What’s with the whole mobile craze lately? Don’t get me wrong – I love the mobile advantage. I am that stereotypical guy who always has his cell phone within arm’s reach (when it isn’t in my hand, anyway). When something like the report by the Pew Research Center comes out saying that 64% of American adults own a smart phone, I don’t find it hard to believe. What I do find difficult to accept is that few people seem to take the mobile security aspect of this craze seriously.
Of course, the convenience of owning and using a smart phone is a huge part of the recent craze. As a culture, we seem preconfigured to search out the simplest way of doing something and then latch onto it. However, I think it is high time to call out some of the major mobile security risks to show, once and for all: a little bit of effort goes a long way.
Just take a few minutes and head over to your good friend Google – or hop onto your cell phone and chat with it (Ok, Google…). The notion of mobile security risks is nothing new; it’s just creeping up into the news more often lately. I read an (albeit brief) article by Bruce Schneier about some recent research done on the typical shapes of smart phone unlock patterns.
The article was nothing new, certainly. There are only so many combinations you can choose from, after all, and there have been plenty of sources stating that they are not 100% secure (but if you know me, you know that I don’t believe in perfect security anyway). I mean, some smart phones will even tell you if you are choosing a potentially weak security method!
Regardless, Schneier got me thinking: mobile security is a huge, largely unrecognized issue. With the ever-increasing number of end users and employees bringing cell phones into and out of the workplace, the risk of data loss or security breaches has only increased over recent months. To that end, I’d like to review some mobile security concerns that you, as an end user, an admin, or an employee, should be mindful of.
Android Mobile Security – A Penny or Two For Your Thoughts
The month of August 2015 has been hell for Android vulnerabilities. Much like the comparison of Windows to Mac, Android’s customizability also opens the doors to various risks and vulnerabilities that might not be inherent in the iPhones and other Apple products. It’s a real shame, but one that I (as an avid Android guy) am fully intending to suffer through. It’s the reality that we live in – users will take risks for the sake of convenience, and therein lies the problem: we need a better understanding of mobile security if we intend to continue living by and through our phones.
To that end, I observe these recent discoveries on the Android end as a good thing – the more vulnerabilities that we can find, the more insight we have into how to appropriately protect our data online. I would like to add my own thoughts to this insight, in the hopes of locking down mobile security and safeguarding all of our most precious, personal information.
Top 3 Considerations for Mobile Security
It’s not Just Hardware, but Software too
You hear it all the time: “iPhones don’t get hacked,” or the more prolific, “Apple is better than Droid!” While I’m not here to rain on anyone’s parade – your preference is yours alone – these types of statements avoid the fundamental truth about mobile security: people are silly.
It’s not just about what phone you have. The built-in processor and various NFC and IR components do play a small role in introducing vulnerabilities to the phone, but the biggest issue is the user. In a way, Shakespeare’s Hamlet had a point that holds true to mobile security today:
Whereas Android users can simply check the box in their settings that says, “Allow installation of apps from sources other than Google Play Store,” iPhone users have to go ahead and jailbreak their phones to get access to more applications – and many users see no problem in doing so. This behavior transcends the hardware of the phone in question – coming from the desires (or thoughts, as Hamlet might refer to them) of the user.
Opening yourself up to more freedom can inadvertently open more backdoors for attackers and various mobile security threats.
The Cloud is Awesome – When Used Correctly
Another example of convenience working against mobile security is the overabundance of cloud services (SaaS, IDaaS, etc.). Earlier this year, Forbes published an article discussing a State of Cloud Report and its findings. The bottom line: 82% of the organizations surveyed have a hybrid cloud strategy. That’s interesting data, and it helps to illustrate the importance of cloud storage and access to the end users. Cloud services are becoming widely available, and that presents a new challenge for mobile security.
Again, cloud services are not inherently a bad thing – but they need to be used appropriately or they open users up to a new level of data theft and attack. Take the subject of this Dark Reading article for example: Man-in-the-cloud attacks.
The article doesn’t mention using a smart phone as an access point for attack, but considering the ease with which most cloud services sync to mobile phones, the chance for a breach is right there. Fortunately, most companies limit cell phone access or write/transfer access to particularly sensitive files – but this topic is one that perfectly illustrates how dangerous convenience can be.
Mobile phones are a substantially viable target for attackers, and misuse of cloud services can open up mobile security in ways that would make an attacker think that Christmas had come early.
Be Smart, not Lazy
Now, on to my final point!
I’m all for convenience (and hey, I can be a bit of a couch potato too – it’s only natural), but there is a very fine line between convenience for the sake of usability, and downright laziness.
Unfortunately, mobile security risks arise because too many users cross that line without even bothering to look where they are headed. There are many innovations being developed every single day to help improve mobile security and reduce the risk of data loss or theft. It is up to the end user to make appropriate and intelligent use of these developments before it is too late.
Take the Nexus 6, for instance. Part of Google’s flagship series of cell phones, the Nexus 6 comes out of the box with default full disk encryption. Why: because encryption offers a substantially stronger way to secure the data that matters most to you and your company.
Of course, Google’s plans to introduce full disk encryption to all Android phones rocking the Lollipop OS took a pretty rough detour, but the rationale behind the encryption makes a lot of sense. In the modern world, data is more valuable than cash – and often used to make a pretty sizeable pile of it.
So what’s my point; why do I bother with these jabs at convenience and the need for better awareness of mobile security? It’s quite simple really (elementary, you might say…): convenience could cost you everything if you don’t make use of it securely. Today, you can’t get very far on a computer without installing or activating some form of antivirus or antimalware to protect you; why wouldn’t you do the same thing for your phone? It’s simple tactical strategy: cover all of your entry points before the attackers have a chance to find them.
Best of Luck to You
There you have it: three of the most recent topics relating to mobile security risks that end users can address on their own. It’s a crazy, risky world for enterprise smartphone users out there, and we should do everything in our power to keep mobile security as tight as can be. Stay tuned – I’m sure I’ll have more for you in the future. Remember: mobile security is only one layer in authentication and identity security. If you have any questions about either, give us a call or shoot us an email and we will be happy to help!