AI Generated Summary
This panel discussion from India Digital Summit 2022 focuses on “Citizen confidence on his mobile device is crucial for businesses as well as governance” - exploring how to build trust and security in mobile devices for Indian citizens, particularly those using budget smartphones in lower-middle-class families.
Panelists
- Satyendra Varma: Head, Indian Citizens Assistance for Mobile Privacy and Security (iCAMPS) at IAMAI; moderator
- Colonel Sumit Monga: Head of Government Affairs, Lenovo Group India and Asia Pacific
- Mr. P. Panini Prasad: Director, NCCS (National Centre for Communication Security), Department of Telecommunications, Government of India
- Subho Halder: Co-founder and CISO, Appknox
- Anuj Bhansali: Head of Trust and Safety, PhonePe
- Anant Shrivastava: Project Leader, Android Tamer, and Android security researcher
Key Topics Discussed
Moderator’s Opening - Understanding the Problem:
India is Mobile First:
- Mobile security is cybersecurity: India is a mobile-first country, so for India mobile security and cybersecurity mean one and the same thing
- Driving governance and business: Both depend on citizens' confidence in their mobile device
Who are the Citizens:
- Average citizen: Owns a budget smartphone
- Phone is a family device: Shared among family members
- Lower middle class: Not proficient in English
- Aspirational: Seeks services from both government and industry
- Encouraged to adopt: Mobile governance
- Slowly becoming dependent: On apps
- Mostly unaware: Of the dangers behind them
What is a Mobile Device:
- Average smartphone: The cheapest one available
- Manufactured outside India: And controlled from outside
- Lacks memory: Which makes it more vulnerable to security and privacy issues
Confidence Definition:
- Meaning: Reliability of a thing, or an assurance
- Confidence in the phone: Confidence in its ability and confidence in its security
- Rise in adoption: The level of smartphone adoption indicates whether citizens have confidence, and clearly they do
- Security side: The serious rise in the number of incidents is the indicator here
- For today: Security is the focus
Mobile Phone Layers:
- Various layers: Network, mobile, user and services
- Can be broken down further: Into sub-layers
- Six vectors in total: Network, the whole mobile device, operating system, application, user actions and offline processes; together these constitute the mobile device
Confidence on Security Means:
- Confidence in the entire mobile device industry
- Confidence in mobile OS companies
- Confidence in app developers
- Confidence in app stores / Play Stores
- Confidence in telecom companies
- Confidence in internet service providers
- Confidence in internet companies: Those providing services such as e-commerce, fintech, etc.
- Confidence in six ministries: And the multiple departments regulating all of the above
Complexity:
- Not so simple: Citizens' confidence in the mobile device is not a simple matter
- Mobile device industry: Just one part; eight countries are involved in a single mobile phone that ends up in a citizen's hand
- Hundreds of component manufacturers: Spread around the world
- Hardware and software developers: Who invent and patent things
- Travels: To the place where it gets manufactured
- Very wide industry: Whose product finally lands in the hands of an innocent citizen in India
Colonel Sumit Monga (Lenovo) - Device Manufacturer Perspective:
Why Mobile Reached This Place:
- Easy availability: With online services, the mobile device is delivered right at the doorstep at a time convenient for shopping
- Accessibility: Access to a device, and to multiple devices, has become that much easier
- Coupled with affordability: Of both connectivity and the device; without the two together, a device alone or connectivity alone has no value
- Affordability in India: Is what is proliferating it to the extent that India has become a mobile-first country
- Increase in usage: Estimated at almost 39% because of the COVID scenario that emerged in 2020
- Digital push: Of the current dispensation; people want to access the entire gamut of services through their devices
- Smart cities: And digital governance pursued by the current dispensation add to this
- Smarter apps and environment: Created through the IoT (Internet of Things) ecosystem
- Horizon of connectivity: No longer limited to the device itself
- Examples: Home security cameras controlled through the device, a tracking device in the car controlled from the device
- Device converging: Many ease-of-living services into itself
Transformation:
- From always on: The scenario we were experiencing (DSL services at home)
- To always logged on: Logging on not from one particular device but from multiple devices
- Threat surface increased: For each of us as individuals, the threat surface grows that much more
- Want access: At the time and place of our choosing, including the device of our choosing
- Don't want to be constrained: By the bounds that earlier bound us
- Want access available: So the threat surface has increased and the points of vulnerability have increased
- Need to be vigilant: We ourselves need to be vigilant
- Security as a practice: On our own is a very important step
- Need KYC: Not only of ourselves but KYC of devices as well
- Need trust: As Satyendra said, confidence, authorization, approval or authentication was one part, but now we need to have trust in the device
- Trust needs to be built: So that when using the device one has confidence that privacy and security are safe
Mr. P. Panini Prasad (NCCS) - Government Perspective:
Government Initiative:
- Good trend: Has started in the discussion
- From the government perspective: Over two days of discussion, many security experts, evangelists and activists; all need to support the government initiative to ensure a good, secure ecosystem is built
- Broader visions: Digital India, bringing a host of e-government services onto mobile so they can reach far and wide across the country
- Various departments: Including the Department of Telecom, are taking initiatives
- Cyber SOC: From MeitY, or BIS setting standards
- Department of Telecom focus: More focused on getting equipment tested and certified against a security standard
- Telecom domain: Comes under the Department of Telecom; its focus has been more specific and purposive
NCCS Organization:
- Separate office: Set up under the Department of Telecom
- Mandated: To develop security standards
- Device has to be trusted: As Sumit Monga said
- Multiple approaches: The manufacturer says "I have built in these security standards", policy advocacy groups advise end users, and guidelines are issued by various organizations and forums
- But: Whether the device meets the guidelines, and to what extent it meets what is claimed, has to be verified; only then can one believe the device has basic security functionality built in
NCCS Process:
- Coordinate and collaborate: Conduct meetings and stakeholder consultations
- With all participants: OEMs, device suppliers, operators, even end-user forums
- Collect inputs: Have a basic security standards outline made for each device type (similarly for mobile)
- Save their inputs: Because whatever is specified in the end is what will be tested and certified
- Implementation issues: Can be over-specification or missing certain critical aspects of security
- Take inputs, evaluate: Internally there are multiple committees with security experts from various ministries and educational institutes of repute
- Telecom Security Assurance Requirements: For the mobile device have been made in that fashion
- Published: On the website nccs.gov
- Soon: Labs will be empanelled; at these designated labs any manufacturer can get equipment tested and certified
- Certification: Against the baseline security requirement improves the country's ecosystem
- Aspects checked: Many apprehensions about poorly designed mobiles, for instance to what extent sandboxing is done in the device
- Mobile device: Advances more rapidly than computers; there is an update every day, and the end user does not know the technicalities, but as the user upgrades an app, one app may try to sniff another app's information
- Aspects in the device checked: So that it works as a trusted platform
- Many measures: Taken by the government; this is one of the important measures NCCS is going to take
- Request: All panelists and online participants in the workshop can visit the website nccs.gov
- Seeking stakeholder input: Participation in developing test methods for certain tests, including for the mobile device; anyone can freely participate and improve the documentation of policy making
Anuj Bhansali (PhonePe) - Fintech Perspective:
Topic Apt for Discussion:
- Trying to attack the problem: In different forums; telco or network security on one side, and app security, the applications themselves, on the other
- Biggest problem: Each ministry or respective department tries to tackle problems in its own area by defining a baseline or guideline
- When the citizen comes into play: Things change slightly
- Why things change: Historically we had financial institutions (banks, etc.), and the telecom/phone was used for very specific purposes (calling, sending SMS, receiving codes)
- Past half decade: With the convergence of APIs and of fintech startups coming in, three identities have merged into a single thing
- Mobile has become: The primary identifier; whether Aadhaar, the Parivahan app, DigiLocker or any account, everywhere the mobile is the primary identity
Company Level vs. Citizen Level:
- Within itself: Each company can take care of its respective part at the company level
- At the citizen level: Expecting citizens to have the understanding and wherewithal to go through every specific of every app that arrives (pre-installed or installed later) is far-fetched
- Point of contention: Why this is an apt topic; technologies brought in for convenience are also getting misused (fraud, account takeover scenarios)
Examples:
- AnyDesk/TeamViewer: Built to offer remote support, yet we see them getting installed on mobile devices, being granted special permissions, and then somebody doing an account takeover; this is the primary example
- Loan apps (last year): A spurt of loan apps; convenience at the fingertip (install the app, upload basic data, get approved for a loan, it gets credited to the account)
- Until interest payments begin: The user is unable to pay, and that is where mobile security comes into play
- User unknowingly gave access: Or maybe out of need; gave access to all photographs and all contacts, almost all of which are stored somewhere
- Happy case scenario: Yes, all of this is for good purposes
- But harassment started: People actually lost their lives because of that
- Is it under the user's control?: Technically the answer could be yes, the user clicked on the permission, but do we really understand what is going on behind each of these?
Two-Sided Attack Vector:
- Needs to be tackled: One side is user privacy and user consent; what apps can detect and what apps can store becomes a very important thing that needs education and regulation
- Second part: What technical capabilities are available? Who is thinking about it?
- From each domain's perspective: "My app is doing the work it is supposed to do"; the telco says "My system is working as per requirement"
- Combination: It is not a loophole in either, but people who can gamify the entire system to take an innocent citizen for a ride
- Point where we need to start thinking: How all of us come together so that what was used for convenience does not become a much bigger nuisance, with people stopping use of all these technologies and going back to old ways
App Side:
- Standardization still needed: Of what data an app can access and at what level of the system
- As sir mentioned: Somebody can sniff data from somebody else's app, somebody can send a push notification that appears to come from an authorized source
- Lot of issues: Need to be tackled
- Becomes difficult: For somebody browsing Facebook or a browser, a video pops in, the next instant an app opens up and a payment is made
- For you: It was a seamless experience, but you did not know where the boundary ended (browser to social media to the application to the bank)
- Need to figure out: How this boundary can be kept
Subho Halder (Appknox) - Application Security Perspective:
Appknox Introduction:
- On-demand mobile application security platform: Helps businesses detect and fix security vulnerabilities using an automated security testing suite
- Track record: For the past 8 years, digging deep into applications and figuring out security issues
Simple Example:
- Very easy to say: Secure the apps, remove the vulnerabilities from the application
- Very big problem: Once the application goes out into the Play Store, you lose control over it
- Example: If an application has a vulnerability and goes out in the Play Store, n number of people install it
- Tomorrow if you fix: The vulnerabilities, it is still up to the users (unless they have already selected the setting that every app is updated automatically)
- Make sure: They are connected to the internet, on a Wi-Fi network, so the app gets updated
- So many conditions: Come into the picture to make sure that an update with the security issue fixed has actually spread successfully
- Google today: Has a kill switch to remove an application if it has malware (it will delete that application from all devices)
- But does not have: A magical switch to update an application on demand; that is not happening, it is still in the user's hands
- One of the biggest problems: Businesses face
Website vs. Application:
- Very easy for a website: If there is a vulnerability in the website, fix it, the history is gone, and the vulnerability is patched permanently
- For an application: Once you make a mistake, it is very difficult to correct that mistake
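The point above (a fix is shipped, but stale vulnerable builds keep running until each user updates) is usually handled on the backend rather than the device: the server reads the version the app reports and refuses to serve builds older than the last known-vulnerable one, so a user on a stale build is forced through an update before the app can do anything sensitive. The following is an added illustration, not code from the panel or from Appknox; the header name `X-App-Version`, the HTTP 426 response, the policy numbers and the sample fleet are all constructed for the example. One caveat a practitioner should keep in mind: the version header comes from the client, so this gate protects honest users on old builds; it is not a control against a deliberately modified client.

```python
"""Server-side minimum-version gate for a mobile app backend (added example).

After a security fix ships in version 2.4.0, the backend raises
`min_supported` to 2.4.0 so that builds still carrying the bug are told
to update instead of being served. Builds between `min_supported` and
`latest` are served but nudged to update.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # up to date, serve normally
    SOFT_UPDATE = "soft_update"  # serve, but tell the client an update exists
    BLOCK = "block"              # refuse: the client must update first


@dataclass(frozen=True)
class VersionPolicy:
    min_supported: tuple  # builds below this are refused
    latest: tuple         # builds below this get a soft-update nudge


def parse_version(text):
    """Parse 'MAJOR[.MINOR[.PATCH]]' into a 3-tuple of ints.

    Anything that is not plain dotted digits raises ValueError; the caller
    treats that as 'unknown build' and fails closed.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def decide(policy, client_version_header):
    """Classify a request by the app version the client reports.

    A missing or malformed header is treated as too old (fail closed):
    an unknown build is more likely stale than current.
    """
    if client_version_header is None:
        return Decision.BLOCK
    try:
        version = parse_version(client_version_header)
    except ValueError:
        return Decision.BLOCK
    if version < policy.min_supported:
        return Decision.BLOCK
    if version < policy.latest:
        return Decision.SOFT_UPDATE
    return Decision.ALLOW


def handle_request(policy, headers):
    """Simulated API handler: returns (status_code, json_body)."""
    decision = decide(policy, headers.get("X-App-Version"))
    if decision is Decision.BLOCK:
        # 426 Upgrade Required: the client must update before it is served.
        return 426, {
            "error": "update_required",
            "min_version": ".".join(map(str, policy.min_supported)),
        }
    body = {"ok": True}
    if decision is Decision.SOFT_UPDATE:
        body["update_available"] = ".".join(map(str, policy.latest))
    return 200, body


def stale_fraction(policy, reported_versions):
    """Share of reporting clients still on a build below `min_supported`.

    Run over the versions seen in request logs, this is the number the
    panel's 'how many updates are pending' exercise is really asking about.
    """
    if not reported_versions:
        return 0.0
    stale = sum(1 for v in reported_versions if decide(policy, v) is Decision.BLOCK)
    return stale / len(reported_versions)


if __name__ == "__main__":
    # Constructed sample: fix shipped in 2.4.0, newest build is 2.6.1.
    policy = VersionPolicy(min_supported=(2, 4, 0), latest=(2, 6, 1))
    # Constructed sample of versions reported by a day's requests.
    fleet = ["2.3.0", "2.4.0", "2.6.1", "1.9.0", "2.5.2", None]
    for v in fleet:
        print(v, "->", handle_request(policy, {"X-App-Version": v}))
    print("still vulnerable:", f"{stale_fraction(policy, fleet):.0%}")
```

Raising `min_supported` is the part that needs judgement: set it to the first build that contains the fix, not to `latest`, so users are only blocked when the bug they are carrying is the reason.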
Appknox Approach:
- Try to make sure: That at least the client-side part of the code that goes out to mobile devices is secure enough
- At least: That the software development life cycle is done properly, so that 90% of the code makes sense, does not exploit things, has no insecurity and has no privacy issues
Recent Research:
- Top 50 fintech apps: From the US region (not India)
- Small research: On the top 50 fintech applications for Android
- Believe me: 90% of them have basic security problems
- Good part: Three-fourths of the vulnerabilities found could have been fixed
- Bad part: Even after a fix, rollout of the application to citizens will still take a lot of time
- Exercise: Pick up your phone, go to settings or the app store/Play Store, open the updates tab, and see how many applications are pending updates
- Do you know: Why those updates are there? So many security issues have been fixed and pushed to production, but the user still has to make sure everything is updated
Project Focus:
- Should be taken care of: Not only device security (the device is just the platform, its security is paramount, and that is what OEMs make sure of; device security is already there)
- But application security: Is also very important; the OEM has no hold over application developers or the companies building applications
- Application security: Is also very important for this project
Anant Shrivastava (Android Security Researcher) - Independent Researcher Perspective:
Interesting Panel:
- People from: A device manufacturer, the government, fintech and an application assessment company
- All trying: To do the right thing for the citizen
- Where the whole connect matters: All of us need to work together to get to that point
- For the citizen: It does not matter if the device is tested, verified and validated but the app in use is vulnerable; or all apps are updated but the device is not certified; or all other pieces are in place but the UPI app in use has a flaw
- All of us need to work together: To reach the point where the citizen can have that kind of confidence
Android Ecosystem Journey:
- Involved since 2010: When Android was basically a plaything, experimenting with it, figuring out what makes it tick
- From then to now: The operating system is the backbone for a large chunk of operations
- What we see now: More and more (as Anuj mentioned), people are not exploiting the operating system; they are exploiting applications' intended functionality and the trust people have
- Where trust is deteriorating: Right now, apps or people may suggest "Don't use AnyDesk, don't have TeamViewer; if you have TeamViewer or AnyDesk installed, you have a problem"
- It is not: A flaw in these applications; it is the way they are being used
- Where the citizen starts having distrust: Issues with applications and with the environment
Citizen Trajectories:
- Citizens go: On different trajectories
- Some say: "My data is already out, I might as well give it to 10 and 10 more applications"
- Others say: "I'm not going to give my data to anyone, I'll be very paranoid about what I install"
- Both detrimental: To the whole vision in which the digital economy flourishes
- To have that way forward: All of us will have to establish that trust
User Awareness Disagreement:
- General consensus: The user needs to be aware, proactive, and do n number of things
- Disagreement: With that position, from a decade or more of experience in information security
- User should not be: The person who has to make the right calls
- Should be assisted: Should be provided with inputs
- Attacks should be prevented: Before the point where the user has to make a judgment call on whether to click a URL or not
- That is: What the collaborative effort should look at
Moderator’s Concluding Remarks:
Six Vectors:
- Drawing a parallel: There are six kinds of providers in the whole mobile ecosystem:
  - Telecom network providers
  - Hotspot providers
  - Device OEMs
  - OS/Play Store companies
  - App companies
  - Online/offline service providers
- Then there are: The government and the smartphone user
- In the end: Three players among whom the security of the whole mobile ecosystem rests; who does what at what stage
Spread of Responsibility:
- Huge: Because the spread of technology is huge
- Within government: Seven different types of organizations look after the mobile security part
- Six of which: Are ministries
- Some look after: Only a part, because that is their mandate
- Everybody is doing a good job: However, there is no single organization that can look for any loophole left out, because the departments are spread out
- So many departments: Within these ministries are involved
Relationship Between Three Players:
- Ideally: Providers are supposed to serve the citizen smartphone user, and the government is supposed to regulate them
- Government is supposed to tell: The citizen "This is how we are regulating, this is how you are supposed to protect yourself"
- Information and education: A corrective cycle happens when the citizen becomes aware of what steps to take
- However: There are parallel providers, rogue providers, that exist
- They also defraud: The citizen smartphone user
- Government has no control: No regulation covers them
- Citizen smartphone user cannot correct them: Because they are not part of the market
Most Effective Part:
- Government informing and educating: The smartphone user is the least intrusive and most cost-effective method
- Information and education today: Only via websites focused on a specific organization, and none of them are multilingual
What is Possible:
- So much information out there: App testing platforms, device testing labs, open source information, public knowledge, government departments, news updates
- If it can be collected: Collated and tagged (tags for devices, tags for specific apps)
- Put out: All this information in a readable format, accessible to the user on a mobile phone as an app or through desktop sites
Government Project:
- Government already looking into it: A project directly controlled by the National Cyber Security Coordinator is underway as we speak
- IAMAI has been asked: To execute it with the help of all of you
- Only when: All ministries, departments and industry bodies come together (as discussed in the panel today) can this kind of initiative succeed
- Will end up: With all organizations and industry connected to the various teams at this level
- Base platform: Which holds this information will ultimately give it out in the form of APIs that can be delivered to the citizen
Key Insights:
- India is a mobile-first country; mobile security is cybersecurity
- The average citizen uses a budget smartphone as a family device, is not proficient in English, and is mostly unaware of the dangers
- Six vectors: network, device, OS, application, user actions, offline processes
- Confidence requires trust in the entire ecosystem: device manufacturers, OS companies, app developers, app stores, telecom, ISPs, internet companies, six ministries
- Eight countries are involved in one mobile phone, along with hundreds of component manufacturers
- The threat surface has increased with multiple devices and the always-logged-on scenario
- KYC of devices is needed, not just of users
- NCCS is developing security standards and testing/certification labs
- App security is critical: once an app is in the Play Store, control is lost and updates depend on users
- 90% of the top 50 US fintech apps have basic security problems
- The user should not have to make the right calls; attacks should be prevented before user judgment is needed
- A government project is underway to collate security information and deliver it to citizens via APIs
Actionable Takeaways:
- Mobile security is cybersecurity in mobile-first India
- A collaborative effort across all stakeholders is needed
- Device certification is important; NCCS is developing the standards
- App security is critical; 90% of the apps studied have basic security problems
- App updates depend on users, which is a major challenge
- Users should not have to make security decisions; attacks should be prevented first
- A government project will deliver security information to citizens
- Citizens need multilingual, accessible information
- Trust needs to be built across the entire ecosystem
- Rogue providers exist outside regulation and need to be addressed