Mobile Device Security
Your Ultimate Guide to Mobile Device Security
It should come as no surprise that the evolving modern tech landscape is forever changing the way we see threats. Securing company and organizational data is no longer about physical security; it's about digital protection. Mobile devices have quickly become a welcomed addition to the modern workplace but also an access point vulnerable to all kinds of security threats. Consequently, mobile device security has never been more important.
Even so, it appears as if the models currently in place across many data-sensitive industries fall short of achieving true security. It's not an easy task. Mobile devices can present vulnerabilities across almost every layer of the device’s software and hardware, from applications to physical components like radios and biometric devices. If your team is ready to take on mobile device security head-on, what do you need to know?
Read on to explore the modern mobile device security landscape, examine the vulnerabilities inherent in devices and discover what’s happening in the security industry to lock down sensitive data.
A lot of confusion surrounds mobile device security. This is mainly due to a misunderstanding about what separates smartphones from traditional computers. To most people, the two seem so different that they must face different security concerns and issues. The reality is that the security risks that plague a computer are also a thorn in the side of mobile devices.
What often happens is that individuals or organizations assume that mobile device security is not as big of a priority as other IT cybersecurity infrastructure. In 2019, research found that 24% of all enterprise mobile devices were prone to threats — not including out-of-date software. This significantly opens up the chances of major security breaches when malicious actors decide to infiltrate systems.
By taking security challenges in mobile devices seriously, businesses can design systems to protect sensitive information stored on devices like laptops, mobile phones, tablets and wearables. At the root of mobile security is the goal of keeping unauthorized users from accessing your enterprise network.
The truth is that a huge portion of the workforce has gone mobile. The COVID-19 global pandemic further exacerbated this trend and pushed otherwise strictly in-person positions into mobile and remote work. This includes defense sector employees working under strict security regulations. Since mobile devices pose a significant security risk, accounting for all those devices and keeping them properly managed has become a huge challenge across all industries that deal with sensitive and classified data.
Mobile devices are an integral part of operations for many different organizations throughout various industries. The ubiquity and connectivity of mobile devices puts them in the prime position as a huge attack surface for malicious actors.
As these devices advance and evolve, so do security threats to mobile devices and the countermeasures needed to mitigate them. With the evolution of the modern mobile operating system (OS), the security environment for these devices shifted.
Smartphones, tablets and wearable devices become prime targets for attackers as they offer the opportunity to access large amounts of personal and work-related data. As enterprise-level organizations started implementing these devices into their IT infrastructure, it dramatically altered the threat landscape for mobile devices.
Let’s explore some primary attack surfaces and security challenges in mobile devices.
Apps running on top of mobile device operating systems (OSs) are particularly vulnerable to security threats, both from weaknesses within the application itself, especially in third-party apps, and from malware. Some threats are specific to particular OSs, and some apply to all devices.
Threats for applications are numerous. One, the man-in-the-middle (MiTM) attack, exploits a vulnerability in the authentication mechanism of the software application. Here, an attacker can impersonate a back-end developer and gain access to the app.
With this type of attack, the attacker will have access to unencrypted transmitted data. Other application threats include poorly implemented cryptography and other risks like a breach of sensitive information in the system logs.
Malware threats are also quite common. One risk an end-user needs to be aware of is malicious applications disguised as legitimate software. These “trojan apps” offer functionality for the user but also contain hidden functionality that provides an attacker access to the device. With third-party applications clogging up OS app stores, it can be hard for end-users to parse what’s safe and dangerous.
Authentication is a big part of mobile device security. You’ll often find the mechanisms for authentication grouped in one of three categories.
- User to device — These are authentication mechanisms used by the user. This includes passwords, fingerprints and voice recognition.
- User or device to remote services — These mechanisms allow a user, or non-person entity (NPE), to access and authenticate an external process, device or service.
- User or device to network — This is the mechanism used to authenticate to a network like Wi-Fi and commonly includes cryptographic tokens.
As you can imagine, plenty of security risks are present for user to device. This doesn’t have to be a super tech-heavy attack either; it can be something as simple as leaving your password on a sticky note out in the open for an attacker to see. Conversely, other attacks are more sophisticated, like biometric authentication spoofing.
When authenticating to remote services, you can fall victim to a security attack through phishing websites or just by having your credentials stolen. When it comes to network authentication, the most common risk is storing your credentials in an insecure location. In each of these scenarios, an attacker can gain access to your device and your information, and possibly to other networks and systems attached to your device.
