Mobile computing is a paradigm shift away from personal computers and their infrastructure towards very large and flexible networks of loosely connected platforms.
It has new platforms, operating systems, applications (apps) and exciting new approaches to old problems. As the paradigm shift gains momentum, the technology's application expands to include areas never considered when the technology was designed. Risk mitigation requirements tend to be ignored as the ease of use, affordability and affordability of the devices compels their use. Users are often naive about the risks to their information, enjoying the benefits of using it without giving much thought to the potential dangers.
Mobile devices that do not require users to be identified and authenticated are considered anonymous users.
Anonymity is an issue because it is impossible to enforce accountability for user actions or mediate access to resources based on previously granted access. In effect, all mobile device assets are available to any anonymous user solely based on physical access to the device. Availability is important as applications supported by mobile devices expand to include e-commerce transactions and manage privacy-related data.
The transparency of applications is an issue, applications that store confidential information have been found to store the information in intermediate files that are shared with third parties without the knowledge or consent of the user who originated the information.
Paradigm shifts in computing technology tend to ignore issues that would complicate or delay its acceptance, information security being an example. The move to client-server and wireless networking has seen periods where protection requirements remain unresolved and serious problems arise. Mobile computing is following a similar path, ignoring old lessons doesn't make them less important, it just means they must be relearned. At this point, the protective measures are well understood, so the road to a safe solution need not be as painful as past experiences indicate.
Bypassing the protective measures of the previous generation has tangible benefits for platforms.
Administration is greatly simplified and significant processing and other overhead is eliminated, performance benefits. Measures associated with user irritation are eliminated, improving user experience and satisfaction, facilitating acceptance.
Mobile devices depend on the Internet for much of their communications, Internet eavesdropping or hijacking is well understood and common attacks performed to steal data, encryption will defeat this attack, when the measure is used. The reliability of communications is an important issue as time-sensitive applications depend on it to complete revenue-generating transactions and provide a satisfying user experience for a variety of activities. We're quickly moving beyond the issue of dropped calls.
The lack of common protective measures is a non-trivial issue, raising risks that were long thought to have been minimized. Device theft to allow the thief to use the device for its intended purpose is giving way to theft for the purpose of accessing specific data, usually to package with other stolen data for sale to a customer with ulterior motives. Stealing mailing lists for sale to spammers is a nuisance compared to stealing data with the intent of large-scale fraud or identity theft.
Corporate entities are making applications available to current and potential customers who have little or no insight into the applications, relying on the provider to meet data security requirements that are outside the provider's set of requirements or concerns. As provider expectations evolve to business-critical levels, meeting customer expectations will increase in importance for providers, complicating requirements and requiring increasingly sophisticated applications.
Companies are also making mobile devices available to employees as productivity tools, without giving serious thought to the corporate data that will be processed, stored or transmitted by the devices.
Configuration management of mobile computing platforms is informal at best.
Easy access to applications introduces risks each time a new application is introduced. Allowing, if not encouraging, the use of sensitive information with the platform exposes that information to a largely undefined and poorly understood set of risks of compromise, loss of integrity and unavailability.
E-commerce applications that manage transactions and payment information are of interest to the Payment Card Industry Data Security Standard (PCI DSS). Where the host mobile device does not provide basic protection measures, DSS compliance is unlikely, raising a number of serious issues. The value of information associated with the next generation of transaction processing applications is increasing, encouraging the execution of sophisticated attacks to steal the most valuable assets.
We continue in the early days of malicious activity targeting mobile devices. At least one large-scale attack of moving targets has recently occurred, more sophisticated attacks are likely as technology usage grows and attack strategies are perfected. Attacks using malware continue to appear, although there appear to be no serious technical impediments to their occurrence beyond the lack of recognized algorithmic vulnerabilities available for exploitation.
Integrating mobile computing into architectures that support business-critical applications remains an untapped opportunity.
How long this is true is a serious question, replacing the desktop PC has compelling economic drivers – it has to happen. Linking mobile apps to servers is already happening on an experimental basis. This will significantly raise the stakes for tablets and other evolving mobile devices. Corporate requirements for robust solutions will put pressure on technology providers to enable the secure expansion of application platforms beyond messaging and e-commerce, which go back to addressing conventional protection needs.
Whether mobile computing technology is "ready for prime time" in large-scale applications remains to be seen. Clearly, a large number of lessons need to be learned by application developers and architects regarding compliance with statutory privacy requirements as well as less formal expectations of user confidentiality. Early adopter tolerance for problems that could be interpreted as technical glitches is unlikely to exist in production environments with large user populations and large company revenues.
As mobile computing is in its infancy, the lack of meaningful safeguards for information processes, stored and transmitted across platforms is a serious concern. The use of technology for new applications without consideration of the risks by both users and technology providers increases the likelihood and scope of potential damage to be inflicted by well thought out and executed attacks. The bell rang, class is in sessions.