{"id":268,"date":"2015-01-28T23:04:01","date_gmt":"2015-01-28T23:04:01","guid":{"rendered":"http:\/\/outworx.com\/blog\/?p=268"},"modified":"2017-03-29T11:57:41","modified_gmt":"2017-03-29T11:57:41","slug":"more-secure-architecture-for-mobile","status":"publish","type":"post","link":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/","title":{"rendered":"A More Secure Architecture for Mobile"},"content":{"rendered":"<p>What do the latest Apple iPhone and many Samsung Galaxy Android phones have in common? \u00a0Each runs two separate operating systems on a single phone. \u00a0The application OS is the familiar iOS or Android OS. \u00a0Users download their apps and run them in this OS. \u00a0The second OS is a small, secure OS that handles keychains, cryptographic functions, and similar high security functions.<\/p>\n<p>Apple&#8217;s secure OS for is described in their <a title=\"iOS Security, October 2014, iOS 8.1 or later\" href=\"https:\/\/www.apple.com\/business\/docs\/iOS_Security_Guide_Oct_2014.pdf\" target=\"_blank\">security white paper<\/a>. \u00a0According to that paper,<\/p>\n<blockquote><p>The Secure Enclave is a coprocessor fabricated in the Apple A7 or later A-series processor.\u00a0It utilizes its own secure boot and personalized software update separate from the\u00a0application processor<\/p><\/blockquote>\n<p>The Secure Enclave runs an <a title=\"Wikipedia article on L4 microkernel family\" href=\"http:\/\/en.wikipedia.org\/wiki\/L4_microkernel_family\" target=\"_blank\">L4 microkernel<\/a>, which has been modified by Apples. \u00a0The Secure enclave uses encrypted memory. \u00a0It communicates with the application processor via a single mailbox and some (unencrypted) shared memory. \u00a0It is impossible for the application processor to even access the main memory for the Secure Enclave. \u00a0Some devices, like the Touch ID sensor, communicate directly with the Secure Enclave over an encrypted channel. \u00a0The application processor can&#8217;t read the encrypted data sent to the Secure Enclave.<\/p>\n<p>Many of the Samsung Galaxy phones are compatible with their Knox mobile security and management solution. \u00a0The Knox phones use Samsung&#8217;s Trust-Zone-based Integrity Measurement Architecture (TIMA) to verify the integrity of the Android\u00a0OS. TrustZone-based keystores strengthen the key storage.<\/p>\n<p>Mobile devices are increasingly used by consumers for digital wallets and payments. \u00a0Merchants use mobile devices and tablets to accept payments. \u00a0These use cases require high levels of security, and the design pattern used by Apple and Samsung can dramatically boost security.<\/p>\n<p>The key concept here is to have two operating systems in a single device. \u00a0A small, secure OS runs in a trusted environment. \u00a0Its memory cannot be read by the application\u00a0OS, and its memory can even be encrypted. \u00a0The application\u00a0OS cannot disable or interfere with the secure OS.<\/p>\n<p>Because the secure OS is small, its attack surface is also small. \u00a0Microkernels work well here since they can be verified. \u00a0In contrast, the feature rich Linux\u00a0kernel has\u00a0over <a title=\"Lines of code in the Linux kernel\" href=\"http:\/\/royal.pingdom.com\/2012\/04\/16\/linux-kernel-development-numbers\/\" target=\"_blank\">15 million lines of code<\/a>, so reviewing its security in depth would be problematic to say the least.<\/p>\n<p>The secure OS can also have encrypted communications to devices. \u00a0In Apple&#8217;s implementation, this means that fingerprints can only be read by the secure OS, and the application OS can&#8217;t even unencrypt them. \u00a0This same approach could be used to securely communicate between a credit card reader and the secure OS. \u00a0For POS terminals, this means that a credit card reader could talk to the secure OS without unencrypted credit card data ever passing through the application OS. \u00a0Carefully, done, this would make the POS almost immune to memory scrapers that steal credit card data. \u00a0(The scapers could only access the application OS memory, not the secure OS memory.) \u00a0This could also reduce the PCI compliance effort since the applications running in the application OS would never see credit card data. \u00a0For these apps, the system\u00a0would resemble a P2P solution.<\/p>\n<p>The application OS is the large feature rich and far more insecure environment\u00a0where mobile apps are downloaded and run. \u00a0It has to be present, because consumers want it. \u00a0It lets them tap into the rich ecosystem of apps in the iTunes store or Google Play. \u00a0It also gives development organizations access to the many developers who are familiar with the iTunes and Android interfaces.<\/p>\n<p>Using the two OSes in a single phone gives consumers the power and flexibility of iOS or\u00a0Android apps, while significantly improving security. \u00a0Custom built devices POS can also reduce PCI compliance effort, and potentially defeat credit card memory scrapers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What do the latest Apple iPhone and many Samsung Galaxy Android phones have in common? \u00a0Each runs two separate operating systems on a single phone. \u00a0The application OS is the familiar iOS or Android OS. \u00a0Users download their apps and run them in this OS. \u00a0The second OS is a small, secure OS that handles &hellip; <a href=\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;A More Secure Architecture for Mobile&#8221;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":521,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"xn-wppe-expiration":[],"xn-wppe-expiration-action":[],"xn-wppe-expiration-prefix":[],"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0},"categories":[13],"tags":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A More Secure Architecture for Mobile | OutworX<\/title>\n<meta name=\"description\" content=\"Architecture of mobile apps needs to be secure to prevent any fatal issues with app users. This is an detailed guide on secure architecture of mobile.