Growth of mobile malware, blasé attitudes to downloading apps and user ignorance to security is putting consumer handsets at risk. If those consumer handsets are also used for work by an employee or belong to a customer, then this puts the business at risk also. Businesses that recognize the risks not only need to secure employee handsets and the networks/systems accessed, but should also rethink their mobile app strategy. If employees and customers require download apps, then an enterprise (or private) app store is a good way to control distribution of apps.
How many smartphones have security software installed?
• According to research from Canalys (October 2011), only 4 percent of smartphones and tablet computers shipped in 2010 had some form of mobile security downloaded and installed.
• This is remarkably similar to findings from Juniper Research (August 2011) that less than 1 in 20 smartphones and tablets have third-party security software installed in them, despite a steady increase in threats.
To get the lowdown on mobile security from the experts, you should also read mobiThinking’s new Guide to mobile security.
So what the problem with smartphones and tablets? Smart devices are:
• Powerful little computers that can run all sorts of computer programs – including bad ones, such as viruses and malware used by hackers to break in, spy and steal.
• The ultimate communications tool with email, text, instant messaging, social networking, voice and video calls and more, together with lots of contacts. These all provide plenty of opportunities for malicious software to propagate.
• Always on, always with us and often always connected.
• Used for making purchases, banking and other activities involving and storing personal and financial information.
• Used for work – with or without consent of the IT department – accessing (and storing) corporate email and other systems, perhaps the entire corporate network.
• Easily lost and a soft target for thieves.
Thus consumers and business users should be more security conscious about their smartphones than their PCs. But they are not.
• People do not consider phones as computers with the same needs for secure passwords, encryption, anti-virus and firewalls as a PC.
• A lost/stolen phone is seen as an inconvenience, albeit an expensive one, not a security threat.
• People will browse the Web, click on links and download attachments within email, IM, social networks, practices that they wouldn’t on an unsecured PC.
• People regularly download and run applications – i.e. computer programs – that they know little about, from companies they know little about, downloaded from third-party Websites, referred to as app stores. Even on their secured PC, the same people would only download computer programs infrequently and with caution.
Is the treat theoretical or real?
Taking a laissez faire attitude to security is all fine as long as: a) the authors of destructive, hacking or spying software don’t turn their attention from PCs to the vast numbers of smartphones; and b) thieves just steal phones to resell, without looking for confidential emails, contact information, banking information, m-commerce apps with retailers that store credit card details, or easy access to corporate systems. But this is wishful thinking.
Estimates for the amount of mobile malware (as the security experts collectively call all the different types of malicious software) vary greatly, but all conclude that it is growing very fast.
• In Growing threat of smartphone hackers, BullGuard identified a staggering 2,500 different types of mobile malware in 2010.
• IBM X-Force named 2011 the year of the security breach, predicting that “exploits targeting vulnerabilities that affect mobile operating systems will more than double from 2010”.
Symantec’s A window into mobile device security gives the following examples of recent mobile malware attacks on Apple and Android devices (though all types of mobile device are susceptible to attack):
• iPhoneOS.Ikee.B and iPhoneOS.Ikee are computer worms which spread over the air (via mobile networks) targeting ‘jailbroken’ Apple devices – jailbreaking removes Apple’s restrictions on how the phone is used. Both worms could have been far more malicious in their actions, but clearly demonstrated the dangers associated with the common practice of jailbreaking.
• Android.Pjapps, Android.Geinimi, AndroidOS.FakePlayer, Android.Rootcager and Android.Bgserv targeted Android phones via mobile apps downloaded from app stores. These were either legitimate, popular apps that had been compromised (the apps were downloaded, the malicious code was inserted, then reposted to app stores) or fake apps masquerading as legitimate apps. Mostly these acted as trojans – a hidden software program that allows a criminal to use the handset at will – perhaps to steal sensitive data, monitor phone usage, attack other computers or make expensive calls.
Why are Android apps in particular an attractive target for criminals? Android is now the most popular operating system among new smartphones, overtaking Nokia’s Symbian earlier this year (according to Gartner). Downloads of Android apps also recently overtook downloads of Apple apps (according to ABI Research). As well as being considerably larger than Apple, the Android environment is more relaxed, compared with Apple’s authoritarian approach. The Android operating system is used by lots of different mobile manufacturers, arguably leading to fragmentation, and Android apps are available from multiple app stores, which is much harder to police than Apple’s monopolistic App Store.
