How to protect mobile data through encryption and secure transfer

What is Mobile Data Security?

Data is now more portable than ever. On the one hand the mobile nature of data is opening up opportunities, but on the other hand it is challenging businesses to secure personnel and corporate data.

Mobile data security  is defined as an effort to secure data on mobile devices such as tablets and smartphones. Generally, mobile security is something which enterprises work on to safeguard sensitive information whose security can be compromised because of its use on several mobile devices.

Why Mobile Device Management?

Mobile device management (MDM) is the administrative area dealing with integrating, monitoring, deploying, securing, & managing of mobile devices such as tablets, laptops, and smartphones in the workplace.

The objective of MDM is to enhance the security and functionality of mobile devices within the enterprise while synchronously protecting the corporate network.For instance, hackers can erase sensitive company data from a lost mobile device and/or can remotely lock mobile devices. Mobile device management application allows administrators to manage mobile devices as comfortably as desktop computers & offer excellent performance for users.Moreover, enterprise apps need to use proper encryption and network transfer techniques to protect data at the application level itself.

As per the recent research by Nokia Threat Intelligence Lab, smartphones now account for 60% of the total malware activities in the mobile space, leaving laptops and PCs behind. It also reported an increase in iOS malware, evolving sophistication of Android malware and the increased risk of mobile ransomware.

A ransomware is a type of malware that can be installed without user’s knowledge.

What is the need for Mobile Data Security?

Mobile Data Security becomes more and more important each day as mobile devices have gone from communication tools to cameras for still and video photography and mini computers for emailing, searching, maps etc.

Mobile devices which transmit enterprise data & access corporate networks pose a risk in terms of keeping sensitive information secure. It is necessary to prevent corporate data from getting exposed through users’ devices. There are several tools available including encryption, remote wipe, (MDM) mobile device management applications and more.

For instance – though ‘Apple’ has quite a reputation for security, it is still possible for iPads and iPhones to be infected by malware and affect the enterprise. There are processes through which hackers can access the security features on devices. Some users don’t utilize basic features such as passcodes, making it even simpler for hackers to get access to sensitive corporate information.

2018 updates:

1. Adios to Mobile Device Management (MDM):

2017 saw a major shift in focus of the enterprises from Mobile Device Management to Mobile Data Protection as the data now is not anymore a device’s property, but can be moved easily between different devices (thanks to cloud technology). Therefore, it does not make much sense to manage data at the device level or app level.

There are some good reasons to ignore device management and app management:

• The strategies used for device management are very complex
• When the management becomes complex the expense incurred due to that also increase
• Cloud technology is much more advanced that enable blazing fast transfer of data between devices.

The data now gets securely stored in the cloud and retrieved whenever necessary in a secure way. This eliminates all complexities and expenses involved in managing several devices and their data. IT team can now focus entirely on managing the cloud. The communication between a mobile device and the cloud follows industry standard encryptions and decryptions.

2. World of IoT (Internet of Things):

With growing popularity of IoT devices, many enterprises have started using them to collect more data and save more money. IoT devices continuously collect and stream the data over a network like mobile phones, but with less protection. This can pose a serious threat to enterprise data. As the IoT devices are presently not fully secure enough, mobile security strategists suggest the following:

• Make sure the firmwares of IoT devices and routers are always up to date. The latest security patches resolve any vulnerabilities of the devices. It is suggested to automate the updating process wherever possible.
• Prohibit anyone from connecting their personal devices to the company network. Enterprises can create a guest network to provide access to an employee’s personal device when required.
• The company’s IT team should regularly track the devices connected to the network and should assess the level of access they require.

With this said, IoTs are still newbies to the industry and need time to settle down. Probably in 2018, we might see a drastic improvement in usage and security for these devices.

How can optimal ‘ Data Security’ be achieved?

Good mobile data encryption techniques help IT companies & users protect data on mobile devices.

Symmetric Encryption

Symmetric encryption is also known as private key cryptography. It is so called because the key which is used to encrypt & decrypt the message needs to remain safe and secure. Usually, the sender encrypts the data with one key, sends the data and then the receiver uses the same key to decrypt the data.

 

Advantages of Symmetric Encryption

• Encrypting and decrypting of the symmetric key data is pretty easy to do. In fact, several solid state drives (SSD) that are extremely fast use symmetric key encryption to store private data.
• Symmetric Encryption is used in services which store encrypted data on behalf of the user (such as “cloud backup services”).
• Encrypt computer or device storage (This is because a well-encrypted device can quickly be erased)
• Helps to create a secure channel between two network endpoints, given there is only a different scheme for exchanging the key securely .

