An Oracle blog about PeopleSoft Technology

The (in)security of mobile access

Greg Kelly
Product Strategy Director - Security

With the introduction by PeopleSoft of the Fluid User Interface the type of device, and screen size, has become transparent to the application. While technically PeopleSoft can accommodate any device access, there is the issue that mobile devices, and the native browsers and protection software, are not as robust as similar desktop versions. The mobile operating systems have been shown to be “leaky.”

This is compounded when an organization broadens access to the application to an indeterminate population with a variety of BYOD (Bring Your Own Device) devices where those non-corporate users have installed potentially rogue applications or are circumventing the device native OS restrictions by jailbreaking or rooting.

I have given sessions on “What You Need to Know before Exposing Production Services on Smartphones/Tablets” a few times, but I thought it might be useful to call out some of the more important topics for consideration.
The areas include:

Compromised Devices DoS and DDoS
VPN and HTTPS SMishing
Untrusted Networks Exfiltration
Inappropriate Access  


MAM/MDM/EMM – Main Protection Solutions
(see: Mobile Application Management, Mobile Device Management, Enterprise Mobility Management)

One of the main considerations is what sort of protection can be put in place?
These protection solutions generally come under the broad term of “Enterprise Mobility Management.” There are a number of vendors for these products, and as always, it is difficult to measure the RoI for security. With security, particularly mobile security, we are protecting the user while they are accessing the system and protecting the system, data and infrastructure, from inappropriate access, either deliberate or inadvertent.

The graphic shows the notional differences between HTTS. VPN, and the IPSEC/AppTunnel type feature delivered by most EMM solutions.
In this case, the unsecured traffic from a compromised device is carried by both HTTPS and VPN. The IPSEC/AppTunnel carries traffic from the secured app within the device to the application backend.

In general, but more importantly, for mobile, VPN, (T)OTP, HTTPS are not alone sufficient security, other protection has to be considered.

All protection, and security standards, rely on “People, Processes, and Technology” and many of our customers have implemented sophisticated systems.

mobile anti-viru comparison The attached graphic from DEFCON a couple of years ago, shows a review of various vendors’ mobile anti-virus solutions, showing some weaknesses in those solutions. Obviously, solutions improve, but vendors still struggle with the compromise on mobile systems of memory, processing and power efficiencies.

You should be able to find the recorded version of the presentation on the Quest user site, but if you would like a copy of the presentation PDF just let me know.

You may also find the DISA site of interest:
DoD Mobility Unclassified Capability (from DISA - Defense Information Systems Agency)

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.