The future of smartphone security: Hardware isolation

Register for the upcoming webinar: Top 6 Security Needs for APIs and Serverless Apps

smartphone security hardware isolationMobile spyware has become increasingly more ubiquitous in corporate networks and devices. In a 2017 study, Check Point has found that out of the 850 organizations that they queried, 100% had experienced a mobile malware attack at least once in the past.

To date, most cybersecurity companies have focused either on software-only or built-in hardware solutions as a way of fighting back against these threats. While some of these solutions have proven to be effective, I want to propose that the next generation of mobile security will be primarily based on hardware rather than software solutions.

In the following article, I will go over the kinds of advantages that hybrid hardware isolation can have for combatting smartphone attacks and vulnerabilities. If you create a low-power, highly flexible, hardware-isolated computational and storage container that isolates data inside the host architecture, you can secure data and processes independently of the host’s operating system or networking protocol and make them virtually impervious to attack; an innovation that will change cybersecurity as we know it today.

Identifying existing security threats

In a Frost & Sullivan security analysis, Frank Dickson points to the key problem of identifying mobile threats: “Identifying a true threat can be difficult when malicious apps blur the lines between useful features and excessive or exploitative functionality.” Indeed, as more and more applications rely on collecting users’ behavioral information for marketing or design purposes, the line between malicious and aboveboard apps blurs more and more every day.

This trend has been growing in recent months. In August of 2017, the spyware dubbed Pegasus took hold of iOS: the spyware was capable of hacking any iPad or iPhone to harvest data or conduct surveillance on the victim. After Apple fixed these exploits, a spyware version of Pegasus masqueraded itself as an app download on the Android store, secretly gaining root access to millions of devices.

For government officials or enterprises working with sensitive information, Android and iOS no longer provide adequate security solutions for keeping data safe and secure from malware. For these reasons it is more important that ever to go beyond the ineffective software solutions that are populating the mobile marketplace.

Existing mobile software security is inadequate

Mobile security applications such as Lookout, Avast, or Kaspersky, are limited in their effectiveness by the very sandboxing that iOS and Android employ to thwart attacks. For these and other reasons, many argue that we should be using the common sense approach: don’t download apps that you don’t use, password-lock your phone, and change your passwords often.

The common sense approach, however, dodges several large issues. If you use quotidian tactics such as locking your phone behind user authentication, backing up your device, or updating often, you will find that these tactics are largely useless if your phone has been already compromised by a rogue application. Not all of us are infallible in our judgement – the purpose of dedicated security software is to be the first line of defence after good usage habits.

Furthermore, some of this security advice – such as user authentication – can only prevent from either physical threats (your device being stolen) or from threats that Apple and Google have already patched into their software.

Combining hardware and software

What is needed in mobile security isn’t more software or common sense, what mobile security desperately lacks is a low-cost, plug and play hardware solution.

By combining software encryption with a hardware-isolated containers – such as a Linux computer on a microSD chip – Android devices can secure important data without necessarily undergoing the hassle of using a hardened phone or a proprietary ecosystem.

The advantage of combining software and hardware in the smartphone space is immense. Compared to the prohibitive costs of hardware solutions such as the specialized phones, a plug-n-play microchip offers a hardware-isolated “Trusted Execution Environment” that is cost-effective and does not require users to change their usage habits. Users can then store information, relay and process sensitive data, and communicate securely straight through the secure interface contained within.

By combining both hardware and software, we were able to create a cost-effective solution that is platform-agnostic and can be integrated easily into existing networks and devices. Users can now manually isolate the data that is important to them without compromising their regular phone usage.

Paradigm shifts in mobile security

Existing mobile security approaches, based in either hardware or software, are flawed by design: the attackers and defenders of the user’s data are still locked into the same battlefield. Hackers attack the same software or hardware which a phone or app developer uses to protect it. And since the both sides have an access to exactly the same knowledge and tools, this tug of war will always favor the attackers.

This new approach to cybersecurity aims to protect a phone by taking the battleground away entirely: if you store away data on a hardware isolated container, it cannot be accessible to an attacker. If you build cybersecurity solutions that take advantage of hardware isolation, you will be able to create truly accessible solutions for enterprises that want to be protected against spyware, ransomware, and other threats that may target their employees.

While software best practices can prevent rudimentary attacks, relying on Android for security is like asking your car’s manufacturer to protect you against car thieves – there is only so much a company can do to protect its own popular product. Adding an isolated self-contained layer of hardware and software protection is of paramount importance to running a responsible, cyber secure business in the twenty-first century.