
Mobile Security - Why You Should Care

Nearly all professional working people in the western world have access to a mobile phone.  These phones are generally not just phones.  They're portable laptops, with processing and storage capabilities greater than a desktop PC of 25 years ago, yet we treat them like toys that can easily be replaced.

With every pay monthly contract sold (especially in the UK), an equivalent monthly insurance policy is sold too.  We're constantly reminded about the dangers of dropping the phone down the toilet, or smashing the screen after inadvertently leaving the phone in your back pocket, or damaging the outer casing by not having the correct protective membrane.  For another £12 a month, you can have 'peace of mind' that you're protected.  Great.

But what about the stuff the phone is actually used for?  Does that get protected too?  What stuff, why should I care about protecting that?



Why Should I Care?

Well, if your phone is used for work, it's quite likely you'll have a list of contacts: phone numbers, perhaps email addresses, and perhaps postal address, job title and so on.  You may also have cross-linked social networking account data for these contacts too - Twitter, LinkedIn, Facebook amongst others.  This is basically the digital version of your 'little black book'.  But they're just contacts, not really bothered about that.  Well you should be.

But it's not just your contact list that is on your phone.  What about all the emails you've sent and received?  If you use your mobile for full-on work communication, this is the bit where the CISO/Infosec Manager has a bit of a wobbly over the whole Bring Your Own Device (BYOD) piece.  Your phone is suddenly an inadvertent extension of the corporate network, albeit one not particularly regulated or managed by the corporation.  Work related emails (should) contain work related content.  Attachments.  PDFs, spreadsheets, numbers, policies, customer details, accounts, records, meetings and so on.  All stored locally on your phone.

From a personal perspective, other aspects of data storage are a concern.  Geolocation data is now commonly used to make the most of a lot of key applications, like navigation and recommendation apps.  Suddenly your phone can easily pinpoint to the nearest metre where you are, and where you have been.  Social networking is all about the 'now', and being portable gives a smartphone the biggest edge over many social networking clients on the web and laptop platforms.  But how many times do you type in your username and password to access Twitter or Facebook on your phone?  With those tiny keys on the touch screen, you'll do it once or maybe twice, before hitting the 'save username and password' button.  Single Sign On is basically configured on your device.  Get access to the phone, get access to all your web and social networking related clients.

Attack Vectors

OK, so there's quite a lot of data on my phone.  But that's no different to my laptop, right?  What's the big deal?  Well there are several.  The attack vectors for a smartphone are more prominent and more vulnerable than for a laptop.  The first port of call is that laptop and desktop operating systems, for all their issues and vulnerabilities, are more mature than smartphone operating systems like iOS or Android.  That maturity comes in the form of patching and basic approaches to security and protection.  Many smartphone operating systems are difficult to patch due to bandwidth limitations.  The second main difference between laptops and smartphones is anti-virus.  How many have AV for their phone?  Very few.  Whilst there are some smartphone specific iterations of AV software, many are incomplete or expensive, limiting their uptake.

The biggest threat to a smartphone is that of a physical attack.  Mainly due to its size and value, theft is a major concern.  Once a physical device is stolen, there are two attack vectors: one is via the console of the phone; the second is via direct physical access to the SIM, on-board memory and storage card memory.

Another major area of concern for phone security is the apps that get installed on a daily basis.  Many apps are free, with no real training, configuration or reputation support.  How do you know that an app is 'safe', or correctly coded to a standard that is stable or non-malicious?  Whilst both Apple and Google are attempting to put verification processes in place to help identify rogue developers, the sheer size of the available app pool means malicious software will still get through.

Countermeasures?

From a basic standpoint, the phone should have a PIN to access the console.  Simple.  Everyone knows that.  iPhones provide a 4 digit capability whilst a lot of the Android devices can provide 6 digit PIN protection.  In general password management, the longer and more complex the password, the more secure it becomes.  This is mainly due to the increased time it takes to brute force the string.  This would generally point to a 6 digit PIN being stronger than a 4 digit PIN.  True.  But NOT if that 6 digit PIN is your date of birth - big fail.  The majority of 6 digit PINs contain date of birth values.   Aim for a PIN that isn't your landline or date of birth and, if it's a 6 digit PIN, perhaps contain a repeating value.
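The point above (a 6 digit keyspace is 100 times larger than a 4 digit one, but a date of birth or a landline fragment throws that advantage away) can be turned into a simple self-check. The following is an added example, not code from the original post; `assess_pin` and `date_layouts` are hypothetical helper names, and the `personal_numbers` list is something the user supplies (their own landline, for instance).

```python
from datetime import date

def _is_date(day: int, month: int, year: int) -> bool:
    try:
        date(year, month, day)
        return True
    except ValueError:
        return False

def date_layouts(pin: str) -> list:
    """Names of common date layouts the PIN can be read as (empty if none)."""
    f = [int(pin[i:i + 2]) for i in range(0, len(pin), 2)]  # two-digit fields
    hits = []
    if len(pin) == 4:
        d, m = f
        # a 4-digit PIN carries no year, so test against a leap year to allow 29/02
        if _is_date(d, m, 2000):
            hits.append("DDMM")
        if _is_date(m, d, 2000):
            hits.append("MMDD")
    elif len(pin) == 6:
        a, b, c = f
        def years(yy):  # a two-digit year may sit in either century
            return (1900 + yy, 2000 + yy)
        if any(_is_date(a, b, y) for y in years(c)):
            hits.append("DDMMYY")
        if any(_is_date(b, a, y) for y in years(c)):
            hits.append("MMDDYY")
        if any(_is_date(c, b, y) for y in years(a)):
            hits.append("YYMMDD")
    return hits

def assess_pin(pin: str, personal_numbers=()) -> dict:
    """Keyspace plus the weaknesses the post warns about: date of birth,
    fragments of personal numbers (e.g. landline), and trivial patterns."""
    if not (pin.isdigit() and len(pin) in (4, 6)):
        raise ValueError("expected a 4- or 6-digit numeric PIN")
    reasons = []
    if date_layouts(pin):
        reasons.append("reads as a date (possible date of birth)")
    if any(pin in n for n in personal_numbers):
        reasons.append("appears inside a personal number (e.g. landline)")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    steps = {ord(y) - ord(x) for x, y in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending or descending sequence")
    return {"keyspace": 10 ** len(pin), "weak": bool(reasons), "reasons": reasons}
```

A PIN that passes these checks still has only 10^4 or 10^6 possibilities, so the device's lockout after repeated wrong guesses is what makes the keyspace matter.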

Many networks now provide a 'lose and wipe' feature that effectively wipes data from the phone remotely if it becomes lost or stolen.  Whilst this seems an extreme approach, many corporate owned devices will have this type of protection in place as standard.

Disk encryption on laptops and servers is pretty common.  Even free and easy to configure software like TrueCrypt can provide adequate protection for the home user.  Many operating systems like Android can now provide phone and SSD storage encryption.  It normally isn't configured by default and will require poking around the settings of the phone, but it's not particularly complex and is worth doing.

Finally, when it comes to apps, there are a few basic steps that can be taken.  If there are apps you need, try and download from a developer with a significant download history.  Having 500k+ downloads provides a little credibility that the app does what it says without any side effects.  Try and avoid the app with 6 recommendations that seem to give an overly glowing reference.  They're probably either the developer themselves or friends and relatives.  Keep your apps up to date.  Many apps have small code bases which will be constantly evolving and improving, perhaps as often as once a week.  Whilst having the newest release can often bring new feature bugs, it's often worth the risk to have the most recent version from a security perspective.

Spring clean!  If you have an app installed that hasn't been used in the last 6-8 weeks, uninstall it.  Only keep the apps you use, and keep those updated.

I for one would be pretty lost without my phone, but it takes only a few seconds to be compromised, and only a few minutes to be a little safer.

(Simon Moffatt)
