Smartphone Security: Changing Every Day
By:Mike Bailey
Mobile devices changed the game for information security. There are new app stores, new rules with these devices, and critically they’re tied to most end users 24 hours a day. I already discussed how physical and cyber security (with mobile devices) are tied together at the hip (link once the blog is up). Let’s take a look at some current vulnerabilities with these devices.
App Stores and Smartphone Security
To date in Apple’s app store there are 1.2 million apps and users have completed 75 billion downloads. Apple has tried its best to brand itself as the safer alternative to Google’s equivalent “Play” store, but that doesn’t mean that either are safe.
Network World reported that in a recent study by HP, they found that 90% of iOS apps had serious security vulnerabilities.
“More specifically, HP said that 97% of these apps inappropriately accessed private information sources within a device, and 86% proved to be vulnerable to attacks such as SQL injection.”
Things don’t look great for Google Play either. RiskIQ noted in its own study that the percentage of malicious apps on the Google Play store has grown 388% from 2011 to 2013. Even worse is that in 2011 Google was able to remove 60% of malicious apps, which has dropped to only a 23% removal rate in 2013.
The overall findings point to mobile application stores as being very dangerous, not only due to malicious apps but also improperly designed apps housing important company data. Your end users should be trained to avoid these malicious apps, and avoid apps (like email or file-sharing apps, for example) that are unsafe to use for company accounts unless approved by IT.
Device Locks- or lack of them
Apple has done a commendable job of bringing a higher level of security to mobile products. They recently reported at WWDC 2014 that 83% of users are now using “Touch ID”, a fingerprint scanning technology to unlock their devices, where previously less than 50% of users were using passcodes to unlock their devices. Samsung has also put fingerprint sensors into its newest phones.
Despite this, you need to keep your user base in mind, who are likely using older or different devices. If end users are using passcodes, are they good passcodes? Are users leaving their device unlocked in heavily trafficked areas? Are the passcodes something as simple as 1234 or the user’s birthday? Are users making sure there aren’t social engineer “shoulder surfers” looking as they enter a code? All good questions for security professionals to ask.
Portability
“Shoulder surfers” who are looking as users type in passwords or other sensitive information represent a clear and present danger for end users. But even more so, the portability of devices means there are many situations that can be dangerous.
Consider the following:
- An end user leaves his phone on a table at a busy coffee shop to walk a few feet and grab his coffee.
- An end user leaves her company smartphone on the hotel bed when she goes to the gym.
- An end user accidentally leaves Bluetooth “on” on their company phone and in “discoverable mode.”
These are situations that don’t follow the best practices to keep the devices from being stolen and/or having sensitive data compromised and end users will encounter these situations hundreds of times throughout the year.
Sharing: Digital and Real-life
Our lives have become infinitely shareable- now that there are social networks for everything. Sharing is an inherent vulnerability due to the types of data attached or associated with certain messages. It can happen unknowingly.
Let’s say, for instance, an executive of your company visits another country to meet with a potential investor. They take some pictures because of the great view from the investor’s office and post them to Facebook.
Unknowingly Facebook attached their specific location to the photos, and due to lax personal privacy settings, the whole world now knows the investor this person is visiting, months before there was supposed to be any announcement.
Or imagine an employee answering a phone call in a crowded airport talking about a potential upcoming merger. Someone sitting nearby works for a competitor and takes note of the discussion.
There are endless possibilities for end users when sharing content, or simply having a phone call.
Smartphones: The Double-Edged Sword
Smartphones represent a huge amount of benefit for end users. Convenience, speed, mobility and many other factors make them wonderful work devices. But smartphone security issues also create a more complicated atmosphere for information security programs. It never hurts to reach out to your end users to improve awareness and eventually provide training- thousands of top companies are proactive about investing in their people to improve IT security.