Article:

How do we determine the effectiveness of mobile apps’ security systems?

How do we determine the effectiveness of mobile apps’ security systems?

With the spate of remote working regime due to Coronavirus pandemic, the reliance and growth for video conferencing platform has been exponentially escalated. Zoom, one of the more widely and popularly used platform, was reported to have 500,000 hacked accounts being sold on the Dark Web. Zoom credentials stolen includes email address, passwords, Zoom host keys, among others. These type of attacks are not unique to Zoom. 

In 2019, a white-hat hacker successfully accessed Tchap, the French government’s secure, encrypted messaging app that was restricted to certain government officials. Meanwhile, banks and digital forensics experts have been reporting a new type of malware that targets mobile banking apps, obtains financial data, and covertly performs operations on these apps.

A few factors contribute to this widespread lack of security. The most commonly used protective measures—code obfuscation, app shielding, and even sophisticated white-box cryptography—can only slow down a cyberattack, not prevent it.

Businesses also need to consider user experience and scalability alongside security. You could make the code almost undecipherable for cybercriminals, but that would significantly slow an app down, too. You could use hardware to physically protect data, but that would limit operations to a specific location or device and have an impact on user experience.

The problem with settling for the status quo is that you can possibly compromise secret keys and user data. This is compounded in the banking and government sectors. A successful hack could result in the theft of millions of dollars, state secrets, or comprehensive information on citizens

As a result, additional mobile app security solutions have emerged, ranging from mobile ID software to biometric verification. But with the erosion of customers’ trust in IT security, the same problem plagues these security solutions: how do we know we can actually rely on them? What vulnerabilities in these systems will expose our data?

And, more fundamentally, do these security solutions actually do what they claim to do?

What certification does – and doesn’t – achieve for security products

That’s why many IT security companies undergo rigorous evaluation to get their solutions certified. 

But ask any cybersecurity insider and they’ll tell you to take these certifications with a grain of salt. After all, these badges only serve to guarantee that a product does what it’s designed to do. That means they hold varying weight for products with different designs, functions, and objectives.

Herein is another conundrum for consumers – if they can’t take certifications at face value, then what guarantee of security can they have? 

“The key is to analyze what exactly was tested and certified,” according to Er Chiang Kai, Chief Technology Officer of V-Key. “You also need to look at the scope of the certification. Gaining certification for one security product does not mean the entire suite of security solutions is certified, too, unless the former serves as the design foundation and basic infrastructure of the entire suite.”

That’s what V-Key did when it obtained EAL3+ certification for its V-OS product in July 2020.

What is EAL?

An Evaluation Assurance Level (EAL) is a category ranking given to an IT system or product following a Common Criteria security evaluation, which is an international standard. The category is reflected in a numerical rating (i.e., EAL 1, EAL 2, and so forth). A higher rating doesn’t necessarily mean a product is more secure, but rather that it underwent a deeper and more rigorous level of evaluation.

Protecting mobile apps through a virtual secure element

V-OS is a patented virtual secure element that can be embedded within a native iOS or Android mobile app. Think of it as a secure sandbox that “creates a safe operating environment where data can be stored and cryptographic processes can be executed in isolation from the rest of the mobile app”.

In other words, even if cybercriminals can reverse-engineer a mobile app’s code and get into the system, they can’t break or access the box. They can’t get their hands on confidential data stored within V-OS.

V-Key’s other security products, including but not limited to a smart token, biometric EKYC (electronic Know-Your-Customer), and cloud identity solutions, are built on V-OS. That means by obtaining EAL 3+ certification for V-OS, V-Key has shown that its entire suite of security products can be trusted. 

Er Chiang Kai highlighted that this is the first virtual secure element in the world to accomplish such a feat. 

In addition, V-Key achieved FIPS (Federal Information Processing Standard) 140-2 Level 1 certification – a security standard issued by the U.S. government – for V-OS in 2016. The company is now aiming for a higher level for FIPS140-2 certification.

Bottom line: it’s all about trust

Government agencies, as well as banks like UOB and DBS, use V-OS to secure their mobile applications. With the V-OS’ EAL3+ and FIPS 140-2 certifications, these and other V-Key clients can guarantee their customers that their apps’ security systems work the way they’re intended to. 

That goes a long way in establishing trust, especially in today’s climate where cybercrime is rampant.  

“By having a common criteria certification, we give our customers the assurance that our product has been well-evaluated and has all the protections that are expected by the customer when they use it,” added Er Chiang Kai in the press release. “We want to give customers a product they can trust.”  

And in the end, thats really what certifications help achieve.

Download PDF Here!

Article
Is the detection of jailbroken/rooted phone sufficient against threats?

Functions that detect jailbroken/rooted devices are most commonly added to transactional mobile applications, serving as the most basic defense against threats. However, this is nothing but a drop in a bucket.

Article
Why Existing Mobile Software Protections are Insufficient

Recognizing that existing mobile software protections are insufficient against today’s cyber threat landscape, we take a closer look at the main types of software protections in the market.

Article
V-OS Protection against CPU vulnerabilities

Virtually every computing device in the world is made unsafe by the latest disclosures on Central Processing Unit (CPU) vulnerabilities. Find out how the virtual secure element technology is protecting millions of mobile application users against such vulnerabilities.

Article
V-OS Protection against Android Plugin malware

There has been a recent surge in Android malware abusing Android Plugin Frameworks for malicious behavior. DroidPlugin, Parallel Space and VirtualApp are several plugin frameworks that have been abused by malware in recent months to spread Android malware.

Article
Three steps to fight the Mobile Security status quo

Have financial institutions accepted a status quo that sacrifices user experience for increased security? With mobile digital identity quickly becoming central to an entire suite of online services, those who challenge the status quo will set themselves up to prosper and grow. Read more to find out three oft-ignored areas of research.

Article
Cryptography in V-OS

V-OS is the world’s first virtual secure element. Cryptography plays a dual-role in these; to secure and manage the secrets kept within V-OS, and to provide a lightweight yet comprehensive cryptographic library.

Article
Building V-OS with HSM

V-OS is the world’s first virtual secure element, a software solution with security built into the firmware code. These include secret cryptographic parameters and data, which need to be randomly generated and securely persisted, and are then transformed into code and data files.

Article
How does a Virtual Smart card protect a customer if they lose or change their mobile phone?

From banks to government agencies, many organisations are intrigued by and exploring software security solutions such as mobile tokens and mobile identity systems for individual identification, authorisation and authentication.

Article
Is software-based Biometrics Authentication the solution to ASEAN’s regulatory challenges?

Banks in Southeast Asia should look towards software-based biometrics as the way forward to navigate the regulatory differences in the region and secure their customers’ transactions.

Article
Infographic: The next frontier in Banking transformation

As technology evolves, banks and financial institutions have no choice but to innovate. However, when it comes to security, many still rely on traditional, costly methods.

Article
Mobile Security that works for everyone

Safe, convenient and simple.

Article
The next wave of Finance: Singapore’s growing Fintech market

With global cumulative investment in financial technology (fintech) forecast to exceed US$150 billion in three to five years, economies around the world are vying to attract fintech innovators and cash in on this growing industry.

Article
Deloitte Partners with V-Key

Deloitte’s Thio Tse Gan, Cyber Security Leader (SEA), shares his views on V-Key’s impressive technology, that brings an end-to-end mobile identity solution.