Mobile applications --- Lions, tigers and bears?
mhondo 110000BG0Q Visits (1539)
Black Hat [Black hat conference] was in Vegas was last week, so it made me wonder where people see mobile application development within the wider lens of web application development [XForce news] . And while there is still plenty to be done, technology shifts can be a great opportunity to rethink things and with mobile applications.... less may be more.
The push and pull of identity. User names and passwords are great until you have hundreds ofthem and this is the reality today with identity silos. When I worked on WebServices and in particular, WS-Federation we anticipated the need for bridging across these silos of identity. New waves are on the horizon as “social networks” and federated corporate id’s are intermixed and we are now seeing hybrid identities find their way to mobile devices and mobile applications. For some classes of mobile apps, it may be advantageous to let someone else manage the identity data ( for example, let a third party IDP manage the username & password and establish the first link in the security chain). The proliferation of internetservices (e. g.Facebook & Twitter) and the emergence of Open source Identity provider mechanisms like OpenId mean users want to merge their multiple identitiesand the line distinguishing a "social" Id (firstname.lastname@example.org ) and a “private” id (email@example.com) has begun to blur. This will present challenges to IT organizations that have not anticipated this change as these new mobile applications extend beyond traditional enterprise boundaries and embrace third party identity providers. The areas where application developers should concentrate on enhancing or controlling authentication and authorization is where reliance on 3rd party providers (having someone else handle end user authentication) has to be done in compliance with regulatory concerns aroundprivacy and credit. In regulated areas, the duediligence involved in compliance for maintaining privacy and user identity protection through establishing relationships with themanaging entities might be more difficult and costly than managing the user data yourself.I worked with a volunteer effort supporting the UN recently and we were looking at a campaign where I learned that at the end of the year there will be 7 billion people on the planet. Application owners should consider whether theyreally need to or want to track individuals on every possible mobile device that has been or will be created. That's a lot of information to protect. Instead of creating a new identity silo, it may be a better investment to review the fundamentals for establishing a long running relationship with your customer, whoever that is.
I attended a Workshop recently sponsored by the W3C (Identity in the Browser) where the goal was to look at the state of browser managed identities and the audience included a wide range of browser providers and interested security practitioners with a lot of energy. So there is new hope for navigating identity on the web. The topics for managing identity at the workshop crossed between "standard" web and mobile environments. It is evident that mobile apps will extend existing web patterns and include third party IDPs and web techniques like cookies (with appropriate protection hopefully -- XForce proposal on secure wireless) for collecting relevant stats on traffic and preference. A well designed layered security model where "re-authentication" or authorization of mobile users is triggered when an end user needs to pass from a public to a high value information domain can be a bridge between worlds and not only improve mobile application security but all application security. After all, managing identity & passwords isonly the first step to developing a digital profile for end users. A good investment for mobile development efforts is to rethink how application services are offered and to start to think about different profiles for "low value" and high value services tailored to augment existing account affinity and enabling a differentiation of requests by valu
One of the hardest problems with mobile is the coexistenceof things like “Angry Birds” on the same device as my HR test resultsand my financial data. Until Angry Birds becomes an Olympic event, I don't think I have to worry much about how I do. My HR results on the other hand, I'm a little worried about, and having people be able to hack into my banking app and get my financial data....well you can see its a continuum of low to high value data and the costs and risk mitigation strategies need to be in place for the appropriate local protection ( if data is stored on the phone) and access. The expression of access policies and rules is not new to mobile application development [Polcy & Rules]. Many businesses already have strategies for web hosting, and many of the low to mid value mobile apps are fine running within these risk mitigation strategies. In many cases the scaling issues particularly around dynamic web content may be the first challenge for Mobile IT support. The high value data is where the mobile space gets interesting. For the highest value data you've got to look at the overall trust model including the device OS and be responsive to new threats like the ability to "jailbreak" a phone. Beginning with our feature pack, the focus is on educating and raising the awareness with regard to some of the risks involved in using dynamic web technologies. The tools and strategies to use to mitigate the threats both on laptops and mobile devices [Web 2.0 security ] are areas where we draw on the experience of our research teams to help us respond to these ever-evolving threats. [ more security pointers] What are you seeing? Give us your feedback.