Posted By: Nishant Kaushik | Posted On: July 6, 2018
We’ve all heard the guidance to never connect to public wifi without using a VPN, or to avoid it completely if possible. I’m sure that those of us who are security professionals are pretty good and paranoid about it. But what about the general public?
New research by OWI Labs paints a pretty grim picture. They polled individuals in the U.S., France and Germany about their use of public Wi-Fi networks, and the results are downright scary if you work in infosec at any kind of organization. I encourage you to follow the link to read the details, but I’ll highlight what stood out to me:
- 81% in the US use public wifi systems
- Only 1% do so while using a VPN
In the good old days, organizations could get around this issue by allowing employees to connect to enterprise resources only while using the corporate VPN. But as more and more services have migrated to the cloud, and employees just aren’t willing to put up with the inconvenience of using VPNs, or refuse to deploy MDM on their phones, this issue is a huge concern. And what of customers? If you’re a bank, a healthcare provider, or even a retailer with a mobile app or website that displays sensitive information or allows transactions (basically, everybody), this is a pretty big headache for you. And blaming your users isn’t the answer.
TLS Isn't Enough
Network threats that steal passwords, tokens and data, or man-in-the-middle your users’ connections by hacking that public wifi or setting up fake wifi access points, should be a real concern for organizations. And while it is great that there is such a push for organizations to HTTPS All The Things, there is a reason we tell people to use VPNs even when connecting to https sites: TLS isn’t the silver bullet that people think it is. An interesting consequence is that as more and more people are educated to look for the green lock (or the broken lock), they’re going to assume that this is all they need to check for (witness the proliferation of phishing sites that have valid SSL certificates). With mobile apps, users don’t see any proof of the TLS connection, but are far more likely to assume that the app developer has taken care of security. Consequently, they will be far less likely to bother setting up or starting a VPN session, creating more network attack exposure for you.
The concept of the identity-based perimeter, which lets you get rid of VPNs by focusing on identity-based access, is great, but it is incomplete because it has a fundamental vulnerability - it depends on the TLS connection being uncompromised. Break that, and you have a problem. This is where Uniken can help.
REL-ID Invisibly Protects Against Network Threats
With REL-ID, we focused on creating a true identity-based perimeter that doesn’t stop at authentication but actually leverages identity down to the network connection. REL-ID’s mutual authentication, based on related and individualized cryptographic keys, not only authenticates the two parties to each other (avoiding network attacks like DNS poisoning and MITM), but also creates a MITM-proof encrypted channel between the two parties, without the need for VPNs or pinned certificates. It flips the “connect-then-verify” model of TLS on its head, enforcing a “strongly authenticate-then-connect” paradigm for your apps that dramatically reduces your attack surface. With the REL-ID SDK embedded in your app, it’s essentially like having an invisible VPN built into your app - one that adds no friction to the user experience because your employees/customers never see it and don’t even know it’s there, but always gives them and you the protection of its unified defense-in-depth. Even when they connect to that suspicious “Free Airport WiFi 2” hotspot or a spoofed “Google Starbucks” access point.
Plus, with built-in endpoint threat detection, REL-ID can even detect when that wifi connection is dangerous (by identifying a variety of threats such as known malicious IPs, use of SSL Strip, or ARP spoofing), shutting the connection down before it even starts. It’s a truly innovative approach to identity-based security, one that has led to Uniken being recognized by Gartner as a 2018 Cool Vendor in Identity & Access Management as well as by One World Identity as a top 10 featured IAM company.
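To make one of the network checks named above concrete, here is an added Python example (written for this post, not Uniken's or REL-ID's code) that scans a tcpdump-style capture of ARP replies for the two classic ARP-spoofing indicators: one IP answered by several MACs, and one MAC answering for several IPs including the gateway. The capture lines, addresses and gateway IP are all constructed sample values.

```python
"""Added example (not Uniken or REL-ID code): flag ARP-spoofing indicators in a
capture of ARP replies (tcpdump-style sample lines below are constructed).
Indicators: one IP answered by more than one MAC (conflicting replies), and
one MAC answering for several IPs, one of them the gateway."""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

# Constructed sample capture; de:ad:be:ef:00:aa plays the rogue host.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000 ARP, Reply 10.0.0.42 is-at 00:11:22:33:44:42, length 28
12:00:03.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:aa, length 28
12:00:04.000 ARP, Reply 10.0.0.42 is-at de:ad:be:ef:00:aa, length 28
12:00:05.000 ARP, Reply 10.0.0.23 is-at de:ad:be:ef:00:aa, length 28
"""

def parse_replies(text):
    """Return (ip, mac) pairs for every ARP reply line, MACs lower-cased."""
    pairs = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs

def find_spoofing(text, gateway_ip):
    """Return sorted findings; an empty list means no indicator was seen."""
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    for ip, mac in parse_replies(text):
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
    findings = []
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:
            findings.append(f"conflict: {ip} answered by {', '.join(sorted(macs))}")
    for mac, ips in ips_for_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            findings.append(f"gateway impersonation: {mac} claims {', '.join(sorted(ips))}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_spoofing(SAMPLE_CAPTURE, "10.0.0.1"):
        print(finding)
```

On a real host the same logic can be fed from a passive ARP capture on the wifi interface; a single clean reply per IP yields no findings.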
So connect with us to find out how the identity-based perimeter can help your organization, and to see how we can help lock down your mobile app against every major vector of attack and fraud (not just these network threats), and extend its protection across your omnichannel enterprise.