What are "secure containers," and what role do they play in mobile security?
Basically, secure containers are an application design framework that's intended to improve security for applications that run on mobile devices. Let's look at some security concerns that are specific to mobile applications and then see how secure containers can help and where they have limits.
Mobile applications have some interesting characteristics from a security standpoint. In traditional Web applications most of the processing occurs on the application owner's Web server and very little information is typically stored on the application user's workstation. However with mobile applications a significant portion of both the information processing and storage occurs on a user-controlled device. This leads to several concerns, such as:
- What if a malicious application user attempts to reverse engineer an application?
- What if a malicious application on the device attempts to access data it is not authorized to access?
- What if the device falls into the hands of a malicious party?
Mobile device operating systems, such as Apple's iOS and Google Android, provide technical protections that attempt to help address these concerns. For example, AppStore-installed applications are encrypted before being downloaded onto iOS devices, and this presents challenges to reverse engineers. Also, Android and iOS both provide file-system encryption capabilities. These security measures would be great, except that the operating-system-provided facilities have been shown on multiple occasions to be subject to bypass.
What the secure container is
So-called secure containers were developed to provide an extra layer of security. Typically a secure container is a framework used when building applications that either provides replacement security features to be used rather than the capabilities a mobile operating system provides or additional security features on top of those the operating system offers. Different containers have different features, but common options that containers make available include alternate "non-sniffable" mobile keyboards, anti-debugging/anti-reverse-engineering for application code, and improved encryption capabilities.
The goal in providing these capabilities is to allow application developers to design and build applications with functionality they might not otherwise feel comfortable with. For example, a developer might feel comfortable storing sensitive data on a device with a secure container that they might not feel safe storing using only the capabilities the mobile operating system provides.
This seems valuable, but it is important for application developers -- and the risk managers keeping an eye on them -- to understand exactly what the containers are able to provide and how these protections might degrade when subjected to the scrutiny of a determined and knowledgeable attacker.
Limitations of secure containers
At the end of the day, most secure containers do not make any changes to the device hardware and are essentially just applications running on top of the mobile operating system that have to play by the same rules as other applications running on the device. As such, they are subject to the same sorts of attacks other mobile applications are subject to. They might provide alternative anti-debugging and code obfuscation capabilities versus those provided by the mobile operating system, but attackers can certainly work to circumvent those protections just as they have attacked the operating system's native capabilities.
Benefits of secure containers
One advantage containers can provide is that the details of their technical protections are probably less well understood than those of the native operating system. As an attacker, if I can find a weakness or a vulnerability in a native mobile operating system then that finding has value for all applications running on that platform. If I find a weakness or a vulnerability in a specific container, then that can only be used against applications that are deployed in that container. This may cause attackers to focus on the operating system platform over any one specific container vendor.
So mobile application developers looking to increase the security of their applications can consider secure containers to see the sorts of mobile benefits the containers provide, but it is also important to understand what protections the container purports to provide and to feel comfortable that those protections are implemented in such a way that they will be harder to bypass than the native operating system capabilities. This is an area where third-party testing of containerized apps can be valuable.
Have a question about software testing, application security or automated testing scripts? Let us know and we'll pass your question on to one of our experts.
This was first published in June 2013