Two into One: A Safe Environment for Mobile Openness
Posted: February 7, 2011
By David Wood, Accenture Embedded Software Services
It’s no real surprise that two powerful trends in mobile software are on a major collision course: 1) users of mobile devices want more control over these devices, and 2) corporations also want more control over these devices.
The first trend is that users of mobile devices want more control over these devices. More precisely, they want more choice over what happens on these devices. And they want to bring that personal choice and control with them when they enter the workplace. They like particular devices. They like how they’ve customised them and augmented them. And, in these days of “there’s an app for that”, they especially like being able to install whatever apps they choose: games, hobbies, entertainment, social - whatever.
The second trend is that corporations also want more control over these devices. Devices in employee hands can be packed with numerous pieces of sensitive data - business critical email discussions, prized customer information and other corporate secrets. Employees use these same devices to join enterprise conference calls or trade instant messages on hot business news. Corporations do not want this data falling into the wrong hands. So they typically insist on elements of device management: business data must be encrypted, devices should be password protected, and there should be a remote kill (or remote wipe) functionality that can be administered, in case the device is lost or stolen.
But suppose one of the apps installed by a user turns out to be more than it seems. Cunningly disguised inside it, there’s some kind of listening or monitoring mechanism. The user thinks, for example, that they’re playing a variant of the most recent popular mobile phone game. But in reality, behind the scenes, confidential business information is being badly compromised. And this could be going on for months, without anyone realising it.
As a foretaste of potential worse problems in the near future, Yahoo! News recently analysed reports of the so-called “Gemini” malware that disguises itself as a legitimate application, game or other software programme and infects devices using the Android OS.

The problem is that, these days, it’s not just bored teenage hackers that write so-called “malware”. Nor is it just underworld denizens from emerging economies who want to boost their income by tricking users into inadvertently sending premium rate text messages. Increasingly, sophisticated spyware is being created by, yes, sophisticated spies - some of whom (whisper it) may even be employed, directly or indirectly, by overseas government agencies.
And with the exponential growth in the quantity and value of corporate data that passes through mobile devices, there are ever greater forces ready to pry into that data.
From my own observations, it’s the city gents in pinstripe suits who often seem to enjoy relaxing, on the train home from London Waterloo, by playing various wacky games of skill on their corporate messaging devices. Who knows if these games came attached to a nasty payload?

Like it or not, as spying technology becomes more powerful, there seem to be lots of people willing to use it. The Register reported last year that authorities in Romania had arrested 50 people for surreptitiously installing “off-the-shelf software to monitor cellphone communications of their spouses, competitors, and others”. The people arrested “included businessmen, doctors, and engineers, in addition to a judge, government official, police officer and former member of Parliament”.

Combine malware and spyware, and the outcome is unpleasant. So what’s to be done?
One simple solution is for companies to insist on “two devices”: one phone for employee personal use, and another for business use. Users can install all the apps they like on their personal device, but the business phone is strictly controlled by the company. But there are drawbacks: an extra device adds to the weight of what needs to be carried around, and is something else that needs to be periodically recharged with electricity.

More fundamentally, employees - often including the most senior employees in a company - frequently have their own stubborn views on the kind of device they’d like to use for their business conversations. Rather than being assigned a mobile device, they’d much prefer to “bring their own”.
The next line of defence involves additional runtime checks happening on the (single) device carried by employees. The operating system on the device can check that installed software has the requisite permissions before allowing it access to sensitive data.

Anti-virus scanners can also run periodically on the device, looking for known malware, or for other suspicious behaviour. There’s a lot to be said in favour of these solutions. However, they’re not foolproof. In an arms race of measures and countermeasures, malware can find new backdoors to exploit, new spoofing mechanisms, and new ways to disguise itself.
The problem here is the sheer size of the operating system software. Modern smartphones sport operating systems with many millions of lines of code, and have to cope with numerous unforeseen combinations of applications and device drivers using different facilities of the operating system in parallel.
Even if tens of thousands of reviewers check over parts of this code, there’s scope for subtle defects to exist - scope that malware can exploit. Things get worse when overly confident employees take matters into their own hands and obtain special privileges (such as “root”) for applications they choose to install on their phones.

This is where a third idea enters the picture - an idea that promises to combine the best of each of the two previous solutions. Rather than two phones on two devices, the idea is (strange though it initially sounds) two phones on one device.
Two different operating systems co-exist on the device: one providing the environment for secure business communications and content, and the other providing the environment for the user’s personal purposes. The two different environments both run at the same time - the user can easily switch between the two of them. However, data communications between the environments are very strictly limited.
What makes this piece of apparent magic work is technology known as “mobile virtualisation”, implemented by a so-called “hypervisor”. The hypervisor is like an operating system for operating systems. Each of the two main operating systems exists in a virtual environment, provided by the hypervisor. Bugs in the individual operating system environments are unable to reach into the other environment, to start extracting data (or any other nefarious activity).
For all this to work, two important principles need to hold true:
- The hypervisor needs to be, err, hyper secure, to prevent it in turn being hacked. Hypervisors that have very small cores provide the least “attack target area”. (The technical name for this “core” is “TCB” - or “Trusted Computing Base”.)
- The hypervisor needs to be hyper efficient, to prevent any noticeable slowdown in device operation as a result of its presence.
As it happens, mobile virtualisation provides several other important benefits too. Running several operating systems in parallel can support the following requirements:
- One operating system can run important “legacy” applications in a trusted environment (for example: applications that hook into network-side services provided by a telecoms operator), whereas another supports applications from newer, popular operating systems (such as Android).
- One highly specialised operating system can start up extremely quickly (within milliseconds), leaving it to another, more general, operating system to run the bulk of the services expected by the user.
- One operating system can run the wireless signalling stack, with its demanding real-time constraints, whereas another can run the application suite - with both operating systems running on the same processor, thereby saving vital manufacturing costs.
Happily, at least three companies have launched hypervisors in the mobile marketplace: Open Kernel Labs, Red Bend Software, and VMware.

As with many new technologies, they’ve been some time in development, but there are signs that 2011 will see increasing interest in the deployment of these technologies in commercially significant quantities. A healthy competition between the different solutions available helps sharpen everyone’s product. Early investigations into the possibilities of hypervisors are throwing up all kinds of interesting possibilities.