Modern mobile devices require a host of hardware components integrated within the device to accomplish all kinds of communications mechanisms. Some operate wirelessly, while others require physical connections. Some of these technologies include:
- Near-field communications (NFC)
- Secure Digital (SD) card
- Physical connections like power and sync cables
For each technology listed, you’ll find plenty of potential threats. Cellular threats can come in the form of air interference attacks, including eavesdropping and device identification. With Wi-Fi, you can face SSID tracking. Bluetooth can make your device vulnerable to a whole range of threats, from BluePrinting — remotely fingerprinting devices — to simple pairing attacks that can leave you susceptible to a MiTM attack.
Most devices require a full list of networks and interconnected systems to support modern mobility standards. It’s just not the case that mobile devices work in a vacuum; they require outside systems. Add to that the many software applications that require cloud services to operate, and you can see how this mobile ecosystem poses a massive threat for users.
These services add a level of convenience to using a mobile device but are intrinsically tied to the risk they carry. In this situation, this ecosystem of connected services gives attackers ample opportunity to distribute malware or other harmful software to end-users.
With mobile OS providers, you often find dedicated app stores that focus on providing applications to users. Another element that complicates the vetting process for apps is that many third-party applications exist that don’t fall under the supervision of the OS vendor. If end-users don’t understand the risk, downloading a malicious app, opening a phishing e-mail or clicking the wrong link could easily provide attackers easy access.
Most mobile devices share similar architecture to, say, a desktop computer. Similar, but not the same. In mobile devices, extra functionality is needed to provide services outside cellular connectivity. Components that provide this additional functionality include radios, a full suite of sensors and other components like cryptographic processors. Not to mention the common components you’d think about when listing off your phone’s features.
- HD touchscreen
- Audio interface
Smartphones and tablets separate hardware and firmware with regard to cellular network access. This all happens in a component called the baseband processor. In most cases, when a user boots up their phone, the OS will run initialization code before the user can access the device.
At every piece of this technology stack are inherent risks. This could include code execution vulnerabilities within the SD storage, SIM card threats like malicious applets or even firmware sources like bootloader unlocking. Even though most mobile OSs will feature isolated execution environments, for those serious about security, you should not take these threats lightly.
While most enterprise-level organizations should take mobile device security seriously, some industries and sectors are often the prime targets for attacks. As we’ve learned, the modern mobile device is basically a giant attack surface for malicious actors. Pair that with the rising implementation of devices across different networks, and you can easily see why the risks and threats seem to be evolving faster than the technology that protects us.
Securing mobile devices in healthcare is an often unaddressed risk in the industry. Threats are no longer confined to the hospital beds and doctor’s offices but rather present in every connected device in use across hospital campuses. With more and more mobile devices being introduced to healthcare environments, data breach risks for patients’ protected health information are higher than ever — and so is the need for securing mobile devices in healthcare.
Additionally, medical device security threats are becoming a troubling trend. A 2021 report by McAfee found vulnerabilities in certain types of infusion pumps that may have allowed hackers to increase the dosage to patients remotely. Medical devices and mobile devices, and the networks they connect to, are increasingly becoming vulnerable to cybersecurity risks.
In 2020, during the height of the global pandemic, over 500 healthcare providers reported being victims of ransomware attacks. These attacks leave hospitals at risk of situations like ambulance diversions and electronic health record (EHR) downtime. What makes these issues so important is the fact that the use of mobile devices, connected medical equipment and healthcare applications isn’t stopping anytime soon.
It should come as no surprise that financial services experience a higher level of cybersecurity attacks than other sectors. With a generally higher volume of traffic and mobile devices connecting to public Wi-Fi, financial services are ripe for attacks. These can come in the form of phishing, malware, crypto-jacking or just the use of outdated OSs. Malicious actors are constantly targeting phones, tablets and other devices.
Even for organizations that implement Mobile Device Management (MDM) solutions to manage devices, these risks still exist. With managed devices, security is often an afterthought. This is especially true when it comes to certain attacks like phishing. Since MDM solutions usually only set app and access policies, they don’t necessarily monitor risks when individuals use apps and networks not under MDM control.
Most financial services organizations struggle to keep up with an evolving regulatory landscape, the rapid increase of cloud migration and the implementation of bring-your-own-device adoption. Managing threats and keeping devices secure is becoming a significant challenge for many organizations.
Military and Defence
The need to protect mobile data has quickly become a prime concern for federal agencies and other governmental organizations. With high-profile breaches, like the attack on then-White House Chief of Staff John Kelly’s smartphone, it's becoming obvious that the threat landscape is rapidly changing.
