Perimeter
10/10/2012
09:58 PM
Gunnar Peterson

Walking The Mobile Mile

Putting the 'i' in identity means navigating the hidden complexities in mobile identity

Mobile applications have different characteristics from normal Web applications and so place different demands on developers. This in turn drives the need for new security models. When enterprises write mobile apps, they are not simply delivering data to customers as in a Web app; they are delivering code that interacts with the mobile device OS, data, and security tokens (and beacons) that will reside on the device for some period of time.

This opens a window of vulnerability for devices that are lost, stolen, or compromised by malware. The enterprise response has been largely focused on Mobile Device Management (MDM), which closes out several important gaps through services like remote wipe. Today, MDM is a sine qua non technology for many enterprises, but it's not sufficient by itself to get the job done for mobile. After all, as Paul Madsen posits: "If my CEO and I both have the same phone, is the device the right level of granularity?" Further, the device is only one asset in play.

To get a full picture of the risk involved, you must look end to end. Mobile apps do introduce new risks, but it's not just about the device; it's about how they connect up to the enterprise. Mobile Access Management (MAM) -- access control services that sit in front of the enterprise gateway -- has emerged as a server-side guard enforcing access-control policy for requests from the mobile app to the enterprise back end. Mobile apps get the lion's share of attention, but do not neglect the Web services that provide the wormhole from the iPhone straight into the enterprise core mainframes, databases, and back-end services.

MAM provides mobile-specific security services for the server side. But what about the app on the device? Yet another set of controls, called Mobile Information Management (MIM), enables policy-based communication on the device.

Confused yet? The result in the short run is that the enterprise's identity architecture must factor in many different kinds of identity claims needed to resolve an access-control decision, including the device identity claims (such as hardware fingerprint), the mobile app identity claims (such as the Android PID), the local/mobile user identity claims, and the server-side identity claims. From there, these claims about an identity must be resolved and need to work cohesively across a mobile session, mobile-to-server communication session, and, in some cases, mobile app-to-mobile app communication.
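To make the claim-resolution problem concrete, here is an added example (not from the original article) of a server-side decision point that requires device, app, user, and server claims bound to one session before granting access. The `Claim` type, the `finance-reports` resource, the policy values, and the sample claims are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    session_id: str  # session the claim was issued for
    source: str      # "device", "app", "user" or "server"
    attrs: dict

REQUIRED_SOURCES = ("device", "app", "user", "server")

# Hypothetical policy: what each claim source must assert per resource.
POLICY = {
    "finance-reports": {
        "device": {"managed": True},
        "app": {"signed_by": "enterprise"},
        "user": {"role": "executive"},
        "server": {"token_active": True},
    },
}

def decide(resource, session_id, claims):
    """Return (allowed, reason); anything not explicitly satisfied is denied."""
    rules = POLICY.get(resource)
    if rules is None:
        return False, "no policy for resource"
    by_source = {}
    for c in claims:
        if c.session_id != session_id:
            return False, f"{c.source} claim bound to another session"
        if c.source in by_source:
            return False, f"duplicate {c.source} claim"
        by_source[c.source] = c
    for source in REQUIRED_SOURCES:
        claim = by_source.get(source)
        if claim is None:
            return False, f"missing {source} claim"
        for key, want in rules[source].items():
            if claim.attrs.get(key) != want:
                return False, f"{source}.{key} does not satisfy policy"
    return True, "all claims satisfy policy"

def sample_claims(session_id, role):
    """Constructed claims: same device and app, only the user role varies."""
    return [
        Claim(session_id, "device", {"managed": True, "fingerprint": "constructed-fp-01"}),
        Claim(session_id, "app", {"signed_by": "enterprise"}),
        Claim(session_id, "user", {"role": role}),
        Claim(session_id, "server", {"token_active": True}),
    ]
```

Calling `decide` with `sample_claims("s1", "executive")` and then `sample_claims("s1", "engineer")` shows two users on an identical device receiving different decisions, which is the granularity question raised in the Madsen quote.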

This makes getting consistent policy enforcement across sessions, devices, and servers a real challenge -- difficult, but not impossible. As with so much else in security, there are no silver bullets. There's no single product to solve all of these challenges. The mobile app provides a new set of challenges -- specifically an integration challenge -- and likely requires different protocols than enterprises have used in the past, such as OpenID Connect and OAuth. Identity requires first-mile integration (identity provider) and last-mile integration (service provider). But, in addition, mobile "mile" integration requires meshing an array of disparate identities and attributes to enforce consistent policy.

Gunnar Peterson is a Managing Principal at Arctec Group

Gunnar Peterson (@oneraindrop) works on AppSec - Cloud, Mobile and Identity. He maintains a blog at http://1raindrop.typepad.com.
