Corporate smartphones, which process tasks previously done on secured PCs, now require the same protection against snooping and malware – and security providers are lining up to provide intermediate safeguard systems.
Mobile security software is now evolving rapidly to meet the growing needs of the business market, although some vendors freely admit that this segment has only really been commercially relevant since around 2011; but as enterprise smartphone usage has exploded the risks of unauthorised access to sensitive corporate information, hack-based disruption, and commercial espionage, have also accelerated.
With mobile devices far more capable than ever in terms of screen size, storage capacity and processing power, many are now regularly used for home working, for example, and businesses are increasingly nervous about protecting information which is on personal devices and not under the corporate ICT function's direct control.
Smartphones are an enabler for remote working on a much larger scale, using email and virtual private network (VPN) to access enterprise accounts. According to David Holman, vice president of sales for Europe at Cellcrypt, an eight-year-old company which specialises in encrypting data on wireless cellular, Wi-Fi and satellite networks, there is "also a level of voice security in part brought about by the ability for voice calls to be intercepted relatively easily and cheaply by hackers without needing huge knowledge".
Commercial organisations of all sizes now roll out smartphones, tablet PCs and other portable devices to employees en masse for the purposes of their work. This has greatly expanded the opportunity for mobile device management (MDM) platforms that specialist software vendors and telcos traditionally offered large corporates. Features include user and device authentication, remote lock and/or wipe to prevent access if the device is lost or stolen, centralised over-the-air (OTA) application and content distribution, and configuration and management from the comfort of the IT manager's desk without having to call in hundreds of devices from dissatisfied staff.
Security software companies that previously focused on the PC market but have now started to shift their attention to the mobile device sector include brand leaders Kaspersky Lab, AVG, Norton, Webroot, F-Secure, McAfee and Trend Micro. According to a report compiled by market-watchers ABI Research, these companies often hang on to the coattails of start-ups specialising in prevention of data being stored on mobile devices and control over who and what has access to it.
"If you work for a global oil company, then the last thing you want is an OPEC policy document sitting in your iPhone," says Ian Evans, EMEA managing director at MDM specialist AirWatch. "But with metadata and tagging, we can strip the email attachment off the message, put it in the cloud, or an on-premise data store, then profile the device before we allow it access."
However, while many applications have started to include document encryption protection, anti-virus tools, authentication mechanisms, number blocking, phone location capabilities, SIM card removal protection, download scanning and application locking for mobile platforms, few have evolved beyond the device itself to protect the communications sessions that smartphones enable. In some respects this is the next frontier for enterprise mobile security provisioning.
Encrypted voice, text and IM
Reports in October 2013 that Germany's Chancellor Angela Merkel had her mobile calls monitored by the US government's National Security Agency, despite having a secure device which she could have been using, caused alarm around the world.
For consumers, fears of somebody monitoring mobile calls, SMS messages and instant messaging (IM) conversations may be nothing more than healthy paranoia. The situation is potentially more serious for public sector organisations dealing in information covered by the Official Secrets Act, along with businesses wanting to protect intellectual property and 'trade secrets' that might be useful to rivals and competitors.
ABI Research senior analyst and cyber security expert Michela Menting points out that people living in countries where there is active government censorship may have genuine cause for concern. She maintains, however, that it is government agencies and corporate staff who have the most to lose, which is one reason for increasing numbers of organisations putting policies in place to make sure that their representatives use voice encryption and do not connect to the local Wi-Fi service while attending conferences and other large-scale meetings.
"This happens at a lot of big, international trade shows, as well as where communications on local Wi-Fi networks can be easily intercepted," says Menting. "There is definitely a lot more awareness about the information that may be imparted on the phone when attending the type of event where lots of competitors will be present."
Mobile encryption platforms
Depending on individual requirements, businesses do not have to pay through the nose for feature-rich MDM and mobile encryption platforms. Some are available as a managed or subscription service, including those from AirWatch, CellCrypt, Centrify and Silent Circle. A raft of tools from software start-ups give small businesses and consumers specific elements such as VPNs, message management and voice encryption, which may offer a smaller, but more tailored form of protection.
AnchorFree offers both free, advert-supported and premium versions of its Hotspot Shield mobile VPN platform. It is aimed at companies with 50-100 employees that do not have the expertise or infrastructure to set up their own VPN server, and are therefore looking for a quick and effective method of securing devices attached to public Wi-Fi networks, rather than full MDM services offered by specialist vendors or telcos, for example. The software provides secure Internet browsing, anonymous IP addresses and basic malware protection for Android and iOS devices, adding anti-spam and telephone support in the paid version.
Others offer software that encrypts voice calls made between Android apps installed on two devices either end of a data-enabled communications channel, whether Wi-Fi or cellular, with Whisper Systems' RedPhone (acquired for an undisclosed amount by Twitter in November 2011) based on open-source code, which is free to download. The company also offers an app which secures SMS messages called TextSecure.
GroundWire is the business version of the Acrobits Softphone, another VoIP client for iOS devices, based on the session initiation protocol which adds call conferencing, multi-line call waiting, voicemail, and GSM Web call-back/call-through to help reduce GSM roaming charges on international connections, as value-added features.