The use of mobile devices provides an invaluable asset, but keeping those devices secure is another challenge in and of itself. Sensitive information, like location data, doesn’t just come from devices like smartphones, either. Other high-profile events, like the leak from fitness tracking app Strava in 2018, have shown us that threats are becoming more advanced and adaptable to the modern landscape. To keep up, mobile security needs to evolve, adapt and meet threats intelligently.
It’s obvious that governmental employees will continue to use their devices in the workplace. Even with enterprise mobile management (EMM) and MDM solutions, it's difficult to enforce certain security policies that are enough to mitigate threats independently. With the future of warfare seemingly being information-based, the impetus to implement lasting solutions for mobile device security has never been stronger.
The problem inherent in approaches to mobile device security is the increasing complexity of attacks and the versatility of mobile devices. Our world revolves around the smartphone. Take that center of gravity and put it in a workplace, and you’ll find that a huge part of work-related and personal activity happens on the same device.
While we’d like to present a dramatic narrative for the source of these threats, in most cases, it's not nefarious foreign spies cracking codes but rather vulnerabilities spotted by attackers and exploited. As we’ve outlined in our risk section, the threats toward mobile devices are staggering. So, how are businesses, organizations and the government handling mobile device security?
Bring Your Own Device
As modern workplaces evolve, the bridge between personal electronics and work electronics slowly blurs. This is especially true when it comes to mobile devices. Implementing a bring your own device (BYOD) solution to your organization has its benefits. It also presents some unique security challenges. BYOD enables workers to use their own personal devices for work-related activities. But, with increased flexibility comes the increased risk of data theft and breaches.
To manage a BYOD deployment from a security perspective is quite a challenge. It often includes implementing long-term commitments to employee education regarding mobile device security best practices to keep end-users aware of common risks. To be successful also means implementing other security strategies like application installation controls and blacklisting or whitelisting applications.
Even with these extra precautions and policies, inherent risks still exist that aren’t so easily mitigated. For instance, if admin access remains on devices, it can be an entry point for attackers looking to steal data. For devices that are supposed to be personal, finding the balance between security and flexibility is part of the challenge.
Corporate-Owned Personally Enabled
When companies implement a corporate-owned personally enabled (COPE) approach to mobile device security, challenges still exist in protecting devices that deal with sensitive data. Organizations will still need to manage risks from different types of network and application threats effectively while giving end-users seamless access to workplace resources.
Securing COPE devices usually means developing infrastructure containing on-premise EMM, virtual private network (VPN) services and other security measures. Even with modern approaches to COPE, attacks still manage to happen against the most secure systems.
Another issue is the fact that the organization is responsible for managing a fleet of devices and developing guidelines for managing and securing those mobile devices in the enterprise. To create the best security environment, teams will need to regularly update devices for firmware and security changes as well as organize device deployment. If operating with control parameters through the Commercial Solutions for Classified (CSfC) program, this could mean working through a staggeringly slow implementation process.
Cloud and Hybrid Systems
As fast as solutions for mobile device security become available, it seems like technology advances another step — presenting new threats and challenges along the way. Adapting to the modern landscape of cloud computing and hybrid systems means developing novel solutions to protect data while still offering remote access to resources.
As you can imagine, giving devices constant access to different cellular networks and Wi-Fi connections presents some significant security challenges for mobile devices. Any way you approach it, storing protected data on mobile devices and giving access to transmit data opens networks to security vulnerabilities.
Usually, a security policy for hybrid or cloud systems includes:
One of the major struggles that affect any approach to mobile device security is underlying vulnerabilities in mobile OSs. In the modern landscape, every bit of information can find its way into the wrong hands. In the case of mobile devices, architecture built to relay device information for different marketing and data research efforts presents a significant risk for mobile device security.
As a device travels through the world, it interacts with all kinds of communication networks. At every step of the way, you’re leaving a breadcrumb trail of data for all to see. This is what we call digital exhaust — and it's a big issue for mobile device security.
Built into popular technologies are synchronization frameworks. We’re talking about major companies like Google and Apple. Within applications like iCloud or Google Chrome are inherent background services that transmit your data without you even knowing what’s happening. This is not a mistake; these services actually work quite efficiently.
As you can imagine, this can open secure information up to threats without you even knowing. For example, let’s say you have your personal iCloud synced with a work laptop. When you go home, the information you put into the Notes app on your work computer makes it to your home before you even have time to unlock the door. Once secure data enters an unsecured network, it’s ripe for attack.
Phones That Never Stop Tracking
One of the challenges of working with consumer technology is that digital exhaust is a huge threat. While you’d hope that you could easily remove these tracking services from the underlying software, it’s actually quite hard. Even for phones that are off, some phone manufacturers allow for periodic checks for Wi-Fi, Bluetooth and other sources to gather information.
