We sometimes hear military leaders voice concern about "fighting the last war." Security professionals worldwide make this same mistake when it comes to mobile device security -- clinging to strategies and tactics that proved successful in the past even though conditions have changed.
Mobile devices represent a unique and quickly evolving attack surface. As Android and iOS tablets and smartphones become more integrated into business environments, CISOs are scrambling to put in place effective countermeasures. But too often their efforts are largely focused on combating the wrong enemy. While malware remains a concern, an effective mobile security strategy must also address application data leakages, advanced adversaries and insider threats. Evolving attack techniques require new ways of thinking about security.
Mobile malware advances
While there's a lot more to worry about than malware, it isn't going away. Attackers will continue to use malware to steal sensitive data. As mobile devices and digital environments evolve, so too will malicious software. With the rise of virtualization, we're already encountering sophisticated malware that can detect if it's being run in a virtualized environment and change its behavior accordingly.
Any smartphone can also double as a recording device; advanced attackers can bug corporate board meetings with the click of a button.
Because mobile devices possess sophisticated sensors, we're also seeing programs designed to behave like perfectly benign applications until the device sensors detect that certain parameters have been met. Imagine this admittedly cloak-and-daggerish scenario: You install an off-brand clone of Angry Birds. This application behaves like a perfectly normal game ... until the geolocation sensors on your phone tell the application that you are within 500 feet of FBI headquarters in Washington, D.C., at which point it begins logging all the Wi-Fi networks or discoverable Bluetooth devices in range.
Malware has received a lot of attention from the media and IT professionals alike, as it's a rather familiar foe. Android devices in particular have a reputation for vulnerability thanks to their ability to run applications delivered outside the Google Play store. Malicious actors have also come up with clever ways to bypass Google's security. Android malware dubbed BadNews was spotted in 32 Android apps available for download in Google Play last April. It circumvented Google's Bouncer server-side scanning and its local Verify Apps feature on Android devices because it was distributed to mobile devices "at a later date" via an ad network. (At the RSA Conference in February, Google announced plans to update Verify Apps so that it will work on non-Google Play applications.) The malware has the ability to download additional apps and it prompted its victims, primarily in the Russian market, to install "Critical Updates," allegedly for premium-rate SMS fraud. Google immediately removed the apps once it was notified about the alleged malware.
According to the Cisco 2014 Annual Security Report, 99% of mobile malware in 2013 targeted Android devices. Statistics tell a more nuanced story. Google's lead engineer for Android security, Adrian Ludwig shared a study in October, which showed that of the 1.5 billion installs the company analyzed -- let that number sink in for a moment -- only 1,200 (about 0.00008%) were deemed potentially harmful. In spite of the perception -- and evidence -- that Android has been more heavily targeted by malware, its popularity and market share have grown rapidly worldwide.
Conversely, Apple does not generally allow installation of applications from outside the App Store, so it's normally much harder to distribute malware for iOS devices. But this same secure "walled garden" drives many users to jailbreak their devices, and the recent evasi0n jailbreak for iOS 7 was originally reported to harbor malware. Though it was denied by the creators and largely debunked, there is no question such jailbreaks could contain attacks.
Vulnerable applications pose high risk
Malware gets the most press, but researchers know it is not the only threat in town. Just because an application is not designed to be malicious doesn't mean it's safe. Focusing exclusively on malware ignores a more pervasive, though less publicized, threat -- data leakage due to unsecured applications.
We recently tested 100 popular applications (50 iOS, 50 Android) for man-in-the-middle and SSL attack vulnerabilities, whether they stored passwords and other sensitive data in their memory, and other common security concerns. We found that most applications (75% iOS, 59% Android) received a "High" risk rating in one or more categories, as shown in Figure 1.
Appthority did a similar study and found 95% of the top 200 free Android and iOS applications exhibited risky behavior. No application category seems to be immune. IOActive recently surveyed 40 consumer mobile banking apps from the world's biggest financial institutions and found 90% of them vulnerable to attack.
Advanced adversaries attack mobile
Nation-states and other advanced adversaries represent another growing threat in the mobile arena. Much was made about the dangers Olympic athletes and visiting press in Sochi might face from Russian criminals in the form of Wi-Fi honeypot traps and other nefarious schemes. However, the pervasive surveillance network the Russian government created to monitor all email, calls and text messages going in or out of Sochi turned out to be the real concern.
Exploiting the USB hardware of a mobile device can transform a smartphone into a hands-on keyboard that circumvents firewalls and other traditional defenses.
In China, corporate espionage has become an art form, and malware is just one tool in their arsenal. Chinese ZTE phones -- the Score M and Skate models -- were found to include a hardcoded "sync_agent" root backdoor. Vroot, a Chinese program ostensibly created to help you easily root your Android device, will also install a bundle of malware at no extra charge.
Any smartphone can also double as a recording device; advanced attackers can bug corporate board meetings with the click of a button. The built-in camera can similarly be remotely repurposed as a corporate espionage device. Exploiting a mobile device's USB hardware can transform a smartphone into a hands-on keyboard that circumvents firewalls and other traditional defenses. All IT professionals know that data on a smartphone can be compromised, but few are aware that, thanks largely to its hardware being remotely controllable, the mobile device itself can be used as an attack vector.
The enemy within
A comprehensive mobile security strategy must also address threats from within your organization. Protecting yourself from this type of threat is notoriously difficult. Mobile devices often traverse many networks, operating on both sides of your firewall. There are minimal management options, limited visibility of activity and no privileged accounts.
Some companies have invested in sophisticated technologies that can, for example, prevent certain email or files from being forwarded to anyone outside a designated network. That's a great deterrent, but smartphones have a screenshot feature so someone wishing to share sensitive data need only capture its image in order to share it with whomever they choose.
Proactive strategy built on mobile security 2.0
So how can you protect your organization from all these various threats? The bad news is that there is no magic bullet. But the good news is that you can take steps to make your organization more secure. Too often security professionals have relied on static signature security measures. But these aren't scalable for mobile.
Instead, your mobile security strategy should proactively assume a defensive posture. This includes developing a mobile kill chain to thwart hostile actors at any stage of an attack. When travelling abroad to countries that may place you at risk for corporate espionage, your employees should use devices clean of any sensitive information.
More broadly, maintaining mobile security means increasing visibility. Mobile devices and applications must be proactively monitored. You should know the following:
- What are employees doing on their phones?
- How is the information being stored?
- Where is data being sent?
- Are employees sending sensitive information over HTTP instead of HTTPS?
You are looking for patterns of behavior and anomalies. Does a certain user typically upload large amounts of data to Dropbox just after the quarterly financial reports are compiled? That's the kind of action you need to know about.
Enterprises must adapt to the ubiquity of mobile devices in the workplace. Ignoring the threat they represent means exposing your organization to data breaches, loss of customer trust, loss of revenue and violation of compliance and regulatory statutes. Security professionals must move beyond focusing on malware and enact proactive strategies to counter the whole host of threats mobile represents. Hostile actors will continue to evolve their methodology -- unless yours is also evolving, you may be in danger of fighting the last war.
About the author:
Andrew Hoog is CEO and co-founder of viaForensics. As a mobile security researcher and computer scientist, he has spoken at major banking, security and forensic conferences. He is the author of two books on security, iPhone and iOS Forensics and Android Forensics, and has two patents pending in the areas of forensics and data recovery. Hoog holds a bachelor of arts degree in computer science from Saint Louis University and is completing a master of business administration degree from University of Chicago's Booth School of Business.
Send comments on this article to firstname.lastname@example.org.