PrivateWave's PrivateGSM, meanwhile, also uses SIP (session initiation protocol, a signalling communications protocol used for controlling multimedia communication sessions – such as voice and video calls – over IP networks) to set up mobile voice encryption on selected Nokia S60, Apple iOS, BlackBerry and Android-based devices.
The enterprise version includes PrivateServer, which links PrivateGSM into the company's existing VoIP private branch exchange allowing mobile users to make secure calls into desktop IP phones and to standard analogue telephone numbers connected by the public switched telephone network (PSTN), and vice versa. A'subsection'of mobile security companies are also turning their hand to encrypting video communications. Silent Circle allows users to send encrypted video calls made between Android and iOS mobile handsets alongside text messages, phone calls and file transfers.
Free to download open source platform Jitsi (formerly SIP Communicator) also supports videoconferencing and instant messaging using a range of common protocols and ZRTP encryption, but only between PCs or tablets running desktop operating systems rather than smartphone equivalents. AnchorFree is proposing a service that allows users to share their mobile phone videos selectively rather than posting them to YouTube, for example.
Its software stores a pointer on the site that leads the viewer to the actual content which is hosted somewhere else and accessed with a password. The video can be set to expire after a defined period of time.
The company conducted a survey of college students which found that 82 per cent had regretted videos they had posted to Facebook and other social network and sharing sites from mobile and other devices, voicing concerns that they would cause damage to their employment prospects in the future.
There is, of course, no absolute guarantee that any mobile security, MDM, apps or services will work on any one device. AirWatch and others spend considerable portions of their research and development budgets testing their software against individual makes of handset. This process has to be thorough, but the nature of the enterprise mobile market can help because certain handset types are more likely to be in the hands of business users.
VPNs over mobile networks
Because secure voice communications and encryption applications rely on setting up voice-over-IP (VoIP) links over data-enabled wireless networks, predominantly GSM, GPRS, 3G/4G and Wi-Fi, but also satellite and other forms of wireless networks, both the device and the network has to support data transfer.
"Mobile VPNs are not as reliable as they could be – sometimes they just stop working when the user moves from one cell to another, or from Wi-Fi to 3G," says David Holman at Cellcrypt, "and that is not conducive to voice communications [which are more sensitive to latency]."
In congested networks, where bandwidth is constrained by the number of users transmitting data simultaneously, latency can also disrupt the natural flow of conversation. Voice encryption packages attempt to get around this by using low-bitrate audio codecs, such as adaptive multi-rate audio (AMR) or Speex, which use anything from 4.75Kbit/s to 7Kbit/s of data to make calls.
With wireless network bandwidth and load balancing improving, however, it is arguably the initial call setup procedure where delays are more likely to happen. End-user tests suggest that placing a secure, encrypted mobile call can take almost twice as long for the remote receiver to start ringing followed by a brief one- to two-second delay caused by the authentication process. Handsets themselves may also be unsuitable to support adequate security.
Cellcrypt is considering adding extra features such as secure email and video broadcasting to its platform, for example, but says that data at rest is best handled by dedicated hardware features, which few smartphones yet incorporate.
"There are areas around message broadcasting on a one-to-many basis we might look at which work in the same way as one to many video broadcast technologies," says Cellcrypt's Holman, "but we need to wait for specific handsets [which support the Trusted Execution Environment (TEE)] to come out because secure pictures and video need data to be secured at rest."
Are the telcos missing a trick?
In theory at least, it is telcos and mobile operators which look best placed to capitalise on growing demand for mobile data and voice/text/video encryption – they own both the customer and the mobile communication channel after all.
Yet while many have been offering MDM platforms and integrated security solutions aimed at larger public and private sector organisations for years, ABI Research's Michela Menting says few are doing much on the mobile voice encryption side. She says they prefer to concentrate on filtering and white listing for word searches to block specific website access from mobile devices for consumer customers.
In the UK, for example, Vodafone uses filtering technology based on the Blue Coat platform, and similar products such as SafeNet and SmartFilter in other countries. Mobile operators including Vodafone and Telefónica in Europe (O2 in the UK) also use AirWatch products for enterprise grade MDM and mobile security.
"They [the operators] tend to partner security providers – I do not see a lot of solutions where they are developing their own," according to Menting. "It usually involves filtering at the network."
In the US, carrier AT&T is one of the few to offer mobile voice encryption services to businesses using BlackBerry and Windows Mobile devices based on KoolSpan's TrustChip and SRA International's One Vault technology, while North American rival Verizon teamed up with CellCrypt to deliver similar services to US government accounts in 2012.
European operators appear to be playing catch-up to an extent, but also seem reluctant to push mobile voice calls off GSM and onto data channels due to network performance and cost concerns.
"They [mobile operators] have an interesting quandary," says David Holman at Cellcrypt. "They want to make money out of [conventional] voice calls, but that revenue is going away, so they have to make more money out of data [to compensate]".
Holman points out that it makes more sense for large corporates and government agencies with large scale contracts providing connectivity to thousands of users at a time to ask mobile operators if they can sell them secure voice services on top of regular subscriptions."