event coverage

Mobile security (where FUD may not be as fake as we’d like to believe)

With more enterprises buying fully into mobile computing, security for mobile devices bulks increasingly large in the concerns CISOs face. (And don’t even get them started on the Pokémon GO issues.) We spoke with OptioLabs’ Chief Technology Officer Bryan Glancey and Hamilton Turner, Senior Director of Research and Engineering, about their approach to securing mobile devices.

OptioLabs provides low-level security elements to embed in Android. “Phones are complicated systems that we tend to view very simply. Everything going on in a desktop is going on in a phone, and with a lot of other nuances that are even more dangerous or prone to abuse than your regular PC,” Glancey said. “We allow you to restrict permissions of applications, hardware, so enterprises can make policies to lock down devices for secure purposes.”

OptioLabs thinks one approach is a mistake. “Do you really want to make phones secure by removing physical functions?” (Like, say, the camera—Glancey and Turner described some enterprises that buy iPads, and then scratch out the expensive camera because they don’t want to deal with the security risk of the wrong kinds of pictures finding their way onto the Internet.) “Wouldn't you rather be able to turn one general phone into a specifically secured device for a specific purpose?”

A lot of solutions let you manage devices and control security. “But we act with low-level system privilege. We have fine-grained control over the phone.” Policies are more static than phones truly are in their day-to-day environment. “We've coded in policies to react to the state of the device. A lot of the phones you see have security policies standardly flashed to the phone. Our security policies can be a lot more flexible. Getting the most utilization out of the hardware makes sense.”

OptioLabs has traditionally gone through its partners, like Cisco, who build their software into the phones. This in turn enables the partners’ customers to tailor the phone to a specific group without having to physically alter it. They also offer contextual safeguards—you could, for example, configure policies to permit a user to take a picture, but not post that picture to Facebook. Customers who can benefit from OptioLabs’ solution include those who operate in regulated industries, governments, and companies trying to make secure phones for banking transactions.

Here’s an example of one customer: an unnamed US state government has equipped its toll takers with mobile devices so they can communicate from the remote toll booth to the home office. If there's a crash, the state doesn’t want the toll takers shooting pictures and posting them to the Internet. So they find an effective way of securing what the employees can do.

Looking at trends in the mobile market, OptioLabs sees a tremendous growth in the manufacturing base. There are now a thousand or so companies manufacturing mainline phones. The fragmentation of Android is only going to increase. Everybody's building their own phone as barriers to entry continue to fall. Manufacturers are trying to hedge their bets by introducing their own valuation points, but the big reality is that the smartphone economy is now a world economy, with people now building five-dollar devices. If you want to see the future, consider the botnets we see running on old versions of PCs and OSs. Phones could easily become like that, with a long tail of botnets running on non-updated software. So people are beginning to grasp the value of a rapid update cycle.

And people now understand more about phones and their powers. They're starting to get the implications of the packages that go into a device. As demand for devices rises, the security vulnerabilities will rise along with it.