As mobile devices grow more integrated into people's personal and work lives, attractive new features could leave users open to all kinds of abuse

The mobile device revolution is arguably the most significant change in computing since the shift away from the mainframe more than 20 years ago. Mobile devices, and the pace of innovation around them, are already enabling busy professionals and home users to conduct business and manage their lives on the move.
And they are enabling a whole host of new business models and services. As such, they are set to be the linchpin of future economic growth. But what are the key technologies driving evolution of the mobile, what happens next, and what are the security implications?
New problems
Inevitably mobile devices will grow more powerful and become ever more integrated into our personal and work lives. Greater computing power and downsizing will make these devices an increasingly viable replacement for the conventional PC.
While many of us naturally worry about traditional attacks like malware and phishing on these new devices, new functionality breeds fresh opportunities for the bad guys. New features like augmented reality, facial recognition and integrated social media could leave users open to new kinds of abuse.
Augmented reality, for example, connects location information with a user’s social media “friends”, enabling them to identify digital contacts nearby. This in turn opens up new prospects for social engineering.
Near Field Communication (NFC) technology is another interesting example of innovative technology aiming to deliver convenience for consumers. Built into mobile devices, it will enable users to make payments or pass on personal information with a simple swipe of the device over a reader, further transforming the mobile into the single device from which most aspects of your life are driven and making it even more attractive to cyber criminals.
Alongside these radical technology changes, business expectations have also changed. Only a few years ago enterprises wanted to block social media sites and non-standard, unmanaged devices. Now we are all consciously trying to embrace these technologies. These changes in technology and business expectations mean a new attitude is needed to information security. Embrace or die.
There have of course been examples of malicious code on a variety of mobile platforms but this is still minimal when compared to that targeting the conventional PC. Android, in particular, remains likely to suffer more attacks from malicious code due to its more open application market, although even those with a strong security reputation like BlackBerry have been victims too.
Mobile malware we’ve seen to date includes fake internet banking applications which steal your credentials and your money, and in some cases the one-time authentication code a bank sends you via SMS. Many assume these devices are eminently secure because they’ve never experienced malware on them. However, now that these devices contain valuable assets the bad guys are paying attention.
We can expect a significant increase in the volume of malware targeting these devices over the next year or so. Anti-virus capabilities will be important, though the defence technologies will work differently to the PC — focusing more on reputation and behaviour rather than traditional content security.
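The two paragraphs above describe the SMS-stealing banking trojan pattern and argue that mobile defences will lean on behaviour and reputation rather than content scanning. The following is an added example, not code from this column or from Sophos, showing what a behavioural triage of an Android app's manifest looks like: it scores an AndroidManifest.xml on whether the app can read incoming SMS, has network access to forward the code, and registers a high-priority SMS_RECEIVED receiver so it sees the message before the user's messaging app does. The package names, manifests and score thresholds are constructed for illustration.

```python
"""Behavioural triage of Android manifests for the SMS-token-stealer pattern.
Added example; manifests, package names and thresholds are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # android:name attribute
PRIORITY = "{%s}priority" % ANDROID_NS  # android:priority on intent-filter
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_WRITE_PERMS = {"android.permission.SEND_SMS", "android.permission.WRITE_SMS"}
NET_PERMS = {"android.permission.INTERNET"}


def requested_permissions(root):
    """Set of permission names declared in <uses-permission> elements."""
    return {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}


def sms_receiver_priority(root):
    """Highest android:priority on any intent-filter for SMS_RECEIVED, or None
    if nothing in the app listens for incoming SMS at all."""
    best = None
    for flt in root.iter("intent-filter"):
        if SMS_RECEIVED in {a.get(NAME) for a in flt.iter("action")}:
            prio = int(flt.get(PRIORITY, "0"))
            best = prio if best is None else max(best, prio)
    return best


def triage(manifest_xml):
    """Return (score, reasons); a higher score is a closer match to the
    credential-and-SMS-code stealing pattern."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    score, reasons = 0, []
    if perms & SMS_READ_PERMS:
        score += 2
        reasons.append("can read or receive SMS")
        if perms & NET_PERMS:
            score += 2
            reasons.append("has network access to forward what it reads")
    if perms & SMS_WRITE_PERMS:
        score += 1
        reasons.append("can send or rewrite SMS")
    prio = sms_receiver_priority(root)
    if prio is not None and prio > 0:  # elevated: wants the SMS before the default app
        score += 3
        reasons.append("SMS_RECEIVED receiver with elevated priority %d" % prio)
    return score, reasons


def verdict(score):
    """Map a score to a triage bucket; the thresholds are an assumption."""
    if score >= 6:
        return "likely-sms-stealer"
    if score >= 4:
        return "review"
    return "ok"


# Constructed manifests; the package names are made up for the example.
FAKE_BANK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsCatcher">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

SMS_CLIENT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".IncomingSms">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

TORCH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("fakebank", FAKE_BANK_MANIFEST),
                     ("messenger", SMS_CLIENT_MANIFEST),
                     ("torch", TORCH_MANIFEST)):
        score, reasons = triage(m)
        print(label, score, verdict(score), "; ".join(reasons))
```

The constructed messenger lands in "review" with the same permissions as the trojan and differs only in receiver priority, which is the point of the paragraph above: a behavioural signal on its own says what an app can do, not whether it should, so it has to be combined with reputation (who published it, where it was downloaded from, how many users already run it) before it can block anything.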
Pace of development
Perhaps the most significant challenge to mobile device security is the pace of innovation and development on mobile platforms. Where traditional computers at best might evolve on an 18-24 month cycle, mobile platforms are undergoing significant change on a quarter-to-quarter basis.
As a result, new applications and ways of sharing data will often be adopted by large numbers of users before the security community has a chance to vet them and understand the privacy and security implications.
Security practitioners need to keep re-evaluating these devices and applications to identify new evolving risks and security solutions will need to be designed to be agile and updated faster than ever before as new issues come to light.
While applications and services on the device are updated, often automatically, many users have chosen to jail-break their iPhones. Jail-breaking allows users to customise their device more than Apple allows and to run pirated applications, and it is a fairly widespread practice. But it also removes platform protections, leaving the device open to malware the user never intended to install. The infrastructure for updating and patching security vulnerabilities in mobiles has much to learn from what the traditional computer industry has worked out over the years.
The user perception
We’ve all been using smartphones for some time now and have very quickly grown used to buying applications, music or even banking online, but it seems that using a mobile device doesn’t raise the same security concerns as a PC with end users — they seem to feel immune. I suspect that this is primarily the result of users having experience of scams or malware on their PC, but not on their mobile device.
The problem is that users may view these devices as eminently secure, when in reality they are just waiting to receive more attention from cyber criminals. When the tide turns and mobiles are more closely targeted, there could be a significant lag time while the user community at large is educated on the threats.
Overall, the mobile security market today is relatively immature and there is a lot of work to do to develop the right security controls on mobile devices. Priority one is to get the basics under control — despite all the hype most data breaches occur due to basic configuration failure: poor passwords, lack of encryption, poor patching or social engineering. You can find more details on how to protect yourself on sophos.com.
— The writer is Director of Technology Strategy, Sophos. His Twitter handle is @jameslyne.