Mobile Security


Smartphones and tablets are increasingly being used for everyday tasks in both personal and professional lives. As this trend continues, the amount of sensitive data accumulating on these devices makes them a rich target for exploitation. The need for personal and enterprise security will continue to increase over the coming years. Some security is already in place, but enterprises that allow employees to use their personal devices for business purposes are exposed to widespread risks, notably the exploitation of corporate data. Passwords, strategic information, competitive information, and customer data are among the assets vulnerable to security breaches.

The Risks

The most obvious risk to mobile security is simple theft of the device. The assumption that a PIN is sufficient protection against a thief unlocking the device has been proven wrong: 'smudge analysis' has a very high success rate for determining PINs.

A more insidious theft is when the device is not stolen but its services are. This occurs when a device is infected with malware such as trojans, worms or viruses. Their lifecycle is to infect the device, achieve some goal, and spread to other devices. The goal varies widely: monetary gain, damaging the device in some fashion, or lurking in the background awaiting an instruction to take action.

Malware can get a foothold on a device in several ways. Web browser attacks are very common, but mobile devices add further exposure through accessing, downloading and installing apps. Devices can also receive MMS (Multimedia Message Service) content containing embedded malware.

The communications medium through which the device accesses corporate and other data sources can also be compromised. Both Wi-Fi and Bluetooth are fairly easy to exploit with contemporary hacker tools. One of the more interesting attacks involves an 'access point twin', where a Wi-Fi access point is set up to mimic a legitimate access point. The communications subsystem happily connects to the twin with no indication that it is actually a malicious masquerade.

Security Tips: Don't ever access a wireless network that does not require a password, and only access Wi-Fi networks using at least a WPA2 security protocol. Enterprises using Wi-Fi should verify all access points are using WPA2 or stronger, or reconfigure or decommission the weaker access points.
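As an added example (not part of the original article), the following Python script audits a site-survey export for the two problems described above: access points below WPA2, which should be reconfigured or decommissioned, and an 'access point twin' advertising a known SSID under a different security setting. The scan records and the three-column format are constructed for the example; a real survey tool's export would need its own parser.

```python
"""Audit a Wi-Fi site survey for weak access points and 'access point twins'."""
from collections import defaultdict

# Constructed scan export (not real networks): SSID, BSSID, security type per line.
SCAN = """\
CorpNet,00:11:22:33:44:01,WPA2
CorpNet,00:11:22:33:44:02,WPA2
CorpNet,DE:AD:BE:EF:00:01,OPEN
Guest,00:11:22:33:44:10,OPEN
Legacy-AP,00:11:22:33:44:20,WEP
Lab,00:11:22:33:44:30,WPA3
"""

# Security settings accepted by the tip above: WPA2 or stronger.
ACCEPTABLE = {"WPA2", "WPA3"}


def parse_scan(text):
    """Parse 'ssid,bssid,security' lines into (ssid, bssid, security) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security = (field.strip() for field in line.split(",", 2))
        records.append((ssid, bssid.lower(), security.upper()))
    return records


def weak_access_points(records):
    """Access points below WPA2: candidates to reconfigure or decommission."""
    return [rec for rec in records if rec[2] not in ACCEPTABLE]


def twin_candidates(records):
    """SSIDs advertised under more than one security setting.

    A legitimate multi-AP deployment shares one SSID and one security policy, so
    the same name appearing as both WPA2 and OPEN is the signature of a twin set
    up to masquerade as the corporate network. Returns {ssid: [(bssid, security)]}.
    """
    by_ssid = defaultdict(set)
    for ssid, bssid, security in records:
        by_ssid[ssid].add((bssid, security))
    return {ssid: sorted(aps) for ssid, aps in by_ssid.items()
            if len({security for _, security in aps}) > 1}


if __name__ == "__main__":
    recs = parse_scan(SCAN)
    for ssid, bssid, security in weak_access_points(recs):
        print(f"WEAK   {ssid:<10} {bssid} {security}")
    for ssid, aps in twin_candidates(recs).items():
        print(f"TWIN?  {ssid:<10} " + "; ".join(f"{b} {s}" for b, s in aps))
```

The twin check keys on the SSID alone because that is all a client sees when it decides to join; a deliberately open guest network will also appear in the weak list, which is the intended behaviour under the tip above.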

Although currently in limited use, Near Field Communications, NFC, will be a new medium for attacks as applications become more available. NFC allows you to wave a device in close proximity to a device reader in order to take some action. That action may be to conduct commerce such as to buy a soft drink from a vending machine. Unfortunately, nefarious individuals could attach another reader right next to the legitimate one. Unless you closely review your billing statement, you might never know that you were a victim.

Attack Vectors and Vulnerabilities

The breadth of vulnerabilities is staggering, but not insurmountable. Malicious intent is focused on identifying one vulnerability and maximally exploiting it. This can occur on the client device, on the server system which may be cloud based, or on both environments.

Access to unsecured data on the device, such as browser and password caches, is a common target. Apps requiring username/password combinations, for example, will often cache this data once collected or provide a fast login mechanism such as a quick PIN entry. If this data is not encrypted, attackers can discover and exploit these credentials.

Attackers can also monitor application layer communications by sniffing packets to discover exploitable data. Secure communications come with an overhead, but this burden is usually very acceptable in the face of the consequences of data loss. The leaked data can be modestly impactful, such as upcoming quarterly earnings numbers, or much more serious, such as secret plans for moving high value assets through the public transportation infrastructure.

With credentials exploited, attackers can infiltrate server systems through legitimate authentication controls. The level of security on server systems is insufficient if it is based entirely on these credentials. Robust controls examining secondary authentication layers, such as digital certificate checks to validate the authenticity of the client, or other pre-defined handshaking controls conducted over secure communications, can act as a web-service firewall against some attacks. Once established, the entire session between server and client must be carefully managed in application code.

Attackers can also monitor user behaviors, such as SMS messaging. It should be obvious that you should never text or email a password, even to a systems administrator. Nevertheless, people do it regularly, especially passwords for systems that are shared through a single login, such as an administrative login to a host account. Monitoring email, text and other plain-text communications systems is a vulnerability on all computing platforms, not just mobile devices. But the personal intimacy of, say, a smartphone presents a false sense of protection when in reality the environment is more vulnerable to attack.

Detection Methods

So, you think you might have a mole. What tipped you off to this? Was it when you rebooted your phone and you saw a pineapple instead of an Apple logo? Your iPhone is jailbroken.

Jailbreaking is a deliberate exploit of an Apple device so as to enable its use outside of the Apple ecosystem, typically by allowing alternative phone carriers. But jailbreaking is a major security breach. Corporations should never allow jailbroken devices to be used for accessing any corporate information. Detecting a jailbroken phone can be done by checking for an installation of Cydia (an app store for jailbroken phones), examining the signatures of operating system files and matching them against valid ones, trying to write files in areas outside of the app's process space, or checking to see if SSH has been enabled. The latter is particularly notorious because the default root password of the device is often not changed and anyone can gain superuser access to the device remotely.
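The four indicators described above can be expressed as concrete checks. The following Python script is an added example, not code from the original article and not an iOS library; it runs the checks against a directory standing in for the device root so the logic can be exercised off-device (on a real device the same checks would be written in the app's own language and run inside its sandbox). The paths for Cydia and the OpenSSH launch daemon are widely cited jailbreak artifacts but are assumptions here, the known-good file manifest is a stand-in for a vendor-supplied one, and build_demo_root constructs a throwaway directory tree rather than inspecting any real device.

```python
"""Jailbreak indicator checks, run against a directory standing in for the device root."""
import hashlib
import os
import tempfile
import uuid

# Assumed artifact paths (relative to the device root), widely cited as jailbreak indicators.
CYDIA_APP = "Applications/Cydia.app"
SSH_ARTIFACTS = ("usr/sbin/sshd", "Library/LaunchDaemons/com.openssh.sshd.plist")
# A directory an app's sandbox must not be able to write to; on a jailbroken device it often can.
WRITE_PROBE_DIR = "private"


def sha256_of(path):
    """SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_cydia(root):
    """Indicator 1: the Cydia app store is installed."""
    return os.path.isdir(os.path.join(root, CYDIA_APP))


def check_signatures(root, manifest):
    """Indicator 2: system files whose digest differs from the known-good manifest.

    manifest maps relative file paths to expected SHA-256 hex digests; a missing
    file counts as a mismatch because a valid image would contain it.
    """
    mismatched = []
    for rel_path, expected in manifest.items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full) or sha256_of(full) != expected:
            mismatched.append(rel_path)
    return mismatched


def check_write_outside_sandbox(root):
    """Indicator 3: a write outside the app's own area succeeds (it must not)."""
    probe = os.path.join(root, WRITE_PROBE_DIR, f"probe-{uuid.uuid4().hex}.txt")
    try:
        with open(probe, "w") as f:
            f.write("probe")
    except OSError:
        return False          # write refused: the expected, healthy result
    os.remove(probe)          # clean up; the write should never have worked
    return True


def check_ssh(root):
    """Indicator 4: an SSH daemon has been installed or registered to start."""
    return any(os.path.exists(os.path.join(root, rel)) for rel in SSH_ARTIFACTS)


def jailbreak_indicators(root, manifest):
    """Run every check and return the list of indicators found (empty means clean)."""
    found = []
    if check_cydia(root):
        found.append("cydia-installed")
    modified = check_signatures(root, manifest)
    if modified:
        found.append("modified-system-files:" + ",".join(modified))
    if check_write_outside_sandbox(root):
        found.append("writable-outside-sandbox")
    if check_ssh(root):
        found.append("ssh-enabled")
    return found


def build_demo_root(jailbroken):
    """Construct a throwaway directory tree imitating a device root (not a real device).

    Returns (root, manifest); the manifest is taken from the pristine library
    before the 'jailbroken' variant patches it.
    """
    root = tempfile.mkdtemp(prefix="device-root-")
    os.makedirs(os.path.join(root, "System"))
    library = os.path.join(root, "System", "libsystem.dylib")
    with open(library, "wb") as f:
        f.write(b"original system library\n")
    manifest = {"System/libsystem.dylib": sha256_of(library)}
    if jailbroken:
        os.makedirs(os.path.join(root, "Applications", "Cydia.app"))
        os.makedirs(os.path.join(root, "usr", "sbin"))
        open(os.path.join(root, "usr", "sbin", "sshd"), "wb").close()
        os.makedirs(os.path.join(root, WRITE_PROBE_DIR))   # now writable by anyone
        with open(library, "ab") as f:
            f.write(b"patched\n")                           # breaks the signature check
    return root, manifest


if __name__ == "__main__":
    for state in (False, True):
        root, manifest = build_demo_root(jailbroken=state)
        print("jailbroken" if state else "clean", "->", jailbreak_indicators(root, manifest))
```

Each check reports independently rather than short-circuiting, so an MDM client can log which indicator fired; a single positive is enough to deny corporate access under the policy stated above.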

Google has Bouncer, a malware detection mechanism for the Android Market that was released in early 2012. Bouncer scans apps for 'known malware, spyware and trojans' by running each app in a virtual environment. According to AV-Test, the best Android malware detection apps are:

  • avast! Free Mobile Security
  • Dr.Web anti-virus Light
  • F-Secure Mobile Security
  • IKARUS mobile.security
  • Kaspersky Mobile Security
  • Lookout Security & Antivirus
  • McAfee Mobile Security
  • MYAndroid Protection
  • NQ Mobile Security
  • Zoner AntiVirus Free

Good detectors will also:

  • Detect one of the many 'rootkit' systems which circumvent operating system security and masquerade as legitimate operating system subsystems
  • Provide antivirus protection and firewalling capabilities
  • Monitor battery usage to ensure denial-of-device malware is not present
  • Monitor memory usage
  • Monitor network traffic
  • Log service access

Regardless of the detection mechanisms used, simple user awareness of the risks and potential exploits is a significant step toward mitigating exposure.
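As an added example of the battery, memory and network monitoring listed above (not from the original article or any detector product), the following Python script learns a per-app baseline from the first hours of telemetry and flags later samples that exceed it by a fixed factor, which is how a sudden drain from denial-of-device malware or an unexpected upload would surface. The telemetry rows, the app names and the 3x threshold are all constructed for the example.

```python
"""Flag apps whose battery, memory or network use departs from their own baseline."""
from statistics import median

# Constructed hourly telemetry (not real measurements):
# (app, hour, battery_mAh, memory_MB, network_KB)
TELEMETRY = [
    ("mail", 1, 12, 80, 400), ("mail", 2, 11, 82, 380),
    ("mail", 3, 13, 79, 420), ("mail", 4, 12, 81, 390),
    ("notes", 1, 2, 30, 5), ("notes", 2, 2, 31, 4),
    ("notes", 3, 2, 30, 6), ("notes", 4, 2, 30, 5),
    # a 'flashlight' app that starts draining the battery and uploading data
    ("flashlight", 1, 3, 20, 2), ("flashlight", 2, 3, 21, 3),
    ("flashlight", 3, 45, 22, 9000), ("flashlight", 4, 50, 23, 12000),
]
METRICS = ("battery_mAh", "memory_MB", "network_KB")
THRESHOLD = 3.0   # flag a sample above this multiple of the app's baseline median


def baselines(samples, learn_hours):
    """Per-app median of each metric over the learning window (hour <= learn_hours)."""
    per_app = {}
    for app, hour, *values in samples:
        if hour <= learn_hours:
            per_app.setdefault(app, []).append(values)
    return {app: [median(column) for column in zip(*rows)]
            for app, rows in per_app.items()}


def anomalies(samples, learn_hours=2, threshold=THRESHOLD):
    """Samples after the learning window that exceed threshold x baseline.

    Returns (app, hour, metric, value, baseline) tuples. The floor of 1 on the
    baseline stops a near-zero median from flagging trivial absolute changes.
    """
    base = baselines(samples, learn_hours)
    flagged = []
    for app, hour, *values in samples:
        if hour <= learn_hours or app not in base:
            continue
        for metric, value, med in zip(METRICS, values, base[app]):
            if value > threshold * max(med, 1):
                flagged.append((app, hour, metric, value, med))
    return flagged


if __name__ == "__main__":
    for app, hour, metric, value, med in anomalies(TELEMETRY):
        print(f"hour {hour}: {app} {metric}={value} (baseline {med})")
```

Using the median rather than the mean keeps a single spike from pulling the baseline up, and learning per app rather than per device avoids flagging a mail client simply because it uses more network than a notes app.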

Mobile Security Solutions

The ability of enterprises to fully control the devices accessing corporate data has been challenged from the first moment an employee wanted to use their own device rather than a corporate provided one. Today, most organizations have accepted the notion of 'Bring Your Own Device', or BYOD. That is, people already have smartphones and tablets and would rather configure their own device to connect to company email or access intranet apps than be fettered with carrying a company phone in addition to their own.

Mobile security solutions and products are categorized under the heading of Mobile Device Management, or MDM. Good MDM systems address all of the preceding security concerns, and often add several proprietary algorithms for additional security. To work effectively, MDM systems have custom mobile client apps that establish a secure environment within the device itself. The typical MDM client app will provide:

  • Access to email
  • Secure browser
  • Secure data caches
  • Detection of jailbroken or compromised devices
  • Policy configuration and enforcement
  • Certificate management
  • Remote device lockout
  • Remote device wipe
  • Device locating

Many MDM solutions also provide Mobile Application Management, MAM, which provides an app repository at the corporate level. Users may still be able to access other app repositories like the iTunes Store or Android app marketplaces.

Mobile Security Action Items

The following action items are intended to aid enterprises struggling with adoption and implementation of mobile security.

Perform a risk assessment

  1. Identify the risks of using mobile devices in the enterprise, at a minimum consider:
    1. Email
    2. Document access
    3. Application access
    4. Data access
    5. Critically sensitive or competitive information and their threat exposures
  2. Prioritize these risks
  3. Define mitigation or management steps for each risk
  4. Determine which risks are acceptable to management

BYOD or Not

Bring your own device, BYOD, needs to be thought of from three different perspectives: customers, partners and employees. For customers, enterprises have little or no control over the devices being used. For partners who access corporate data, there can be more control, but often it is no better than for customers. For employees, companies have much more control and can decide whether to let employees use their own devices or to have the company supply a device to them. For some categories of use, such as military, financial and healthcare, supplying the mobile device may be the better and more secure choice. The higher costs may be offset by less costly control and security.

When evaluating whether to adopt a BYOD strategy, consider the cost, risks and benefits as part of the roll-out and ongoing management plan:

  1. Will the enterprise provide device support?
    1. Multiple device manufacturers
    2. Multiple Operating Systems
    3. Multiple OS versions
    4. Multiple display resolutions, orientations and sizes
  2. Does the enterprise content support all screen layouts that may occur?

Enterprise Security, and Access to Enterprise Content

  1. Identify the enterprise assets to be made available in a mobile context
  2. Determine levels of access, if any, based on mobile user needs
  3. Identify the boundaries of the IT infrastructure that will be used for mobile access
  4. Codify the policies and procedures to be put in place
    1. Do privacy policies need to be modified?
    2. For customers, determine how to handle personal information and any acceptance agreements
    3. For Employees, prepare an Acceptable Use Agreement
  5. Extend corporate logging, monitoring and auditing to include mobile activity
  6. Evaluate internally developed application security in the context of mobility

Conclusion

Although security administrators are tearing their hair out over the pressures to enable mobile access to corporate data, there are clear paths that can be followed to resolve the challenges in a mobile enterprise. Mobile Device Management is one solution, but enterprises must consider the policies and procedures they adopt to be just as important as the mobile security approach selected.

MDM Vendors

The following is a non-exhaustive list of some of the MDM product companies:

AirWatch
Good Technologies
MobileIron
Sybase
Zenprise
Symantec
McAfee
Tangoe
BoxTone
Motorola
SOTI
Fiberlink Communications
Smith Micro Software
Mobile Active Defense
Odyssey Software
Ubitexx
Excitor
The Institution
FancyFon Software
Fromdistance
IBELEM
Capricode
Fixmo
SOPHOS
AmTel

References

OWASP
Wikipedia Mobile Device Management
eWeek - BYOD Security Management an Issue for IT
Wikipedia Mobile Security
Wikipedia ETSI
Open Mobile Alliance
MacWorld iPhone Security
Apple MDM
AV-Test Android Malware Report (PDF)
