A Peek Under the [Data] Hood: DNS Security is Now Available for Mobile Devices
By Will Chow, Mobolize | CTO, Co-Founder
Modern mobile operating systems have done an excellent job of protecting users from harm. But like many things, this is a case of good news and bad news. The good news is that app stores prevent most bad apps from getting onto the device and app sandboxing limits the damage from bad apps that happen to sneak into the app stores.
The bad news: app sandboxing. The same security mechanism that prevents a bad app from accessing other apps' data has also, quite literally, boxed traditional security apps out of being able to detect those bad apps. This means that if an app sneaks past the Google or Apple review process, the device can be compromised with nothing on it in a position to notice. Unfortunately, this has happened far too many times, on iOS (e.g. XcodeGhost, a trojanized copy of Xcode that injected malicious code into more than 4,000 App Store apps) as well as on Android (e.g. Stagefright, a flaw in the platform's own media library rather than a rogue app, which exposed more than a billion devices to takeover via a single MMS). These attacks will continue because the rewards are simply too great and, frankly, Google and Apple need help.
The solution? Guard the “front door” of a device with DNS security. After all, when an iPhone or Android is first turned on, it is new and clean of any malware, and in practice the way it gets infected is through the Wi-Fi or cellular network. For years, malware and phishing attacks have been blunted on PCs by using a “filtering” DNS provider that refuses to resolve domains known to host malware, phishing sites and other undesirable content, so the connection is stopped before anything can be downloaded to the computer. (A filtering resolver sees only the name being looked up, so what it stops is contact with known-bad domains, including a trojan's command-and-control callbacks, rather than every possible form of attack.) The problem is that one can’t simply point a mobile device at the filtering DNS provider of one's choice, because DNS settings on phones are largely locked down, ostensibly to prevent malware from changing a device’s DNS. But this also prevents enabling the DNS protection service of one's choice on one’s own device.
Well, we at Mobolize have an app for that. This little app (about 6 MB on Android) contains our patented Data Management Engine, which enables our partners to seamlessly connect their cloud-based services, such as a filtering DNS protection service or a Secure Web Gateway (SWG), to any mobile device. By hooking into the network stack with our SmartVPN® technology, our engine has the unique advantage of handling all IP packets on Wi-Fi and cellular traffic on the device itself, without needing a VPN server, and can thus support any internet protocol, including TCP, UDP and DNS.
That means the Mobolize Data Management Engine enables our partners to provide a wide range of services, such as encrypting traffic on public Wi-Fi, reducing data consumption on cellular networks, and (back to the topic of this blog) protecting users from malware and phishing sites.
Because of this ability, the Data Management Engine becomes a smart data traffic manager that ensures the best connectivity and security on mobile devices, including the ability to leverage third-party DNS protection services or SWG threat and DLP scanning. By routing all IP traffic through our engine, packet-level decisions can be made about malware, phishing and inappropriate-content filtering at a fine-grained level that provides real protection against threats on mobile devices.
A major advantage of our seamless integration into the mobile device’s network stack is that it provides protection for both native apps and web browsing across all user activity on any cellular or Wi-Fi network, supporting both standardized protocols (e.g., DNS over HTTPS or DNS over TLS) and proprietary protocols used by our partners. Another major advantage is that no MDM is required, so protection is extended to all types of users, allowing enterprises to protect BYOD devices and carriers to protect consumer devices.
With this new approach, our partners can now bring their SWG or DNS services to the mobile world. One example, delivered in partnership with Akamai, is CIRA Canadian Shield, offered by the Canadian Internet Registration Authority (CIRA): a free DNS protection service that provides online privacy and security to individuals and families across Canada.
With CIRA Canadian Shield, Mobolize is the first company to bring a full-featured DNS protection service to the everyday mobile user. The user can select the protection level they want, from a simple private DNS service with no blocking, to DNS blocking of malware and phishing, to blocking of objectionable content as well.
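A worked example of the two ideas above, the filtering resolver from the “front door” paragraph and the selectable protection levels just described, written for this edit and not code from Mobolize, CIRA or Akamai. It parses one raw DNS query (the UDP payload a packet-level engine would see), matches the queried name and its parent domains against per-category blocklists, and either lets the packet through to the upstream resolver or synthesizes the reply itself. The level names, the blocklist entries and the `.example` domains are hypothetical placeholders; a real service would load its lists from threat intelligence and, for DoH/DoT clients, would see the query only after terminating the encrypted transport, which this example does not cover.

```python
import struct
from dataclasses import dataclass

QTYPE_A = 1
RCODE_NXDOMAIN = 3

# Constructed sample blocklists: placeholder names, not real threat data.
BLOCKLISTS = {
    "malware": {"evil-update.example"},
    "phishing": {"login-bank.example"},
    "adult": {"adult-site.example"},
}

# Hypothetical protection levels, loosely modelled on the tiers the post describes:
# private resolution only, malware/phishing blocking, or that plus objectionable content.
LEVELS = {
    "private": (),
    "protected": ("malware", "phishing"),
    "family": ("malware", "phishing", "adult"),
}


@dataclass
class Query:
    txid: int
    qname: str       # lower-cased dotted name from the question section
    qtype: int
    qclass: int
    question: bytes  # raw question section, echoed back in any synthesized reply


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Encode a recursive (RD=1) query for `name`; used here to construct sample packets."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> Query:
    """Parse the DNS header and its single question; reject anything malformed."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated question name")
        ln = packet[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 or off + ln > len(packet):  # no compression pointers in a query name
            raise ValueError("bad label")
        labels.append(packet[off:off + ln].decode("ascii").lower())
        off += ln
    if off + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return Query(txid, ".".join(labels), qtype, qclass, packet[12:off + 4])


def matched_category(qname: str, level: str):
    """First active category whose list contains qname or one of its parent domains."""
    parts = qname.split(".")
    candidates = {".".join(parts[i:]) for i in range(len(parts))}
    for cat in LEVELS[level]:
        if candidates & BLOCKLISTS[cat]:
            return cat
    return None


def block_response(q: Query, sinkhole: bool = False) -> bytes:
    """Synthesize the reply for a blocked name: NXDOMAIN by default, or an
    A record of 0.0.0.0 when sinkhole=True and the question is an A query."""
    use_sinkhole = sinkhole and q.qtype == QTYPE_A
    rcode = 0 if use_sinkhole else RCODE_NXDOMAIN
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, AA=0
    header = struct.pack("!HHHHHH", q.txid, flags, 1, int(use_sinkhole), 0, 0)
    answer = b""
    if use_sinkhole:
        # name = pointer to offset 12 (the question), type A, class IN, TTL 60, 4 bytes of 0.0.0.0
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + bytes(4)
    return header + q.question + answer


def handle_query(packet: bytes, level: str, sinkhole: bool = False):
    """Policy decision for one DNS packet: None means forward upstream unchanged."""
    q = parse_query(packet)
    if matched_category(q.qname, level) is None:
        return None
    return block_response(q, sinkhole)


def rcode_of(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x0F
```

Two design points worth noting. The parser refuses compression pointers, oversized labels and truncated names outright, because a filter that sits in the packet path is itself an attack surface and must not be pushed into misreading the question by a crafted packet. And the choice between NXDOMAIN and a 0.0.0.0 sinkhole is deliberate: NXDOMAIN is the honest answer, while a sinkhole address stops some apps from treating the failure as transient and retrying through another resolver.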
Now, the Mobolize Data Management Engine not only enhances and optimizes your mobile’s network connection, it also provides the best – and only – platform for extending the next generation of security services to the mobile device. That’s smart. Mobolize smart.