Talking About Mobile Security
There is an undeniably huge increase in mobile devices and their acceptance in the workplace. Along with this, IT now has to take on the responsibility of managing and securing them. I hear a lot of talk about mobile security, but it is pretty confusing. Can you help break down the areas of risk and how to address them?
When talking about mobile security, there are primarily four different contexts (the third is really a subset of the second, but it is significant enough to call out on its own).
1. Restricting access to the device itself, much like locking your desktop with a password, so the applications and information stored on it cannot be readily accessed.
2. Preventing infection of that particular device (malware, viruses, etc.). Some examples of this in the mobile world:
a. Spyware: software that mines data on the device and sends it back to the attacker. If you think this is a stretch, think about how applications are typically installed and how error and performance information is routinely collected and sent back to the developer. Spyware uses the same avenue, except the information it sends is likely identity, credential and cache data.
b. Trojans: the attacker writes a Trojan and the device gets infected via a malicious URL or email. An example may be that all this Trojan does is send SMS messages to a premium-rate international number the attacker controls, piling up bills that you pay for. Oh yes, and the code knows how to suppress those SMSs from showing up as sent on your phone. This could go on all month until you get that $10,000 bill from your service provider. Not fun.
c. Malware enabling a man-in-the-middle attack: the attacker's application intercepts your web session (say, when you log into your bank account) and captures your legitimate credentials, which the attacker then uses to log into your bank and move some cash around. Meanwhile, they may send you to a different page that looks legitimate so it doesn't set off any alarms.
3. This is a subset of #2 but is significant on its own. If I do not have adequate virus protection on my mobile device, I may very well (likely) pass that virus along to someone else. This is the classic case with Macs. Many organizations are under the impression that a Mac is inherently more secure, so they don't install security applications on them (we can debate the security of Macs another time). The Mac user may be entirely safe when an email sent to them carries something infected but not written for a Mac, but the poor colleague or customer on Windows is in a bad position when it is forwarded to them as part of normal communication. This isn't good for business. Mobile phones are in a similar position: many viruses are not written for them, but they can certainly pass them on and undermine security in general.
4. Regardless of whether any of the above is happening, whatever system a person accesses from a mobile device (an app or server on the corporate side) must itself be secured so it cannot be reached and compromised through that device.
I must confess that what makes this a confusing topic to the reader is that most vendors speak about mobile security with a great deal of high-level anecdotalism, which makes it hard to grasp what the actual risks and solutions are. The other challenge is that while mobile devices are on a rocket-ship adoption trajectory, the options available to implement sound security are not commensurate. So a lack of information to understand the problem, vendors not doing a good job educating about the problem, and few solutions to the problem create a perfect storm for confusion.
In general, options are limited in the market at the moment because mobile OSs a) have architectures unique from one another, which means a vendor solution has to be built separately for each, and b) the mobile vendors haven't really met third parties halfway to interface with them in all of the areas above. Let's take two examples, Apple on one side of the spectrum and Android on the other. Apple has a "sandbox" approach where one application is restricted from accessing data inside another application. This makes it fairly secure because it is hard for spyware or malware to execute effectively. However, the same model that makes it more secure out of the box makes it inflexible to accommodate a third-party application from a security specialist vendor that might do the job more effectively. Android, on the other hand, is a different model. It also sandboxes each app (every app runs under its own Linux user ID), but it is far more permissive about what an app can do once the user grants it a permission: shared external storage, inter-app messaging, and, notably, installing apps from outside the official store. Much like a desktop OS, once you are in there is a lot of room to move around. That is less restrictive and makes Android easier pickings for anyone wanting to execute #2. We are starting to see some of this, but the same openness lets vendors build apps that detect and mitigate much as they do on the desktop, so Android has an upside as well.
For #1, as an alternative to using a 4-digit PIN to access your device, the options out there are fairly anemic. Support for strong two-factor authentication such as smart cards and PKI aligns with government standards for identity and authentication, yet it currently lacks vendor support at the mobile OS level. This will eventually change through demand from government and enterprises, and standards will help influence it. Standards such as PIV (the US federal smart-card standard, FIPS 201) are critical because they pave the way for feature improvements by having a community of 20 million asking for it, rather than individuals sending a letter to the company begging.
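Since the column's only device-access control is the PIN, here is an added example (my code, not the column's) of the checks a lock-screen PIN policy should enforce, plus a small calculation of why a lockout matters more than which number you pick. The six-digit minimum and the short blocklist are my assumptions; a real policy would use a fuller list of commonly chosen PINs.

```python
# Added example: lock-screen PIN checks. Not code from the original column.
# Assumptions (mine): six digits is the minimum worth accepting, and the
# blocklist below is a stand-in for a full list of commonly chosen PINs.

COMMON_PINS = {
    "0000", "1111", "1234", "1212", "2580",
    "000000", "111111", "123456", "121212", "654321",
}


def _is_sequential(pin):
    """1234 / 4321 style: every step between neighbouring digits is +1 or -1."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def _is_repeated_block(pin):
    """A short block repeated to fill the PIN: 1111, 1212, 123123."""
    for k in range(1, len(pin) // 2 + 1):
        if len(pin) % k == 0 and pin[:k] * (len(pin) // k) == pin:
            return True
    return False


def pin_weaknesses(pin, min_len=6):
    """Return the reasons a PIN should be rejected (empty list means OK)."""
    if not pin.isdigit():
        return ["not all digits"]
    reasons = []
    if len(pin) < min_len:
        reasons.append(f"shorter than {min_len} digits")
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if _is_repeated_block(pin):
        reasons.append("repeated digit or block")
    if _is_sequential(pin):
        reasons.append("sequential digits")
    return reasons


def is_acceptable_pin(pin, min_len=6):
    return not pin_weaknesses(pin, min_len)


def guess_rank(pin):
    """1-based position of `pin` in a naive attacker's guess order:
    the common PINs of that length first, then 000...0 counting upward.
    Shows that 'picking a higher number' only moves you down a list that
    is 10**len(pin) entries long."""
    n = len(pin)
    common = sorted(p for p in COMMON_PINS if len(p) == n)
    if pin in common:
        return common.index(pin) + 1
    rest = [p for p in (str(i).zfill(n) for i in range(10 ** n)) if p not in common]
    return len(common) + rest.index(pin) + 1


def guesses_before_lockout(pin_length, attempts_allowed=10):
    """Fraction of the keyspace an attacker gets to try before the device
    locks or wipes itself. With a lockout, even a 4-digit PIN leaves the
    attacker a 0.1% chance; without one, 10,000 tries is an afternoon."""
    return attempts_allowed / 10 ** pin_length


if __name__ == "__main__":
    for candidate in ("1234", "121212", "482913"):
        print(candidate, pin_weaknesses(candidate) or "OK", "rank", guess_rank(candidate))
    print("keyspace tried before a 10-attempt lockout on 4 digits:",
          guesses_before_lockout(4, 10))
```

The rank calculation is the point of the example: a 4-digit PIN of 9876 is the 9,877th guess for an attacker who tries the common ones first and then counts upward, which is still a trivial number of attempts. What actually stops that attacker is the device locking or wiping after a handful of failures, and a longer PIN.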
Clearly there haven't been too many wide-scale, recognized outbreaks of vulnerabilities on mobile platforms, but you can bet it is coming. There is speculation that it is not a new breed of hackers writing these exploits, but rather the same developers who did so for legacy (and, at the time, more popular) OSs, now applying similar threats to the newer ones (I guess they had enough downtime). So they are familiar, capable, and have a much broader base to attack in a world where downloading apps is the name of the game and tagging along for the ride to slide in incognito is pretty easy.
In the meantime, the best thing to do is exercise common sense.
1. Only install apps on your phone from reputable app stores.
2. Practice the same web surfing behavior as you would on your desktop. Any legitimate site can be compromised, and your screen doesn't have to flash and alert you that it happened!
3. If there is an AV app for your platform (there are more and more), give it a try.
4. Always PIN-protect access to your device, and to individual applications within it if they allow you to do so. Don't use patterns, repeated digits or sequences like 1234, use more than four digits where the device allows it, and turn on the lockout or wipe after repeated failed attempts. A four-digit PIN has only 10,000 possibilities, so anyone who can keep guessing from 0000 upward will hit the jackpot within hours no matter how "high" a number you picked; the lockout is what takes that option away.
5. Protect the corporate jewels: if you are part of an enterprise, it is imperative to employ non-password-based strong authentication to protect server-side intellectual property, by thwarting man-in-the-middle interception and the harvesting of text-based credentials for later use to gain direct access to your server-based applications. There are some great solutions from idOnDemand in this area; click here to read about some of these.
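To make point 5 concrete, here is an added example (my code, not the column's and not idOnDemand's product) contrasting a static password, which an interceptor can simply reuse, with a challenge-response login where the device answers a fresh server nonce using a secret it holds. The per-device secret is assumed to have been provisioned out of band, and a shared-secret HMAC stands in for the smart-card signature the column alludes to; the usernames and secrets are constructed sample data.

```python
# Added example: static password vs. nonce-based challenge-response login.
# Not code from the original column or from any vendor named in it.
# Assumptions (mine): the device secret was provisioned out of band, and an
# HMAC over (username, nonce) stands in for a smart-card signature.
import hashlib
import hmac
import secrets


class PasswordServer:
    """Static credential: whatever an interceptor captures works again later."""

    def __init__(self, users):
        self.users = users  # username -> password (constructed sample data)

    def login(self, username, password):
        return hmac.compare_digest(self.users.get(username, ""), password)


def _response(device_key, username, nonce):
    """What the device proves: it holds device_key, for this user and this nonce."""
    msg = b"login:" + username.encode() + b":" + nonce
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class ChallengeServer:
    """Credential is never sent; each login answers a single-use nonce."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # username -> 32-byte device secret
        self.pending = {}               # username -> outstanding nonce

    def challenge(self, username):
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def login(self, username, nonce, response):
        expected_nonce = self.pending.pop(username, None)  # single use
        key = self.device_keys.get(username)
        if key is None or expected_nonce is None or expected_nonce != nonce:
            return False
        return hmac.compare_digest(_response(key, username, nonce), response)


def replay_demo():
    """Run both flows with an interceptor who captured the wire traffic.
    Returns (password_replay_ok, first_login_ok, replay_ok, forged_ok)."""
    pw = PasswordServer({"alice": "hunter2"})
    captured_password = "hunter2"            # seen on the wire once
    password_replay = pw.login("alice", captured_password)

    device_key = secrets.token_bytes(32)
    cr = ChallengeServer({"alice": device_key})
    nonce = cr.challenge("alice")
    response = _response(device_key, "alice", nonce)   # computed on the device
    first = cr.login("alice", nonce, response)
    replay = cr.login("alice", nonce, response)        # captured pair, re-sent
    nonce2 = cr.challenge("alice")
    forged = cr.login("alice", nonce2, response)       # fresh nonce, stale answer
    return password_replay, first, replay, forged


if __name__ == "__main__":
    print(replay_demo())
```

The captured password logs in again; the captured challenge-response pair does not, because the nonce was consumed and a new nonce needs the device secret to answer. This closes the "harvest now, use later" path the column describes. It does not by itself stop an attacker who is actively relaying the live session, which is why the transport still needs TLS with proper server-certificate validation.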