Mobile Device Privacy and Security – Challenges and Recommendations

finjanmobile Blog, Mobile Security


With some analysts predicting that by 2018, 25% of corporate data will pass directly between mobile devices and the cloud (avoiding network security perimeters) – and with an alarming 35% of workers in a Bank of America study admitting that their first thought of the day is to their smartphones, rather than their partners – it’s obvious that mobile technologies are now an integral part of work and daily life.

And with the data resident on mobile devices or passing through unsecured networks now a prime target for hackers and cyber-criminals, it’s worth having a look at some of the issues facing the privacy and security environments of which so many of us have become a part.

Challenges to Physical Security

Mobile devices are small, lightweight, and convenient – especially for thieves and pickpockets. Even laptops with moderate form factors, tablets, or notepad computers are easy enough to steal.

And if your device isn’t protected by a password, lock screen, or biometrics, it’s a straightforward matter for anyone who gets their hands on it to gain unauthorized access to a treasure trove of confidential data, intellectual property, software, and messaging functionality. With weak passwords relatively easy to guess or crack, thieves may hijack your email or other accounts, giving them the ability to extend their haul to the data and assets you may have resident in the cloud.

Remote data wiping facilities are often available to the administrators of corporate BYOD (Bring Your Own Device) and mobile device management (MDM) schemes – but even here, the security benefit on a stolen device is only as good as the data shredding algorithm used by the wiping tool. There’s software readily available for forensic data retrieval – the kind of tool that is a lifesaver in cases where crucial files were mistakenly scrubbed or a power surge caused file corruption, but which is also a valued asset for cyber-criminals wishing to reconstruct data from poorly deleted files.

Inadequate Infrastructure and Services

There have been issues in the past with vulnerabilities associated with software and system tools contributed by third-party developers to the likes of Windows Mobile and Symbian OS. More recently, mainstream operating platforms like Android and iOS have been targeted by cyber-criminals who are deploying an increasingly sophisticated range of techniques and malicious code.

With so many mobile device users on the planet (estimates are in excess of 1.5 billion, and climbing), there’s a multitude of operating system versions in widespread use. Android, in particular, has proven worrisome, as it’s an operating platform that’s gone through several iterations – many of which are out of date, riddled with security holes and vulnerabilities, and still being routinely used by device owners in geographically dispersed locations.

It may be weeks or months before consumers are offered access to security patches and updates for their devices. And even when they are, these updates may have gone through a tiresome process of negotiation between the parent company of an OS and various device manufacturers, who need to modify the code to suit their various hardware models.

It then falls to the mobile network carriers to test these updates and transmit them out to their customers. All of which takes time, within which exploits of system vulnerabilities may be running rampant – and older device models may be excluded from the update picture entirely, if manufacturers stop supporting them. And it’s not only operating systems that can remain out of date, as many mobile apps aren’t patched or revamped over extended periods, either.

Mobile Malware and Malvertising

Sources of malicious code designed specifically for the mobile environment continue to proliferate, with malware being concealed in otherwise legitimate-seeming games, utilities, security patches, and productivity apps. Ransomware is a popular choice for cyber-criminals, along with the more traditional key loggers and spyware enabling perpetrators to record user activities and collect credentials and sensitive data.

Malicious advertising or malvertising for the mobile landscape is also on the rise, not so much for its ability to distribute malicious payloads directly as for its power to tempt users on to special offers, web sites and resources where the hammer may be dropped on them at the destination. And with the concept of mobile anti-virus and anti-malware applications still relatively new to most users – and with such tools not built in on so many devices – protective tools are thin on the ground.

Device Attacks and Takeovers

Perpetrators typically target devices in order to take control over them, steal data from them, or use them as tools in a larger attack (such as a Denial of Service or DoS). Mobile browsers remain vulnerable, along with SMS (short message service) and multimedia message service (MMS) facilities.

Intercepted Communications

Cellular data transmission protocols and unsecured wireless networks such as WiFi hot spots are prime targets for hackers, who can use any of several tools available online to intercept communications and eavesdrop on, steal or corrupt data. So-called “man-in-the-middle” attacks are becoming increasingly common, along with attacks like the hijacking of user sessions to gain access to online resources and services.

Insider Threats and Human Error

A lack of security awareness and the natural tendency to make mistakes are still a large factor in expanding the threat landscape. A lack of due diligence in downloading apps – either from official stores (where users may not take the time to read the fine print) or from third-party download sites (where the unsuspecting user pretty much plays a lottery) – contributes to the continued distribution of malware.

Jail-breaking or rooting of devices to overcome restrictions imposed by the device or operating system manufacturer not only leaves users vulnerable to malware, but may also deny them the protection of updates and security patches issued to users who haven’t stepped outside the manufacturer’s rules.

And for cyber-criminals, insiders recruited within an organization may use mobile devices to ship data off-site to external servers, download enterprise data onto portable storage media, or facilitate intrusions into corporate networks.

Confidentiality and Disclosure

Corporations and individuals whose mobile apps are hosted by an application service provider or ASP face the risk of having both their private data and their security exposed if the safeguards put in place by their service contracts aren’t sufficiently robust. Besides any assurances from the ASP itself, there’s also the possibility that confidential information may be disclosed to third parties such as advertising networks or partner agencies.

Users engaging an ASP should get written confirmation of the hosting agency’s own security policy, and its procedures for ensuring data privacy. Beyond this, virtual private networks or VPNs will give added protection.

Services and Client Confidentiality

Client confidentiality and the preservation of data privacy are also concerns for consultancies, advisories, and service-based industries, whose business relies on intimate knowledge of a consumer’s case details and requirements. Personally identifiable information (PII) transmitted to such agencies or stored on user devices may be targeted by hackers.

The health-care sector is particularly prone to privacy issues, as telehealth services (video conferencing, remote surgery, etc.) and mobile health apps such as those for diagnostics and monitoring often don’t enjoy the protections offered by statutory regimes like HIPAA (the Health Insurance Portability and Accountability Act of 1996), the US Electronic Communications Privacy Act of 1986, or the Computer Fraud and Abuse Act of 1986.

Legislation such as this covers the unauthorized interception of communication, and deals with issues such as the information collected via mobile apps – but with the situation still hazy as to who should be liable in cases of security breaches or unintended disclosure, users are left largely to themselves in guarding their own data privacy.

Mobile Device Privacy and Security – Some Recommendations

  • Protect mobile devices with password control, lock screens, and/or biometrics (fingerprint scans, voice recognition, facial recognition, etc.). Proprietary device locking hardware is available from some manufacturers, and may also be an option.
  • Use multi-factor authentication for accessing web resources, which requires a combination of (for example) a login password and a confirmation code which is sent to your mobile phone.
  • Protect information in transit (including emails and document transfers) with encryption.
  • Use a virtual private network (VPN) when accessing WiFi, or when using apps from an application service provider (ASP).
  • Install mobile anti-virus and anti-malware software on your devices. Some security apps will also set rules for blocking suspect communications.
  • Install a personal firewall, if your security software suite doesn’t supply one itself.
  • Regularly update all your mobile apps, and install security patches to mobile operating systems and browsers.
  • Corporate mobile device security policies should include a white list of approved apps, and provisions for the remote wiping of lost or stolen devices.
