I am fortunate to have been involved with the Payment Card Industry (PCI) mobile task force for the past year discussing mobile card payment security challenges with some of the brightest minds I’ve had the pleasure of working with. When speaking with customers, I am frequently asked what are the most important takeaways from that experience.
The biggest eye opener is consistently the pace of change in the mobile industry. It is evident – on the task force possibly more so than anywhere else – that the adoption of mobile technology is a disruption of historic proportions that has outpaced earlier transitions such as mainframe to PCs and client/server to the Internet. The pace of change is so great that certain mobile security standards can quickly become obsolete. That is the case with antimalware and mobile.
Learning from recent retail attacks
Recent retail breaches exposed a common theme with the attacks that involve infecting legacy point-of-sale (POS) devices. It enumerates a lack of defense-in-depth strategies with these legacy POS environments.
The nice thing about mobile POS is that when organisations incorporate enterprise mobility management (EMM) and mobile into a retail environment, it comes with a full defense-in-depth strategy. Any holistic security strategy should include both proactive and reactive countermeasures. EMM and Mobile enables that in a variety of ways.
> See also: Old tricks appear in new malware
Malware impacts only 0.5% of mobile apps
After analysing more than 2.5 million apps for our mutual enterprise customers, Appthority found that less than 1/2 a percent (<0.5%) were malware. Appthority is an app reputation service that integrates with MobileIron’s enterprise mobility management (EMM) dashboards.
Traditional antimalware (especially antivirus) are becoming less relevant in the mobile era. This is because operating system architectures are shifting from open file systems (Windows 7 and below) to application sandboxes (Android, iOS, Windows Phone/Pro/RT).
For example, on iOS, there isn’t much for antimalware or antivirus products to do because neither they nor any other app on the device can access another apps’ storage or memory. Same story with Windows Phone and Windows 8.1 modern apps. On Android, there is some shared storage and memory and so there are antimalware and antivirus products. But these products only detect and alert, so even on Android, they don't mitigate or remediate the problem once detected because they can't remove a bad app.
The EMM alternative
The basic difference between antimalware and enterprise mobility management (EMM) is that antimalware for mobile is reactive and doesn’t mitigate the problem once detected. EMM provides both proactive countermeasures and reactive mitigation.
EMM proactive and automated mitigation measures include managing app, content and device access and creating automated countermeasures for when devices fall out of compliance with security policies. This includes:
Mobile POS proactive & reactive automated protection
Mobile POS (mPOS) can be further protected by EMM. For example, EMM solutions can distribute the mPOS App to the device. This therefore enables management of the App to enforce control over that App. If a nefarious attack occurs, or the device falls out of compliance (jailbreak, root, disable PIN, etc.), the auto-quarantine kicks in and can block network connectivity or remove the mPOS app and it’s data, this mitigating a breach. In the case of recent retail breaches, the window of compromise occurred for weeks or months with legacy POS devices.
With mobile and EMM, organisations can detect malicious apps, as well as when a jailbreak or rooting occurs, and can respond in a matter of hours or minutes. It’s also important to note that this mitigation is automated without the need for a human in the loop. This can mitigate the threat automatically, and minimise the window of compromise.
The PCI Data Security Standards (DSS) 3.0 requirements outline the use of certificates for authentication for WiFi and for remote access. EMM enables this by providing a built-in Certificate Authority and automated distribute of certificates to Mobile Devices. This deters Man-in-the-Middle (MiTM) attacks and eliminates passwords, which can be vulnerable to Brute Force attacks. This also helps organisations achieve compliance with the Mobile Payment Security Guidelines v1.0 Objectives 1, 2, & 3, released in Sept. 2012.
App containerisation through a software development kit (SDK) or app wrapping to separate corporate and personal data so that even if malware is downloaded to the device, the isolated corporate data remains intact and unaffected. Enforcement of data loss prevention (DLP) rules to restrict content sharing with unauthorised apps on the device
App Reputation Service
Anti-Virus and Anti-malware are largely ineffective in mobile due to the application sandboxing in iOS, Android, and Windows Phone 8. Arguably the best that these products can accomplish is to possibly identify malicious, rogue, or risky apps. In contrast, an App Reputation Service in conjunction with EMM can provide a variety of detection as well as countermeasures and quarantine options to remove the human-in-the-loop and automated mitigation.
Not forgetting consistent security policies applied to corporate data such as email, apps, documents, and web pages, and device-level lockdown policies when tight control is required.
EMM reactive mitigation measures include auto-quarantine ranging from a simple blocking of email to an automated selective wipe of the corporate data and apps to avoid a breach. This action can be triggered by a malware download or a jailbreak/rooting action, and the security action knob can be adjusted by the administrator.
Additionally, integration with app reputation services that monitor the inventory of apps on the device to flag those with undesirable or risky behaviors and trigger a notification, access control, quarantine, or wipe action.
Put another way: where do EMM solutions overlap with mobile security services from the top antivirus vendors? There is very little overlap and they take completely different approaches. Traditional security products were built for the security issues of Windows. Mobile architectures are different.
Protection at the speed of mobile
EMM solutions approach mobile security in a different and more complete way than traditional antimalware solutions. An enterprise won’t be able to secure mobile apps, content, and devices using only an antimalware solution.
There might be times when enterprises wish to distribute an antimalware app through EMM to provide additional security, and antimalware can provide some complementary controls on certain devices, but EMM is quickly becoming the primary approach to protect cardholder data on mobile.