Industry analysts and security experts believe that as smartphone adoption increases within the enterprise, attacks and malware will increase with it. Smartphones may become conduits for breaches of corporate data. Malware and viruses will masquerade as apps and may compromise both personal and corporate data. 2010 saw a huge rise in such instances of targeted malware.
2011 is really a year to watch for mobile attacks. After WikiLeaks and Stuxnet, fear is looming in everyone’s mind about what the next attack will be and how it will come. Let us try to imagine and understand the surface of potential risks. We will focus on risks related to large businesses and enterprises.
I) Data breach as a result of lost/stolen device
A lost device means potential loss or theft of sensitive information, and it can also enable unauthorized users to gain access to ENTERPRISE networks. Remember the hapless Apple engineer losing the iPhone 4 prototype in a bar? In case you are rolling your eyes, please remember that over a six-month period, 3,000 laptops were lost in London cabs. Compare that to 55,000 phones lost during the same period!
Also, when an individual loses a device it is a personal loss. When enterprise devices are lost it is a much bigger affair. Some experts put the total cost of a lost laptop at around $49,000. This cost reflects the enterprise-wide effort (corporate, legal, purchasing, admin, etc.) required to deal with a lost laptop.
A more sophisticated approach is to use a service such as “remote-locate-and-lock”, which remotely locates the phone using its built-in GPS and locks out a lost phone. Even more stringent “remote-wipe” policies can be enforced to remove all sensitive data from a misplaced phone. Several vendor software options are emerging. For iOS there is “Find My Phone”, for Android there is Lookout.
Additionally, it is important that key content be encrypted using a proper standard such as AES-128 or AES-192 and stored in such a fashion that even a device loss does not compromise key information.
II) Malicious code attack coming from masquerading applications
This usually happens after downloading an application which, despite masquerading as an innocuous app, actually engages in nefarious activities (keyboard logging, secret transmission of private information, etc.). In July 2010, the ‘Carrot App’ for Android was disguised as a calculator application. The malicious application was programmed to email the attacker transcripts of all text messages, both sent and received by the infected device.
Due to Apple’s stringent application review and publication process, these problems are less common on iOS, but they are still an area of concern. Android, due to its open publishing policy, can be more prone to such attacks. Please refer to the recent in-depth study on the App Genome.
III) Mobile device OS, Applications or protocol vulnerability
Software vulnerabilities at this level are hard to fend off and can only be mitigated by constant study of and vigilance against security threats. Ensure that the latest versions and patches of the OS and development environments (Apple Xcode or Android SDK) are applied carefully and that security patches are taken seriously. Remember, the chain is only as strong as its weakest link!
IV) Weak or non-existent mobile device authentication
This is a double-edged sword. A very hard pass-code is easy to forget and hence hurts usability. On the other hand, something straightforward like “1234” or “admin” is easy to guess and easy to crack. The long-range solution is some form of biometric or fingerprint-based authentication. However, until these are refined we should use TWO-FACTOR AUTHENTICATION (a combination of something you know, e.g. a pass-code, and something you have, e.g. a CAC reader). In many cases a simpler variant of a CAC reader can be adopted, e.g. a token code distributed via SMS. Such two-factor authentication schemes are proposed by large organizations such as Google and Microsoft. Such options provide additional protection against phishing and malware attacks, as the one-time token codes are valid only for a limited duration and are deactivated automatically, thus preventing access to sensitive information.
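The time-limited, single-use token scheme described above, as an added illustration that is not code from the original post: a minimal server-side store that issues a 6-digit SMS-style code and enforces expiry, single use and a guess limit. The class name, the 120-second window and the 3-attempt cap are assumptions made for this example.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 120   # assumed validity window for an SMS token (illustrative value)
MAX_ATTEMPTS = 3          # assumed number of wrong guesses before the token is burned


class OneTimeTokenStore:   # hypothetical server-side store, not from the post
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised offline
        self._pending = {}       # user -> {"code", "expires", "attempts"}

    def issue(self, user):
        # Fresh 6-digit token from a CSPRNG; any earlier token for the user is replaced.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {"code": code, "attempts": MAX_ATTEMPTS,
                               "expires": self._clock() + TOKEN_TTL_SECONDS}
        return code   # hand to the SMS gateway; never log it

    def verify(self, user, submitted):
        # True only for an unexpired, unused token; the token is consumed on success.
        entry = self._pending.get(user)
        if entry is None:
            return False                        # nothing outstanding (or already used)
        if self._clock() > entry["expires"]:
            del self._pending[user]             # automatic deactivation after the window
            return False
        if hmac.compare_digest(entry["code"].encode(), submitted.encode()):  # constant time
            del self._pending[user]             # single use: a replay of the code fails
            return True
        entry["attempts"] -= 1
        if entry["attempts"] <= 0:
            del self._pending[user]             # cap online guessing of a 6-digit code
        return False


def walkthrough(now=1000.0):
    """Drive the store with a fake clock; returns the outcome of each policy check."""
    clock = [now]
    store = OneTimeTokenStore(clock=lambda: clock[0])
    wrong = lambda c: f"{(int(c) + 1) % 10**6:06d}"   # a guess that differs from c
    code = store.issue("alice")
    out = {"right": store.verify("alice", code), "replay": store.verify("alice", code)}
    code = store.issue("alice")
    clock[0] += TOKEN_TTL_SECONDS + 1
    out["expired"] = store.verify("alice", code)
    code = store.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", wrong(code))
    out["burned"] = store.verify("alice", code)
    return out
```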
There may be additional attack surfaces which we have not yet thought of. After all, a “Hacker’s mind” has a different orientation than a “Builder’s brain”. Constant vigilance can never be overstated in today’s world, especially when you adopt more modern means to conduct your business.