Part 4/8: SCA Industry Challenges - the Mobile OS Headache
First published: 03/02/2020
When providing strong customer authentication (SCA), smartphones with outdated OSs are one of the major hurdles that have to be addressed. Should these users be opted out, forced to update, or is there a different alternative altogether?
At the beginning of February 2020, there was a news item that got some traction: WhatsApp, with more than 2 billion users, was ending their support for older versions of Android. While the version they ended support for made up only 0.3% of all Android devices, we are still talking about as many as 6 million users.
Why Did the Support Stop?
Not everyone has the luxury of disabling 6 million devices on their platform, but it is interesting to speculate why WhatsApp chose to do this. Our guess? Security is probably the most likely cause.
The version of Android they stopped supporting, version 2.3.7, was released back in December 2011. Since then, there have been a large number of vulnerabilities found in Android, from remote exploits such as “Stagefright” to yet another issue with Bluetooth. Needless to say, these vulnerabilities have not been patched on a 10-year-old version of Android.
How long can users expect to receive updates for their Android phones? According to an article by “The Verge”:
“Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch. Security updates are mandated within the second year as well, though without a specified minimum number of releases.”
If you work in IT and replace your phone every two years, there is no issue. But for most consumers, it might be an unpleasant surprise that they have to buy a new phone to get updates. We estimate that as many as two-thirds of Android phones don’t get regular security updates.
We would like to mention, however, that for iOS users, the situation is a bit better: all phones released in the last 5 years (iPhone 6s and newer) still receive updates.
How to Deliver SCA on Outdated Devices?
We’ve already written about what “malware” can do, so this puts banks and fintechs in a bit of a bind. What do you do when a large percentage of your user base, potentially even the majority, runs a mobile operating system that is no longer receiving updates?
The majority of today’s users are doing their banking on a single device, and it is unrealistic to expect any of them to go back to using a PC plus a phone. The two obvious alternatives are to either opt out the users or force them to buy a new phone.
Yet neither option is very appealing, especially when you think about what it may entail: once you have customers who have deposited money, blocking them from accessing their accounts is, at best, very inconvenient and, at worst, questionably illegal.
With Okay, we provide an alternative: a secure execution environment that aims to be as independent from the operating system as possible. We even assume that the user’s device has been infected with malware and that the malware is actively trying to attack your application.
While WhatsApp has to protect their entire application, we have the luxury of only trying to protect the most sensitive parts: authentication and transaction verification. This can help you avoid making hard decisions about opting out large numbers of users.