Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Countering The Latest Mobile Device Security Threats

DZone's Guide to

Countering The Latest Mobile Device Security Threats

The proliferation of mobile devices presents a real security problem for most enterprises. Learn how to curb these threats and remain compliant.

· Security Zone
Free Resource

Address your unique security needs at every stage of the software development life cycle. Brought to you in partnership with Synopsys.

Overview of Mobile Device Security Issues

According to reports, for over a decade, mobile device security has been at stake. With the intervening years, security threats have grown at a high pace. The first mobile virus happened in 2004 and affected Symbian Series 60 phones, then in 2009, another worm was discovered that affected iPhones. Further, in 2010, Android phones were affected, and in 2015, an Android virus was released that could capture all your contacts using an SMS containing a link to install a phony Amazon rewards app. By the end of 2016, security threats in mobile devices had increased by almost 30%. 

This transition from PC to mobile is a major switch. However, it has also brought with it a dire need for scrutiny. IT enterprises now have to think of a new approach to defining security strategies and management tools to minimize risk as well as secure the data in mobile devices.

Why Is There a Need for New Security Strategies?

  • To ensure secure access to and transmission of information.
  • To ensure reliable business conduction.
  • To avoid data or identity theft.

Considerations to Take Into Account When Switching to a Mobile Device

  • Bid Goodbye to Old Security Models
  • Inevitably, the old security model— agent-based security method - works very well in the case of a PC operating system event, but when we talk about a mobile-based environment, it is no longer relevant. The reason being, the difference in the design of their operating systems. The mobile operating systems are backed by the sandboxed architecture that demands isolation of associated data as well as apps that need the distinct mechanism to interact and share data. Thereby, there is a high need for security.

  • Say No to Complete IT Control Over Mobile Devices
  • The mobile computing environment is all about the end-users. An individual chooses the platform that best caters to their personal preferences and offers convenience. It is in complete contrast to the PC world, as here, the company provides an approved PC along with pre-selected apps set to the end-users. 

The pace at which mobile devices are accelerating and improving the productivity of business is causing organizations to expose themselves to security threats and risks. As spyware and viruses affect PCs, some security threats affect mobile devices too. Broadly, these mobile security threats are categorized into four vectors—application-based threats, web-based threats, network-based threats, and physical threats. Let’s look at each in detail.

Four Mobile Security Threats Vectors

Type 1: Physical Threats

The most common mobile threat is loss or theft of mobile devices. If we speak from a hardware perspective, then these devices can be re-sold on the gray market, but if we take a look at another aspect, then the sensitive information it contains, be it personal or organizational, and may be misused in several ways. Thereby, physical security is very critical for these smart devices.

Type 2: Network Threats

Both Local Wireless Networks and Cellular Networks support these devices, and each of these network types hosts diverse classes of threats.

  • Wi-Fi Sniffing
  • In this process, the data is seized when it journeys wirelessly amid devices and Wi-Fi access points. The reason being not every web page and application uses proper security measures.  Thereby, the unencrypted data can easily be intercepted or stolen by cyber criminals.

  • Network Exploits
  • In this process, the advantage of flaws in the mobile application, software, and operating system are being taken into account. During connection, malware gets installed to the device unawares. Other network-based threats can be due to Rogue access points and Man-in-the-Middle (MitM) attacks.

Type 3: Application-Based Threats

Applications have some security issues associated with them. While these malicious apps appear perfect on a site, however, they are meant for committing fraud. Further, these apps have the power to exploit legitimate software for fraudulent actions.

Four Categories of Application-Based Threats

  • Spyware
  • It typically collects as well as uses your personal information without your awareness and agreement. The significant chunk of data targeted is user location, email, contact list, browser history, private photos, call history, and text messages. It is stolen for financial fraud and identity theft purposes.

  • Malware
  • This software gets installed on your device and executes malicious actions without your knowledge. Malware can perform several actions such as: sending unsolicited messages, making changes to the data, or most dangerously, providing control to the attacker.

  • Vulnerable Applications
  • These apps are flawed. They are misused for malicious tasks, eventually, resulting in intruders or hackers gaining access to sensitive information, inhibiting the app's functionality, executing objectionable actions, and downloading apps to the device without your awareness.

  • Privacy Threats
  • These threats are produced by applications that may or may not be malicious. They gather your sensitive information and execute their function.

Type 4: Web-Based Threats

Unquestionably, the web-based threats are a serious subject of concern for mobile devices. The reason being the stable connection of mobile devices to the internet and the frequent use of web-based services.

