Hi, what are you looking for?

RBI Will Issue Whitelist of Lending Apps Allowed On Google Play and Apple App Store: Finance Ministry

What Are the Six New Principles that Will Shape US Tech Policy Going Forward?

Exclusive: Behaviour and protest monitoring a part of Jabalpur Municipal Corporation’s surveillance tender

Supreme Court Issues Notice in Tamil Nadu Government’s Challenge to Quashing of ‘Online Gaming’ Ban

J&K police floats tenders to branch out its CCTV surveillance network

The IT Ministry has released draft security guidelines for mobile devices and services open for public consultation until September 21, 2022

Update (6 September, 1:40 pm): MeitY has taken down the draft MSG guidelines from its website. It’s not clear if the guidelines are still open for consultation or/and if MeitY will reupload the draft. 

The Ministry of Electronics and Information Technology (MeitY) on July 20 released draft security guidelines for mobile devices open for public consultation until September 21, 2022. Called the Mobile Security Guidelines (MSG), the document outlines various voluntary measures that participants in the mobile ecosystem can adopt to ensure the security of mobile devices, applications, networks, and services and the privacy of users. “Mobile application-based services in every domain including education, health and social media have become integral part of daily life of Mobile Users of all age groups and genders. The exposure risk of Mobile Phone Users gives rise to security threats of sensitive information loss and misuse of personal data by adversaries. Therefore, privacy and personal data protection of mobile user are of utmost importance. […] The central objective of MSG is to ensure privacy, protect sensitive data and provide security of transactions of every mobile device user, by following the mobile security control measures prescribed for various stakeholders involved in the mobile service ecosystem.” — MSG Draft

“Mobile application-based services in every domain including education, health and social media have become integral part of daily life of Mobile Users of all age groups and genders. The exposure risk of Mobile Phone Users gives rise to security threats of sensitive information loss and misuse of personal data by adversaries. Therefore, privacy and personal data protection of mobile user are of utmost importance. […] The central objective of MSG is to ensure privacy, protect sensitive data and provide security of transactions of every mobile device user, by following the mobile security control measures prescribed for various stakeholders involved in the mobile service ecosystem.” — MSG Draft

Who prepared the draft: The draft has been prepared by the Working Group on Mobile Device Security (WG-MDS), which was set up by MeitY, in coordination with the Centre for Development of Advanced Computing (C-DAC) and Standardisation Testing and Quality Certification (STQC).

How to participate?: Interested stakeholders can submit their feedback to Pallavi D, Joint Director, CDAC Pune and Member Convener of the Working Group at the email-id: pallavid[at]cdac[dot]in and cc to headits[at]stqc[dot]gov[dot]in.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.Advertisement. Scroll to continue reading. Who are these guidelines for? Manufacturers of mobile phones, hardware components, peripheral equipment, etc. Developers of mobile software services like applications, APIs, operating systems, browsers, etc. Service providers of software, applications, app stores, government and non-government bodies providing m-Governance and mobile services, social media services, etc. Network providers such as mobile network operators, providers of internet, satellite, and Wi-Fi services, etc. Regulatory bodies such as regulators, standardisation bodies, and enforcement agencies. Testing agencies such as mobile security testing labs and forensics organisations, quality assurance bodies, etc. Academia and researchers Mobile users and subscribers What’s the goal of MSG?

Mobile Security Guidelines (MSG) are prescribed to ensure the achievement of “mobile security goals” and protect the “data privacy of mobile users“: Mobile security goals Confidentiality: Ensuring confidentiality means ensuring the secrecy of information such as login credentials, passwords, personal files or photos, transaction information of payment details, location data of MD etc. Techniques based on information hiding, coding, encryption and decryption can be used to achieve confidentiality. Integrity: Ensuring integrity means maintaining the original data, message or information, accurate and intact without any change, modification, tampering or alteration at the stored, transit or transmission state. “For example, if a customer sends mobile payment instruction of Rs.50 and Rs.500 is debited from his account, it is integrity violation,” the draft states. Standard Hash Functions and checksums can be used for integrity checks. Availability: Ensuring availability means making the services or resources available for access to users from anywhere and anytime without any disruption. It can be ensured by maintaining all hardware bug-free, performing hardware repairs immediately when needed and applying system and security upgrades periodically. Authentication, authorisation and access control: This refers to the verification process to check whether a claiming entity is genuine or not before granting permission to access entitled resources. Subsequent to authentication, an authenticated entity is stopped access from using any other resource, to which it is not, entitled to or authorised to use. For example, a rogue mobile app trying to collect mobile users’ data should be stopped. On the other hand,  a genuine entity should not be denied access to a privileged service. This is achieved by access and permission controls, monitoring state changes, movement of the entity and detecting misbehaviour. Non-repudiation: It means that an entity cannot deny if it has actually done a transaction or genuinely did an action. This can be achieved by using Public Key Infrastructure (PKI) with digital certificates & digital signatures issued to mobile users. Traceability: It means that the actual path traversed for the completion of a transaction from source to destination is traceable. This is feasible using position, time, and status logs. Accountability: It means that an entity involved in the mobile ecosystem is responsible for the actions that it has performed as per its role, rules of service and prescribed guidelines. Trust and reliability: It ensures that the participating entity is or publicly evolves to be trustworthy. An entity’s past actions of adherence to rules and positive traits count in declaring an entity as trustworthy. An entity is considered reliable provided it is trustworthy. An entity may be assigned trust and reliability scores of low, medium, and high based on various past factors. Data privacy