What does this mean? Well, it means that no matter what you do, your phone will be tracking you. The threats we detailed earlier are always risks you take when using mobile devices, regardless of the security measures you implement.
To create a truly secure mobile device platform, you need to essentially strip away that functionality from the underlying OS. This is easier said than done as it takes working intimately with a manufacturer to develop the hardware and a complete overhaul of the mobile OS.
Here at Archon, we wanted to tackle all these issues, including digital exhaust, and create a truly secure platform. Our original objective was to create hardware that would work with CSfC requirements. This fairly strict framework means our devices can work with the highest levels of classified information.
The platform we’ve created in Archon Mobile applies to more than just the defense sector, though. In fact, all the problems and threats we’ve learned about today plague any industry that puts mobile devices into its network.
So, what approaches to mobile device security are we implementing? How does our platform remedy some of the major issues and threats facing mobile devices and secure data?
Separating Work From Personal
At its core, we’ve got a simple idea. What if we could separate all the secure components of mobile devices from everything else? Our system lets users set up “personas” for both personal and work-related activities. These can be configured in various ways.
These personas are completely isolated from the underlying OS. This means that if a security breach occurs, access to other device functionality is practically impossible. In the CSfC environment, this could mean having end-users perform sensitive tasks in a VPN environment that exists outside the phone itself. If, by chance, someone is tracking these activities, the persona system will only allow them to see the VPN the end-user is operating within and not what’s happening outside that persona.
For an unclassified data situation, like a community of interest perspective in hospitals, work-sensitive applications could reside in one persona, while personal applications reside in another. This has massive potential to help with securing mobile devices in healthcare.
If an end-user engages with a phishing email or a trojan-style application in their personal persona, the work persona is perfectly safe and isolated from the threat. You could even manage these containers with separate security policies.
Privacy That’s Relevant to Everyone
Remember that digital exhaust issue? Well, with Archon Mobile, we’ve built our OS from the ground up using the open-source version of Google’s Android OS. This means that we’ve stripped away all the synchronization functionality that was the root of the security threats we outlined earlier.
The best part is that everything looks and feels the same as using any other Android device. For the end-user, these security features don’t impact any day-to-day operations. Additionally, the mobile device is truly secure. When we say a device is off, we mean it — no periodic Wi-Fi checks and routine data uploads when you’re not looking.
Even with all these security features and different systems, personal education toward mobile device security best practices will always be relevant. At the end of the day, it's often the end-user who creates the vulnerability. Attackers just take advantage of them.
Developing and delivering training for employees on mobile device security is essential. So what are some best practices you can add to your mobile device security checklist?
- Bluetooth — Disable Bluetooth when not in use. Airplane mode does not turn off Bluetooth, so keep that in mind.
- Passwords — Use strong lock passwords and PINs and enable device wipes for multiple incorrect attempts.
- Applications — If you can, keep applications installation to a minimum and close apps when they aren’t in use.
- Messaging — Be mindful of sharing sensitive information, even if it feels like the content is generic.
- Location services — If you can, disable location services when you don’t need them.
- Public Wi-Fi — Avoid using public Wi-Fi if possible.
Of course, these are just a few of the best practices you and your team should consider. To keep your mobile devices secure requires more than just mindful operations; it requires a comprehensive plan on both the back-end and the front-end. Keeping these best practices in mind will help mitigate some of the risks and threats, but unless you’re working with a truly secure system, you’ll always face threats.
When it comes to mobile device security, risks and threats are numerous. With today’s rapidly evolving tech landscape, our reliance on connected mobile devices is becoming a cornerstone of the modern workspace. With future trends like cloud computing also being adopted at lightning speed, new and novel approaches to securing our devices and data are becoming that much more important.
Today’s modern mobile devices like smartphones, tablets and wearables present unique challenges. The variety of attack surfaces means implementing comprehensive guidelines for managing and securing mobile devices in the enterprise is that much more difficult. Sensitive information is an asset in many different industries, but some, like defense, healthcare and financial services, present unique challenges. Even with different deployment models, MDM and EMM, threats and vulnerabilities still manage to plague modern networks.
Mitigating these risks often requires a bottom-up approach. With Archon Mobile, we work intimately with CSfC guidelines. This means our platform is built to handle classified data securely, effectively and, most importantly, easily. The technology behind Archon Mobile isn’t just for the defense sector; it's for any business or organization that values data security. To learn more about how we can help your team effectively manage a secure network of mobile devices, reach out today.