As recently as a year ago, if you asked security, operations and development teams whether the risk from mobile malware was real, you received a mixed response. If you ask the same question today, there is universal agreement that the malware risk is real and growing.
A quick search on mobile malware risk provides countless pointers to both vendor and analyst reports highlighting the growth in this industry. So why have perceptions changed over such a short period of time?
One of the key contributors to the threat from mobile malware is the proliferation of applications that conduct real business using, and accessing, sensitive and confidential information. Typical users may have banking, credit card, hotel, airline and corporate applications installed on their mobile devices. This access is secured, at minimum, with username and password controls.
Cybercriminals are practical actors; they follow the money. They are turning their focus and attention to the mobile platform because of the growth in mobile devices coupled with the opportunity to harvest a wealth of information from each device. Unlike work desktops and laptops, which typically contain only job-related information, mobile devices often combine work and personal information and applications.
The weakest link in security is the user. Cybercriminals are now using attacks and techniques initially targeted at desktop users in the mobile channel. They are experts at social engineering and are executing targeted spear phishing attacks.
Executives are common targets, since attackers hope to steal their usernames and passwords to access valuable confidential information. However, no one is immune. Enterprises should invest in basic mobile security awareness and training for all employees. Best practices include mandating that mobile apps can only be downloaded from public app stores such as the Apple AppStore or Google Play.
There are also popular best practices if your organization has adopted an enterprise mobility management (EMM) solution. Organizations can enforce their own mobile security best practices on mobile devices they manage. This includes requiring a strong device passcode and ensuring devices are running authorized versions of operating systems.
Market-leading solutions also offer advanced mobile threat management capabilities that can detect mobile malware and automatically take corrective action to protect corporate information. Tight integration with other security products such as identity and access management solutions is also an important consideration.
Organizations need to identify the mobile apps that require additional security measures. Not all mobile applications necessitate the same level of security testing and protection. For example, a business-to-employee (B2E) conference room reservation app may not need stringent security controls.
However, all apps that access sensitive information should be built securely and protected once they are released. Some apps support businesses and consumers in regulated industries such as health care, where patient information must be kept private. Organizations should take a pragmatic approach to mobile application security and prioritize the most sensitive apps.
The pace of mobile application development is frenetic. There are multiple platforms and operating system releases to support each year. Take a look at the version history of some of the most popular mobile apps. Many released 10 or more updates last year — and that’s on a single mobile platform! The continuous release cycle puts pressure on developers, who in turn may make mistakes in their haste.
There is no malice here, but simple mistakes such as not encrypting data at rest may expose sensitive information to malware. Organizations should adopt automated mobile application testing solutions to quickly isolate and remediate these vulnerabilities.
Not all mobile applications are installed on devices with EMM solutions; many are on devices that may be insecure. Business-to-consumer (B2C) or business-to-partner (B2P) mobile apps will be on devices that an enterprise cannot manage.
Furthermore, enterprises have no control over the other applications that will be installed on the same device alongside their corporate app. They also won’t be able to tell if a device has been rooted or jailbroken. This lack of visibility makes it imperative that the data these applications use be protected.
Protection requirements extend to the mobile application itself. Cybercriminals can easily download mobile applications. Once they have a copy of the mobile app, readily available and free tools can reverse engineer apps to uncover sensitive intellectual property.
Malicious actors also look for vulnerabilities such as unencrypted data, and there is even a risk of repackaging a mobile app with malware. They may use spear phishing attacks to direct users to bogus app stores to download valid apps packaged with malware. To avoid this risk, all mobile apps that access sensitive information or are targeted at users on unmanaged devices should be hardened against tampering.
No organization wants to make headlines for a breached website. Why isn’t there the same level of concern and attention placed on mobile applications?
The risk from mobile malware is real. Organizations should take a practical approach to mobile security and educate users, development teams and IT operational professionals. The mobile security investment should be a function of the risk and regulatory requirements. Focusing on features at the expense of security is not a viable strategy.