In Part I of our look at mobile security threats, we took a look at the most dangerous threats mobile devices are facing: network threats.
What About Apps?
Downloading apps is another potentially dangerous practice for mobile users. While we recognize that (unlike Windows) the security controls in place in official app stores such as Apple’s App Store and Google Play are quite effective, with millions of apps available, a percentage of malicious apps are potentially slipping past those filters.
Despite these advanced controls, every so often a threat appears unexpectedly. This was the case for thousands of applications developed using XcodeGhost around 2015. XcodeGhost was a light, unofficial version of Apple’s official Xcode development environment. This development environment automatically added spyware to apps without the developers’ knowledge. While this is one well-known example of malicious code being delivered through legitimate app providers, the potential for these attacks still exists as malware tactics evolve.
Unofficial stores pose similar threats to mobile app security, though many users still download apps through these channels. These unofficial channels rarely offer the same guarantees as their official counterparts, and applications on these stores likely do not meet the standards of official outlets. Even if the initial reason for rejection from official channels isn’t security related – for example, due to the app’s profit model or copyright protection – once an app is included in an unofficial store, the temptation to make extra income through malicious means increases, resulting in theft of personal data, invasive advertising, etc.
Even if an app exists in both official and unofficial stores, there is no guarantee that the version available through the non-official store will be the most updated version, or that the app will include defenses against new vulnerabilities.
Many applications collect location information; however, some publish it in a way that creates security vulnerabilities. This information can be used to perform “passive intelligence,” such as knowing if you have visited a potential client or site. These apps, though seemingly safe, can have serious negative impacts, even if they are not designed with malicious intent.
For example, in early 2018 it was discovered that the Strava fitness application, a popular training app for runners and cyclists that features locational tools, published its global usage maps. While this feature is handy for finding other enthusiasts in your area, it unfortunately had some concerning military implications. Looking at available maps in Iraq and Syria revealed isolated pockets of users. These corresponded to American soldiers using the app while training at their bases. These maps inadvertently revealed the location of these secured bases, causing potentially serious issues for deployed soldiers and contractors.
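The failure mode described above can be checked for before an aggregate usage map is published. The following Python sketch is an added example, not code from the original post or from Strava; the grid size, the user threshold, the neighbourhood radius and the sample points are all assumptions constructed for illustration. It suppresses map cells with too few distinct users and holds back cells whose only activity comes from one self-contained group with no other users nearby.

```python
import math
from collections import defaultdict

CELL_DEG = 0.01  # assumed grid size in degrees (roughly 1 km)
K_MIN = 5        # assumed minimum distinct users per published cell
RADIUS = 3       # assumed neighbourhood (in cells) for the isolation check

def cell_of(lat, lon):
    """Map a coordinate to its grid cell."""
    return (math.floor(lat / CELL_DEG), math.floor(lon / CELL_DEG))

def aggregate(points):
    """points: iterable of (user_id, lat, lon) -> {cell: set of user ids}."""
    cells = defaultdict(set)
    for user, lat, lon in points:
        cells[cell_of(lat, lon)].add(user)
    return dict(cells)

def is_isolated(cells, cell):
    """True when no user outside this cell's own group is active nearby."""
    cx, cy = cell
    nearby = set()
    for dx in range(-RADIUS, RADIUS + 1):
        for dy in range(-RADIUS, RADIUS + 1):
            if (dx, dy) != (0, 0):
                nearby |= cells.get((cx + dx, cy + dy), set())
    return not (nearby - cells[cell])

def review(points):
    """Decide per cell whether it is safe to include in a public map."""
    cells = aggregate(points)
    decision = {}
    for cell, users in cells.items():
        if len(users) < K_MIN:
            decision[cell] = "suppress: too few users"
        elif is_isolated(cells, cell):
            decision[cell] = "hold: isolated pocket"
        else:
            decision[cell] = "publish"
    return decision

def sample_points():
    """Constructed data: a busy area, one lone user, one remote pocket."""
    pts = [(f"a{i}", 20.005, 30.005) for i in range(6)]
    pts += [(f"b{i}", 20.005, 30.015) for i in range(6)]
    pts += [("c0", 20.015, 30.005)]
    for i in range(6):
        pts += [(f"s{i}", 40.005, 50.005), (f"s{i}", 40.005, 50.015)]
    return pts
```

A user-count threshold alone would publish the remote pocket, because six distinct users pass it; the isolation check is what catches a populated site surrounded by empty map.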
As with any operating system, iOS and Android will occasionally suffer vulnerabilities. Unlike Windows – which issues security and usability patches with some regularity, sometimes several in a week – the time between updates for mobile operating systems is often quite long. For example, Android issues updates only monthly.
Worse yet: the monthly patching mechanism was only recently launched; most of the devices currently on the market do not have regular updates.
In contrast, at the application level the pace of updates is continuous, and many vulnerabilities at the operating system level are solved at the application level, at least for the applications of the most important providers such as Facebook, Google, etc.
A final point to take into account when protecting yourself is the use of insecure configurations. As we’ve mentioned above, avoiding downloads outside of official stores is best practice for minimizing threats. Configuring your settings to disallow this type of download is key, but the OS you start with is as important as the downloads you make.
Jailbreaking is another big concern in phone security. “Jailbroken” or “rooted” phones are devices in which the manufacturer’s operating system (Android/iOS) has been replaced by an unofficial version, in order to access additional functions and bypass the standard permissions of a normal user. With these unauthorized versions, applications may be able to access more information than would be allowed by the security settings of an official OS configuration. A compromised app could potentially access protected information on the phone.
This access is not solely sought by bad actors like hackers or thieves; it may be the device owner themself seeking access to information or settings, without fully understanding the consequences. In terms of enterprise mobility management, when talking about a provisioned device (provided by an employer) or a BYOD scenario, there are no plausible reasons for an employee to use a phone with these unauthorized modes enabled.
Finally, take a moment to consider the physical security of your phone. Mobile devices are, by their nature, susceptible to being stolen or lost. The best way to ensure that a missing phone doesn’t become a security issue is to ensure its data cannot be accessed by someone in possession of the phone.
In our next post, we will review all the precautions you can (and should) be taking to protect your devices and enterprise against the security threats facing smart devices.
In Part 3 of our Series
If you want more information about how to protect against mobile threats, you can read Part III of our series on mobile security threats.