Top security fears for mobile devices

Security observers share concerns about major mobile operating systems, including Apple iOS, Google Android and RIM's BlackBerry, that consumer and corporate users should beware of.
Written by Ellyne Phneah, Contributor

The risks mobile devices pose to enterprises and consumers are mounting with the rising adoption of smartphones and tablets. Not only are cybercriminals finding the growing base lucrative to target, weaknesses and vulnerabilities of mobile platforms also make their effort worthwhile.

David Hall, Symantec's regional consumer product marketing manager for the Asia-Pacific region, told ZDNet Asia that the fact that more people are using smartphones and tablets has not gone unnoticed by cybercriminals. Citing the Symantec Internet Security Threat Report Volume 16, Hall said that mobile operating system vulnerabilities jumped from 115 in 2009 to 163 last year--an increase of 42 percent.

As more users download and install third-party applications for mobile devices, the possibility of installing malicious apps also increases, he added in his e-mail. Malicious code is now designed to generate revenue and there are likely to be more threats created for these devices as people increasingly use them for sensitive transactions such as online shopping and banking, he explained.

"Attackers are constantly looking for new avenues to exploit and profit from unsuspecting users, but until there is adequate return on investment to be found from exploiting new devices, they will likely continue to use tried and true methods," Hall said.

When it comes to enterprises, the proliferation of mobile devices is a cause for concern since both personal and corporate information are now present on them, George Kurtz, executive vice president and CTO of McAfee, said in an interview. Additionally, mobile technologies are moving "rapidly" even though they are still relatively "immature", which makes it difficult for organizations to grapple with the situation, he said.

Hall, Kurtz and other security industry insiders shared with ZDNet Asia the security holes present in major mobile OSes--Apple iOS, Google Android, Microsoft Windows and Research In Motion's BlackBerry--as well as concerns associated with devices running on these platforms.

iOS devices
The iOS security model is well designed and has proven to be largely resistant to most types of attacks, but this does not necessarily mean that iOS users do not face risk now or that the risk will not increase in future, Hall noted.

1. Jailbroken devices not safe
Having a provenance approach is a good security implementation for smartphones, Hall said, but Apple's provenance approach applies only to devices that have not been "jailbroken".

Under Apple's model, each iOS app is digitally signed to carry the mark of the author and for tamper-resistance. This enables an end-user to decide whether to use an application based on the author's identity, and for publishers to analyze the application for security risks before publication, Hall explained.

Symantec's Norton Mobile Security Whitepaper revealed that jailbroken devices have already been the target of at least two computer worm attacks, and will likely be the target of increasing volumes of malware in the future.

"Apple vets every single publicly available app," he said. "While this vetting approach is not foolproof, it has thus far proved a deterrent against malware attacks, data loss attacks, data integrity attacks and denial-of-service attacks."

2. Encryption not foolproof
Another pillar of security implementation is encryption, which seeks to conceal data at rest on the device to address device loss or theft, Hall said.

"iOS' encryption system provides strong protection of e-mail and e-mail attachments and enables device wipe, but it provides little protection against a physical device compromised by a determined attacker," he said.

3. Limitation to app isolation
The Symantec executive added that smartphones should have application isolation, which attempts to limit an app's ability to access sensitive data or systems on a device.

"[Apple's] application isolation model totally prevents traditional types of computer viruses and worms, limits the data that spyware can access [and] also limits most network-based attacks, such as buffer overflows, from taking control of the device," he said. "However, it does not necessarily prevent all classes of data loss attacks, resource abuse attacks or data integrity attacks."

Android devices
The security model of Android platforms is a major improvement over the models used by traditional desktop and server-based OSes, Hall noted, but "no one mobile platform is perfect".

Naveen Hegde, senior market analyst at IDC Asia-Pacific, pointed out that the openness of the platform will make Android devices "susceptible to virus and intrusions".

"Google has opted for a less rigorous certification model, permitting any developer to create and release apps anonymously, without inspection," Hegde said in an e-mail. "This lack of certification has arguably led to today's increasing volume of Android-specific malware."

1. Weak provenance
According to Hall, Android's provenance system enables those with malicious intent to anonymously create and distribute malware.

Android ensures that only digitally-signed applications may be installed on Android devices but Google performs no vetting on either apps or the application author, and malware authors can easily sign their malware apps with anonymous certificates, he said.

