At Google I/O, people spent a lot of time talking about secure containers like Samsung Knox to better secure Android phones. However, I’d just finished reading the latest McAfee Security Report and one of the trends it identified made it clear that the smart container approach likely won’t work. This got me thinking about how I’d rather see the problem addressed and that likely would be by keeping the device class that was attracting viruses away from the functions I needed to secure. Suddenly, the 5-inch Toughpad from Panasonic and the solutions favored by companies with government ties at the NASCAR event I went to last weekend make far more sense.
Let me walk you through it.
The Problem with Containers
The core problem with the container approach to a security problem is assuring that the foundation they are on is equally secure. For instance, much like building a super-secure bank in the middle of a high-crime area wouldn’t be that secure because the customers going in and out would be attacked, building a secure container on a platform that can be rooted and made to capture keystrokes (passwords and IDs) isn’t secure either. The information that is captured can be used to breach the secure container and if anything is created on the device, it will be compromised by keylogging before it can be secured.
The latest McAfee security report indicates that while there was huge dip in rootkits when the different smartphone makers moved to far more secure 64-bit platforms, this dip has reversed. Hackers have figured out how to get people to install rootkits on these phones now and, once again, they are compromised. Unless you block side loading or figure out a way to reengineer the users so they don’t do stupid things, a container simply isn’t going to work.
Separate and Tether
But given the massive increases in mobile malware identified by the McAfee report, the only thing that may work to truly secure a mobile transaction is to get that transaction off the phone and to a separate device. Yes, it is more expensive but against the cost of a breach, the extra cost is trivial.
Wrapping Up: Rethinking Secure Mobility
I get that firms want smartphones to be able to do anything, and potentially they can. But asking them to bridge personal games (which are being used to spread malware, according to the McAfee report) and highly secure tasks is just asking for a breach. They aren’t that sturdy either. Even though you can wrap them with cases, in the end, you are just trying to force a device that was designed for fun and entertainment to be something it wasn’t designed to be. It’s like trying to turn a sports car into a tank. Yes you can do it. I just don’t think it is a good idea.
The firms I spoke with at NASCAR were planning to use this new 5-inch Toughpad where others might use smartphones because they needed the job done correctly and securely. Often, it is best to use the right tool, not the cheapest. This is something I’ve learned the hard way more than once when working on a car.