The MSG draft state that the personal data of a mobile user is to remain private to the mobile user and protected as per the Personal Data Protection (PDP) Act 2019. Interestingly, the PDP Bill was withdrawn from the parliament a few days after these guidelines were published. Nevertheless, the MSG draft adopts many of the data security and privacy measures proposed in the PDP Bill including rules around consent, purpose limitation, transfer of sensitive personal data, transfer of data to third parties, etc. A few of the privacy measures include: No personal data of a mobile user shall be processed by any person, except for any specific, clear and lawful purpose. The consent of the data principal should be explicitly obtained in a clear, informed, specific, and free manner. The personal data should be collected only to the extent that is necessary for the purpose of processing such personal data and should be deleted at the end of the processing. Every data fiduciary should inform the data principal or mobile user information on the purposes for which the personal data is to be processed, the nature and categories of personal data being collected, information of the right to consent, and the individuals or entities with whom such personal data may be shared, etc. The data fiduciary should take necessary steps to ensure that the personal data of mobile users processed is complete, accurate, not misleading, and updated. What are the types of mobile security risks? Device-based: Mobile devices store a significant amount of sensitive data, which can get compromised due to vulnerabilities in insecurely designed devices that lead to unauthorised access to data. Network-based: Mobile devices are constantly connected to the internet. The end-users might use untrusted public networks enabling malicious parties to access and intercept transmitted data through rogue access points, Wi-Fi sniffing, eavesdropping, skimming, and sophisticated Man-in-the-Middle (MitM) attacks. User-behaviour related: End-users might indulge in risky behaviours primarily due to a lack of awareness that could compromise data. Risky behaviours include jailbreaking/rooting devices to bypass security controls, using unapproved cloud-based apps to share and sync data, using unapproved productivity apps that maintain copies of corporate data, using malicious apps from unapproved app stores, etc. Third-party apps related: Malicious apps and mobile malware can steal sensitive data and collect user data. What are the types of mobile security threats and vulnerabilities?

Threat actors, which includes adversaries, attackers, hackers, intruders, interceptors, impersonators, eavesdroppers, malware, spyware, virus etc. intend to identify vulnerabilities in the mobile ecosystem and exploit them to gain unauthorised entry into mobile devices. Vulnerabilities are weaknesses, gaps or loopholes in protective systems or mechanisms or interfaces, which can be exploited by threat actors. The MSG draft classifies mobile device security vulnerabilities as: Device-based vulnerabilities such as the use of a mobile device without any or with weak password protection may provide a way for an adversary to easily enter into and steal secret information and do identity theft. Communication-based vulnerabilities such as weak transport level security, rogue Wi-Fi devices, untrusted Bluetooth devices, and misuse of specific electromagnetic waveforms of mobile antennas to spoof and inject commands via the audio interface. Mobile service-based vulnerabilities such as security vulnerabilities present in old versions of mobile web browsers, operating systems, applications, APIs and mobile interfaces, and unencrypted data storage. What are the prescribed mobile security control measures?

Mobile Security Control Measures (MSCM) are countermeasures to prevent mobile security threats from adversaries and to avoid exploitation of mobile security vulnerabilities. These measures are classified into three categories Policy-based measures: This includes regulatory guidelines, security policies, and mobile security standards. Technology-based measures: These include measures to fulfil the “mobile security goals” outlined above using technological solutions. User-oriented measures: These include measures to increase user awareness of mobile device security. Technology-based measures

The MSG draft predominantly focuses on technology-based measures, which are further classified as:

Mobile Device Security: These measures apply to mobile hardware, firmware, operating system, and pre-installed apps. The measures especially focus on threats applicable to the operating system and SIM. “As Mobile Operating System and Subscriber Identity Module (SIM) are significant, so their security threats, vulnerabilities and control measures are presented in separate sections. SIM is a gateway for a mobile device connected world and a potential target by adversaries to steal mobile user identity and commit frauds, so it needs to be properly protected,” the draft states. Some of the prescribed measures include: Sharing of data with apps: Mobile app permissions should take into consideration data minimisation, control, and transparency and apps should be isolated from each other so as to prevent data leakage between apps. Apps must seek explicit permission to access resources like location, camera, and microphone. Apps being installed on a mobile device must come from a valid and trusted source and this should be verified by the OS. Support for VPN: There should be built-in support for Virtual Private Network (VPN) clients which in turn support different profiles such as personal and work. “This helps the business-related applications to secure their assets and data on a mobile device. This also helps in addressing the privacy-related concerns of mobile users. Even though it is possible for some mobile users to misuse the VPNs to access banned content and hide their identity, use cases of the VPNs outnumber the misuse cases and hence need to be supported by the Mobile operating system with care,” the draft states. Remote wipe features: If a mobile device is lost, users must be able to remote wipe the device. Kernel level measures: The guidelines also prescribe various steps that can be adopted at the hardware level to ensure secure boot loaders, robust security at the kernel levels, enabling secure device drivers, full-disk encryption, etc. SIM security measures: The guidelines prescribe various measures to secure SIMs and eSIMs including measures to ensure safety in the production and supply chain of SIMs.

