The state of the mobile security landscape - particularly smartphone platforms - is an increasingly common IT security concern, and is becoming an important focus for operators, smartphone vendors, businesses and consumers alike.
A survey conducted in January by Dimensional Research explored the impact of mobile devices on information security in corporate environments, noting that 94% of companies have seen an increased number of personal mobile devices, such as smartphones or tablets, connecting to their corporate networks.
The survey that ran on ITWeb in July revealed similar results, says Doros Hadjizenonos, South Africa sales manager at Check Point Software Technologies. In addition, the survey uncovered that most South African companies are already allowing the use of mobile devices to connect to the corporate network and to store corporate data on the devices. Increased employee productivity and mobility are the main benefits for organisations that allow these devices in the workplace, but those benefits come with their own set of risks.
According to Hadjizenonos, mobile security has improved greatly in the last two years; Apple and Google have worked hard to combat mobile security threats. Both Google and Apple actively scan all officially hosted apps for malware signatures. “Although the Apple App Store is tightly controlled, getting malware onto an Android device can be a lot easier. Android is particularly vulnerable to rogue apps, as there is no restriction (beyond a checkbox in the OS) to installing apps from any source or developer.”
Although this is seen as a positive feature by many, at the same time, it greatly increases malware risk when compared to a single distribution source. “Thus, it is important that Android users understand permissions and the source of applications. iOS malware typically will only affect 'jailbroken' devices, and users should be aware of the dangers of doing so, as it opens them up to new vulnerabilities.”
“Threats associated with mobile devices can come in many forms,” says Hadjizenonos, including the mobile operating system. Every OS, including Android, iOS, BlackBerry and Windows, comes with its own set of security challenges. Threats can originate from mobile apps, the mobile browser, as well as insecure Bluetooth and WiFi hotspot usage.
They can also come from employees, he continues. “The lack of security awareness among employees is often the leading factor impacting the security of mobile data. Many employees simply aren't aware of the mobile security risks and corporate policies associated with mobile devices, such as storing corporate data, customer information or access to business applications.”
The consumerisation of IT, or bring your own device (BYOD) trend, brings forth another layer of complexity, as more employees want to leverage their personal mobile devices for business purposes, he says. “While companies begin to accept the BYOD trend, there are significant concerns about the privacy of sensitive data stored on the devices that IT must handle.”
He says that, as with PCs, smartphones can be leveraged in several ways for fraudulent gain. Beyond the physical security risks (GPS location awareness and lost or stolen devices), smartphones are also susceptible to the usual gamut of malware. There are mobile rootkits, mobile worms, mobile botnets and mutating malware designed to avoid mobile anti-virus detection.
“Smartphone owners can be targeted by both incoming and outgoing 'premium' text message scams. These text messages are sent en masse by computers, so once your number has been compromised, you have little recourse beyond complaining to your cellular provider. This scam requires no malware or trickery beyond obtaining the victim's cellphone number. Smartphone malware has also been discovered sending outgoing premium text messages. These charges can be legitimate, too - charity donations by text message, reality TV voting, etc.”
In addition, as smartphones are being used increasingly for e-commerce, application security is recognised as being necessary to protect payment information (usernames, passwords, credit card numbers), but this is not widely enforced. “Quick response (QR) codes are also predicted to increasingly be used by criminals to trick users into going to malicious Web sites, and users should be warned about the dangers.”
As people all over the world are increasingly connecting and communicating through their mobile devices (often exclusively), new laws pertaining to cellphone and location monitoring are in motion in many countries. “Being connected to your friends, family, job through your smartphone is also very convenient. But with that convenience comes risk,” he concludes.