The 4G Security Threat for Mobile Developers
We are accustomed to thinking that smartphone safety depends on the habits of the user, but that’s likely to change with the transition to Long-Term Evolution (LTE) architecture, popularly known as 4G. Even the most careful user who never loses a phone, installs security software, and never uses suspicious apps might be more vulnerable than you think. And it’s not just consumers who are at risk—there are potential threats for any entrepreneur building a business around mobile applications or devices.
Here’s the problem for developers. Any cellular network core is a virtual treasure trove of sensitive information about your customers and their daily interactions via mobile—interactions made possible by the innovative apps and platforms that mobile entrepreneurs are creating every day.
Think of the operator’s core network as a kind of vast control center that processes and manages all the information that is sent to and from your customer’s smartphone and millions of other users’ devices. Now imagine how, in the wrong hands, even the most limited glimpses into that information could be put to use, and the scale of consumer backlash that such breaches could unleash, with the potential to undermine the vitality of the entire mobile ecosystem.
In the days of 3G, a closed and protected end-to-end environment allowed operators to apply rigorous safeguards to protect communications from tampering and theft. But the mobile security environment is changing in a big way as operators address overwhelming traffic volumes by moving to faster, more distributed, and more heterogeneous LTE networks. Because LTE is all-IP, it is subject to the same security vulnerabilities as any PC or business network, which puts a question mark on the security of the smartphone or mobile device.
While this doesn’t apply to operators with their own fixed and mobile network assets, most mobile providers don’t have that advantage, and must stitch together their LTE coverage from a diverse array of technology, network sharing relationships and backhaul strategies. One such instance is the explosive growth in the use of small cell radio base stations from multiple vendors, in locations varying from lampposts to the roofs of convenience stores, which are inherently vulnerable to physical as well as digital threats. Another is Wi-Fi offload, where the user is connected to an enterprise network at one moment and is hooked in to free public Wi-Fi at an airport or coffee shop the next. Security is part of the collateral challenge with which operators struggle to deal.
The Innovation Dilemma
The threat profile that LTE networks present suddenly appears very different from what we have seen in previous generations of mobile networks. And yet operators trying to solve these new security challenges are not being well served by some of their traditional infrastructure vendors, the mega-corporations whose routers and servers were designed for the telecoms environment of the ’90s. Security places a huge burden on typical core network equipment, slowing performance and requiring operators to continue making costly purchases without ever catching up with traffic needs. Incumbent equipment vendors are highly protective of their installed base, and so slow to move that operators are looking to startups and innovators who can remove this barrier. Surely, when the mobile industry is sparking an unprecedented level of creativity and opportunity for entrepreneurs from arts to artificial intelligence, it makes sense to bring innovation into the heart of the telecoms operator network. The only question is why the turn to new solutions is taking so long.
For the app developer, the battle between legacy vendors and innovators should be of key interest. With more network sharing arrangements between mobile telecom carriers, and growing use of Wi-Fi offload, mobile consumers will become increasingly “nomadic”—more and more unaware of the precise network on which they are currently receiving service, and increasingly frequently being served by an all-IP network.
This means that your mobile banking or advertising app is only as secure as the least secure network to which your consumer’s device is currently connected. Not a comfortable thought when the opportunities for data thieves are so attractive: a Facebook mobile app gets diverted to fraudulent links, mobile check deposits or mobile payments are intercepted, a consumer’s personal data is suddenly compromised when she syncs her hacked phone to her PC or laptop.
It’s ironic. At the precise moment that the market is urging mobile consumers to make use of the most security-sensitive financial applications, carriers are moving towards greater use of potentially untrusted networks and vulnerable all-IP architectures, while their infrastructure vendors are struggling to deliver adequately performing security solutions. It’s time for telecom carriers to get over their entrenched conservatism and look beyond the incumbents to network solutions as innovative as the entrepreneurs, apps, devices and consumers that their network supports.
Any participant in the mobile ecosystem with skin in the game should be paying close attention to how the security conundrum is handled. Mobile-focused businesses can’t take full advantage of LTE speed bumps if they constantly struggle to gauge which network is safest. All businesses looking to ride the next wave of mobile communications need to stay in touch with the debate and lobby for appropriate protection rather than settle for the same mixture as before—or something designed for a different purpose. At the end of the day, lack of innovation in just one area puts all innovators at risk of missing the next economic wave.