Coming Soon: Mobile Apps With Fraud Detection

Identity theft, malware and stolen data are now well-known threats in the mobile world. While security will continue to play a major part in the mobile app testing strategy of brands for the foreseeable future, a new technique from IBM could act as a safety net for the case where a vulnerability (or an attacker holding stolen credentials) slips through the cracks.

Before we explain its long-term significance, here’s CSO Online with the details:

IBM researchers have developed a technique that website operators, cloud service providers and mobile application developers could use to spot a fraudster who has stolen an account holder’s credentials.

The patented technology builds a profile on each person using a site or app based on his navigation habits recorded through the browser. Metrics are collected through the computer mouse and keyboard and the touchscreen on a tablet or smartphone.

This is certainly an interesting concept (it is a research prototype rather than a shipping product, by the way), but the more one reads about how it is being developed, the more promising the technology seems. The article continues:

Walker and his colleague Brian O’Connell built a client-side app using AJAX, which stands for asynchronous JavaScript and XML. The group of interrelated Web development techniques is used to build apps that run in the browser and can send and retrieve data from a server. AJAX apps load automatically and do not require a plugin.

The analytical software that would compare activity to an account holder’s profile could be on the web server or somewhere else on the network. If the percentage of matching activity fell below a pre-configured threshold, then the site could ask for the answer to a security question or perform some other type of authentication.

The sensitivity of the trigger would depend on the transaction. For example, a banking site could require near 100 percent identification of the user for transfers involving large amounts of money.
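To make the flow in the excerpt concrete, here is an added example of the server-side half of such a scheme: enrol a profile from an account holder's own sessions, score a new session as a "percentage of matching activity", and compare that score against a threshold that depends on the transaction. This is not IBM's code or algorithm (the article does not disclose either); the feature names, the "within two standard deviations" matching rule, the policy thresholds and all sample values are assumptions constructed for illustration. JavaScript is used because the excerpt describes an AJAX client, but the scoring shown here belongs on the web server or analytics host, as the excerpt says.

```javascript
'use strict';

// Behavioural features that a browser/touchscreen collector might report for
// one session. Names and sample values are constructed for this example.
const FEATURES = ['keyHoldMs', 'interKeyMs', 'pointerSpeed'];

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;
const stddev = (xs, m) =>
  Math.sqrt(xs.reduce((a, x) => a + (x - m) ** 2, 0) / xs.length);

// Enrollment: derive a per-feature (mean, std) profile from sessions that are
// known to be the account holder's own.
function buildProfile(sessions) {
  const profile = {};
  for (const f of FEATURES) {
    const samples = sessions.flatMap((s) => s[f]);
    const m = mean(samples);
    // Floor the spread so a feature with no variance cannot collapse the band to a point.
    profile[f] = { mean: m, std: Math.max(stddev(samples, m), 1e-6) };
  }
  return profile;
}

// Scoring: the share of the session's samples that land within mean +/- k*std
// of the profile, as a percentage rounded to one decimal. This stands in for
// the "percentage of matching activity" the excerpt refers to (assumed rule).
function matchPercent(profile, session, k = 2) {
  let total = 0;
  let matched = 0;
  for (const f of FEATURES) {
    const { mean: m, std } = profile[f];
    for (const x of session[f] || []) {
      total += 1;
      if (Math.abs(x - m) <= k * std) matched += 1;
    }
  }
  if (total === 0) return 0; // nothing observed: treat as no match, not as a pass
  return Math.round((1000 * matched) / total) / 10;
}

// Policy: the required match depends on the transaction, so a large transfer
// needs a near-perfect match while a balance check does not. Thresholds are illustrative.
const POLICY = { viewBalance: 50, smallTransfer: 75, largeTransfer: 95 };

function decide(profile, session, transaction) {
  const threshold = POLICY[transaction];
  if (threshold === undefined) throw new Error(`unknown transaction: ${transaction}`);
  const pct = matchPercent(profile, session);
  return { matchPercent: pct, threshold, action: pct >= threshold ? 'allow' : 'step-up' };
}

// --- Constructed sample data ---------------------------------------------
const ENROLLMENT_SESSIONS = [
  { keyHoldMs: [90, 100, 110], interKeyMs: [200, 220, 240], pointerSpeed: [1.0, 1.2, 1.4] },
  { keyHoldMs: [95, 100, 105], interKeyMs: [210, 220, 230], pointerSpeed: [1.1, 1.2, 1.3] },
];

// Account holder on an ordinary day: one stray long key hold, otherwise in band.
const LEGIT_SESSION = {
  keyHoldMs: [98, 102, 105, 130],
  interKeyMs: [215, 225, 230, 200],
  pointerSpeed: [1.15, 1.25, 1.3, 1.0],
};

// Someone else using stolen credentials: faster typing, faster pointer.
const FRAUD_SESSION = {
  keyHoldMs: [60, 65, 70, 62],
  interKeyMs: [150, 160, 200, 140],
  pointerSpeed: [2.0, 2.2, 1.9, 2.1],
};

function demo() {
  const profile = buildProfile(ENROLLMENT_SESSIONS);
  const results = [];
  for (const [label, session] of [['legit', LEGIT_SESSION], ['fraud', FRAUD_SESSION]]) {
    for (const tx of Object.keys(POLICY)) {
      const d = decide(profile, session, tx);
      results.push({ label, tx, ...d });
      console.log(`${label} ${tx}: ${d.matchPercent}% (need ${d.threshold}%) -> ${d.action}`);
    }
  }
  return results;
}

demo();
```

With these constructed inputs the account holder scores 91.7% and is allowed to view a balance or make a small transfer but is stepped up for a large one, while the session with stolen credentials scores 8.3% and is stepped up for everything. Two caveats a practitioner would add: the telemetry arrives from the client, so it is attacker-controlled input and must be treated as a risk signal feeding step-up authentication, never as an authenticator in itself; and a band-count score like this one is the simplest possible model, so a deployment would tune the feature set, the band width and the thresholds against real false-accept and false-reject rates.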

At the beginning of this post, I mentioned a potential use case for this type of technology: the event that an attacker is able to bypass the existing security controls. It is important to recognize that most security testing practices focus on prevention rather than mitigation. In other words, testers concentrate on keeping criminals away from user data and spend far less effort on limiting the damage a criminal can do once the credentials are in hand. There is a huge difference between the two.

In the future, ideally with the help of technology like this, perhaps testers can shift that focus. As we are starting to see, preventing every instance of fraud is virtually impossible. Limiting the damage a successful intruder can do, however, is not.

How do you see this technology shaping the future of mobile app security testing? Be sure to share your thoughts in the comments section below.
