Fun fact: I didn’t own a smartphone until my senior year of college. During my late high school and early college years, my brother and I would alternately share the latest in our littered line of abandoned phones. Smartphone technology was always upgrading to the latest and greatest (and constantly being pushed by service providers), so my parents, mainly against their will, were dragged onto the most recent iterations of several standard Android models. We were not iPhone aficionados. From a security perspective, Androids are not ideal regarding how they secure app stores and how much control they give users, but we’ll get to that later.
For now, risk in computing is not a binary choice: though it runs on zeroes and ones, the risk always lies somewhere in the middle, between the certainties of never and always. I’m often reminded of the Charlie Brown strip where ol’ Chuck stares at the ceiling in contemplation, wondering whether life is a true-false or multiple-choice question. The voice that answers him out of the dark confirms his sneaking suspicion that life is an essay question.
The same is true of cyber risk. Seventeen-year-old me, careless and phone-less, was impervious to mobile device vulnerabilities. Friends and co-workers navigated the murky waters of malicious apps and buggy Bluetooth. At the same time, I stuck to the more familiar world of notebooks, laptops, and the great outdoors (that last one had its bugs, unfortunately). This article attempts to answer the essay question of mobile device risk. Some statements will be fairly straightforward, with yes or no answers, while others will explore multiple choices. Still, all will include the shades of meaning and subtlety that are common to both language and cyber security. As a friend once told me, my job is to provide what information and insight I can; your job is to use the intelligent brain you’ve been given to do with it as you see fit. Together, I believe we can make our mobile devices more secure.
However, before we protect our devices, we need to know what we’re protecting them from. Smartphones are computers, just smaller ones. Like computers, they run applications on top of an operating system and hardware, and like computers, they are vulnerable to various attacks, including malware, OS vulnerabilities, browser attacks, and vulnerabilities in services such as Wi-Fi and Bluetooth. One thing that mobile devices are especially vulnerable to, which is not as often a concern for PCs and laptops, is theft. Whether targeted intentionally by thieves or left behind and taken from a public place, smartphones are physically smaller and easier to lose track of than their other computing counterparts.
One of the first basic distinctions between phones and their vulnerabilities is a familiar one: Android vs. iPhone. The way the iPhone operating system (iOS) runs and installs smartphone applications is much more secure than that of Android. iOS runs apps in a sandbox environment that severely limits how much damage a potentially malicious app could do even if it were downloaded (source). Additionally, the Apple iOS infrastructure only allows apps to be installed on iPhones from the official Apple App Store, which will only publish apps if they are rigorously vetted.
While Android applies its own set of security controls to limit app permissions, nearly 84% of smartphone malware attacks are still perpetrated on Android OS-based devices. Android is also much laxer in its vetting process for the apps it publishes on the Google Play store (the Android equivalent of Apple’s App Store). This allows for more variety and ease of access to applications on Android devices, but their corresponding “cybersecurity score” takes a hit.
One app exploit that takes advantage of the different ways in which iOS and Android verify and publish apps is the phishing or scam app: a fake version of a real Android or Apple app that is uploaded to the respective app store and manages to pass the vetting process without its malicious intent being detected. This is generally easier to do in the Google Play Store than in the App Store because of the difference in requirements. However, even Apple can fall victim to this. For a while, several fake versions of the widely-used MFA app Microsoft Authenticator published for Android and iOS were optimized so that they would actually come up before the real Authenticator app when searched for. These harlequin hacks attempt to paywall every QR code scan, store information about any MFA code added, and force users to upgrade to a paid subscription.
Malicious apps can also be loaded onto phones in more complicated ways. A phishing campaign in Korea directed users to malicious links that mimicked legitimate app download sites to install copycat versions of popular messaging apps. Not only that, but the attackers also took advantage of other apps’ security certificate infrastructure to install the dastardly versions even on iOS-based iPhones. Long story short, iOS has better security practices than Android, but iPhones are not foolproof.
As we have learned through all the blunders in human history, from opening the Trojan horse to selling Alaska, nothing is foolproof. Those of us whose profession is information technology have a plethora of fond nicknames for human error, but we can’t say them too harshly: we make our fair share of mistakes as well. Unfortunately, smartphones often make human errors easier to commit. Due to the smaller screen size and less immersive interface of mobile phones, hidden links and other malicious content are more challenging to see, making browser-based attacks a particular threat in the mobile device threat landscape (source).
Malware for mobile devices, as for PCs and laptops, comes in many shapes and sizes. Hackers use fake apps in the app store (as discussed above), malicious ads, social engineering, and unsavory URLs to deliver malware to phones. The many types of malware range from banking trojans (which steal banking information, bypass bank 2FA, and steal funds) to mobile botnet malware, which recruits your mobile device’s system resources to be used in the background for sinister purposes such as distributed denial of service attacks. Code to install these different types of malware can be hidden in advertising apps or installed via operating system backdoors.
The next attack vector, Bluetooth, is unique to smartphones and mobile devices in many ways. While laptops use Bluetooth too, it is less prevalent and less central to their functionality than it is for smartphones. Additionally, Bluetooth carries its own set of vulnerabilities to attacks such as Bluebugging and Bluesnarfing (neither of which, unfortunately, involves Smurfs). Bluesnarfing exploits the OBEX protocol to access sensitive information on the phone, such as calendars, contacts, and emails. Bluebugging targets phones whose Bluetooth is set to discoverable and takes control of many core phone functions, even allowing the hacker to eavesdrop on calls.
Now that we’ve dipped our minds into the manifold waters of mobile device vulnerabilities, how do we address this exploit-riddled landscape? There are a variety of solutions, some of which are very well-developed and mature from a cybersecurity perspective. The advent of mobile device management (MDM) systems such as Microsoft’s Intune has made it much easier for companies to mitigate the security threats to which mobile device usage exposes them. MDMs rely on an agent application installed on each smartphone a company uses, whether it is a company device or integrated BYOD-style. The agent reaches out to a centralized set of policies that specify which applications are white- or blacklisted, as well as which settings the smartphone OS should have to make it more secure. Microsoft Intune can control what apps can run on the phone, identify information proprietary to your company, and manage where it is allowed to go.
The capabilities available to a competent team of information technology professionals are nearly limitless.
To combat the threat of device theft, Intune offers another configurable MDM feature: the ominous-sounding “remote wipe.” This does exactly what it sounds like it does. In the case of device theft, an administrator can go into the Microsoft Intune portal, select the stolen device, and wipe any confidential or all data from the storage system.
Microsoft Intune and other MDM solutions are designed to configure and manage all security controls to keep smartphones safe from a centralized location. This allows companies to inventory the devices in their environment, verify that they are configured securely, and monitor activity on them. All of these controls could be managed manually by each respective IT department. Still, the amount of work that would go into using the manual method compared to the number of details that would still slip through the cracks makes such a herculean effort unlikely to pass a decent cost-benefit analysis.
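As an added illustration (not Intune's or Intrada's code), the following is a minimal compliance evaluator of the kind an MDM agent and its policy server implement together: it checks each inventoried device against required OS settings and a blocklist, and maps the result to an allow, block, or remote wipe action. The device records, the policy, and the app identifiers are all constructed sample data.

```python
# Added example: minimal MDM-style compliance evaluation over a constructed fleet.
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    os: str                  # "android" or "ios"
    os_version: tuple        # e.g. (14, 0); tuples compare element-wise
    encrypted: bool          # storage encryption enabled
    screen_lock: bool        # PIN/biometric lock configured
    rooted: bool             # rooted (Android) or jailbroken (iOS)
    apps: set = field(default_factory=set)   # installed package ids
    reported_lost: bool = False              # user/helpdesk flagged theft

# Constructed policy: the "centralized set of policies" the agent pulls down.
POLICY = {
    "min_os": {"android": (13, 0), "ios": (16, 0)},
    "blocked_apps": {"com.example.fake-authenticator"},  # placeholder id
    "require_encryption": True,
    "require_screen_lock": True,
    "block_rooted": True,
}

def evaluate(device, policy=POLICY):
    """Return the list of policy violations for one device (empty = compliant)."""
    violations = []
    if device.os_version < policy["min_os"][device.os]:
        violations.append("os_outdated")
    if policy["require_encryption"] and not device.encrypted:
        violations.append("storage_unencrypted")
    if policy["require_screen_lock"] and not device.screen_lock:
        violations.append("no_screen_lock")
    if policy["block_rooted"] and device.rooted:
        violations.append("rooted_or_jailbroken")
    for app in sorted(device.apps & policy["blocked_apps"]):
        violations.append(f"blocked_app:{app}")
    return violations

def action_for(device, policy=POLICY):
    """A reported-lost device is wiped regardless of compliance state."""
    if device.reported_lost:
        return "remote_wipe"
    return "block_access" if evaluate(device, policy) else "allow"

# Constructed inventory for demonstration.
FLEET = [
    Device("alice-pixel", "android", (14, 0), True, True, False, {"com.example.mail"}),
    Device("bob-iphone", "ios", (15, 2), True, False, False),
    Device("carol-galaxy", "android", (13, 0), True, True, False,
           {"com.example.fake-authenticator"}, reported_lost=True),
]

def fleet_report(fleet=FLEET, policy=POLICY):
    """Map device name -> (violations, action), the view an admin console shows."""
    return {d.name: (evaluate(d, policy), action_for(d, policy)) for d in fleet}
```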
One more software-side solution that integrates well with MDMs but is a separate and essential piece of the mobile device security puzzle is everyone’s favorite malware-murdering buzzword: antivirus. A good antivirus will go a long way toward helping smartphone-saturated security professionals sleep easy at night. No antivirus is foolproof (a brief cameo from the introduction), but not all fools are antivirus-proof. The harder it is for bad actors to compromise your devices, networks, and data, the more likely they are to target someone else. Water flows downhill, leopards don’t change their spots, your new white hoodie will get stained, and hackers take the path of least resistance. It’s worth mentioning that the path of least resistance rarely includes smartphone antivirus.
The last (but far from least) section of mobile device security to explore is policy and usage. Employees ought to be educated about the risks of mobile device use and made aware of the measures they can take to avoid compromise so that they can increase security for both their work and personal lives, whether their devices are locked down via an MDM or not.
On the work side, companies should address the use of mobile devices within the organization using a policy specifically designed to describe proper mobile procedure, including an acceptable use agreement and the required registration of any mobile devices used for work purposes. This policy will communicate the company's expectations for their employees concerning securely using mobile devices. This policy can also contain good advice for mobile browsing and usage habits and ways to set up the phone itself more securely.
After the policy is written, it’s time to put the gritty in the nitty of employees' understanding of basic good practices for smartphone security.
In conclusion, security for mobile devices is the product of the intermingling of multiple layers of interaction, from applications to operating systems, MDMs to antivirus, and administrators to end users. Policies, blacklists, remote wipes, browsing habits, and employee education all play a role in hardening the multivariate paths that bad actors must travel to compromise a mobile system. The path of least resistance principle still applies: there will never be zero hackable paths, but an aware, layered approach can make those paths consummately unappealing to those who wish to exploit them. An intelligently designed mobile security strategy with well-implemented solutions can allow your business to take advantage of the increased productivity of smartphones while keeping your cyber security team’s blood pressure under 120/80. I know I’d certainly appreciate it.