8

Well, about six months ago I had pleasure to meet Harald Welte and when he talked about m-banking (banking via smartphones) he said that the most people thing it's safe while, in fact, mobile providers reject all data which is unreadable to them (encrypted).

However, from several others sources which I found reliable, including this site as well (e.g. this topic), I got impression this is not fully true.

So, question would be, is sending encrypted data over mobile infrastructure less secure then sending it over "standard" internet wire (considering cutting edge technologies in both sectors and the most commonly used practise)?

StupidOne
  • 2,812
  • 22
  • 35

3 Answers3

10

The claim that "mobile providers reject all encrypted data" is not accurate. To my knowledge, mobile carriers don't block SSL connections or VPN connections. Perhaps there was a miscommunication or misunderstanding of what exactly Harald meant.

On the other hand, here's one thing that is true. Many cellular standards include some kind of link-layer encryption for the voice or data as it is transmitted over the wireless link between the phone and the base station. However, major flaws have been found in these encryption standards. Also, many mobile carriers will allow governments to tap into this data at the central office, after they have decrypted it. There have also been carriers who have turned off the link-layer encryption, and governments who have required carriers/equipment vendors to turn off the link-layer encryption locally (or when exporting cellular equipment).

But, if you have a smartphone, you can still use your own end-to-end encryption to protect your own connections -- mobile carriers don't block this. And if you use your own end-to-end encryption, or if you use apps that implement their own end-to-end encryption, those link-layers weaknesses and backdoors don't damage your security, because you've eliminated the dependence on the mobile carrier's link-layer crypto.

It is true that sending data over a mobile phone is likely to be less secure than a wired connection. This is because most phone apps don't use end-to-end encryption, and most data is sent without any end-to-end encryption. (For instance, most websites use unencrypted HTTP connections, rather than end-to-end HTTPS encryption.) Therefore, most data sent from your phone is only as secure as the cellular link-layer encryption -- and that isn't terribly secure.

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • 3
    The other thing that is true is that typically mobile carriers also control the software stack on the phone. Most mobile providers don't block SSL, but it seems that some have tried to insert their own CAs into the list of trusted roots on the phone and exploit that to get a MITM attack. See [How feasible is it for a CA to grant exceptions to the verification process? Which default trusted root certificates should I remove? - IT Security - Stack Exchange](http://security.stackexchange.com/questions/2268/how-feasible-is-it-for-a-ca-to-grant-exceptions-to-the-verification-process-whi/2273#2273) – nealmcb Aug 15 '11 at 14:21
3

My mobile provider, for example, gets to suffer my tethering a VPN connection through my phone. Data that is encrypted via SSL or a VPN... or any other method for that matter, should pass through.

There are certain types of identified traffic that providers often block (e.g., bit torrent), but I see no particular increase in risk between cellular data and WiFi other than range / power. All that means is that if I had the technology to mess with your signals over the air, I could do it from further away.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172
2

The security risk in normal network and mobile data network are almost same and implementation have to take this into consideration while designing the communication. In example of mobile banking application, I would say mobile banking can be made more secure than the browser based banking because of the following reason:

  1. If the source is an application, it can be managed to handle server certificates in your own way. A browser can be compromised to some extent and users can misguided to an hacker site. In mobile you can have a strict rule of which certificate is to be accepted while performing SSL handshake. The SSL sessions if used with optimum strength possesses the same strength irrespective of the channel of communication.
  2. If there is a way to host your mobile server in conjunction with the telco, than it could be possible to trace the source of request like IP address and mobile number. This could provide you with an excellent validations like checking mapping of registered user Id and mobile number. Yeah but this approach is not always feasible as tying up with multiple telco is not practical and economical.
  3. Attacks like key board listener are comparatively less in mobile device because of the platform limitations of such devices. Though the current mobile devices like IPhones and Androids which are full featured OS can be attacked.
Mohit Sethi
  • 692
  • 4
  • 7