  • Drive-By Downloads
  • This is an event in which when you encounter a web page that includes an application which will automatically download onto your system. In some cases, this auto downloaded application runs on its own, and in some, you have to take action to run the downloaded applications.

  • Phishing Scams
  • In this event, a trick is used to get sensitive information, like account numbers or passwords. It is taken into consideration using text messages, emails, Twitter, and Facebook to direct you to websites. These sites or messages look similar to legitimate sources.

  • Browser Exploits
  • Here, the advantage of an image viewer, PDF reader, flash player, etc., which are launched by the browser, are being taken. It is executed directly by surfing an insecure web page. The reason being they trigger browser exploits, which in turn, install malware and execute actions.

Different Mobile Device Security Risks

  • Client-Side Installation.
  • Unsatisfactory Server-Side Controls.
  • Broken Cryptography.
  • Unprotected Data Storage.
  • Poor Agreement and Verification.
  • Inadequate Transport Layer Protection.
  • Poor Session Handling.
  • Security Decision Using Unauthorized Inputs.
  • Leakage of Side Channel Data.
  • Disclosure of Sensitive Information.

Counter Measures to Prevent Data Loss on Mobile Devices

  • Say No to Data sharing.
  • Say Yes to Authentication.
  • Say Yes to Application lifecycle management.
  • Say Yes to Secure Operating System Architecture.
  • Say Yes to Remote wipe.
  • Say Yes to Network Security.
  • Say Yes to Encryption.
  • Say Yes to Secure browsing.

Various Mobile Security Protocols 

  • Virtual Private Network (VPN)
  • These networks deliver security and encrypt applications. The main aim of this network is to confirm that only legitimate and accredited users access the network. You can easily access this network without installing any add-on software to the end-user's device. Thereby, an individual can easily access, as well as share, data securely via security and encryption applications operating on the VPN.

  • Network Access Control:
  • In general, it is the usage of the defined set of security policies and specific protocols enforced by an organization for accessing a network. These rules, as well as policies, determine what an end-user can do along with the mobile device over the network.

  • Mobile Device Management
  • When it comes to the safety of mobile devices, mobile device management is a much-needed concern. The good thing is many of the mobile device management products comes with an in-built basic security functionality. This feature enables application provisioning, policy configuration, compliance reporting, and centralized visibility for any device that has the right to use your network resources. All of these functions are key security controls, and centralized management helps ensure security.

  • Data Classification
  • It is one of the best practices to avoid data leakage. Most of the mobile DLP technologies even rely on it. You simply have to create a standard Data classification and implement it. This scheme includes the broad categories - Secret, Top Secret, and Confidential – which state how to treat the information.

  • Mobile DLP Software
  • The key aspect of Mobile DLP is a monitoring facility. It allows IT to have a glance at the data that a mobile user accesses or downloads from the corporate server. The major benefit of this feature is that it generates warning signs. Owing to this signs, IT can act upon in policy infraction or data breach scenarios.

Tips to Ensure Data Protection in Mobile Devices

  • Be suspicious of unknown sites
  • Update your phone regularly
  • Use official App stores only
  • Ensure that you turn off MMS setting to auto retrieval
  • Do not open messages from unknown parties or portals
  • Use inclusive security software
  • Provide Apps security as well as privacy reputation

As none of the above solutions is foolproof yet all of these are quite efficient in offering significant protection.  Further, there may be scenarios where you have lost your data, and you need it critically, and none of the above-stated measures does not work efficiently.  In that instant, Data recovery services play a vital role.  While numerous companies ensure to deliver best mobile data recovery, yet Stellar Data Recovery stands apart from the crowd. With its assurance of maintaining the confidentiality of your data and restoring data while keeping the original format, this smartphone data recovery service.It Also complies with several international regulatory standards such as Personal Information Protection, Electronic Documents Act, California Security Breach Information Act, and Gramm Leach Billy Act (GLB), to name a few.

Final Thoughts

In this on command, on-demand environment, inevitably, smartphones, tablets, and other mobile devices are the remarkable tools for staying connected and keeping yourself updated. The reason being, the flexibility of choices starting from paying bills, shopping, to accessing emails, and much more. Now, if we look at the other side, we will learn how intruders or hackers are attacking mobile devices for fraudulent purposes. This threat is evolving at a high pace. Thereby, there is a high requirement for security, protection, management, and awareness for end-users.

No doubt, this pressure for mobile security is a challenge, but with these simple tips and countermeasures, you can easily limit your security vulnerabilities.

Find out how Synopsys can help you build security and quality into your SDLC and supply chain. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

Topics:
security ,mobile security ,security compliance ,insider threats

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}