Government agencies are beginning to experience the many benefits (and a few critical drawbacks) of mobile technology. This has been an evolutionary process that is still in its infancy.
Initially, agencies released apps that were focused primarily on providing information to the public. In most instances this repackaged information that was already available on the agency website.
The second phase was creating a two-way interaction with individuals and the agency. These apps have provided very useful services to the public. Examples include reporting potholes or searching to see if a professional is licensed and in good standing. Government is just putting its toe into the water with using mobile technology to communicate with citizens. All kinds of new services are possible using mobile technology. For example, an agency might ask for the public’s assistance in tracking the location of a beetle infestation that is killing trees. The app could use geo-location and the camera to help capture this information.
The third phase is government leveraging mobile technology for its own employees. Nearly every government employee who is out in the field can potentially leverage mobile technology to reduce paperwork, speed the processing of information, improve safety and increase efficiency. Today’s government employees, just like their private sector counterparts, have a desire to be able to access their work from home or on the road. With the understanding that there are employment rules as well as security concerns, government must adapt to these changing work dynamics.
The increasing demand for the many benefits of smart phones is demonstrated by the fact that many government employees are carrying two cell phones. The first is typically a government issued Blackberry (often with restricted functionality). The second is their own personal smartphone that is equipped with lots of apps as well as additional functionality including gps and camera.
I believe we are experiencing the very beginning of the many opportunities that mobile technology is going to create for government. Whether it’s tracking pollution or finding an abducted child, mobile devices offer tremendous potential for government to enlist the aid of citizens.
I look forward to discussing these topics and many more during my panel session, Using Mobile Technology to Engage the Public, at the upcoming FOSE conference.
Your mobile device is a treasure chest of valuable information for criminals…
Mobile computing is quickly changing the way we live and interact with the world around us. While being connected to the world at all times makes us more efficient and productive in society, there are many security and privacy issues to take into consideration.
The threat model for mobile devices differs significantly from their larger desktop and laptop counterparts. They travel everywhere with us, they are turned on at all times, and we use them to access a multitude of services. We have a much better chance at losing an iPhone than a 27 inch iMac desktop computer. Our smartphones contain all of our contacts, constant access to several email accounts, our social networks, our banks, corporate networks, and much more. Your mobile devices know where you have been, who you were there with, and what you did with them. Your mobile device is a treasure chest of valuable information for criminals and others with less than honorable intentions. Often, a vulnerability in a single application can lead to a compromise of many services where there may be password reuse by a user or leaked Single Sign On (SSO) credentials. A single piece of malicious software can extract everything about your life and potentially allow an attacker to pivot into your enterprise’s network. This is bad.
As more companies move into the mobile space, we continue to see trends indicating that we have taken several steps backwards from a security perspective. From both privacy and security perspectives, this is frightening. In application security, we have cultivated a list of best practices over the years, many of which have been adopted as formal standards. These include storing sensitive information encrypted, leveraging SSL for data in transit, and following the principles of least-privilege access. We have not seen many of these best practices and “easy wins” replicated within the mobile application space. As the “easy” issues are being neglected, we are simply not preparing ourselves to tackle the security challenges of more exotic mobile technologies and use cases that are being developed.
In many cases, security is being neglected as a result of racing new products to market to gain a competitive edge. The difference between being first to market and finishing in second place can mean the world to a company. At the same time, building your house out of straw instead of bricks will eventually come back to haunt you. While balancing security requirements with usability is a constant juggling act that one must endure, organizations built for long-term success understand and embrace these challenges.
The harsh reality is that before we can get better, things will probably get much worse. We have only scratched the surface of what is possible in mobile computing. There will surely be many new risks and security obstacles to overcome in the next few years. With technologies such as Near Field Communications (NFC) set to become integrated with virtually everything around us, these risks to businesses and organizations will become much more visible and widely exploited.
I encourage any individuals, government organizations, or companies developing mobile applications to pay close attention to how secure their applications are and how well they are protecting the data for their users. Security extends far beyond the mobile device itself; your infrastructure is vital to a secure mobile architecture as well, even if you do not host your own physical servers. A serious security breach could place a huge financial and resource burden on your organization. More importantly though, you owe it to your customers and users to do your absolute best to protect their privacy and personal information.
About Jack Mannino
Jack Mannino is the CEO of nVisium Security, a leading provider of mobile application and web application security services. At nVisium he is responsible for ensuring that all services are delivered at the highest levels of quality and with keen attention to detail. nVisium’s offerings include security source code reviews, penetration testing, remediation services, threat modeling, and developer training. He focuses on mobile application security research (especially Android), and is the co-leader of the OWASP Mobile Security Project. In addition to the Mobile Security Project, Jack is also heavily involved with the OWASP Northern Virginia Chapter where he serves as a member of the chapter’s board.