Gretel Egan | April 08, 2015

Risky Business: Mobile Security Threats

 

Last updated: January 15, 2019


We’ve spoken in the past about mobile device security, and we imagine this will be a hot-button topic for years to come. Smartphones and tablets are only becoming more sophisticated, and with the emergence of wearables like Samsung and Apple watches and the continuous expansion of the Internet of Things (IoT), connections and communications between devices — and the data they generate — will only continue to multiply.

With this growth come new challenges for security — and new opportunities for scammers and hackers. When mobile phones were merely used for making phone calls while on the go, significant threats numbered in the single digits, namely the potential for voice phishing (vishing). Now, the dangers number in the thousands.

Phishing emails, smishing texts, unsecured WiFi connections, and Bluetooth vulnerabilities are likely the first threats that come to mind with modern mobile devices. But it’s important to recognize that nearly every “smart” feature poses a risk to your business. GPS tracking can reveal schedules and habits. Oversharing on social media can give scammers insights into personal and business pursuits. And virtually every app has multiple potential pain points disguised as permissions.

Take, for example, a study completed by Wombat Security co-founder Norman Sadeh and a team of researchers at Carnegie Mellon University, which showed that Android applications are requesting (and receiving) location data from users thousands of times per week, at all times of the day and night. As Sadeh stated, “The settings we have available on smartphones are very limited when it comes to giving us the ability to deny access to this information.”

Jason Hong, also a Wombat co-founder, has extensively studied the privacy implications associated with mobile apps and led a team of Carnegie Mellon researchers in developing PrivacyGrade.org, a site that allows users to review independent evaluations of app permissions and access requests. Hong told WIRED that free apps tend to be the most risky and that “many developers don’t even realize how sketchy their app’s behavior can be.”     


Three Mobile Security Practices to Implement Today

Whether your organization supports a BYOD policy or you supply and manage your own stable of devices, it’s critical that your employees understand the best practices they can use to protect the business and personal data that is stored and shared through their smartphones and tablets.

Our Mobile Device Security interactive training module is designed to help users recognize the importance of physical and technical safeguards, and help them improve the security of their mobile communications and connections. And our Mobile App Security module teaches users how to do their due diligence before downloading a mobile app.

To help you shore up mobile security in your organization in the short term, here are three simple, effective practices to ask of your employees today:

  • Go above and beyond a basic password – As we shared on our blog, the four-digit passcode that is the default on many devices is not a high enough bar to set with regard to a locking mechanism for smartphones and tablets. At minimum, users should upgrade to a six-digit code, though alphanumeric passwords and biometric options (think fingerprint scanners) offer even greater protection. But a word of caution: assuming your users understand the difference between a good password and a poor password is a mistake, as is evidenced by our analysis of SplashData’s Worst Passwords lists from 2015 through 2018.
  • Limit mobile interactions to trusted sources – Too many people are too lax with the connections they make via their mobile devices. Employees should be cautious about the emails and text messages they interact with, the WiFi networks they connect to, and the Bluetooth devices they pair with. And they should absolutely research every app prior to downloading it. Reviews and web searches can help reveal questionable permissions and dubious developers. 
  • Get serious about physical security – It can’t be overstated: Portability, as it pertains to business devices, is both a convenience and a curse. One study reported that 70 million are lost every year — and that only 7% of those are recovered. Consider for a moment the amount of data and the number of systems a mobile device gives access to. And then consider that some of these devices are no larger than the palm of your hand and are highly targeted by thieves. As a rule, devices should never be left unattended in public spaces, including office areas, not even for a few moments. If employees make a habit of physically securing their devices, it will reduce risks associated with loss and theft.

 
