By: Bryan Harte
Mobile device operating systems and apps do not offer sufficient security. In 2022, 82% of Android devices were susceptible to at least one of 25 Android operating system vulnerabilities [1]. Mobile device users may unknowingly store and share passwords & sensitive information. Mobile operating systems and apps have connection point options (APIs) that may allow cybercriminals to gain access and take control of the devices. Mobile devices are almost always connected allowing hackers to continually do attacks. This article covers key types of mobile cybersecurity challenges, tactics users and companies can take to protect mobile devices and mobile security tools and services.
The Android system is open-source software which is available for anyone to download and develop apps making it more vulnerable to malware threats. Research shows that 99 percent of all mobile malware detected was designed for the Android platform. [2]. In 2021, there were over 3.2 billion smartphone users and the user had installed approximately 80 apps and over 60% of their apps were unchanged after their initial installation and login [3].
The iOS operating system is closed and tightly controlled by Apple. The tight control with limited access to iOS has resulted in relatively low security risks as compared to the open Android operating system. It also means that less attention has been given to developing and using security services. In 2022, Apple warned of serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices. Apple described that hackers could get “full admin access” to the device and allow intruders to impersonate the device’s owner and to run any software in their name [4].
Mobile Security Threats
Common mobile device security threats include unencrypted data access, operating system vulnerabilities, mobile application attacks, app data leakage, riskware apps, unsecured wireless connections, network spoofing, phishing attacks and spyware.
| Unencrypted Data Access | Store passwords and sensitive data in unprotected memory areas |
| Operating System Vulnerabilities | Device operations software access points (APIs) that allow hackers to view, change data or have the ability to redirect device control processes |
| Mobile Application Attacks | Using mobile apps as a direct gateway to data and the mobile device operating system. |
| App Data Leakage | Unintended transfer of private or sensitive information to unauthorized users. |
| Riskware Apps | Software applications that can provide access and share data in unexpected ways. |
| Unsecured Wireless Connections | Using wireless connections that can be monitored & have potential transmission modifications (e.g. man in the middle – MTM). |
| Network Spoofing | Fake wireless and network access points that look like Wi-Fi and trusted networks. |
| Phishing Attacks | Fake or misleading messages that are designed to steal user login credentials, credit card numbers and other user data. |
| Spyware and Malware | Software that performs unauthorized activities without the end user’s knowledge. |
Table 1, Types of Mobile Security Threats
Unencrypted Data Access
Mobile devices may store data in unencrypted storage areas. This may be a choice the user makes without knowing of the security risks. Users may store sensitive information such as passwords, business data or other sensitive information in notepad or messaging apps. To protect from unencrypted data access, users should be made aware (e.g. employee guides, training) about what data is sensitive and where they should store it.
Operating System Vulnerabilities
Mobile device operating (OS) systems may have access points (APIs) that allow hackers to view or change data or provide the ability to monitor and interfere or redirect processes. These access points may have limited or no access connection controls. Once connected to the operating system, hackers may be able to take control of the device and its applications. Operating system vulnerabilities may be discovered and fixed with patches and version updates. To protect again operating system vulnerabilities, it is important that users continually update their devices with these security fixes and updated versions of operating systems.
Mobile Application Attacks
Cybercriminals may target their attacks on mobile apps. Mobile apps provide a direct gateway to data and the mobile device operating system. When apps are installed, users authorize apps to have access to the operating system and device data. Apps may have access vulnerabilities. Existing mobile apps may be sold and transferred and used by cybercriminals. This would give them direct control of apps already installed on many devices. To reduce the risk of mobile application attacks, you should be careful to use reliable app sources (official app marketplaces) and use mobile security apps and services.
App Data Leakage
App data leakage is the unintended transfer of private or sensitive information to unauthorized users. The information may be transferred to an app service provider for legitimate purposes. The transferred information may become available from the app providers to unauthorized users by accident or by security breaches. To minimize app data leakage risks, users should make sure they are using encrypted connections (the padlock symbol), avoid data caching (temp storing of data to speed up connections) and avoid using and sharing sensitive information with 3rd party services.
Riskware Apps
Riskware apps are software applications that can provide access and share data in unexpected ways. Mobile users may grant apps broad permissions to apps without understanding or checking security impacts. These can be free apps available in app stores that perform as advertised but they also may send personal or business data to a remote server where it may be mined by advertisers or cybercriminals. To reduce risk, users should only give apps permissions that they absolutely need in order to function correctly.
Unsecured Wireless Connections
Mobile devices may be connected using unsecured wireless connections such as WiFi. While WiFi connections offer free transmission, they are typically unencrypted which allows monitoring and potential transmission modifications (e.g. man in the middle – MTM). To ensure protected communications, users can connect using a virtual private network (VPN) that encrypts data transfer between mobile users and their destinations.
