How secure is surveillance data accessed on mobile apps?
Mobile apps that provide access to security solutions have become a standard offering from most solution providers. Such ‘on-the-go’ access does raise some concerns, however, especially with regard to protecting surveillance data from unwanted, third-party access. Solution providers, for their part, are looking at various options to make mobile access as secure as possible. There are several variables to be considered, ranging from the kind of data that is being accessed to the kind of operating system the mobile device is running. We talked to several security companies to learn how they see this issue and what they are doing to offer customers the best options.
Ensuring authorized access to data
Enabling access from remote locations may be the main attraction of these surveillance apps, but this shouldn’t in any way compromise the security of the data. The first step in this regard is to ensure the apps are designed with strict authorization procedures that restrict access to designated users alone. Explaining the system followed by apps from his company, Dean Drako, President and CEO of Eagle Eye Networks, said all the authorization processes are done at the server level.
“The client app has a user interface to display the request, transmit it to the server, and then returns the response message or the requested video asset,” Drako said. “Permissions can be set by user, time of day, camera, etc.”
-Dean Drako, President and CEO, Eagle Eye Networks
John Zhang, CEO of Drive Headquarters, explained this further, pointing out that the user makes the first move by attempting to sign into the app. “The authentication request is processed by our server,” Zhang said. “Users can access and manage their own cameras (acting as his own camera administrator). A user can share his cameras with other users. Other users can only view the camera(s) shared to them (acting as viewer).” Speaking along similar lines, Joacim Tullberg, Global Product Manager for Video Management Systems at Axis Communications, added that his company bases authentication and access on user-level access. “The authentication is performed by the central system (VMS),” Tullberg said. “The level of access a user is granted is configured in the central system which also can be a part of an Active Directory.” Active Directory is a Microsoft service that authenticates users in a network.

Daniel Wan, Channel Marketing Manager for the U.K. and Ireland at Honeywell Security, said his company’s app allows administrators to set up and manage different properties and user-specific groups on the go, so that the security systems can be kept up-to-date at all times. Some companies have made use of functions outside their apps to authorize access. Connolly said his company ensures secure access to administrative and development functions through their secure browser-based user interface instead of the app.

However, strict authorization procedures are only the first step in ensuring security. Given the high-level nature of mobile operating systems, apps have to be designed to ensure the data is protected from any hacking attempts.
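The server-side model the vendors describe above (the owner acting as camera administrator, viewers limited to cameras shared with them, permissions set by user, camera and time of day) can be sketched as follows. This is an added illustration, not code from any of the companies quoted; the class and function names and the sample users and cameras are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Grant:
    """One viewer permission: a camera and the daily window in which it applies."""
    camera_id: str
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def covers(self, camera_id: str, at: time) -> bool:
        if camera_id != self.camera_id:
            return False
        if self.start <= self.end:
            return self.start <= at <= self.end
        return at >= self.start or at <= self.end  # window wraps past midnight


@dataclass
class AccessPolicy:
    owners: dict = field(default_factory=dict)  # camera_id -> owning user
    grants: dict = field(default_factory=dict)  # user -> list of Grant

    def share(self, actor, camera_id, viewer, start=time(0, 0), end=time(23, 59, 59)):
        # Only the camera's owner (its administrator) may share it.
        if self.owners.get(camera_id) != actor:
            raise PermissionError("only the owner can share a camera")
        self.grants.setdefault(viewer, []).append(Grant(camera_id, start, end))

    def authorize(self, user, camera_id, action, at):
        """Decision made on the server; `user` must come from the authenticated
        session, never from a field the mobile client fills in. Default is deny."""
        if camera_id not in self.owners:
            return False
        if self.owners[camera_id] == user:
            return True              # owner may view and manage
        if action != "view":
            return False             # shared users are viewers only
        return any(g.covers(camera_id, at) for g in self.grants.get(user, []))


def build_sample_policy():
    # Constructed sample data: alice owns two cameras and shares one
    # with bob between 08:00 and 18:00.
    policy = AccessPolicy(owners={"cam-lobby": "alice", "cam-vault": "alice"})
    policy.share("alice", "cam-lobby", "bob", time(8, 0), time(18, 0))
    return policy
```

Because the decision is taken on the server, a modified or repackaged client cannot widen its own access; it can only send requests that the policy then denies.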
Maintaining data security
Mobile devices are increasingly falling prey to hackers who attempt to access personal information. Considering the sensitive nature of surveillance data, it is imperative that surveillance apps are developed with a high priority for data protection. Most solution providers realize this and have taken steps to minimize the risks. Drako explained some key measures in this regard, including the use of HTTPS encryption for mobile-access transactions, just as web browsers use it for banking and stock trading. “[The questions to be considered are] Does the app have password access? Does it have an option to require re-authentication when launching the app from an unlocked phone? Does the surveillance system have an on-premise device such as a bridge which acts as a firewall to your cameras, so that outsiders cannot connect directly to the cameras?” Drako said.

Others gave more specific details on the measures they have taken to protect data. Connolly said his company has added two-tier security (device security and application login) to the CudaCam app. Tullberg said all communication between the mobile app and their central system is encrypted and the account credentials are safely certified and encrypted in the mobile device.
Then there is also the issue of the overall safety of an operating system (OS). Android and iOS are the two most popular mobile OSes at present. Some studies have shown the former to be more at risk of malware, but in terms of the safety of surveillance apps, most security solution providers dismiss the difference as insignificant. Security concerns aside, Tullberg pointed out that his company designs apps in native languages to fully gain control of the OS as per recommendations from companies like Apple and Google, and this could cause short periods when there is a difference in functionality. Drako took this point a step further, explaining that given the differences in the OSes, the apps have to be designed with a clear understanding of best practices that are unique to them.