Due to advances in technology, mobile devices are not just a means of voice communication anymore; they have evolved into a complete computing platform, primarily because of an increase in both storage and processing capabilities. The emergence of mobile platforms such as iOS and Android has also had an effect [1]. With internet speeds comparable to those of a PC, the number of users accessing the web through their phones has surpassed desktop access. Thus mobile phones are the primary choice when it comes to accessing information such as email, social media, banking and other financial services [2].

There are a lot of security and privacy risks involved with mobile phones. A modern smartphone knows a lot about its current owner: it knows the user's current and past locations, photographs, private text messages and banking credentials. Because the phone is always connected to the internet, it is highly susceptible to hacking and malware exploits [3]. It is reported that "at least 80% of mobile apps have security and privacy issues" [4], which suggests that the mobile environment as a whole is far from secure and that data privacy and security present severe worries for users.
McAfee [5] said in 2011 that they had discovered a rise in malware attacks on mobile devices and that the total malware count had gone past 70 million. As mentioned previously, modern smartphones have the same processing power as a desktop unit; nonetheless, device manufacturers as well as users have failed to realize that mobile devices warrant the same level of protection against malware and hackers as desktop computers. Since modern mobile platforms such as Android, Firefox and Ubuntu are based on Unix-like operating systems, they incorporate a lot of security measures such as code signing and hardware isolation. However, they are still not on the same level as desktop computers, which possess superior features like firewalls or application control.

The need for security on mobile phones becomes crucial for the following reasons:

1. Processing and Storing Sensitive Information: As mentioned earlier, mobile devices nowadays are used for accessing a wide range of services, from personal activities such as banking and shopping to corporate activities like email, enterprise resource planning and customer relationship management. This involves a lot of storing, processing and transmission of highly sensitive data such as login and banking credentials, which makes mobile devices a prime target for hackers.

2. Non-transparent Use of Mobile Devices: Due to the ever-growing adoption of smartphones, a policy named bring-your-own-device (BYOD) was established. It is when an employee takes his/her personal devices, such as a mobile device and a laptop, to the workplace and uses them there [5]. This comes with its own fair share of problems, with the main one being privacy. Using one's own device leads to company information being stored on personal devices, which makes it hard to enforce restrictions and policies on the phones. A mobile phone is easier for an attacker to compromise than a company-issued device.

3. New Technology: As time advances, new and better technologies are developed, such as Near Field Communication (NFC), which makes contactless payments possible, and Quick Response (QR) codes, which store data. These open up new forms of attack such as eavesdropping. Data corruption and manipulation are typical security issues when dealing with NFC. QR codes can also be used to enable phishing attacks and can link users to malicious websites hosting worms, viruses and Trojans.

In comparison with a PC environment, attacks can have the same devastating effect on a mobile phone, threatening the functionality of the device as well as applications that hold confidential information. The portability of mobile phones brings in more security threats: each year an enormous number of phones are either lost or stolen, and while the stolen or lost phone might cost a few hundred dollars, the personal and corporate information stored on it is much more valuable. Figure 1 below displays some of the threats involved in a mobile environment. Some of these are somewhat similar to those predominant in a desktop environment, while the rest are more prevalent in a mobile environment.

Figure 1. Threats in a Mobile Environment.

Applications on a mobile phone can either be native or mobile web.
A native application is able to take advantage of the operating system's features. Mobile operating systems like iOS and Android offer device-level encryption. Almost all mobile operating systems offer APIs for encryption, which can be used in the application, as well as access permissions for resources. The problem then lies with the application developer, who has to add all of these security features. If sufficient security features are not put into place, the mobile device is vulnerable to the following risks:

1. Insecure Storage of Data: This happens when highly sensitive data stored on a mobile device or in the cloud is not well protected. This is due to improper or no encryption of data stored either on the phone or in the cloud.

2. Client-side Injection: Other than the usual injection attacks like HTML injection, SQL injection and XSS, mobile apps have seen a rise in new attacks such as the SMS attack, which can spread malware, and war dialling, which can identify phone numbers that are able to make a successful connection with a modem so as to gain remote access.

3. Disclosure of Sensitive Information: When sensitive information such as login credentials or access tokens is hardcoded into the app, it is easy for an attacker to obtain this information by simply reverse engineering the code. Once the attacker has it, it is only a matter of time before the sensitive information is accessed.

Based on how important the application is, suitable security controls should be put in place in case any of the threats shown in Figure 1 should ever arise. These are described as follows:

1. Multifactor Authentication Schemes: These are able to address the inadequacies of conventional authentication schemes such as passwords and personal identification numbers, which can easily be obtained by an attacker through brute-force and dictionary attacks, as well as guessing. An additional layer of security such as one-time passwords can be added on top of the user's credentials, thus strengthening security.

2. Digital Signature: A Public Key Infrastructure (PKI) can be used to verify authenticity and integrity. iOS provides support for the management of digital certificates and offers APIs to verify digital signatures.

3. Data Encryption: This is the most important requirement for sensitive data both on the device and in transit. This can be done through SSL/TLS encryption mechanisms. iOS and Android are able to provide device- and file-level encryption.

Mobile devices are going to continue to be targeted by attackers; with 224.3 million Americans [8] making use of smartphones and e-commerce on mobile devices becoming more common, these attacks are only going to increase. However, if these mobile devices are securely managed and potent security features are incorporated, then users will be well protected from any potential attack.
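The hardcoded-credential risk described under Disclosure of Sensitive Information above can be caught before an app ships by scanning the strings in a build the same way a reverse engineer would read them. The following Python scanner is an added example, not code from the original text; the sample lines, the identifier patterns and the entropy threshold are constructed for illustration.

```python
"""Scan text pulled from an app build (decompiled source, resource files,
or `strings` output) for credentials that look hardcoded. Added example:
the input lines and the thresholds below are constructed, not from a tool."""
import math
import re

# Constructed sample: lines as they might appear in decompiled app sources.
SAMPLE_LINES = [
    'private static final String API_HOST = "api.example.test";',
    'private static final String API_KEY = "AKIAEXAMPLEKEY1234567890";',
    'String password = "P@ssw0rd-dev-only";',
    'String label = "Welcome back";',
    'static final String ACCESS_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.AbCd";',
    'String cfg = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08";',
    'int retries = 3;',
]

# Identifier names whose string values are almost always secrets when hardcoded.
SECRET_NAME = re.compile(
    r'(?i)\b(api[_-]?key|secret|password|passwd|access[_-]?token|private[_-]?key)\b')
# Any `identifier = "literal"` assignment; group 1 is the name, group 2 the value.
ASSIGNMENT = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, UI text scores low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines):
    """Return (line_no, identifier, reason) for each suspected hardcoded secret."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if SECRET_NAME.search(name):
            findings.append((no, name, "secret-like identifier"))
        # A long, high-entropy literal is flagged even under an innocent name.
        elif len(value) >= 20 and shannon_entropy(value) > 3.5:
            findings.append((no, name, "high-entropy literal"))
    return findings


if __name__ == "__main__":
    for no, name, reason in scan_lines(SAMPLE_LINES):
        print(f"line {no}: {name} ({reason})")
```

Findings are a review queue, not proof: the fix is to move the value out of the binary (server-side, or a per-install token issued after login), since obfuscation only delays the reverse engineer the text describes.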