Latest Jailbreak Shows it’s Time to Secure Mobile Commerce
[The following article is running on Mobile Commerce Daily today 10/11/2010.]
Mobile commerce should get used to security breaches. They’re a sign of mobile going mainstream. The mobile ecosystem needs to develop security strategies like the computing industry did in response to viruses and phishing.
Recently the U.S. Federal Government declared phone jailbreaking legal. Jailbreaking is the process for unlocking phones, like the iPhone, to do things Apple and the carriers restrict, such as changing to a different carrier or turning an iPhone into a WiFi hotspot.
While jailbreaking unlocks exciting additional functionality, it also increases the risk of a malicious attack. iPhone jailbreaking has become so mature that it now only requires the swipe of a finger after browsing to a particular website (http://www.jailbreakme.com).
Fortunately the iPhone Dev Team, the de facto jailbreak providers, seem to be using their skills for Good rather than Evil. However, the simplicity of the current process exposes an extremely dangerous vulnerability in the iPhone and, by extension, mobile commerce.
Mobile is growing rapidly. My firm, Mobile Strategy Partners LLC, has seen mobile banking adoption across the industry grow 20% per quarter over the last year. However, improving consumer perception of mobile security will drive future adoption.
“Respondents consistently cite security concerns as a key reason for not choosing to use mobile technology,” says Tom Wills of Javelin Strategy & Research. “Studies over the last two years have held steady at about 42% to 43% citing security concerns as reasons for not using mobile.”
The latest jailbreak process opens up the possibility that bad guys could jailbreak and infect victims’ phones by simply visiting a web site. Once infected, the bad guys could potentially have ongoing access to confidential information on the phone, including how to access financial accounts.
Highly publicized damage from such an attack could stall mobile adoption across the industry in addition to inflicting significant financial losses.
Viruses, phishing attacks, and fraud in general arose as computers and the Internet went mainstream. Now that mobile phones increasingly have our attention, fraudsters see the same economics as mobile marketers, and have turned their attention to mobile devices.
Like many readers here, my livelihood depends upon the success of mobile commerce. My firm works exclusively with mobile technology to help companies like banks, retailers, and insurance companies develop and execute their mobile strategy – especially as it relates to their customer-facing mobile strategy.
I have a vested interest in the continued success of mobile commerce. Therefore, I also have a vested interest in mobile security.
The entire mobile community has a responsibility to educate customers on safe practices and keep mobile security one step ahead of the bad guys. Attacks will evolve continuously. Companies will face difficult challenges to protect themselves and customers. Security best practices developed from ecommerce experiences must be adapted for mobile, and organizations must stay vigilant for emerging threats unique to mobile.
Platform developers like Apple, Google, and the carriers also have responsibilities to stay on top of the latest exploits and provide a malware protection framework for mobile commerce.
With the current system, application providers can’t protect themselves because platforms like the iPhone lack – and in some cases actively restrict – methods to detect and fix malware infections.
For example, there is no way to run virus protection on an unjailbroken iPhone, yet the risk to users is precisely that a hacker could trigger the jailbreak at seemingly any time. Users need the ability to determine whether their phone has been compromised.
Similarly, the Google Android application developer identity verification lacks the strength of the Apple App process. Android needs a strong trusted identity authorization and validation system to make it more difficult for criminals to masquerade as legitimate businesses – and for malware to masquerade as legitimate applications.
Strong security will ensure mobile thrives. As mobile commerce goes mainstream it becomes simply commerce. It’s already unthinkable to abandon using applications with sensitive information on our phones. We can’t go back to not using mobile banking, mobile shopping, or even viewing confidential email on our phones.
Mobile commerce must be secured. Mobile platform vendors need to help companies protect themselves and their common customer.