Drawbacks of Symmetric Encryption

• The biggest problem with symmetric key encryption is that you must have a process to get the key to the party with whom you share the data.
• The encryption keys aren’t simple strings like password. As such, you must have a secure way to get the key to the third party. And of course, if you find a secure way to share the key, you possibly don’t need to use encryption in the first place. Thus, symmetric key encryption is especially useful when encrypting your own data/ information as opposed to when sharing the encrypted information.
• If an attacker gets access to the key, all your encryption will become useless.
• It’s also important to remind that even if the data is encrypted, software must have an access to the unencrypted data to complete its job. (And if the software/ platform is compromised, the encryption will become useless). The solution to this is to design the service in such a way that data is encrypted, leaving the key exclusively in the user’s possession and storing only unreadable encrypted data.

Asymmetric Encryption

Asymmetric encryption otherwise known as public key cryptography, is in contrast with Symmetric encryption because it uses two different keys for encryption and decryption. In this encryption, a public key is openly available to everyone & is used to encrypt the messages, and another private key is used by the recipient to decrypt the messages.

Advantages of Asymmetric Encryption

• Asymmetric encryption is used with TLS in order to secure the connection between website and browser and for other network services.
• It is used along with SSH to secure the login session to remote servers and to authorize the users without actually using passwords.
• It is used to sign the software updates so that the devices can understand that they are receiving a code from a trusted party.

Drawbacks of Asymmetric Encryption

• The massive issue with public key cryptography is in trusting the public key (which you have). A man-in-the-middle attack is the most common way to accord on the asymmetric encryption.
• And so, you must get a certificate for the HTTPS site from a certificate authority to overcome data thefts. Thus, web browsers trust these authorities to sign the keys, by allowing websites to send signed public keys on to the browsers.

Hashing

Hashing generates a unique, fixed-length signature for a data set / message. Each “hash” will be unique to a specific message, so slight changes to the message will be easy to track. Once when the data is encrypted using hashing, it cannot be deciphered or reversed. Though, Hashing is not technically an encryption method and does not provide strong data protection but it is still useful for proving that data has not been damaged.

Hashing usually takes a data and generates a hash out of it, with these 3 important properties:

• The similar data will always produce the similar hash
• It is impossible to regress it back to the original data
• When given knowledge on only the hash, it’s impossible to create other data string which can create the same hash (otherwise known as “collision”)

Advantages

• Hashing is used for protecting the passwords.
• For instance, if a system stores a password hash instead of a password, hashing will then check the incoming password and see that if it can match with it. It’s not possible to use the hash for authentication.
• The other advantage of a hash is to authenticate besides clearly transmitting the data using a shared secret key. But the shared secret will not be transmitted and is infeasible to modify the hash or data.

Drawbacks

• It’s impossible to reverse a hash. But it’s possible, with access to the hashes & lots of resources to find data that hashes the same as the password—a collision—and this may even be the password itself.
• Hence, it’s important to select a great password hashing algorithm which costs a lot to find a collision. Raising the cost of brute force will make the hashing more resistant.

Our Implementation

We have used the asymmetric encryption technique to protect the user’s sensitive data (i.e. data- which is stored on the device or the data when transferred through a network.)

We have implemented the asymmetric encryption algorithm AES 128 and hashing to create signatures out of the data which is being sent through a network protocol HTTPS. We made sure that the user sensitive data will be sent only to the intended person who can decrypt the encrypted message (using the private key).

Here’s our process to authenticate the server and to enable the communication with JWT token:

• Created a JWT token that contains a header, payload and signature appended to each other with a “dot”(.).
• The header and payload consists of an algorithm – in JSON format (which is bas64 URL encoded).
• The signature is calculated by appending both header and payload with “dot” .
• Finally, bas64 string from the header, payload, and signature are appended together with “dot”(.) which gives a JWT token.
• The JWT token is given to “Authorization” header while requesting for access. The server validates and sends a token which should be used to further communication with the server.
• In the subsequent requests, we encrypt the payload sent using AES 128 encryption and a public key as provided by the other party.
• With the help of a received token, we send the encrypted payload to the other party.
• And the other party can now decrypt the data and can send a response back.
• The entire process uses HTTPS protocol to communicate with the server, and even to resolve man in middle attacks.

Using encryption techniques and other security APIs can help us reduce the leakage risks of sensitive data. Thus, storing of data on servers, using proper security tools, and customizing mobile device use policies can also limit these risks.

---

We will be happy to discuss how our data security implementation can be leveraged to increase your revenue and ROI. To talk to an expert, write to harishm@enlume.com or you can contact us here.