If you had to choose what you could not live without, I would bet your mobile device or smartphone would be near the top of the list. Since the internet's successful invasion of our daily life, the mobile device has become the next pervasive need we depend on heavily: it keeps us connected online anytime and anywhere. Convenience, however, does not come without a cost. Cyber criminals and attackers now find it easier to reach the victim directly.
Identify common mobile threats
OWASP's Top Ten summarises a good list of application-based risks nicely, but I prefer to take a further step and look at the device and the apps collectively. To identify the threats, we can start with the apps we interact with and work down through the multiple layers to the device hardware we physically possess. Each of these layers faces different threats; see the overview below.
The Mobile DNA layers
Application Layer - This is no different from any other software: poor coding practices create weaknesses and vulnerabilities that attackers can exploit. Fake mobile apps are another scheme, one that abuses users' misplaced trust.
Middleware & Service Layer - What makes apps explode in number is how quickly code can be made ready by leveraging available development middleware packages, keeping the device lightweight and pushing the heavy number crunching to backend services. App development is about speed of delivery, and security is often an afterthought. The application backend server is frequently the weakest link.
Operating System Layer - The most common mobile operating systems remain Android and Apple's iOS, with Windows 10 Mobile the new kid on the block. Besides the app patching woes, mobile devices have an issue of their own: they often run no security software. Devices are seldom preinstalled with security software (or ship only with a free, time-limited trial), and that opens up a can of worms.
What makes this worse for users is that the OS itself can be weakened: it is easy to root (Android) or jailbreak (iOS) a device, and the tools and steps are publicly available. It has been estimated that between 50% and 90% of users jailbreak or root their devices so that they can install pirated games or apps without restriction. It is not hard to imagine that such devices are already infected without the user being aware of it at all, a false sense of security.
Firmware & Hardware Layer - It is no surprise that security patches for a mobile device's OS are not always installed in a timely manner; at this layer it gets rarer still, since firmware is upgraded or patched infrequently.
The challenge grows when critical phone hardware is found to be vulnerable. For example, the phone's baseband processor handles the device's radio communication stack; a flaw there is subject to exploitation, and an attacker could eventually take control of your phone's calls and SMS traffic unbeknownst to you.
Put up and review the defense strategy
Address the threats quickly, otherwise the aftermath will be very costly. Allowing personal devices requires balancing the risk: official work on the same device needs to be segregated from unrestricted personal use. In such a BYOD scenario the enterprise is at its highest risk of cyber attack. Manage the risk and develop an enterprise-wide mobile security strategy that beefs up each mobile layer discussed earlier.
1. Application Layer - Adopt secure code development guidelines
Ensure the app on the mobile device is shielded from unnecessary risk of hijacking and manipulation.
Key focus - Defensive coding
2. Middleware Layer - Enforce an operational policy with consistent architecture & hosting guidelines
Ensure guidelines and instructions are established for compliance across the enterprise deployment.
Key focus - Identity & Access Control
3. Services Layer - Conduct risk assessments and make sure all identified risks are closed
Ensure any residual risk is adequately managed and any risk acceptance is signed off by the appropriate stakeholder.
Key focus - Authentication & Session management
4. OS Layer - Adopt continuous data confidentiality & privacy controls
Ensure sensitive (personal) and operational data are protected from leakage.
Key focus - Audit trail & Log activity monitoring
5. Firmware Layer - Maintain a consistent cryptography standard across the deployment
Ensure the standard is applied so that the integrity of the apps and the device posture stays high.
Key focus - Security Validation
6. Hardware Layer - Establish contractual support for the supply chain
Ensure strategic partners are used as reliable providers, together with their affiliated downstream suppliers.
Key focus - Secure Platform & Network communication
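The backend server was called the weakest link above, and two of the key focus areas (Identity & Access Control, Authentication & Session management) land exactly there, alongside defensive coding for the app. The following is an added example, not code from the original article or from any product it mentions: a backend issues session tokens to a mobile app that are HMAC-signed, short-lived and bound to a device identifier, and the weak verifier beside the hardened one shows the mistakes those focus areas are meant to catch. The key, user id, device id and 15-minute lifetime are constructed sample values and assumptions of this example.

```python
"""Added example for this article: stateless session tokens for a mobile
app's backend service. Tokens are HMAC-SHA256 signed, short-lived and bound
to a device identifier. All keys and identifiers used here are constructed
sample values, not real data."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed session lifetime; a design choice, not a standard


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _device_fingerprint(device_id):
    # Hash the device identifier so the token never carries the raw id.
    return hashlib.sha256(device_id.encode()).hexdigest()


def issue_token(server_key, user_id, device_id, now=None):
    """Return '<base64 payload>.<base64 tag>' signed with the server key."""
    now = int(time.time() if now is None else now)
    payload = {
        "sub": user_id,
        "dev": _device_fingerprint(device_id),
        "iat": now,
        "exp": now + TOKEN_TTL_SECONDS,
        "nonce": secrets.token_hex(8),  # makes every token unique
    }
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(server_key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(tag)


def verify_token_weak(server_key, token, device_id):
    """The 'before' version: plain string compare of the tag (timing leak),
    no expiry check, and the device id argument is never looked at."""
    body, tag = token.split(".", 1)
    expected = _b64e(hmac.new(server_key, body.encode(), hashlib.sha256).digest())
    if tag != expected:
        return None
    return json.loads(_b64d(body))


def verify_token(server_key, token, device_id, now=None):
    """Hardened verifier: constant-time tag check before the payload is
    parsed, then expiry and device binding. Returns the payload or None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(server_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(tag), expected):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None  # malformed token: reject, never raise to the caller
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return None
    dev = payload.get("dev")
    if not isinstance(dev, str) or not hmac.compare_digest(dev, _device_fingerprint(device_id)):
        return None
    return payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-deployment secret, generated here for the demo
    tok = issue_token(key, "user-42", "device-abc")
    print("same device accepted:", verify_token(key, tok, "device-abc") is not None)
    print("other device rejected:", verify_token(key, tok, "device-xyz") is None)
    later = time.time() + TOKEN_TTL_SECONDS + 1
    print("expired rejected:", verify_token(key, tok, "device-abc", now=later) is None)
    print("weak verifier still accepts it:", verify_token_weak(key, tok, "device-xyz") is not None)
```

The order of checks matters: the tag is verified in constant time before anything in the payload is parsed, so an attacker-controlled body is never decoded, and every rejection returns None rather than raising, so a malformed token cannot turn into a stack trace or a 500 on the service. Binding the token to a hashed device identifier means a token lifted from one handset (a rooted device, for instance) does not work from another, and the short lifetime limits how long a stolen token is useful.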
On Reflection - What's more ...
The list does not end here; it will be an ongoing effort to beef it up to suit your own mobile DNA.
Word of advice - always learn and adopt good practices from the community, and engage and network actively.
They are the wisdom of the crowd, and I benefited from it, hence this article. Look out for reputed bodies such as OWASP and the National Cyber Security Centre, NCSC.NL.
Have a smooth journey in securing your mobile device and apps!