Mobile Apps: The New Attack Frontier

February 10, 2016

In 2004, Kaspersky Labs discovered a virus, “Cabir”, which it believed to be the work of professional virus writers attempting to prove that no technology or device was safe from their attacks. The virus infected Nokia phones running the Symbian operating system. It was the beginning of a new threat, and now we are about to see its dark side.

Mobile apps increase productivity but can also leave a user with all kinds of security and data privacy risks, including loss or theft of devices, data leakage, the spread of malware and unauthorized access to enterprise networks and systems. Adding to concerns about mobile security is the bring-your-own-device (BYOD) culture.

According to Ravikumar Sreedharan, VP, Application Services & MD, Unisys India, “Enterprises need to ensure that they secure both corporate issued and BYO devices. Companies should consider building enterprise application stores as a way to improve distribution of both corporate custom apps and sanctioned consumer apps that can help users conduct business on mobile devices. They also should encrypt enterprise data (while leaving out personal data on BYO devices) besides enforcing app passwords and remotely erasing enterprise data in cases of theft of corporate issued devices.”

Increasing usage of mobile devices around the world has brought web threats from conventional PCs to our smartphones. App stores are software download hubs, while mobile apps serve as programs we download onto our mobile devices.

Users who download from app stores may end up downloading malware instead, and because of this, mobile apps are the new frontier for threats.

In light of smartphone consumerization and lack of awareness amongst the users, cybercriminals are taking advantage of this trend by creating malicious apps for mass-scale distribution.

Why are mobile apps being targeted?

The demand for mobile applications is growing with the increase in smartphone usage, and consumers can choose from Android Play Store, the iTunes App Store, Windows Phone Marketplace, BlackBerry App World and Samsung Apps depending on their OS.

According to Gartner, by 2017, the focus of endpoint security breaches will shift to tablets and smartphones, and already there are three attacks on mobile devices for every attack on a desktop machine. Also through 2017, 75 per cent of mobile security breaches will be the result of mobile application misconfigurations — such as the misuse of personal cloud services through apps residing on smartphones and tablets — rather than the outcome of technical attacks on mobile devices. Android, which is an open-source OS, is considered vulnerable.

According to Tarun Wig, Co-Founder, Innefu Labs, “Open-source software allows third parties to view, modify and even relicense the software. The security of open source software is a key concern for organisations planning to implement it as part of their software stack, because source code is publicly available and accessible to hackers and malicious users.”

Android vulnerability

Android smartphones are very popular all over the world: 57.29 per cent of the world population uses them, followed by iOS and Windows. The Android platform has become the target of continuous cyber-attacks due to its app distribution model, which makes it open to any developing parties.

According to Symantec’s Internet Security Threat Report (ISTR.20), 17 per cent of all Android apps (nearly one million total) were actually malware in disguise. This includes 46 new families of Android malware in 2014. In addition, there are perhaps as many as 2.3 million “grayware” apps that, while not technically malware, display undesirable behaviour, such as bombarding the user with advertising. A number of new Android vulnerabilities could allow remote attackers to compromise affected devices by simply sending them a malicious multimedia message (MMS).

According to Ritesh Chopra, Country Manager, Norton by Symantec, “A recent Android vulnerability was Stagefright. These vulnerabilities pose a threat to Android users since in most cases, the victim simply has to look at the malicious message to trigger an exploit. The Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities affect an Android component known as Stagefright, which is responsible for handling media playback. Successful exploitation of any of these vulnerabilities could provide an attacker with remote code execution capabilities. This could enable an attacker to install malware on the device and steal data from areas accessible with Stagefright’s permissions.”

Risks of downloading from app stores

In more recent times, the focus has shifted from quantity to quality to provide a greater end user experience. While the use of mobile apps is necessary for end users, their use should come with a serious health warning. In 2014, Symantec’s ISTR.20 found that grayware apps, which aren’t malicious by design but do annoying and inadvertently harmful things like track user behaviour, accounted for 36 per cent of all mobile apps.

We have seen time and time again that a significant proportion of mobile app developers do not follow best practices when it comes to information security. Research by Symantec on the security of popular health and fitness apps found that many mobile apps do not securely handle user credentials and actually compromise user or device security and privacy in various ways. “Many mobile apps can unintentionally leak other personal data because of how they execute their functionality. Mobile apps also have their fair share of exploitable vulnerabilities which could allow attackers to steal information and perform other malicious activities,” said Ritesh Chopra of Norton by Symantec.

Other risks to security may include unwanted activities such as accessing premium rate services, click fraud, virtual currency mining, and other undocumented features like back doors.

Thus, while apps are fun, boost your productivity and make your life easier, certain “rogue” apps carry significant risks.

How to tackle smartphone security threats?

With the increase in the popularity of smartphones and tablets, hackers are increasingly turning to mobile devices, as hacking them is quite easy when compared to a laptop. We have faced the expensive and embarrassing consequences of not taking security seriously before, and it’s always better to learn from the mistakes of the past.

Here are a few tips by Sridhar Iyengar, Vice President, ManageEngine, which users can follow to protect their devices:

Mobile Containerization: Containerization means corporate information is stored in secure, encrypted containers while the mobile end-users’ personal space is left completely unhindered. The enterprise IT admins get full control of the container, to which they can silently push applications and monitor the flow of information. This is one of the top mobile security practices, especially in BYOD and COPE environments.

Device Encryption: Data encryption is crucial for many industry sectors such as law, healthcare, and government, as they hold a large quantum of highly confidential information. This security method is still as important as ever, as it renders the mobile phone data useless to the hacker or mobile device thief.

Selective Wipe/Remote Lock: These options are pertinent for enterprises that permit BYOD programs. Selective wipe can be used to erase only the enterprise information on the employee-owned device when he or she decides to leave. Remote lock can be immediately enabled when employees fear that their devices are lost.

Awareness/Education: A lot of security practices deal with communicating awareness to the device end-users. Educating them about certain practices, such as enabling user authentication with a strong password or PIN and setting up a VPN to access corporate data, is highly important for adequate mobile device security.

To Conclude…

Security should be the key focus point for developers when developing new apps and operating systems. It is a highly attractive selling point in this connected age and improves the reputations of developers, leading to future sales and helping them avoid damaging publicity or even lawsuits.

With every business having its own dedicated app, it will be necessary for security managers to make a clean and comprehensive assessment of their security risks, as the future depends on it.

