Mobile devices are an integral part of operations for many different organizations throughout various industries. The ubiquity and connectivity of mobile devices make them a huge attack surface for malicious actors.
As these devices advance and evolve, so do the security threats to them and the countermeasures needed to mitigate those threats. With the evolution of the modern mobile operating system (OS), the security environment for these devices has shifted.
Smartphones, tablets and wearable devices have become prime targets for attackers because they offer the opportunity to access large amounts of personal and work-related data. When enterprise-level organizations started bringing these devices into their IT infrastructure, the threat landscape for mobile devices changed dramatically.
Let’s explore some primary attack surfaces and security challenges in mobile devices.
Apps running on top of mobile device operating systems (OSs) are particularly vulnerable to security threats, both from within the application itself, especially in third-party apps, and from malware. Some threats are specific to particular OSs, and some apply generally to all devices.
Threats for applications are numerous. One attack, called the man-in-the-middle (MiTM) attack, finds a vulnerability in the authentication mechanism of the software application. Here, an attacker can impersonate a back-end developer and gain access to the app.
With this type of attack, the attacker will have access to unencrypted transmitted data. Other application threats include poorly implemented cryptography and other risks like a breach of sensitive information in the system logs.
Malware threats are also quite common. One risk an end-user needs to be aware of is malicious applications disguised as legitimate software. These “trojan apps” offer functionality for the user but also contain hidden functionality that provides an attacker access to the device. With third-party applications clogging up OS app stores, it can be hard for end-users to tell what’s safe from what’s dangerous.
Authentication is a big part of mobile device security. You’ll often find the mechanisms for authentication grouped in one of three categories.
- User to device — These are authentication mechanisms used by the user. This includes passwords, fingerprints and voice recognition.
- User or device to remote services — These mechanisms allow a user, or non-person entity (NPE), to access and authenticate an external process, device or service.
- User or device to network — This is the mechanism used to authenticate to a network like Wi-Fi and commonly includes cryptographic tokens.
As you can imagine, plenty of security risks are present for user-to-device authentication. This doesn’t have to be a super tech-heavy attack either; it can be something as simple as leaving your password on a sticky note out in the open for an attacker to see. Other attacks are more sophisticated, like biometric authentication spoofing.
When authenticating to remote services, you can fall victim to a security attack through phishing websites or just by having your credentials stolen. When it comes to network authentication, the most common risk is storing your credentials in an insecure location. In each of these scenarios, an attacker can gain access to your device and your information, and possibly to other networks and systems attached to your device.
Modern mobile devices require a host of hardware components integrated within the device to support all kinds of communication mechanisms. Some operate wirelessly, while others require physical connections. Some of these technologies include:
- Near-field communications (NFC)
- Secure Digital (SD) card
- Physical connections like power and sync cables
For each technology listed, you’ll find plenty of potential threats. Cellular threats can come in the form of air interference attacks, including eavesdropping and device identification. With Wi-Fi, you can face SSID tracking. Bluetooth can make your device vulnerable to a whole range of threats, from BluePrinting — remotely fingerprinting devices — to simple pairing attacks that can leave you susceptible to a MiTM attack.
Most devices require a full list of networks and interconnected systems to support modern mobility standards. It’s just not the case that mobile devices work in a vacuum; they require outside systems. Add to that the many software applications that require cloud services to operate, and you can see how this mobile ecosystem poses a massive threat for users.
These services add a level of convenience to using a mobile device but are intrinsically tied to the risk they carry. In this situation, this ecosystem of connected services gives attackers ample opportunity to distribute malware or other harmful software to end-users.
With mobile OS providers, you often find dedicated app stores that focus on providing applications to users. Another element that complicates the vetting process for apps is that many third-party applications exist that don’t fall under the supervision of the OS vendor. If end-users don’t understand the risk, downloading a malicious app, opening a phishing e-mail or clicking the wrong link could easily give attackers access.
Most mobile devices share a similar architecture to, say, a desktop computer. Similar, but not the same. In mobile devices, extra functionality is needed to provide services outside cellular connectivity. Components that provide this additional functionality include radios, a full suite of sensors and other components like cryptographic processors. That is in addition to the common components you’d think about when listing off your phone’s features:
- HD touchscreen
- Audio interface
Smartphones and tablets separate the hardware and firmware used for cellular network access from the rest of the device. This all happens in a component called the baseband processor. In most cases, when a user boots up their phone, the OS will run initialization code before the user can access the device.
Every piece of this technology stack carries inherent risks. These could include code execution vulnerabilities within the SD storage, SIM card threats like malicious applets or even firmware sources like bootloader unlocking. Even though most mobile OSs feature isolated execution environments, those serious about security should not take these threats lightly.