Mobile Communication Security: These measures aim to address mobile communication-based vulnerabilities. “In general, mobile devices are constantly connected to the internet. The end-users might use untrusted public networks, which may enable malicious parties to access and intercept transmitted data through rogue access points,” the draft states. Communications security involves defence against the interception of communication transmissions through means like crypto security (encryption or decryption), transmission security, emission security, and physical security.

The guidelines state that the evolving and latest standards issued by standard-setting bodies like the ITU, IMT, 3GPP, ETSI, TSDSI, IEEE, NIST, LORA, NFC Forum, and Global Platform need to be followed for the various aspects of mobile and wireless communication such as WiFi, Near Field Communication (NFC), Radio-Frequency Identification (RFID), Bluetooth, QR code, GPS, GSM (3G/4G/5G), SMS, Voice over Internet Protocol (VoIP), etc.

Mobile Services Security: Mobile service-based vulnerabilities include security vulnerabilities present in old versions of mobile web browsers, operating systems, applications, APIs and mobile interfaces, unencrypted data storage, etc. Measures to address these include: Regular updating of apps to fix vulnerabilities For cloud-related services, the guidelines prescribe that cloud service providers store data of Indian users in the country. For app-related security concerns, the guidelines prescribe better restrictions by OS on what apps can and cannot be installed, and more accountability from app stories, including by registering in India, as a legal entity with the appointment of a nodal officer and grievance management facility. Following recommended security settings by browsers and OS Not clicking on suspicious links The guidelines also outline best practices in cryptography, which is used in a variety of security functions. For app developers, the guidelines prescribe secure coding practices such as reviewing source code before using them in an app, ensuring the APIs used are safe, secure sharing of data across apps, providing regular updates, etc. Framework for mobile device security testing

The draft guidelines outline requirements and operating procedures for mobile device security testing and mobile device forensics. These are primarily targeted at mobile device security testing organizations and labs. “Mobile Security Testing is necessary to gain the confidence that the mobile device, Firmware, OS, mobile communication and mobile apps within the mobile device are able to counter the various threats and vulnerabilities highlighted in MSG,” the draft states.

In addition to outlining how to carry out testing and the various methods and tools, the guidelines also discuss how to carry out mobile forensics for data recovery for cybercrime purposes and cryptanalysis, which is the study of cryptographic security systems to gain access to encrypted messages, even if the cryptographic key is not known. Checklists

The MSG draft guidelines conclude by providing comprehensive checklists (based on measured outlines throughout the MSG) for all the various affected stakeholders such as device manufacturers, mobile users, app developers, network providers, regulators, testers, etc.  “The adoption of the prescribed guidelines with checklists provided for each category of entities would ultimately ensure enrichment of mobile user’s experience towards secure and trust-worthy mobile services with privacy protection,” the draft states.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.Advertisement. Scroll to continue reading.

Also Read MeitY Releases Draft Guidelines On Data Anonymisation For E-Governance For Public Consultation Govt To Enforce Mobile Security Standards For Device Makers In India Government To Verify Mobile Devices For Providing Information On Privacy And Security How India Can Improve Its Cybersecurity Directions #NAMA

You must be logged in to post a comment Login

You must be logged in to post a comment.

Studying the 'community' supporting the late Sushant Singh Rajput (SSR) shows how Twitter was gamed through organized engagement

Do we have an enabling system for the National Data Governance Framework Policy (NDGFP) aiming to create a repository of non-personal data?

A viewpoint on why the regulation of cryptocurrencies and crypto exchnages under 2019's E-Commerce Rules puts it in a 'grey area'

India's IT Rules mandate a GAC to address user 'grievances' , but is re-instatement of content removed by a platform a power it should...

There is a need for reconceptualizing personal, non-personal data and the concept of privacy itself for regulators to effectively protect data

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Copyright © 2021 MediaNama. Made in India.

Subscribe to MediaNama Pro to gain access to actionable reporting, analysis and insights on what is shaping technology policy in India, and reshaping the world of technology.

Subscribe for all access to MediaNama stories for 1 year

Support MediaNama's work by subscribing for 3 years.

Keep your organisation up to date with the latest developments, with a dashboard to manage your team's access to MediaNama.