The mobile OS headache
When providing strong customer authentication (SCA), smartphones with outdated OSs are one of the major hurdles that have to be addressed. Should these users be opted out, forced to update or is it possible to find an alternative?
At the beginning of February this year there was a minor news item that got some traction: WhatsApp, with more than 2 billion users, was ending their support for older versions of Android. The version they ended support for is only 0.3% of the Android devices, but we’re still talking about as much as 6 million devices.
Why did the support stop?
Everyone does not have the luxury of disabling 6 million devices from their platform, but it is interesting to speculate why WhatsApp chose to do this. Security is probably one of the main reasons. The version of Android they stopped supporting, version 2.3.7, was released back in December 2011. Since then there has been a large number of vulnerabilities found in Android, from remote exploits such as “Stagefright” to yet another issue with Bluetooth. Needless to say, these vulnerabilities have not been patched on a 10-year-old version of Android.
How long can we as users expect to receive updates for our Android phone? According to an article by “The Verge” “Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch. Security updates are mandated within the second year as well, though without a specified minimum number of releases.”
If you work in IT and replace your phone every two years there is no issue, but for most consumers, it might be an unpleasant surprise that they have to buy a new phone to get updates. We estimate that as much as 2/3rds of Android phones don’t get regular security updates. For iOS, the situation is a bit better, with all phones released in the last 5 years (iPhone 6s and newer) still receiving updates.
How to deliver SCA on outdated devices?
We’ve already written about what “malware” can do, so this puts banks and fintechs in a bind: What do you do when a large percentage of your user base, potentially even the majority, runs a mobile operating system that is no longer receiving updates? Today the majority of users are doing their banking on a single device, and you cannot expect users to go back to using a PC + phone to do their banking. The two obvious alternatives are to opt-out the users, or force them to buy a new phone. Neither case is very appealing. Once you have customers who have deposited money, blocking them from accessing their accounts is at best very inconvenient, and at worst possibly of questionable legality.
With Okay we provide an alternative: We provide a secure execution environment that aims to be as independent from the operating system as possible. We even assume that the user’s device has been infected with malware and that malware is actively trying to attack your application. While WhatsApp has to protect their entire application we have the luxury of only trying to protect the most sensitive parts: authentication and transaction verification. This can help you avoid making hard decisions about opting out large numbers of users.