Can I drive my smartphone safely ?

On the matter of safety, it may happen that the old and established car industry has things to teach to the young and dynamic mobile industry.

 Middle social class passengers getting into their car do not even think that their car security may be a problem. This peace of mind was not given from the beginning of this industry. We all know that first cars were dangerous. But due to citizen and governments pressure – driven by a willpower to protect lives and save national health budget – combined with automotive manufacturing collaboration – agreeing on a minimal barrier to access the safe and comfortable car market – a vehicle has now to survive several security steps, including crash tests, before being driven by a smiling father of a family (well know that only fathers are conducting in families, right ?).

Which safety for my mobile today ? In the mobile industry, safety related to wave emission is addressed (hum… everyone pretends it is be under control). On the other hand, the actual security of user assets is poorly addressed, and this could also cause some damages. What do we mean by securying a mobile ? Making sure your login, passwords, account number, signature, keys, digital wallet, business contacts, very private emails will not end in the hands of anyone having in mind fraudulent usage. Well, lets be honest, there are some ways today to maintain security in your mobile phone: (1) you choose an Apple device – equivalent to driving in a very private road network – where everything seems to be under control and at least security flaws correction can be systematically deployed, (2) you choose any other open smartphone, select an anti-virus, manage carefully application authorization and … pray that no malware will find you, or (3) you buy a low end phone and just use it to call.

Which safety for my mobile tomorrow? If we want the mobile industry to grow and answer the promise of hosting any type of application, some long term efforts need to be made – and as usual, long term effort means cost. One possible solution would be for the mobile industry to make joint effort to reach a common level of security. A minimal one, helping service providers to enter an untroubled mobile market. How can this magic happen ? By agreeing on a common security certification scheme for mobile phone.

Security Certification scheme, what is that ? One efficient way to control the level of security of any system, is to go through a simple process of describing the assets you would like to protect and define how protected your assets will be – named a level of assurance. For this you need to know the system, the protection you think that you implement, the potential threats it may be exposed to, the money and time an attacker may need to break this protection… Like in any engineering problem, you need to describe your problem, your potential solutions and test it. This security certification is already widely used in the software and hardware industry where high value applications are handled : the banking area has a EMVCo [1] certification combined with a PCI [2] one, building a completely certified payment schemes, from banking card to merchant system; national governments have also developed appropriate technologies such as FIPS [3] endorsed by the US government – listing the security requirement for computing systems ; international security schemes are also existing such as Common Criteria [4] defining protection profiles for specific secure IT systems… The principle of those security certification schemes relies on the fact that, the service provider who would like to use a secure smart card or server will require a specific security evaluation, which is delivered thanks to an independent but accredited security laboratory. The security laboratory is conducting attacks on the product requiring a certification, a kind of crash test, where – instead of using speed and wall to test the car resistance – state of the art of hardware and/or software attacks are conducting on the product.

Frankly speaking, is formal security certification suitable for mobile ? I am already hearing screams of terror, hysterical yelling. What ? Security certification ? For smartphones ? How could that fit ? How could smartphone makers catch an accurate description of such a versatile environment ? How could this methodology, requiring time, be applicable to mobile lifetime of 12 to 16 months ? How could such methodology be applicable when so much stakeholders are involved in smartphones design – from the chipset maker to the operating system makers ? Well, these are valid questions… but it is not an excuse. Mobile users and service providers do need security and that can not be avoided. This is where the security experts will have to be creative, and knowing few of them, I am sure they can …

[1] EMVCo  , [2] PCI Security Standard Council , [3] FIPS , [4] Common Criteria