Mobile Commerce Security


Security, whether in the airport or in an application, is a confusing subject that is often confused further by techno-speak. We’ll try to minimize the jargon today as we look at maximizing the security of Mobile Commerce apps.

Convenience, The Often-Overlooked First Question:

Mobile application security can be thought of very similarly to the security of transferring cash between individuals. Let’s say for example that the day before a best friend’s wedding in San Francisco, an urgent family matter in New York calls you away. Much to your chagrin, upon landing in New York you realize that you have your best friend’s $20,000 diamond ring in your bag.

There are many aspects to consider when figuring out how to get the ring back to your friend. The thing that rarely gets talked about is the fact that convenience (whether yours or your friend’s) will be the single biggest factor in determining how you choose to get the ring back to him. Can you afford the time to take it yourself or does it need to be given to a courier? How quickly does it need to get there? How much money is it acceptable to spend in order to get the ring there safely?

For the vast majority of apps the answers probably come out similarly to the way they would for the diamond ring. The transfer of the item has to be most convenient for everyone and relatively inexpensive – that is, we’re looking for a solution that is fast, cheap, and with an extremely high probability of success.

From that standpoint, most solutions get thrown out right off the bat. For example, flying the ring back yourself takes too much time and costs too much money. The same might be said for sending it back in an armored truck for that matter. So, at the end of the day, we need to be resigned to sending it via FedEx – still we want to take the right precautions so that the ring doesn’t get stolen prior to its arriving back to your friend.

The 3 Aspects of Security: Devices, Networks, & Servers

For the purposes of our analogy, the wedding ring is analogous to secure data that can take many forms – credit card numbers, passwords, source code, or proprietary algorithms. Keeping that information secure and out of the hands of would-be thieves requires that you identify first the “path of the data”. When the ring is in your possession, that’s analogous to a credit card number being stored on your phone – let’s call that “device” security. When the ring is in transit (on the FedEx truck) that’s analogous to data being transmitted over the internet – what we’ll call “network” security. When the ring is at the FedEx processing center, that’s analogous to the data being stored on a database server – what we call “server” security.

Mobile Payments By Analogy

Let’s say that you are made aware of a small, lightweight combination lock-box that is nearly impossible to break into – that is, no one has ever done it and the expectation is that the technology to “guess the combination” won’t be around for another 100 years. It’s a no-brainer decision to put the ring in the lock-box while you are carrying it around, while it’s on the truck, and when it’s passing through the FedEx facility. For digital data there is a magical lock-box which is called data encryption.

Well, it seems like it should be a no-brainer decision to use the lock-box. The truth is, most people don’t/won’t. They either don’t know about it or don’t want to be hassled by it (it’s a little heavier to carry around in your pocket, it’s a little more expensive, there are other things to do aside from running around town trying to find a lock-box, etc.). For digital data, lock-boxes are called “RSA encryption”, 3DES, RC5, AES, and others. They’re all uncrackable when using 256-bit keys.

To reiterate, there is a lot of confusion out there regarding encryption, but to make a long story short, in a well-designed encryption system “guessing the combination or key” is impossible.

The real vulnerability with data encryption schemes comes with stealing the key. That is, if you write the combination down on a piece of paper or tell your friend the combination over the phone – that represents the thief’s best opportunity to steal the key. If they are also able to steal the lock-box then they’re in business.

Oddly, all this conversation leads us to a few simple rules when designing a secure system:

1) Always encrypt (lock-box) sensitive information regardless.

2) Never store the key in the same place as the encrypted data (or any place that can be found by knowing the location of the lock-box). For example, if you store encrypted credit card info on a phone, don’t also store the decryption key on the phone. If you store encrypted credit card info on a server, don’t store the decryption key on the server. Store the encryption key on the server and the encrypted credit card info on the phone, or vice versa.

3) When the “lock-box” is un-locked using the key – always discard the key immediately after the unlock operation. Lock the data back up as soon as possible afterwards.
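The three rules above, put together as an added example that is not part of the original article. It uses AES-256-GCM from Node's built-in crypto module (a choice made here; the article only names AES among its lock-boxes), and `phoneStorage`, `serverKeyStore` and every function name are hypothetical stand-ins for the phone and the server.

```javascript
const crypto = require('node:crypto');

// Rule 1: always encrypt. AES-256-GCM also detects tampering with the blob.
function sealCard(cardNumber) {
  const key = crypto.randomBytes(32); // 256-bit key, handed to the server only
  const iv = crypto.randomBytes(12);  // unique per encryption, not secret
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(cardNumber, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]); // iv | tag | ciphertext
  return { blob, key };
}

// Rule 3: the key copy is wiped as soon as the unlock finishes, even on failure.
function openCard(blob, key) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
    decipher.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
  } finally {
    key.fill(0);
  }
}

// Rule 2: two separate stores (constructed stand-ins). The phone never holds a key.
const phoneStorage = new Map();   // encrypted blobs only
const serverKeyStore = new Map(); // keys only
function enroll(userId, cardNumber) {
  const { blob, key } = sealCard(cardNumber);
  phoneStorage.set(userId, blob);
  serverKeyStore.set(userId, key);
}

// The server releases a copy of the key for one unlock; openCard wipes that copy.
function pay(userId) {
  const keyCopy = Buffer.from(serverKeyStore.get(userId));
  const card = openCard(phoneStorage.get(userId), keyCopy);
  return { last4: card.slice(-4), keyWiped: keyCopy.every((b) => b === 0) };
}

// With only the phone's blob and a guessed key, the GCM tag check rejects the unlock.
function openWithoutServerKey(userId) {
  try {
    openCard(phoneStorage.get(userId), crypto.randomBytes(32));
    return 'decrypted';
  } catch {
    return 'rejected';
  }
}

enroll('alice', '4111111111111111'); // constructed test card number
console.log(pay('alice'), openWithoutServerKey('alice'));
```

The key lives in a Buffer so it can be overwritten; the decrypted card number is a JavaScript string, which cannot be wiped, so keep it in scope only for the payment call.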

 

