As the number of mobile device users increases each year, the concern of mobile security becomes more critical than ever. Mobile security is the protection of portable devices such as laptops, smartphones, tablets, and smartwatches from threats and vulnerabilities. Now, people are commonly using mobile devices for tasks that involve sensitive data like credit card numbers, social security numbers, and important banking information. According to data from Ericson and Tune forecasts, the number of smartphone users will increase by approximately 800 million users in 2017 alone. This creates a larger target for hackers and significantly more sensitive data to be stolen.
What You Need To Know
There’s no argument that the growth of mobile technology is transforming our world. While our untethered “new normal” presents significant opportunities and advantages for businesses and individual users, the opportunities extend to people looking to use those advantages for crime as well.
However, mobile risks and threats don’t have to be roadblocks to implementing mobile computing and achieving its business benefits. Not if you take the appropriate steps to secure your mobile devices. In this two-part article, we provide some high-level essentials for helping you understand the risks of the mobile platform – and provide countermeasures for embracing mobile technology more confidently and securely in your environment.
A Brief Mobile Primer
Just as servers and desktops offer different operating systems (Linux, UNIX, Windows, Mac OS, etc.), mobile devices have operating system options including the most prominent: iOS (Apple) and Android (Google).
Similar to servers and desktops, Apple and Android mobile devices each have distinct user interfaces and coding languages (primarily Objective-C for iOS and Java for Android). Both support a variety of mobile applications each designed to deliver specific functionality (“There’s an app for that!”) contrary to the more integrated functionality of desktop software packages (e.g., Microsoft Office or Adobe Creative Suite).
As a result, there are differences in mobile application development requirements and best practices across the mobile platforms as well as across the main types of mobile applications. Below are three of the main types of mobile applications that you may run into:
- Native Applications – are purpose-built for a specific operating system (e.g. iOS).
- Hybrid Applications – are built to be used on multiple platforms and use web technologies to access native device capabilities.
- Mobile Web Applications – run code in the device’s browser and allow the user to interact with a website as if it were a native application (e.g. Amazon.com), but do not reside on the device itself.
Due to the nature of how mobile devices function, they tend to have unique vulnerabilities when compared to desktops and servers, each with its own idiosyncrasies, built-in defenses, attack vectors, and threats. For example:
- Physical Size – The small size of mobile devices enables their distinctive portability – but makes them more susceptible to being lost, stolen, or temporarily misplaced. Once a mobile device is out of the authorized user’s hands, the device’s stored user credentials, personal and corporate data, and gateway applications (such as VPN) for authorized access to corporate systems are at risk. In addition, the smaller screens and keyboards of mobile devices often force developers to make security trade-offs to accommodate a better mobile user experience.
- Mobile Connections – Mobile devices connect through a variety of networks to access, receive, or transmit data – sensitive or otherwise. Networks include GSM, 3G, and 4G; Bluetooth, 802.11-based wireless networks, and SMS and MMS texts. Each has its own security strengths and limitations, and each is a vector for remote exploits including data leakage or interception by malicious users – particularly if the mobile user isn’t aware of the dangers or vulnerabilities.
- Data Privacy and Security Concerns – Mobile applications can take advantage of mobile-specific capabilities such as precise and continuous device location information (a weather app that uses device location to display local weather), physical sensor data (Touch ID), personal health metrics (Fitbit), and photos and audio about the device’s user. The data collected by, stored in, and often transmitted by these mobile applications, though, raises privacy and security concerns if that information is exposed via these applications to unauthorized users.
- Mobile Risks and Attacks – Mobile applications are implemented in many of the same languages as their desktop and web counterparts (e.g., Objective-C and Swift for iOS, Java for Android), and therefore are susceptible to many of the same vulnerabilities and attacks associated with those languages including infection and compromise by malicious software including spyware, Trojan horse programs, worms, and computer viruses. Phishing and other social engineering tactics prey on the weaknesses of the users. Other attacks target the mobile application itself, the server to which the mobile application speaks, unprotected internal APIs, alternate routes through and around security checks, and open server ports.
As with any technology channel, there are risks and threats associated with the mobile platform. It is possible for organizations to mitigate the potential risks and vulnerabilities during the development of mobile applications by establishing (or optimizing) formal security policies, procedures, and standards; education and training; and security engineering activities. These strategies are discussed in more detail in Mobile Risk and Threats, Part Two: Implementing Countermeasures.