Closing the mobile security gap

The best hope for enhanced mobile security lies in building security into the application development life cycle, says Godfrey Kutumela, head of the Security Division at IndigoCube.

Godfrey Kutumela, IndigoCube, head of the Security Division

As business goes mobile, hackers are following the money. All stakeholders need to take heed, says Godfrey Kutumela, Head of IndigoCube's Security Division.

The mobile revolution has placed mobile devices at the centre of modern business, right at the sweet spot where big data meets social business. Customers, business partners, employees - all the key components of the business value chain - are using mobile devices to access corporate systems.

And as business goes mobile, hackers are following it. The bad news is that mobile devices are extremely exposed. In 2014, for example, 5.2 million smartphones were lost or stolen in the United States, and Trojan attacks on mobile banking increased ninefold compared with 2013. US mobile malware rates are growing by 75% year on year, and 25% of all mobile devices encounter a threat each month. Many equally disturbing statistics are freely available on the Internet.

Hackers home in on three prime targets, usually by way of malware, which is exactly why malware attacks are increasing so rapidly:

* Data. Smartphones hold sensitive data such as card numbers, authentication credentials and session tokens, calendars, contacts, notes and so on.
* Identity. Because they are so highly customised, the device and its contents amount to the "virtual DNA" of the owner, and a hacker who controls the device controls that identity. Hijacked identities are then used to commit further offences, from account takeover to fraud against the victim's contacts.
* Data allowance and airtime. Smartphones are always on, even when the owner is otherwise occupied or asleep. A compromised idle phone can be run as a bot (sending premium-rate SMS, relaying traffic or taking part in a botnet) and, to add insult to injury, consumes the owner's data and airtime while doing so.

Unfortunately, mobile phones are currently ill-equipped to repel malware. Conventional anti-virus packages were built for desktop processors and battery-free machines, and mobile operating systems sandbox every app, so a security app cannot inspect the files or memory of other apps the way a desktop scanner can. Malware, by contrast, is small, needs few resources and therefore runs perfectly well on a phone.

Most malware exploits the coarse, all-or-nothing access model found in most mobile operating systems: permissions are granted for a whole category of resource, not for the specific item the app needs, and on many platforms they are granted once, at install time, as a single take-it-or-leave-it list. Thus, for example, an app might ask for access to the user's photographs in order to operate optimally, but in the process be granted read access to everything on the shared storage, not just the photos. The user has no way of checking whether that access is ever used for anything other than photos.

Apps are thus the number one vulnerability in the mobile world, and research shows dating apps to be among the most dangerous. According to an IBM study of popular dating apps, around 60% of those analysed were vulnerable, and the vast majority had access to the user's current and past geo-location, so stalking is a real risk.

Corporates have the resources to implement automated mobile device management (MDM) programmes that let administrators restrict each app's access rights as appropriate, and enforce the encryption of sensitive information on the device. Nothing like this is currently available for the man in the street.

Bluetooth and WiFi contribute further to the vulnerability of mobile devices. One attack is for a hacker to set up a rogue access point near a popular free WiFi spot, such as a coffee shop, or in a municipal area such as Tshwane, which recently launched its free WiFi service. By broadcasting the same network name (SSID) as the legitimate service, and not asking for the usual log-in information, this "evil twin" hotspot fools phones into connecting automatically if they are set to re-join known or open networks (as with Windows Phone's WiFi Sense), after which the hacker sits in the middle of all the phone's traffic.
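One defence against the rogue hotspot described above is to refuse to auto-join a saved network whose access point or security mode does not match what the phone saw on earlier, legitimate joins. The following is an added example, not code from the article or from IndigoCube; the scan results and the saved-network profiles are constructed stand-ins for what a device's WiFi stack would report, and the two Tshwane BSSIDs, the coffee-shop network name and the MAC addresses are made up for illustration.

```python
"""Evil-twin check for Wi-Fi auto-join decisions.

Added example, not code from the article or from IndigoCube. The scan
results and the saved-network profiles below are constructed to stand in
for what a device's Wi-Fi stack sees; real profiles would come from the
device's saved-network list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str        # network name the user sees
    bssid: str       # MAC address of the access point
    security: str    # "OPEN", "WEP", "WPA", "WPA2" or "WPA3"
    signal_dbm: int  # signal strength; a rogue AP is often the strongest one


# Ordering used to spot a downgrade (a saved WPA2 network suddenly offered open).
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Assumed saved-network profiles: BSSIDs and security seen on earlier, legitimate joins.
KNOWN_NETWORKS = {
    "CoffeeShop_Guest": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"},
    "TshwaneFreeWiFi": {"bssids": {"de:ad:be:ef:00:10", "de:ad:be:ef:00:11"}, "security": "OPEN"},
}

# Constructed scan, in the shape `iw dev wlan0 scan` or a phone's Wi-Fi scanner reports.
SAMPLE_SCAN = [
    AccessPoint("CoffeeShop_Guest", "aa:bb:cc:00:00:01", "WPA2", -62),
    AccessPoint("CoffeeShop_Guest", "66:77:88:99:aa:bb", "OPEN", -40),  # rogue: unknown AP, no encryption
    AccessPoint("TshwaneFreeWiFi", "de:ad:be:ef:00:10", "OPEN", -70),
    AccessPoint("TshwaneFreeWiFi", "02:00:00:00:00:01", "OPEN", -35),   # rogue: unknown, locally administered MAC
    AccessPoint("NeighbourNet", "11:22:33:44:55:66", "WPA2", -80),      # never saved; never auto-joined
]


def evil_twin_findings(scan, known=KNOWN_NETWORKS):
    """Return (ssid, bssid, reason) triples for APs that impersonate a saved network."""
    findings = []
    for ap in scan:
        profile = known.get(ap.ssid)
        if profile is None:
            continue  # not a network this device would auto-join, so no impersonation risk
        if ap.bssid not in profile["bssids"]:
            findings.append((ap.ssid, ap.bssid, "BSSID not seen on previous joins"))
        if SECURITY_RANK.get(ap.security, 0) < SECURITY_RANK[profile["security"]]:
            findings.append((ap.ssid, ap.bssid,
                             f"security downgraded from {profile['security']} to {ap.security}"))
    return findings


def should_auto_join(ap, known=KNOWN_NETWORKS):
    """Auto-join only a saved network served by a BSSID and security level seen before.

    An unknown SSID, an unknown BSSID or a weaker security mode means the user must
    confirm manually, which is exactly the step a rogue hotspot relies on skipping.
    """
    profile = known.get(ap.ssid)
    if profile is None:
        return False
    if ap.bssid not in profile["bssids"]:
        return False
    return SECURITY_RANK.get(ap.security, 0) >= SECURITY_RANK[profile["security"]]


if __name__ == "__main__":
    for ssid, bssid, reason in evil_twin_findings(SAMPLE_SCAN):
        print(f"WARNING {ssid} via {bssid}: {reason}")
    for ap in SAMPLE_SCAN:
        verdict = "join" if should_auto_join(ap) else "ask"
        print(f"{verdict:4} {ap.ssid} {ap.bssid} ({ap.security}, {ap.signal_dbm} dBm)")
```

Two caveats a practitioner should keep in mind. A BSSID is just a MAC address and can be cloned, so the BSSID check raises the bar rather than settling the question; the security-downgrade check is the stronger signal, because an attacker who does not know the network's passphrase cannot offer a matching WPA2 network. For a genuinely open network such as a municipal hotspot there is nothing to downgrade, which is why open networks should never be set to re-join automatically at all.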

Failing a mobile device management solution, the best defence for individuals is awareness and monitoring. Only apps from reputable publishers, obtained from the official app store, should be installed; users should be wary of how much personal information they hand to each app, should review the permissions an app requests before accepting them, and should not store sensitive information such as PINs on their phones. All online accounts should have unique passwords, and users should learn how to monitor data use per app so that an app consuming an unexpectedly large amount of data stands out.

The best hope for enhanced mobile security, however, lies in building security into the application development life cycle. Simply getting developers to design app functionality with user privacy firmly in mind, requesting only the permissions a feature actually needs and treating the data collected as a liability rather than an asset, would go a long way towards making apps intrinsically more secure. Changing the culture of app development will require a collaborative effort by all stakeholders.

As Apple CEO Tim Cook has said: "If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money. We risk our way of life. Fortunately, technology gives us the tools to avoid these risks. And it is my sincere hope that by using them and by working together, we will."



IndigoCube helps organisations to improve the quality of their software. It does this by enabling and improving the agility, productivity and security of the application life cycle. It specialises in agile transformations, business analysis, software testing and application security. The application of best practices and the development of requisite skills is core to all its solutions and it partners with some of the world's leading vendors. IndigoCube is ideally positioned to boost productivity and long-term return on investment in its focus areas.

Editorial contacts
Communikay: Karen Heydenrych, (083) 302
IndigoCube: Godfrey Kutumela, (011) 759

Godfrey Kutumela, leader of the cyber crime and security division at IndigoCube

Godfrey Kutumela has over 16 years' experience in security consulting and engineering, having conducted high-end security consulting engagements and designed and delivered technical solutions on three continents. Driven by his passion for securing online and mobile applications in the era of the Internet of things, he made a strategic move to join the newly formed IBM Security Systems Division in 2012. At IBM he led and evangelised the application security, security intelligence and threat intelligence portfolio for the Middle East and Africa market. Kutumela joined IndigoCube in June 2015 as leader of the cyber crime and security division. His responsibilities include bringing application security integration practices to the local market and helping organisations protect their critical applications and the data they generate. He has also served as membership chair of the (ISC)² Gauteng Chapter since May 2015.
