
New │ Establish a third-party smart phone information security evaluation lab to help test commercially available mobile devices, and promote app data security regulations.
Impact │ To help businesses strengthen their information security defense capabilities, and to enhance the security of products and services.
Key │ To establish the framework, procedures, and methodologies for evaluating the security of smart portable devices based on international testing standards.
Evidence │ To establish a spin-off company to drive the development of information security industry.
At the end of 2014, the biggest news in international entertainment was the hacking of famous Hollywood celebrities. Many private photos stored on their Apple iCloud accounts were leaked on public websites. This incident demonstrated that as the number of mobile applications on people's hand-held devices increases, so does the information security risk. During the first quarter of 2014, the number of malware and high-risk applications for mobile devices reached over 2 million. The adequate storage and protection of personal data has become an issue of utmost importance.
To satisfy the information security requirements of international clients, domestic network communications and mobile phone providers must provide valid test certifications before shipping their products. For these vendors, however, information security is unfamiliar territory, which is why their internal staff is usually ill-prepared to deal with this requirement and needs outside assistance. The Institute of Information Industry (III), with many years of experience, knowledge, and know-how in information security testing technologies, through the establishment of the Security Evaluation and Assurance Lab (SEAL), began to offer embedded equipment software/hardware information security testing for Taiwan's major network communications providers in 2013. Testing and scope of service will gradually expand to include mobile devices as well as mobile apps. Collaborations with several major mobile device manufacturers in Taiwan are also underway to establish III as an information security partner, which will further enable government agencies to conduct operation oversight and security control over smart mobile devices.
Conduct Information Security Tests Based on Hacker Mentality
This service is similar to a health exam: various tests are performed on smart devices and apps to detect potential information security risks. The tests are developed by III based on the standards specified in the "Top 10 Mobile Risks" published by the internationally renowned Open Web Application Security Project (OWASP), as well as "NIST SP 800-163, Vetting the Security of Mobile Applications" published by the U.S. National Institute of Standards and Technology (NIST). These two publications provide the basis for developing the framework, procedures, and methodologies for conducting security tests on smart devices. Our testers, with many years of experience, use internationally developed automation tools in combination with testing tools developed by III to conduct evaluations based on hacker mentality.
At the end of 2014, III assisted the Industrial Development Bureau, Ministry of Economic Affairs in the deliberation and drafting of a fundamental mobile application software regulation, which seeks to regulate basic security requirements for universal non-native and non-domain specific apps. The draft is fully compatible with the five major and 17 minor information security requirements recognized by domestic app developers and experts in the field. The purpose of this regulation is to promote industry development, and to encourage app developers to conduct autonomous referencing and management. Information disclosure further enables consumer involvement to strengthen security awareness within the app development industry.
Strengthen Product Information Security, Improve Product Competitiveness
The smart device and mobile app information security evaluation service established by III has already been commissioned by the internationally renowned smartphone manufacturer HTC, to provide data security test and consultation services for its newly developed smart phone models. These services are being used to help test and authenticate HTC's new mobile products. D-Link, the world famous network communications equipment manufacturer, has also commissioned III to conduct security authentications for Android applications developed by the company to enhance app security. In 2014, the National Credit Card Center launched a cash flow payment system designed for smart portable devices. To ensure software security for the front-end app, as well as the back-end cash flow payment operations, III was also commissioned to conduct security evaluations on smart portable devices and relevant apps.
In addition, III has worked closely with government agencies to assist the National Communications Commission and the Department of Consumer Protection of the Executive Yuan, to conduct information security tests on the best-selling smart portable devices. Risk analysis results allowed government agencies to require device manufacturers to make product improvements, thereby ensuring the personal data security of all users.
To successfully implement the commercialization of the R&D results, the CyberTrust Technology Institute SEAL team at III has accumulated vast experience from assisting Taiwan's communication product providers by offering third-party information security evaluations. On October 1, 2014, Onward Security Ltd., a spin-off company, was established to drive industry efficiency and further develop mobilized information security testing technologies and services.
III hopes that by continuing to provide information security testing services for smart portable devices and mobile apps, collaborating with research institutes and businesses, and by actively participating in associated international information security organizations, III will be able to establish testing parameters that are on par with international standards. This will increase both the quality and volume of information security testing services in Taiwan, thereby effectively improving the information security standards of the MIT app development industry.
Future Vision
Information security evaluation services are like health exams; they protect the security of smart devices and mobile applications, as well as increase product safety and quality. The service can help prevent a user's personal data from being leaked, allowing the user to browse the virtual network without any worries.