The art of securing mobile devices
Cyber criminals are targeting mobile devices as popularity explodes
By Troy Gill
Although mobile malware is a relatively new concept for some, the number and severity of mobile threats is on the rise and shows no sign of relenting anytime soon.
As more consumers rely on mobile devices to conduct business and banking transactions, cyber criminals will increasingly find ways to exploit such devices. That's why mobile malware is on the rise with no end in sight. In fact, there are entire Web sites full of rogue apps, many of which are designed to intercept banking credentials and token codes so that theft may occur.
The vectors for infection are very similar to those that have been used to infect PCs. Threats can exist on Web sites or within search results, e-mails, seemingly innocuous downloads, text messages and insecure public Wi-Fi hotspots. The most common method of infection (right now) is via app installation.
Cyber crooks are infecting popular mobile platforms through malicious applications and, unfortunately, no mobile platform is immune from the destruction it can cause. Although some form of malware has been found in all popular operating systems, the majority are now found in the Android market.
Android's open source software is something that gives the platform great appeal, but it is also the basis of its vulnerability. Users may enjoy the freedom to acquire apps both inside and outside the Android Market, but it doesn't come without risk. The Android Market allows developers to upload apps without first running through an established screening process like one that you might find at Apple's App Store or when using RIM's application for BlackBerry. As a result, Google detected more than 50 malicious apps within the Android Market, downloaded to approximately 260,000 Android mobile devices. (Google later remedied the infections remotely via an auto installed software update.) However, more malicious apps continue to be found, the majority of which are in the Android market.
While Google's remote "kill switch" might have been effective at removing the rogue apps, it was reactionary in nature and not a permanent solution to the underlying security problem. What's more, human nature is typically the weakest link in security. Many of the dangers surrounding malicious apps can be avoided with more scrutiny from the start.
Though the most recent malware outbreak was found on the Android platform, it is important to remember that there is malware readily available for every platform.
Users must also be aware of malicious apps designed around SMS fraud. Such apps send text messages from a victim's mobile device to numbers that are charged a premium, so make sure to look carefully at your bill each month.
There are many ways to tighten security on mobile devices. Today, BES and (provisionable) ActiveSync devices can be configured for policy management to effectively enhance mobile device security. For example, BES has hundreds of policies that can be controlled and used to help lock down devices via passwords, password policies, device encryption, remote data wipe, Web browsing, Installed applications and application specific settings, controlling device hardware (Bluetooth, camera, GPS, etc), employee monitoring, (txt, GPS) or Smart cards.
Additionally, here are some other key points to keep in mind (and share with your users) when securing mobile devices:
• Reputable Source—Avoid downloading apps from unknown sources and instead seek out official marketplaces.
• Review the Reviews—If you are downloading an app from an established marketplace, learn what others are saying first about the app in the review section.
• Permissions—Be aware of the permissions an app is asking for during install.
Safe Browsing Habits—Remember, the same dangers that exist on the Web (e.g., black hat SEO poisoning, social media, e-mail and SMS) can also exploit a mobile device. Remain vigilant about all Web surfing activity.
• SMS or VM Phishing—SMS and voice mail are common vectors of attack for phishing scams. Always call the institution directly and verify the information whenever responding to a questionable voice mail or text.
• Password Protection—Lost or stolen phones likely contain personal information, such as stored logins to banking or social media sites and could provide someone with access to sensitive information. Minimize this threat by password protecting your mobile device.
• VPN Access—When accessing corporate network resources via smartphone, utilize a SSL VPN connection to secure the session.
• Wi-Fi Hotspot Security—Nearly all smartphones are now equipped with Wi-Fi functionality, making them highly vulnerable to attacks. There are various tools available that allow even the least talented hacker to exploit Wi-Fi hotspots and intercept Web traffic. Avoid accessing any password-protected site or one where you will give any personal information (e.g., Facebook, Banking, Paypal) when connected to an unsecured Wi-Fi hotspot, such as those in a coffee shop or at the airport.
• Remote Wipe & Encryption—Utilize encryption software on smartphone devices to protect data in the event a device is lost or stolen. Consider using a remote wipe to brick the device remotely.
• Utilize Security Apps—While the offerings are not as robust as the anti-virus offerings available for PCs, there are still some very good security apps available on the market for mobile devices.
• Update—Always remember to keep mobile device operating systems and software up to date.
Smartphones have placed the power of personal computers in the palms of our hands. But it takes smart usage and strong security practices to keep personal data out of the wrong hands.
Troy Gill, GPEN, is a senior security analyst for AppRiver, which provides e-mail and Web security solutions to more than 45,000 corporate customers. Gill monitors customer data to identify cyber threats, methodologies or vulnerabilities that present threats to IT operations and identifies methods for blocking them. For more information, visit the AppRiver Web site: www.appriver.com.