by Fabio Martinelli
As evidenced in our special theme, mobile devices play an increasingly important role in our everyday lives, not only by enabling us to communicate but also by providing access to a large variety of pervasive services. The global mobile security market [1] is steadily increasing in value (about $1.6bn in 2012), as companies and organisations seek to secure their smart devices against the dangers of mobile malware. Our software products target both this market and the market for integrating mobile devices into legacy applications.
We use mobile devices in many roles, e.g. as employees in relation to our employers, as consumers in relation to commercial service providers, and as citizens in relation to our governments. There are now more mobile devices than desktop computers accessing the Internet. Extrapolating this trend, the number of vulnerabilities affecting these mobile devices and their typologies is increasing with the growing pervasiveness of the services. These devices thus represent an attractive target for attackers.
Mobile devices are not only taking over typical PC activities (social networking, browsing, e-mailing, online shopping) but also offer more sensitive applications in areas such as mobile payment transactions, access to health services, etc. The frequent press coverage of hidden tracking, open profiles, and fraud is one of the factors that has convinced us that security and privacy threats are realistic. The ever-growing sophistication in data mining can easily be misused for commercial or criminal exploitation. A particular concern is that mobile devices are available to a wide range of users (from teenagers to seniors), who are not necessarily experts or educated about these risks. This makes successful attacks on these devices even more dangerous, especially when the devices are then used to access services.
In the framework of the EIT ICT Labs (an initiative of the European Union), several research organizations (CNR, Novay, TU/e, TU Berlin) and leading European industries (Engineering and SAP) are working together to address the challenge of ensuring the security of mobile devices while guaranteeing service access in a privacy-preserving way.
The partners in this activity have a significant track record for research and innovation in many mobile security related areas and bring together a significant set of experience ranging from European projects to industry-based pilots and experimentations. The field is far from mature, both in terms of providing solutions and in terms of fully understanding the threats and the potential of new protection methods. Nonetheless, many specific activities have already been performed and are amenable to exploitation. The potential adoption of these technologies, if deployed properly, is extremely high, while on the other hand the failure to properly secure our mobile devices can be harmful to society at large.
We are thus currently developing a software suite for these mobile devices to secure access to data-sensitive platforms such as financial and e-government services or pervasive ones such as e-health for personal monitoring. The data and protocols used to store and (sometimes even autonomously) use personal identity information must be secure. This entails the protection of the devices themselves, in order to avoid various types of misuse, ranging from the security of communications to privacy considerations regarding data disclosed to gain access in these communications.
One of our main challenges is the use of security solutions within mobile applications. To address this problem, SAP aims at facilitating the development of secure mobile applications with its SAP Mobile Platform (SMP). SMP offers a unique opportunity for developers to quickly develop business applications interacting with critical systems, typically the company ERP. While SMP already provides state-of-the-art security, SAP intends to extend the security functionality spectrum and to provide new sensitive services developed within the project.
Besides protecting the private data on the device, we also consider the protection of data used by the services the device connects to. In authenticating to the services, we deploy privacy-friendly biometrics with biometric templates which are protected, also from 'insider' threats. When using the services, a lot of personal information is shared. We provide tools to analyze the amount of personal data revealed and to validate the privacy-protecting properties of the communication protocols used.
Our applications will be tested using the Experience and Living Labs facility offered by EIT ICT. This will allow us to test the usability and the social acceptance of the solutions developed. Several business and technology transfer actions are planned in order to make our envisaged mobile-centric secure identity management available on the marketplace. The activity described above is carried out in collaboration with many groups. As main partners we mention Silvia Boi, Laurent Gomez, Niklas Kirschnick, Jerry Den Hartog, Martijn Oostdijk, Jean-Christophe Pazzaglia and Daniele Sgandurra.
Link:
SAP Mobile Platform: http://www.sap.com/solutions/tech/mobile.html
Reference:
[1] The Mobile Security (mSecurity) Market 2012-2017, March 2012, https://www.asdreports.com/
Please contact:
Fabio Martinelli, IIT-CNR, Italy