of other networks.  I did point out one thing that is more important than the native security of any network; that is the network’s ability to accept other security measures on top of its own.

I was speaking with a customer in D.C. about data security.  He told me that the other carriers were preparing elaborate presentations for him about encryption methods, signaling protocols and all kinds of other technical stuff. He then asked me if I would do the same.  I answered him with one long question: “If I told you that we used the best encryption algorithms allowed by the Federal government, broke up the data and sent it over multiple data paths so that hacking one or more channels would reveal nothing of use, that our air interface had never been hacked by any method, and that I could assure you that all of your data would be 100% secure on our network, would you settle for that level of security?”  His answer was “of course not.”  Me: “So why should I waste your time with a long, drawn-out presentation on our security levels when the real answer is that your data is going to be as secure as YOU make it.”  Customer: “Good point.”

That answer saved me hours of PowerPoint work and helped net T-Mobile a 10,000-line government contract. The point that the customer and I discussed in more detail was that the security of the data channel is secondary to the security that they wanted to lay on top of it.  Network security is important to Joe Customer and for off-the-shelf software.  The network’s ability to handle additional security layered on top of its own is what matters to truly secure applications.

With this in mind, WiFi, WiMax, HSPA, EV-DO and even Bluetooth will be as secure as YOU make it with the security options you choose to use.

Mark

Mark Jenkins

Jun 18, 2009, 10:30:05 AM
to mobile-tw...@googlegroups.com

Good point.  Even if the data stream is secure, how do you let the customer know it?  That is the role of security certifications and some industry groups that will test your solution (for a price) and then let you add their seal of approval to it.

Mark

Chris Mitra

Jun 18, 2009, 10:42:08 AM
to mobile-tw...@googlegroups.com
If the data is in the clear (not SSL), then it could still be snooped downstream.  You eliminate one point of access by using a secure local link layer, but the data is still going through 3rd party routers / etc.  Of course, it is probably much more likely that snooping would occur at your endpoint than at any of the routes in between -- but it would still not be "secure."

What I've come to discover is that in the case of native apps, ultimately it comes down to trust in the developer.  Once an app can run software on your device, all bets are off, whether you are entering secure data or not.  For example, on most mobile platforms, there is nothing preventing an app from pulling all your contacts from your contacts DB and submitting them to a website behind your back.  Heh, it might even do that over SSL -- it would be secure at the Transport layer, but insecure at the App layer.  (Hence, Mark's point about data only being as secure as you make it.)

This problem can be mitigated by app signing, or less technically, by reputation.  So let's assume you trust the app to not be *malicious*.  Then, it depends on the back-end that it is accessing;  more likely than not you'll be OK simply because the backends would not be exposing sensitive APIs in the clear -- so no app (native or browser-based) could ever make a sensitive transaction without going over SSL.

If the data is being submitted to some random site, however, then I would be more suspect.  Assuming you trust the developer to not be malicious, that's probably the situation where lack of encryption might play the biggest role.

Chris
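An added example, not part of the thread and not written by any of the posters: one way a tester could answer "how is the user to know" for a native app is to record the app's requests on their own device and audit them for the two failure modes discussed above, sensitive data sent in the clear and sensitive data sent over SSL to a party the user never chose. The captured requests, field names and host names below are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: requests a tester recorded from their own device while
# using a hypothetical shopping app (method, URL, form body). Not real traffic.
CAPTURED = [
    ("POST", "https://api.shop.example/checkout", "card_number=4111111111111111&cvv=123"),
    ("GET",  "http://cdn.shop.example/img/logo.png", ""),
    ("POST", "http://api.shop.example/login", "user=brad&password=hunter2"),
    ("POST", "https://stats.tracker.example/upload", "contacts=alice%2Cbob"),
]

SENSITIVE = {"password", "card_number", "cvv", "contacts"}   # assumed field names
EXPECTED_HOSTS = {"api.shop.example", "cdn.shop.example"}    # assumed vendor hosts


def audit(requests):
    """Return (url, reason) findings for requests that put user data at risk."""
    findings = []
    for _method, url, body in requests:
        parts = urlsplit(url)
        # Sensitive values can travel in the query string as well as the body.
        fields = {k.lower() for k, _ in parse_qsl(parts.query) + parse_qsl(body)}
        exposed = sorted(fields & SENSITIVE)
        if not exposed:
            continue
        if parts.scheme != "https":
            # Transport-layer problem: readable on Wi-Fi and at every hop.
            findings.append((url, "cleartext: " + ", ".join(exposed)))
        elif parts.hostname not in EXPECTED_HOSTS:
            # Encrypted in transit, but delivered to a party the user never chose.
            findings.append((url, "unexpected host: " + ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for url, reason in audit(CAPTURED):
        print(f"{reason:40} {url}")
```

The checkout request passes because it is both encrypted and addressed to an expected host; the logo request is ignored because it carries no sensitive fields.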

Mark Jenkins

Jun 18, 2009, 11:16:24 PM
to mobile-tw...@googlegroups.com

See my notes within your e-mail.

From: mobile-tw...@googlegroups.com [mailto:mobile-tw...@googlegroups.com] On Behalf Of Chris Mitra
Sent: Thursday, June 18, 2009 9:42 AM
To: mobile-tw...@googlegroups.com
Subject: Re: Security Concerns with Mobile commerce

If the data is in the clear (not SSL), then it could still be snooped downstream. 

(MEJ – All cellular data channels are encrypted and secure.  SMS or text messaging is an exception.  Text messages, or data over the SMS gateway, are sent in the clear.)

You eliminate one point of access by using a secure local link layer, but the data is still going through 3rd party routers / etc.  Of course, it is probably much more likely that snooping would occur at your endpoint than at any of the routes in between -- but it would still not be "secure."

What I've come to discover is that in the case of native apps, ultimately it comes down to trust in the developer.  Once an app can run software on your device, all bets are off, whether you are entering secure data or not.  For example, on most mobile platforms, there is nothing preventing an app from pulling all your contacts from your contacts DB and submitting them to a website behind your back. 

(MEJ – On most, but not all!  BlackBerries allow the user to “allow” or “disallow” this kind of access for every application that they load on their device.  Of course, the consumers who know about it and understand it are few and far between.) 
