Security researchers have been warning about mobile malware for at least the past two years, but we have yet to...
see any significant attacks on smartphones. Why should enterprises expect any different in 2012?
Rik Ferguson, director of security research at Trend Micro, believes 2012 could be the year of mobile attacks because of the increasing number of people using smartphones for financial transactions.
According to Kantar ComTech, around 51% of the UK population now owns a smartphone and 28% of those are using their mobiles for online purchases, according to Morgan Stanley. Some 17% are using them for financial management such as paying bills, according to GetSafeOnline.
Criminals follow users, which means that, as more people carry out transactions using their smartphones, criminals will increasingly target this platform, Ferguson told attendees of an Inside Technology symposium on smartphone security in London.
The problem is that all operating systems have been found to have vulnerabilities to attack, including Apple's iOS. Most smartphone users do not expect malware and tend not to have any anti-malware protection.
A YouGov survey of more than 2,000 UK smartphone owners revealed that only 17% have any anti-virus software installed. Over half of users believe the device is secure and only 15% think it is not.
"But Trend Micro is increasingly seeing viruses, worms, Trojans, adware, spyware, web-based threats and even bots targeting mobile phones," said Ferguson.
Although iOS and Google's Android are about even when it comes to vulnerabilities in the platform, Android is definitely where the action is when it comes to malware, said Ferguson.
Smartphone malware threats
Trend Micro was tracking around 129,000 unique pieces of Android malware at the end of 2011, but now there are around 3 million.
Android is open to abuse because of the openness of the ecosystem that includes third-party app stores and the lack of up-front checking of applications.
The growing number of Android versions is also a security challenge, as there is no mechanism for providing automatic security updates.
"It is up to the mobile carriers to update the Android operating systems on customer handsets and apply security patches," Ferguson said.
He said that while there is not yet an "absolute plague" of mobile malware, there is sustained criminal interest in mobile – particularly Android – and that is not going away.
The security threat is not just about vulnerabilities, though. It is also about permissions asked for, and granted to mobile applications.
Mobile apps for Flickr, Flixter and Facebook, for example, all have the ability to know the location of handsets and what phone numbers they are calling, when and for how long, said Ferguson.
About 20% of Android apps request permission to access private or sensitive data; and the iOS address book is accessible to all applications, said Rick Chandler, treasurer at security and privacy association, EEMA.
One study revealed that one in 20 mobile applications has the ability to place a call to any number without interaction from the user, while another showed that apps often have the ability to do things that users are not aware of, such as send phone numbers, device IDs and location data.
The YouGov research reveals that 34% of UK smartphone owners do not read access permissions they agree to when installing applications.
The IT department and mobile malware threats
IT departments are in many cases losing visibility and control because of the increasing number of employee-owned handsets connecting to corporate networks.
"De-standardisation of handsets and operating systems increases the difficulty of managing mobile devices and the challenge of data protection, because of the unpredictability of where data will be consumed," said Ferguson.
In the commercial world, however, businesses need to be agile enough to move at the speed customers demand, and they are continually seeking to increase productivity. Mobility can help meet these demands as well as help attract and retain talent.
But how can IT meet these demands, while at the same time keeping risk to levels acceptable to the business?
IT departments should have a strategy in place that will enable them to say "yes" to the business and regain visibility and control, said Ferguson. Otherwise the business will find a way around obstacles the IT department puts in its way.
At the same time, IT cannot say "yes" to everything without first considering the business case, the operating system involved, the sensitivity of the data and what risks the business is willing to accept.
Embracing mobility requires IT to enforce policies, install anti-malware, encrypt data and implement remote tools for locking handsets and wiping data.
IT should also be able to monitor and react to security threats; and integrate mobile devices with corporate security information and event management (SIEM) systems where they exist.
Where employees are using their own devices for work, IT departments could also reduce the security risks by providing corporate applications in a virtual environment, said Peter Wood, chief executive at FirstBase Technologies.
Virtual environments can be controlled by the enterprise remotely and ensure no sensitive data is stored on the smartphone locally.
A data-centric approach is key, said Nader Henein of the advisory division, Blackberry security group, Research in Motion. "Encryption in iOS and Android means only part of the operating system is encrypted, but a data-centric approach allows corporate IT teams to lock away specific files and know exactly where the data is," he said.
To help enterprises overcome the problem of separating corporate and employee data, RIM has developed BlackBerry Balance, which provides a comprehensive set of technical controls.
A data-centric approach, said Henein, also encourages organisations to focus on what is needed from a data protection point of view and not just on what is required to tick a checkbox in a regulatory compliance audit.
"Do not assume that an encryption solution is sufficient, and always check that remote wipe tools actually do what they claim to do," Henein said.
Henein also revealed RIM is working on evolving Blackberry Enterprise Sever. The next generation, dubbed "Mobile Fusion", is aimed at enabling organisations to support a wide variety of devices from multiple manufacturers, as well as multiple form factors.
Can smartphone users and the IT department make a deal?
However, Wood said security technologies and technical controls will only be effective if they are backed by strong mobile security policies, such as those used by the US Army, NASA, Intel and Citrix, which have all been published and can be used for guidance.
Each of these policies, said Wood, is an example of a legal contract between the company and employees that ensure data protection requirements are met in return for some benefit.
Employees agree to use two-factor authentication and allow the installation of firewalls, anti-virus software and tools for data encryption, remote wipe, patch management and remote lock, for example, in return for corporate support such as backup of personal data, anti-virus protection and web-filtering.
"This is an intelligent approach to security: go to the users and say 'let's make a deal' that benefits both parties," Wood said.
Despite operating systems' inherent vulnerabilities, growing malware threats and device and user management challenges, it appears that controlling corporate data on mobile devices is not a lost cause.
But it does require a proactive response that includes drawing up a policy; striking a deal with users to ensure the policy is enforced; educating business managers on risk to get top-down support; educating users on why controls are necessary; and taking a data-centric approach to ensure all data is protected.
Organisations should be following these security principles if they have a mobile strategy for their business operation, regardless of whether 2012 will indeed be the year of the mobile anti-virus explosion or not.
Having a security plan will help an organisation reduce the chances of being at the centre of the first significant smartphone malware attack, whenever it may happen.