Challenges in Mobile Security

Smartphones are an essential part of our lives today, taking care of everyday activities from getting to work on time to communicating with people. These devices transmit hundreds of messages, store memories and use location services throughout the day, admittedly making lives a lot easier but inadequate privacy laws and open security issues remain a cause for concern. Employee productiveness and responsiveness has improved by flexible practices such as bringing mobile devices in workplaces, usage of enterprise applications over these devices and the BYOD (Bring-Your-Own-Device) trend but has created major security challenges for enterprises.

This is part of a series covering topics in Information Security:

1. Introduction to Information Security
2. Security in the Cloud
3. Challenges in Mobile Security (this post)

Challenges for enterprises in the mobile landscape include:

1. Security of endpoint device and data
   This covers the separation of personal and corporate data, device wipes, preventing data leakage and introducing data policies to keep data secure.
2. Developing secure applications
   This includes carrying out static and dynamic analysis on application code, introducing security early in the application development lifecycle, and creating application policies to protect end-users, for example — only vetted and web-store signed applications are installed (as in Apple mobiles).
3. Securing access to enterprise applications and data
   Strict authentication on the device (biometric, multi-factor authentication etc), encryption of data over the network and at rest, strict user policies and secure APIs can help protect unauthorized access to applications.
4. Adapting to the BOYD (Bring-Your-Own-Device) trend
   With multiple providers and platforms on the market, creating a unified solution to provide defence from all devices is quite difficult. Securing endpoints in a business environment, sandboxing applications, employing defence in depth and managing devices through a central service can add a layer of security.
5. Practising an Adaptive Security Posture
   Using security intelligence, examining logs and creating strong policies with respect to geolocation services and user roles leads to more secure systems.

Attacks in the mobile landscape

Malware can be disguised as a legitimate application on a trusted or un-trusted application store or embedded into its files and unknowingly downloaded by the user. Social engineering or phishing is another popular technique to infect users devices with malware and then propagate over the victim’s friend lists by inviting them to download it. They may collect user data, monitor transactions and payment information or cause harm to the user’s devices. Other types of malware, such as adwares show advertisements and send the victim to malicious phishing links while auto-rooters gain root-level access privileges of the phone.

Listening in on a user’s traffic (an eavesdropping attack) can give away a lot of information and possibly intercept sensitive data if not properly encrypted. Eavesdropping is a passive attack where the attacker monitors network traffic from a victim’s mobile device to a wifi hotspot. Attackers may provide free wifi hotspots to encourage users to connect to them and then spy on information sent by the device as the victim browses the internet.

Best practices for Mobile users

1. Change passwords regularly and do not use any factory passwords. Use biometric authentication if possible.
2. Keep the OS up to date, installing system updates and security patches as soon as they are available.
3. Use a dedicated email address for authentication and pin requests.
4. Be careful while installing applications from unknown sources, especially free versions since they are popular carriers for malware. Download vetted and signed applications through official web stores.
5. Limit permissions of applications, especially regarding geolocation services. Provide permissions to only verified applications and only if necessary.
6. Do not access sensitive information or payment portals over non-secure public WiFi.