Its default application isolation policy isolates apps from each other and from most of the device's systems but there are several notable exceptions, such as apps being able to read all data on the SD card "unfettered", Hall added.

2. Permission systems too technical for users
Android's permission system, while extremely powerful, forces users to make important security decisions but, unfortunately, many are "not technically capable" of making such decisions, argued Hall.

"Android ultimately relies upon the user to decide whether or not to grant permissions to an app, leaving Android users open to social engineering attacks," he said.

3. No encryption
At the moment, Android offers no built-in, default-level encryption and instead relies on isolation and permissions to safeguard data, Hall noted. As a result, a simple jailbreak will allow cybercrooks access.

McAfee's Kurtz also warned that users often overlook how easily hackers can gain physical access to their devices. Without encryption, lost or stolen smartphones would mean data loss and serious consequences for organizations if sensitive corporate information is compromised.

Windows devices
Vincente Diaz, malware researcher at Kaspersky Labs, observed that attack likelihood is directly related to the popularity of the target and ease of exploit. The Windows mobile platform, he added, is not the most popular at the moment but there is still malware associated with it.

In his e-mail, the U.S.-based researcher told ZDNet Asia that Microsoft's mobile OS is set to grow its market share, which would correspond to an increase in malware targeting Redmond's platform, especially if malware creators can reuse their knowledge for the PC and server Windows platform.

1. Device encryption not complete
IDC's Hegde pointed out that Windows devices do not provide entire device encryption. "This means it's possible for a hacker to access your phone's data without the password or PIN," he explained.

With this lack of full device encryption, data could also be potentially recovered by a hacker, he said.

2. VPN connections, full backup not supported
Windows devices also do not support full backups and regular VPN (virtual private network) connections, Hegde added.

He stressed the importance of VPN connections, as they are commonly used to securely access files and network resources when away from office.

Malware available
There is a long list of malware for earlier versions of Windows mobile platforms, representing some of the first samples ever collected on mobile devices, Diaz noted. Most of the malware for this platform was created before the smartphone boom and mainly designed to automatically send SMSes to subscribe to paid services.

However, he maintained that the mobile Windows OS has been and is still "in a heavy redesign process" and today's versions of malware have "nothing to do with those old ones".

Similar to Android, today's most common threats for Windows mobile users are fake apps in official marketplaces, noted Diaz. These apps do not use any exploit, which prevents them from getting control of the affected device, but are "more of a scam".

BlackBerry devices
While BlackBerry has been offering smartphone-like features for a long time, their approach is different from other manufacturers, Diaz said. Cybercriminals, he noted, are "not interested" in targeting BlackBerry as it is a closed ecosystem with few apps and focuses mainly on enterprise users.

While it is "very hard" to remotely hack a BlackBerry device, as demonstrated in last year's Pwn2Own contest, with almost no malware families directly targeting them, it is still possible and BlackBerry users are "not 100 percent safe", the Kaspersky researcher warned.

"In the [BlackBerry] landscape, we see general scams, but not specific threats," Diaz concluded.

1. Easy application approval
RIM allows developers to sign applications with keys it issues, Hegde of IDC noted, which means they are able to "sign whatever they choose" without "further testing" from a testing authority.

To its credit, RIM does require developers to register with the Canadian mobile maker and provide details and payment, but no real ID check is done, Hegde said. "This means someone can register with a stolen credit card and publish under a false name or can misuse this process."

2. Inconvenience in security measures
Measures taken to secure BlackBerry devices might cause inconvenience to users, deterring them from implementing the features, added Hegde. For example, if users choose to encrypt their contacts, caller names will not appear on incoming calls when their BlackBerry phones are locked, he explained.

Before a BlackBerry is "sent out for repair", sold or "thrown in the trash", most users would delete all data from the phone, but the wiping process cannot be stopped once it is started and can take up to an hour if device encryption is activated, he added.

According to Hegde, RIM recently released a security advisory about a hole on BlackBerry servers that can be used by an attacker to compromise a system remotely.

"The vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of 10.0 [for] high severity," he said. "Vulnerabilities exist in components of the BlackBerry Enterprise Server that process PNG and TIFF images for rendering on the BlackBerry smartphone."
