Rethinking Mobile Security

Published: 22/11/2024   Category: security




Debate whirls around the hype of mobile malware and the solutions we have to fight it



As the explosion in mobile devices hits enterprise networks in force, the IT security community will need to reinvent the way it addresses malicious behavior within software if it is going to stay apace with the risks. The fact is that even though many of today's mobile devices are essentially little computers, the traditional host-based approach the industry has taken with their PC counterparts might not apply. Aside from the form-factor difference, the way malware writers approach mobile information theft is shifting, and -- besides all that -- the line between good applications and bad applications is quickly blurring, experts warn.
"I think mobile is a real wake-up call to a lot of security professionals," says Michael Sutton, vice president of security research at Zscaler ThreatLabZ. "The mobile space is going to require us to completely rethink the way that we do security. We can't do things the way that we used to, and I think that most security vendors are just trying to repeat what was tried in the PC world beforehand."
One of the big reasons why traditional antivirus approaches won't fly is simply that the form factor is different.
"The device has limited resources, battery life is critical, and you don't want to have things running in the background that you don't have to," Sutton says. "Plus, on the flip side, if you look at the iOS world, it's just not even an option because you can't run things in the background; Apple has made the decision that is not going to happen."
According to Sutton, in order to address the risk of mobile malware, security firms need to find better ways to inspect and protect data in transit rather than necessarily focusing on what's going on within the device itself. This is especially key considering that his researchers at Zscaler's ThreatLabZ are finding that the biggest risks are not necessarily from outright malicious software, but from good applications behaving badly.
"We're not seeing a lot of malware so much propagating on the mobile space as we are apps with a lot of privacy concerns -- apps sharing information that people aren't aware of, and apps that have not been built securely," Sutton says. "A few months back we were looking at some iOS apps that would ask you for your password to popular services like Google Docs, and all of those authentication credentials were just stored in clear text. So anybody who got a backup of your phone could go through that in plain text."
Sutton's points about the balance of risk between mobile malware and privacy-smashing apps offer an interesting take in a heated debate that has been frothing for years now, and has come to a head recently with comments from Chris DiBona, open-source programs manager for Google. DiBona said that antivirus companies selling protection for Android, RIM and iOS are "charlatans and scammers." DiBona kicked over a hornet's nest within the security world by questioning whether mobile malware is even a real threat.
"Well, it's definitely not the Easter bunny, I'll tell you that," says Brian Contos, director of global security strategy at McAfee. "I think maybe a few years ago people might have been able to make that argument and to some extent that it was such a small percentage of the malware ecosystem that it was relatively negligible. But we're seeing a lot more of it now."
According to McAfee Labs, mobile malware in the wild is growing significantly, particularly on the Android platform. In its quarterly threat report, researchers with the outfit reported Android malware rose by 37 percent in the last quarter. But these types of numbers can vary wildly -- a similar report from the Juniper Global Threat Center reported that its researchers measured an increase of Android malware from July 2011 to November 2011 of 472 percent. Similarly, Vanja Svajcer, principal virus researcher at SophosLabs, reported that over the last three months the number of unique malware samples sussed out by Sophos jumped four-fold. But even researchers at Sophos give a little credence to the point that even though mobile malware has grown and should be on most IT security pros' radar, it's still pretty uncommon. After all, that four-fold jump was from 500 unique pieces found to 2,000 unique malware samples found.
"Malware on mobile devices is a reality but is still very rare. You are far less likely to encounter malware for your phone than for your PC," says Richard Wang, manager of SophosLabs US. "The official marketplaces for both Android and iOS have good records of swiftly removing any malware found on them, reducing exposure to users who only use official sources for their apps. Mobile platforms are comparatively safe but not entirely free of risk. Users should take care of their data whatever device it is on."
Consensus throughout the industry is that, yes, some entities may overhype the numbers or the capabilities of their mobile security products to one degree or another. But that doesn't mean mobile malware threats and mobile security shouldn't be taken seriously.
"It would be crazy for anyone to dismiss the possibility of devices becoming compromised," says Jason Baron, partner and director of consulting services at Welsh Consulting. "Hackers operate on free market principles, but they don't really have the impediment of law or ethics that a real company has to worry about. So if there's a profit motive to exploit mobile devices, then they're going to exploit them."
Kevin Mahaffey, CTO and founder of Lookout Mobile Security, echoes Baron's thoughts, saying that just as mobile technology is operating at Mach speed, so too are the threats.
"While PC threats took decades to evolve, mobile threats have been advancing in a fraction of the time," Mahaffey says. "Because mobile phones have in-band payment mechanisms -- the ability to charge premium-rate phone calls and text messages to a user's phone bill -- malware writers have a much easier time monetizing their attacks than the PC."
What's more, even though the form factor is different, mobile devices and PCs share one very important element that hackers will be looking to take greater advantage of in the future: use of the web. This may well be one of the biggest lessons the industry should take as it figures out just how to protect those little computers in our pockets.
"One of the most prolific pieces of malware in the last few years was Zeus, which is a man-in-the-browser attack. One of its incarnations actually installs a Trojan on Symbian, Blackberry and jailbroken iPhones, that can basically allow the man-in-the-middle software on the desktop or laptop to work efficiently by intercepting multiauthentication tokens," Contos says. "So, it's here and it's going to grow as people start using mobile devices more and more for banking, online shopping and doing the things they typically would on a computer. We're going to see many more attacks focused that way."