Today’s world has marked the dawn of an era where everyone is ‘always connected’ through mobile devices. With businesses increasingly allowing their employees to carry out work-related tasks on their mobile devices and with the growing popularity of the Bring Your Own Device (BYOD) movement, these mobile devices are causing information security concerns for IT teams. While most people know the importance of mobile security, getting a grip on it can be tough. This blog talks about the top mobile security risks faced by organizations and users, and ways in which these risks can be mitigated.
It is imperative to always encrypt sensitive data before storing it on your mobile to protect your privacy.
Use of mobile devices and mobile communications, for personal as well as business purposes, has become an inherent part of people’s lives today. However, with the increasing use of mobile devices, there has been a corresponding growth in the security risks and threats they pose. Mobile devices present a frustrating scenario for businesses trying to foil mobile attacks, as they offer hackers and cyber criminals easy access to your network.
Statistical Data from Check Point Survey
In June 2013, Check Point sponsored a global survey of 790 IT professionals based in the U.S., Canada, the U.K., Germany, and Japan. The survey findings shown below highlight the relevance of mobile security today and the impact of mobile devices on corporate information security.
- Most large companies say that the cost of mobile security incidents each year exceeds $500,000
- 49% of companies stated that Android is the platform with the greatest perceived security risk, compared to Apple, BlackBerry, and Windows Mobile
- 94% of companies stated that lost or stolen customer information is a serious concern in a mobile security incident
- 79% of companies reported that mobile security incidents had taken place in a financial year
- 66% of companies consider careless employees to pose a greater security risk than cyber criminals.
Enterprises that allow their employees to access corporate data from mobile devices should consider adopting innovative mobile security management practices to protect their sensitive data and business reputation.
There are many complexities involved in mobile risk management and businesses will need to ensure that their service providers, technology environments and employees are adhering to their security protocols.
Types of Mobile Security Threats
There are several types of security threats posed when users use their mobile devices for personal as well as work-related tasks. Some of the security threats posed by mobile devices are categorized as follows:
Some of the mobile security threats are posed due to the risky behavior of users, which may cause a serious security concern to sensitive business data. Some such risky behavior includes:
- Bypassing security controls by jailbreaking/rooting devices
- Using unauthorized devices or apps to store organization’s sensitive business data
- Deliberately disclosing sensitive business data with malicious intention
- Using unauthorized cloud-based apps to share and sync data
- Using insecure apps from unauthorized third-party app stores.
Mobile Web-Related Threats
Many organizations build native applications that deliver online services through web-based applications. Such web-based applications have their own associated security risks, such as cookie stealing, browser exploits, phishing scams, drive-by downloads, and many more that also apply to mobile devices.
Businesses such as shopping malls and airports provide free Wi-Fi access points, and many users connect to them. This may expose your device to untrusted networks, which increases security risks. Such networks allow malicious parties to access and tap into the transmitted data using Wi-Fi sniffing tools, rogue access points or sophisticated Man-in-the-Middle (MitM) attacks. A MitM attack is a type of attack on computer security where an attacker secretly relays the communication between two parties who believe they are communicating directly with each other. The attacker may also alter the communication as it passes through this relay.
There are several ways in which a mobile device and its data can be compromised such as:
- “Jailbreaking” or “rooting” of devices by taking advantage of their software vulnerabilities.
- Connecting the device to untrusted public networks that may allow unauthorized parties to access sensitive business data.
- Portability and mobility of the mobile devices that make them vulnerable to theft and misplacement.
Native Application-Related Threats
There are several trusted as well as untrusted sources from which users may install and download native applications. These downloaded native applications from untrusted sources pose several security threats such as:
- The downloaded native application may be malicious software (malware) that provides a backdoor to the attacker or executes unwanted actions.
- The downloaded application may be insecure: it may have been tampered with, or it may contain code flaws that can be used for fraudulent purposes.
- Identity theft or financial fraud may be carried out via legitimate applications or spyware that gather the user’s sensitive information.
Security Slips to Avoid on Your Mobile Device
Most people have started using their smart mobile devices for business purposes. Such devices pose serious security threats and can have serious consequences for your personal privacy and security, as well as for your organization’s sensitive data. The following are some of the worst security slips that most people make with their mobile devices and how you can avoid them:
Accessing doubtful content: You should always avoid opening links from sources that you do not recognize. Another security slip that you should avoid is downloading apps from third-party app stores.
Using open, public or insecure Wi-Fi: You should avoid using public or insecure Wi-Fi networks and instead stick to using your phone’s data connection. If Wi-Fi use is needed, you should make sure that the Wi-Fi network you are accessing is a secure network with WPA2 encryption. Insecure or public Wi-Fi can allow attackers to hijack your device through your apps.
Not locking your device: Locking your device provides the first line of defense, keeping your lost phone protected long enough for you to track it down or wipe it remotely. You can use various mechanisms to lock your phone, including simple ones such as a PIN or a password, or advanced mechanisms such as a fingerprint scanner.
Not following your organization’s security and social media policies: You should always avoid sharing sensitive business data over social channels such as messengers. You should also be diligent about not sharing sensitive information about your organization in your social media circles such as the hiring or resignation of top management people, etc.
Using an unauthorized device to store sensitive, work-related data: You should avoid storing as well as accessing your company’s sensitive business data on unauthorized personal devices.
Having out-of-date versions of your apps: You should always make it a point to keep all your apps updated to their latest versions. Keeping your apps updated helps you overcome the vulnerabilities and security flaws of earlier versions, which the designers try to fix with each new release.
Top Enterprise Mobility Security Issues
The growing use and popularity of mobile devices for business purposes has given rise to a host of enterprise security issues. Let’s look at the top enterprise mobile security issues that businesses and you may face.
Leakage of Sensitive Data
Sensitive data may leak from your mobile devices in various ways, such as through poor handling of authentication credentials or through the way apps use device information. Sometimes, the leakage may be accidental or occur through a side channel.
Inadequate Authorization and Authentication
Another top security issue is the inadequate authorization and authentication of the apps and of the systems that the mobile devices connect with. Proper authorization and authentication are crucial because they make sure that the users, devices, and systems are authorized to transfer data in the app’s workflow. They also help to identify and block unauthorized users, devices, and scripts.
Unauthorized SMS, Dialing, and Payments
There are various ways in which unauthorized Short Message Service (SMS), dialing and payments may pose a serious security issue such as:
- SMS text messages may be used as a spreading vector for worms.
- Unauthorized payments may be used by attackers to directly generate money through a compromised device.
- Unauthorized dialing may lead attackers to make premium rate phone calls, premium rate SMS texts, and mobile payments on compromised devices.
Insecure Data Storage
Insecure data storage may lead to loss of data in various ways:
- For a single user: Data loss may occur if the user has lost his phone.
- For multiple users: Data loss may occur if an app is improperly secured, which leaves all users at a security risk.
Logic or Time Bombs
Logic or time bombs are also a common security risk posed by mobile devices. They are classic backdoor techniques that set off malicious activity based on a specific device usage, event, or time.
Hardcoded Passwords or Keys
- Developers of mobile operating systems generally use hardcoded passwords or keys as a shortcut to ease the implementation, support, or debugging of the application.
- Attackers may use reverse engineering to discover these hardcoded passwords or keys, which significantly hampers the security of the application or the systems. It makes the authentication with the hardcoded passwords and keys ineffective.
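An added example, not from the original article: a small Python scanner that a review team could run over an app's source or decompiled code to flag hardcoded passwords and keys before release. The patterns, the entropy threshold and the sample source are constructed for illustration.

```python
import math
import re

# Assignments whose name suggests a credential, e.g. API_KEY = "...".
NAME_RE = re.compile(
    r'(?i)\b(\w*(?:password|passwd|secret|api_?key|token)\w*)\s*[:=]\s*"([^"]+)"'
)
# Any string literal long enough to be key material.
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=_\-]{20,})"')
# Values that are clearly placeholders rather than real secrets.
PLACEHOLDER_RE = re.compile(r"(?i)^(changeme|example|todo|x+|\$\{.*\}|<.*>)$")


def shannon_entropy(value):
    """Bits per character; random key material scores high."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_source(text, min_entropy=4.0):
    """Return (line_no, reason, identifier_or_prefix) findings for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        named = NAME_RE.search(line)
        if named and not PLACEHOLDER_RE.match(named.group(2)):
            findings.append((line_no, "credential-named literal", named.group(1)))
            continue
        for literal in LITERAL_RE.findall(line):
            if shannon_entropy(literal) >= min_entropy:
                # Report only a prefix so the finding does not leak the value.
                findings.append((line_no, "high-entropy literal", literal[:4] + "..."))
    return findings


# Constructed sample resembling decompiled app code (all values are made up).
SAMPLE = '''
public class Config {
    static final String API_KEY = "k3Yt9QmZ2xLp8VbN4rWs7HdF";
    static final String dbPassword = "changeme";
    static final String GREETING = "Welcome back to the application";
    static final byte[] IV = decode("q7B2nX9cV4mK1zL8pR5tY3wE6uJ0sA");
    String password = prefs.getString("password", null);
}
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

The runtime lookup on the last sample line is not flagged, because the password there is read from storage rather than embedded in the code.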
Poor Control Over Lost/Stolen Devices
Another top mobile security risk is posed by the common problem of loss or theft of the device. Many people simply leave their mobile devices exposed to loss or theft. These mobile devices may not have built-in enterprise server control and remote management. Hence, if such a device falls into malicious hands, you cannot remotely wipe or lock it.
Insecure Transmission of Sensitive Data
Mobile devices pose a great security risk when sensitive data is not encrypted during transmission and is open to interception by attackers. Mobile devices are extremely vulnerable to this threat because they often use insecure public Wi-Fi. Attackers may also compromise mobile security through a downgrade attack that degrades HTTPS to HTTP, or carry out a MitM attack through invalid certificates.
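An added example, not from the original article: on Android, an app's Network Security Configuration file controls whether cleartext HTTP is allowed and which certificate authorities the app trusts. This Python audit flags the settings that leave an app open to the downgrade and certificate-based MitM risks described above; the sample XML is constructed, and inheritance is simplified to the base-config only.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an Android Network Security Configuration file.
SAMPLE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
    <domain-config>
        <domain>legacy.example.com</domain>
    </domain-config>
</network-security-config>
"""


def audit_network_security_config(xml_text):
    """Return (scope, issue) pairs for settings that weaken transport security."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_cleartext = base is not None and base.get("cleartextTrafficPermitted") == "true"
    findings = []
    scopes = [("base-config", base)] if base is not None else []
    for dc in root.iter("domain-config"):
        names = ",".join(d.text.strip() for d in dc.findall("domain") if d.text)
        scopes.append((names or "domain-config", dc))
    for scope, node in scopes:
        # Simplification: an unset value is inherited from base-config only;
        # with no base-config it is left to the platform default and not flagged.
        setting = node.get("cleartextTrafficPermitted")
        if setting == "true" or (setting is None and base_cleartext):
            findings.append((scope, "cleartext HTTP permitted"))
        for cert in node.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append((scope, "trusts user-installed CAs"))
    return findings


if __name__ == "__main__":
    for finding in audit_network_security_config(SAMPLE_CONFIG):
        print(finding)
```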
Activity Monitoring and Data Retrieval
Another top security risk posed by mobile devices is through activity monitoring and data retrieval in the following ways:
- When attackers listen to your phone calls or record through an open microphone.
- When attackers make sure that the email sent from your devices is also being sent to a hidden third party address.
- When attackers retrieve saved email, stored data, messages, or contact list.
System Modification (rootkit, APN proxy config)
- Rootkit behavior, where malicious applications often try to change the system configuration to conceal their presence.
- Such configuration modifications also allow the possibility of certain other attacks, such as:
  - Changing the device proxy configuration.
  - Setting up e-mail forwarders to copy received messages.
Unauthorized Network Connectivity
Following are some of the ways in which unauthorized network connectivity may pose a security risk to mobile devices:
- The user may authenticate himself and end up sending his credentials to an attacker.
- Your mobile device’s web view applications may be a proxy to a legitimate website.
- Attackers may carry out phishing attacks that pose as the website of a bank or online service.
- When mobile devices communicate with other systems, several possible vectors may be used by a malicious app to send data to the attacker.
- An attacker may use exfiltration to benefit from spyware or other malicious functionality.
- Attackers may use a malicious app to create an imitation of a UI that looks like the phone’s native UI or the UI of a legitimate application.
Rogue Apps and Malware
One of the top security risks faced by mobile devices today is the growing emergence of new and evolved malware that is well disguised as Android applications. As more and more devices and technologies emerge in the market, the chances of them being a target for malicious attacks are also increasing.
Insecure Sensitive Data Storage
Another security risk is posed by mobile devices that store sensitive data without any form of encryption, which makes the data vulnerable to retrieval by attackers. Various kinds of sensitive data may be stored on a mobile device, such as credit card numbers, service passwords, banking and payment system PINs, etc. It is imperative that sensitive data always be stored using encryption or on removable media such as a micro SD card.
How Can Organizations Protect Mobile Devices, Data, and Privacy?
The following are some simple measures that organizations can follow to protect their mobile devices, data, and privacy:
- Record the IMEI number of the mobile device
- Protect phone backups in a safe location
- Keep a check on the use of third-party software
- Perform regular mobile security audits and penetration testing
- Create distinctive and secured mobile gateways
- Wipe out any data from old mobile devices
- Install proper antivirus and anti-malware software on mobile devices
- Enable the remote wipe facility, if it exists
- Always make sure to dispose of mobile devices safely without exposure to any data theft
- Download apps from only trusted and reputable sources
- Always use a strong authentication mechanism on mobile devices
- Provide encryption and strong authentication for secure mobile communications
- Choose secure mobile devices
- Encourage users to lock their mobile devices when not in use.
Mobile devices, such as smartphones and tablets, offer a wide range of privileges – always being online, mobile lifestyles, entertainment, messaging, communication tools, a range of apps – and enrich your lives. However, in exchange for these privileges, you have to give up your privacy, sensitive information, and identifiable data. Hence, it is crucial for both enterprises and individual users to understand the relevance of mobile security and follow security practices to protect privacy and data.
ExterNetworks is a single source provider for end-to-end Managed Wireless and Mobility Solutions that addresses your mobile device risk management challenges. ExterNetworks seamlessly delivers Mobility Solutions for a broad range of applications, technologies and enterprises by providing you access to experienced resources with specialized skills.
We assist you in rapidly mobilizing your business by reducing complexity, time-to-set-up, and infrastructure costs. We implement and deploy your mobility security solution that has augmented security and controls, while our advanced reporting tools provide you a comprehensive report for operational visibility. We carry out 24x7x365 proactive analysis to identify potential issues before they can pose a problem to your business. We also initiate maintenance, based on advanced diagnostic tools, when we identify a problem and help to improve service levels by quickly identifying the root cause of incidents.