Millions of new smartphones and tablet devices will be activated over the next few days, and long after the gift wrapping is recycled and the Christmas tree is dragged to the curb, cybercriminals and overzealous app makers will be looking to make money off of what many people consider to be sensitive information.
The bow may be bigger than the box, but in this case, size doesn't matter. Devices are now powerful enough to support a range of new features. Near field communication (NFC) technology can enable mobile payments simply by holding the device to a reader, potentially exposing sensitive financial information. Geolocation data, often tied to a number of unassuming apps, poses data privacy issues.
Experts estimate that 6.8 million mobile devices were unboxed and activated at Christmas last year, and with new models constantly coming to market, the growth rate continues to climb. Often those getting a new device fail to consider ways to mitigate the privacy and security risks introduced when activating it for the first time, according to Trend Micro. The security firm issued an infographic outlining some basic steps new device owners can implement to provide adequate protection.
Smartphone apps make the device powerful. While the device browser can be used to make purchases or log into most online banks, applications provide additional functionality and ease of use beyond the device browser. There is cause for concern, experts say, because a number of studies have documented the wide range of data being collected by legitimate smartphone applications. The data, from contact information and location data to browsing history and device usage statistics, can be shared with third-party advertising and marketing firms, prompting fear from privacy advocates that controls are needed to restrict intrusiveness.
Top 5 mobile threats:
Mobile malware may capture the bulk of the news headlines regarding enterprise mobile security, but the threat of data leakage and device loss and theft may be just as, if not more, important.
- Device loss
- Device theft
- Application security
- Data leakage
- Malware attacks
These were among the chief concerns of respondents to SearchSecurity.com's 2012 enterprise mobile security survey, which was conducted in the second quarter of 2012.
In an interview at the 2012 Black Hat conference, Domingo Guerra, president and founder of Appthority, stated the problem clearly: "Developers want to monetize, consumers want free apps and ad networks will pay developers to get all that juicy data from developers," Guerra said.
When an application is installed, users should pay close attention to the permission requests of that app, experts say. Depending on the application, users can choose to simply grant permission to certain data or reject permissions. Keep in mind that rejecting permission often limits the functionality of the app. Trend Micro points out that some gaming apps request location data simply to provide advertisers with the information. Before installing an app, check out its rating and ensure that it comes from a legitimate developer.
Introducing a smartphone to a teenager? Free apps aren't necessarily free. Some games limit the functionality of the app, prompting users to make in-app purchases that can quickly rack up credit card charges. Nearly all devices contain a feature to disable in-app purchases.
Security experts are also advocating better password management to limit the damage if your email and account credentials are stolen. Use a different password for every social network and service that requires credentials. Use a combination of letters, numbers and characters. Consider managing complex passwords with a password manager app.
Lost, stolen device? Contact corporate IT first
Many experts say a lost or stolen device currently represents the biggest threat to data security. While most thieves will attempt to wipe the device and sell it, a smartphone or tablet that isn't passcode protected provides open access to anyone. Apple, Google and Microsoft provide a device location finder feature, but in most cases, the functionality has to be enabled.
Remote wipe capabilities are also available. Some security apps provide remote wipe capabilities. For example, in addition to finding the location of the lost device, San Francisco-based Lookout Inc. can remotely lock and wipe Android devices. It can even wipe the device's SD card, which commonly contains personal data.
Do NOT immediately contact your carrier if the device is lost or stolen. If your device has access to corporate information, such as work contacts, work applications and email, enterprise CISOs have been increasingly advocating that employees should contact corporate IT first. Contacting the carrier first could remove the device from the carrier's network and eliminate IT's ability to wipe any corporate data from the device.
Security researchers have uncovered vulnerabilities tied to the implementation of the new technology in devices supporting NFC. Researcher Charlie Miller found that the default settings on some devices keep an open communications channel that, under certain conditions, enables NFC to be used by a savvy attacker to gain access to the device. He demonstrated how the weakness can be used to gain access to the browser and steal passwords and other account credentials.
NFC is designed to enable devices to communicate wirelessly within a short radius to provide a variety of features. It can be used to simply share a file, such as a photograph or digital business card between two devices. The payment industry sees its potential as a digital wallet, enabling device owners to make everyday payments by simply holding the device up to a payment kiosk. Miller was able to demonstrate a successful NFC attack on two Android-based Nokia N9 and Nexus S Samsung smartphones. The technology is supported in a number of Android devices and the latest Windows Phone device from Nokia.
Experts say the risk of being targeted with an NFC attack is low due to the need for an attacker to be within a short distance of the victim. Patch management is the first mobile security tip consistently advocated by experts. Keep the device updated with the latest firmware – sometimes easier said than done. Ensure that smartphone apps that use NFC are also updated. Enable the device locking feature, setting a passcode to gain access to it. By enabling the passcode feature, device owners also enable encryption.
Limit trust, always verify
Smartphone operating systems have been built with security in mind. Sandboxing has been introduced to make it difficult for attackers to break out of a browser and access running processes; apps are required to have a digital certificate so the device can verify authenticity; and mobile app stores typically vet applications for serious threats. With that said, malicious applications – mainly from third-party app stores – and mobile device attacks – SMS Trojans designed to rack up premium text charges – have been detected by security firms.
Establishing basic security measures can help mitigate the potential of becoming a victim. Never fully trust that the activity on your mobile device is secure. Don't click on links from untrusted sources. Get a random link or attachment from a friend or colleague? Check in with them first before clicking the link or opening the attachment. Verify the website in your mobile browser is legitimate, especially if it is requesting credentials. Use strong passwords and restrict permissions for certain applications.