Network Spoofing
Network spoofing is the use of fake wireless and network access points that look like Wi-Fi networks, but are run by hackers. The hackers may allow most data to transfer creating the appearance that it is a normal hotspot connection. However, the hacker can capture the unencrypted data sent through the connection. Network spoofing is typically setup in busy public locations such as airports, malls and coffee shops. Mobile users should be careful when choosing which WiFi hot spots to connect with and not to enter sensitive data when asked to setup a login.
Phishing Attacks
Phishing attacks are fake or misleading messages or content that are designed to steal user login credentials, credit card numbers and other user data. When the recipient is tricked into clicking a malicious link, it can transfer private data or start the installation of malware. Mobile device users may be more susceptible to phishing attacks because apps display less information and mobile devices are always connected. Mobile users should go to standard login pages when responding to requests and not to click on links in messages that are not from trusted sources.
Spyware and Malware
Mobile apps may contain or get infected with spyware or malicious software that perform unauthorized activities without the end user’s knowledge. Once the malware infects the device, it may obtain sensitive information and transfer itself to other devices it is connected with. Mobile users should avoid installing apps directly from websites and use security software apps and services that can detect, block and remove spyware & malware.
Mobile Security Protection Tactics
To protect mobile devices and data, users can create strong passwords, get security awareness training, use secure connections and get apps from trusted sources.
Strong Passwords
Strong passwords are easy for you to remember but difficult for others to figure out. When creating passwords, do not use personal or publicly available information such as your name, user name, birthday or your email address. Create longer passwords, at least six characters or longer. Avoid using the same password for multiple accounts. More secure passwords include numbers, symbols, and a mix of uppercase and lowercase letters. Avoid using words that are included in a dictionary. Random passwords are the most secure. If you’re have difficulty creating secure passwords, a password generator can be helpful.
User Awareness
Helping users to understand how and when to take actions to protect their data and sensitive information can be one of your most successful security risk reductions. Users should understand that attackers are constantly working on new ways to attack.
Mobile security should be part of personal and company culture. Protection should be everyone’s responsibility and they should understand the risks, benefits and want to do it. Users should understand using their own device (bring your own device – BYOD) for company services and data can add security risks to the company. If there is a security breach, it can be an opportunity to do a security training session.
Trusted App Sources
To protect against mobile application attacks, users should be instructed to install trusted apps directly from the Android or Apple app stores and that the apps they install should have many downloads with recent software updates. It may also be helpful to install security apps and use security services. Users should also check to see if the business apps are created by the company. This can be done by viewing the developer information.
Mobile Security Services
Mobile security services can use runtime application self-protection (RASP) to identify, learn and adapt to security threats. Security apps and services continually get updated to identify, block and remove new malware software infections.
Runtime Application Self-Protection (RASP)
Runtime Application Self-Protection (RASP) is software that protects mobile applications from multiple types of malicious attacks by detection and prevention. RASP processes can detect and block attacks by using information from the software apps that are running. The RASP system uses monitors and can block network inputs during security attacks. RASP can provide warnings to the user, terminate communication sessions and shut down applications. RASP software does not affect the operation of the app. It only adds some security layers that use a small amount of processing power.
Mobile Security Services
Installing and using mobile security services can help to identify, block and fix security compromises. Security services may provide online protection for multiple types of devices including computers, phones, and tablets. Security services may use virtual private network (VPN) connections providing encryption privacy on all types of wireless connections. Security services can provide protection against password theft, ransomware, fraudulent websites and other attacks. They may be able to remotely locate, lock, and wipe data from lost or stolen devices.
Security services may provide app screening to ensure users are warned or prevented from installing apps that contain riskware or malware. Security applications may slow down applications and reduce the device’s battery life. Some security services may include restoration expert support and identify theft insurance to recover & restore your data and applications.
Top Mobile Security Services [5]:
Avast Premium Security – avast.com
BitDefender Mobile Security – bitdefender.com
Kaspersky Internet Security – kaspersky.com
Lookout Personal – lookout.com
Norton Mobile Security – us.norton.com
References
- “Mobile app statistics to keep an eye on in 2022,” ASEE.co, 5 May, 2022
- “Smartphone Mobile Security Tips,”, Kaspersky – usa.kaspersky.com/resource-center/preemptive-safety/tips-for-mobile-security-smartphone
- Mobile app statistics to keep an eye on in 2022, ASEE, 5 May 2022
- “Apple warns of security flaws in iPhones, iPads and Macs,” NPR, 19 August, 2022
- “The 5 Best Mobile Security Applications for Android and iOS,” Daniel Hein, Enterprise Mobility News, July 9, 2020