How do we address mobile security?
In an ideal world every device would ship with robust security software. While including security packages is an obvious value-add (as well as a good investment) for mobile operators and handset manufacturers, this isn’t a widespread practice. The onus has been placed on consumers and businesses to buy third-party packages [there are lots – see this useful comparative review by Top Ten Reviews], but clearly the stats suggest that the message isn’t getting through.
What is the impact on businesses? How should businesses address this?
Business should view this from two directions: a) the risks associated with an employee device being compromised/stolen; b) the risks associated with a customer device being compromised/stolen.
a) Employee devices:
IT departments are being pressured to allow employees to use consumer devices for work. This is often referred to as the consumerization of IT or bring-your-own device and is the antithesis to way that corporate IT has been run to date. Enabling employees to access company email, corporate networks and systems, on the same device they use for personal use, downloading apps, social networking and IM, taking to the pub or on holiday requires an unprecedented level of education, rules, handset and network security and device management.
Demand for security software is expected to soar, as companies invest in security for employee handsets.
• Canalys expects that US $759.8 million will be spent on security in 2011 alone, growing at 44 percent annually to be worth US $3 billion in 2015.
• Juniper estimates that US $3.7 billion will be spent on mobile security software in 2016, of which 69 percent will be sales to business.
Companies are expected to set up enterprise app stores, their own internal store, to supply employees with relevant, vetted and secure mobile apps, perhaps banning the download of apps from third-party stores to devices that have access to the corporate network.
• Canalys: “Over the next two years, Canalys expects device management to drive adoption of mobile security-related products, with businesses deploying solutions to track, monitor and authorize corporate data access, as consumers bring their devices into the workplace. These solutions will increasingly be tied to enterprise app stores, so that only approved apps can be downloaded and only devices with approved apps installed can access corporate resources.”
b) Customer devices
Businesses must design their mobile app or Web-based services to minimize risk to the customer and the business when a customer device is compromised or stolen. Apps/sites that store passwords, credit-card information or personal information unnecessarily and insecurely either on the handset or server and do not query unusual behavior will make it easier for criminals to assume the identity of the customer to defraud the customer and business.
Businesses must also consider that criminals may target weaknesses in their mobile app (as shown in the Android examples above) to compromise a customer or business partner (i.e. supplier, client) device. Where app development is outsourced and distribution of apps is via third-party app stores, it is harder for companies to ensure that downloading their app doesn’t put customers at risk.
One answer is to bring apps in-house – the development of apps and/or the hosting/distribution of the apps. If companies are building enterprise app stores behind the company firewall in an effort to keep employee handsets safe (as predicted by Canalys), then why not allow customers and business partners to download apps from the same store?
The other answer is reducing the amount of code that needs to be downloaded to the client device. Advocates of browser-based apps argue that it isn’t necessary for any of the app to reside permanently on the handset.
All businesses should help educate their customers about mobile security. For any company that does m-commerce, m-banking etc, education should be a priority – arguably they should be providing free or discounted security software (perhaps via their enterprise app store) to customers.
Just to end on a positive note, here is an opportunity for you:
Wondering what freebie you should give away to help promote your mobile site/app, increase mobile sales, reward loyal mobile customers or enhance your reputation as a thought leader, then consider this… what would be more useful to your mobile customers this Christmas, another novelty app/game or a year’s free subscription for a mobile security package?
Need to know more? Read this:
Mobile device security: the insider’s guide. Opinions and tips from the world-leading experts.
• Be the first to know about mobiThinking news, guides, competitions etc… follow mobiThinking on Twitter: @mobithinking.
• Nine video interviews with leading mobile experts
• What makes EMEA the world’s most exciting mobile market? Interview with Paul Berney, MD, MMA EMEA
• Compelling content: tips for making useful, sticky mobile Web sites and apps (part 1)
• The mobile city project – the blueprint of a truly mobilized city
• The insider’s guide to device detection: give your Website visitors the site they deserve
• The insiders' guides to world’s greatest mobile markets • Latest country guide: Brazil
• Guide to mobile agencies • Latest agency profile: Grupo.Mobi
• Guide to mobile ad networks
• Guide to mobile industry awards • Latest winners: Mobi Awards
• The big compendium of global mobile stats
© mobiThinking. Feel free to reference, quote and paraphrase mobiThinking articles, clearly stating and linking to mobiThinking as the source, but reprinting or republishing the whole piece without permission will not be tolerated.