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A More Secure Architecture for Mobile | OutworX\" \/>\n<meta property=\"og:description\" content=\"Architecture of mobile apps needs to be secure to prevent any fatal issues with app users. This is an detailed guide on secure architecture of mobile.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/\" \/>\n<meta property=\"og:site_name\" content=\"OutworX\" \/>\n<meta property=\"article:published_time\" content=\"2015-01-28T23:04:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-03-29T11:57:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/mobile-secure.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1078\" \/>\n\t<meta property=\"og:image:height\" content=\"516\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Outworx\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\",\"url\":\"https:\/\/www.outworx.com\/blog\/\",\"name\":\"OutworX\",\"description\":\"Blogs, News and Updates of IT Industry | OutworX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.outworx.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/mobile-secure.jpg\",\"contentUrl\":\"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/mobile-secure.jpg\",\"width\":1078,\"height\":516,\"caption\":\"mobile secure architacture\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#webpage\",\"url\":\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/\",\"name\":\"A More Secure Architecture for Mobile | OutworX\",\"isPartOf\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#primaryimage\"},\"datePublished\":\"2015-01-28T23:04:01+00:00\",\"dateModified\":\"2017-03-29T11:57:41+00:00\",\"author\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461\"},\"description\":\"Architecture of mobile apps needs to be secure to prevent any fatal issues with app users. This is an detailed guide on secure architecture of mobile.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.outworx.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A More Secure Architecture for Mobile\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461\",\"name\":\"Outworx\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.outworx.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g\",\"caption\":\"Outworx\"},\"sameAs\":[\"http:\/\/www.outworx.com\"],\"url\":\"https:\/\/www.outworx.com\/blog\/author\/outworx\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A More Secure Architecture for Mobile | OutworX","description":"Architecture of mobile apps needs to be secure to prevent any fatal issues with app users. This is an detailed guide on secure architecture of mobile.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/","og_locale":"en_US","og_type":"article","og_title":"A More Secure Architecture for Mobile | OutworX","og_description":"Architecture of mobile apps needs to be secure to prevent any fatal issues with app users. This is an detailed guide on secure architecture of mobile.","og_url":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/","og_site_name":"OutworX","article_published_time":"2015-01-28T23:04:01+00:00","article_modified_time":"2017-03-29T11:57:41+00:00","og_image":[{"width":1078,"height":516,"url":"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/mobile-secure.jpg","type":"image\/jpeg"}],"twitter_misc":{"Written by":"Outworx","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.outworx.com\/blog\/#website","url":"https:\/\/www.outworx.com\/blog\/","name":"OutworX","description":"Blogs, News and Updates of IT Industry | OutworX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.outworx.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/mobile-secure.jpg","contentUrl":"https:\/\/www.outworx.com\/blog\/wp-content\/uploads\/2015\/01\/mobile-secure.jpg","width":1078,"height":516,"caption":"mobile secure architacture"},{"@type":"WebPage","@id":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#webpage","url":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/","name":"A More Secure Architecture for Mobile | OutworX","isPartOf":{"@id":"https:\/\/www.outworx.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#primaryimage"},"datePublished":"2015-01-28T23:04:01+00:00","dateModified":"2017-03-29T11:57:41+00:00","author":{"@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461"},"description":"Architecture of mobile apps needs to be secure to prevent any fatal issues with app users. This is an detailed guide on secure architecture of mobile.","breadcrumb":{"@id":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.outworx.com\/blog\/more-secure-architecture-for-mobile\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.outworx.com\/blog\/"},{"@type":"ListItem","position":2,"name":"A More Secure Architecture for Mobile"}]},{"@type":"Person","@id":"https:\/\/www.outworx.com\/blog\/#\/schema\/person\/e305dc141a7e95d5a79eb095ac1f1461","name":"Outworx","image":{"@type":"ImageObject","@id":"https:\/\/www.outworx.com\/blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/01a175d14b9fd311bc14945e82e36b1d?s=96&d=mm&r=g","caption":"Outworx"},"sameAs":["http:\/\/www.outworx.com"],"url":"https:\/\/www.outworx.com\/blog\/author\/outworx\/"}]}},"_links":{"self":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/268"}],"collection":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/comments?post=268"}],"version-history":[{"count":14,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/268\/revisions"}],"predecessor-version":[{"id":919,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/posts\/268\/revisions\/919"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/media\/521"}],"wp:attachment":[{"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/media?parent=268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/categories?post=268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.outworx.com\/blog\/wp-json\/wp\/v2\/tags?post=268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}