
Mobile Device Security for SMOs


The first group of mobile devices appeared in the mid-nineties and provided personal organisation applications. These were called PDAs (short for Personal Digital Assistant) and were a digital version of the Filofax or diary. Several of these were around until they fizzled out as an alternative to paper-based diaries and organisers.


Introduction

When mobile phones took off, Microsoft created a mobile version of Windows to run on a mobile phone. This offered users an opportunity to connect to Wi-Fi, download apps, receive email, read documents, amongst other things.


However, mobile devices were still not that interesting for Organisations to consider using in large numbers. This changed quickly when devices like the BlackBerry, iPod, iPhone, iPad and Samsung devices were introduced, because these new breeds of device created "Bring Your Own Device" (BYOD) in Organisations. Most Organisations were not ready to deal with opening up their networks to personal devices, but it happened nonetheless.

The transition from dumb devices to smart devices brought with it two dominant operating systems (OS) which pushed the others into an early retirement. These two operating systems realised very early that to win over users they had to make the OS as open as possible to application developers, as the more apps that were available, the more users they would attract.

This opening up was not just of the OS, but essentially an opening up of user data: the contact list, the accounts users created, what apps they downloaded, and so many other things, which some big tech took full advantage of. Privacy was the casualty of this OS war to win over customers through applications on the platform.

Security in the OS and the apps was not even an afterthought, as the OS platform owners themselves collected vast amounts of data without permission. Although some of this has changed due to legislation (and a belated realisation that taking our data was wrong!), the OS platform owners now seem to be promoting more effective security and privacy.

Over the period of this quick overview, what has happened is that mobile devices can now represent individuals, as they can be used to access all the services that they subscribe to, pay for things in shops, transfer money to other people and accounts, reset our services via email or messaging, verify who we are (our identity), use electronic tickets to travel on trains and planes, control who gets into their home while they may be on the other side of the world, see who is going in and out of their home, control heating, lighting and energy in their home, etc. The list is endless.

Our mobile devices are a representation of us, and the more we use them for all the services that are available on them, the more they become us. So, the more applications and services we subscribe to on our mobile devices, the more capable they are of becoming us in our absence. Is this risky for Small Organisations?

Attacks on mobile devices

Attacks on mobile devices have existed for many years, and the use of the devices for so many other functions and services has made them even more valuable as attack targets, not less.

This is only likely to increase not decrease, given that we already use them to do the following:

  • Store personal data that is not stored anywhere else
  • Store password lists
  • Receive SMS based one-time-passwords (OTP) or second factor authentication apps
  • Access email services, which are the primary accounts used to reset all key apps and services. To some extent this defeats the object: it's not as bad as having passwords on a sticky note on a computer screen, but if the device is compromised it isn't far behind
  • Banking accounts and services are stored on them
  • Payment card details for many different types of services, from PayPal to debit / credit and store cards
  • NFC payment functions
  • Record and edit HD video and high-quality audio
  • Storing device location data
  • Purchasing travel tickets, stubs, etc.
  • To connect with our friends, family, work and social contacts and followers
  • To communicate with known and unknown people
  • To track our likes and/or dislikes of things
  • Accounts for key services, like music, film, games, etc.
  • Vouchers or money equivalent services
  • Shopping orders and delivery times and dates
  • To access home SMART hubs
  • To access home CCTV
  • To access smart locks for homes and modern cars
  • To access cloud storage for both personal and organisation data
  • To access administrator dashboards for business cloud services.

New uses that we can expect in the future are likely to be those which are more personal and more IoT and control related, since many of the communication type apps and uses have already played out to an extent.

Vulnerabilities of mobile devices


The vulnerabilities of mobile devices can include the following:

  • They can easily be lost, misplaced, stolen or accessed without our knowledge
  • Not secured with the locking options available
  • The OS is not updated as quickly as a PC OS when vulnerabilities are discovered
  • There are often several hundred apps on each device, where each app often wants to collect as much data about users as possible
  • Apps are often not written by people who understand secure coding practices, and are driven more by the desire to increase the installed user base
  • Vulnerabilities in the libraries used by these apps, where the time between discovery and the app being updated offers a big window of opportunity for attackers
  • Device clipboards are used and shared by most apps including password managers
  • A malicious app can automatically send premium text messages or make calls to premium numbers earning money for the criminals
  • A malicious app can spy on a smartphone owner, recording video and audio, steal credentials and documents stored on the device
  • A malicious app can utilise a device to mine for cryptocurrencies or other functions like DDOS attacks
  • Unscrupulous apps known as 'fleeceware' that after a short trial, automatically lock users into subscriptions with recurring high monthly fees.

Who owns what?

As mentioned earlier, data protection legislation has been around for some time in most countries in the world. The terms and conditions for many apps were such that uploading data onto the app platform transferred ownership of that data to the platform, where users only had use of it despite creating it. This has changed on the whole, but many platforms still reserve rights on how they can use the data. Most users are unlikely to read the very long list of conditions, and there are still concerns as to who the platform may share the data with, even if it now belongs to users.

With that said, Organisations should not forget that they have data protection responsibilities which extend to data and access on their mobile devices. Where an Organisation receives a "Data Protection - Subject Access Request", it may be asked for any photos taken at events, etc., as well as messages in all their different formats.

The security of a new device

Most new devices are sold with default settings enabling and allowing either one or more of the following three players to collect data:

  • The platform owner
  • The manufacturer
  • The telephone signal carrier supplying the device.

All three can and may have installed some default applications which cannot be uninstalled and will collect data about you. As has been said many times by the media, "You are the product". The only one of the three that users can cut out is the third one, by purchasing the mobile device separately from the mobile contract. This means that Organisations and/or users would have to have the resources to purchase the device outright at the start. The added benefit of doing so is that there are often good deals to be had on "SIM only" contracts, and that there is no danger of overpaying for a device in long contracts that do not separate the connection and the device costs.

Over the last few years modern devices have developed features to clone the data and settings from an old device to a new device just by placing the devices next to each other, to make it easier for users to upgrade. This feature could also be used to clone a device if certain credentials are known by an attacker who has physical access.

Set-up and configuration

When most people get a new mobile device, they are excited by it and want to use it as soon as possible, so they often take short-cuts. Compare this to a computer in an organisation environment, where the IT person or team will configure it for security first and load all the applications that are permitted, and the user will only get the device once it meets the organisation's security policy.


Because mobile devices have been considered as personal devices, rather than corporate devices (other than perhaps the old Blackberry devices) or those in organisations where a Mobile Device Management (MDM) system is in place, usually users are left to get on and set up the device.

The prerequisite is that a user will have an email account attached to the platform owner for them to communicate with the user/owner. The hope is that it will become the default email account, using the default email App on the device, giving the platform greater connection with the user - and obviously, considerably more data.

One of the first few actions in setting up a new device is to connect to a network, whether it is a Wi-Fi or a mobile carrier network, to register and validate both the user and the device – connecting the two with the network (and surrounding Wi-Fi network names in the area, thus providing a location of the user.)

One of the most important user settings to configure properly is the permissions settings for each application. There are two ways that this can be done. One is by viewing advanced permissions which show an overview of which apps have permissions to which protected functionality, such as the camera, microphone, contacts, etc. The other is to view the application itself.

Different people take different approaches. I generally give no permissions to any app, add a permission when I use the app, and then remove the permission again when I have finished using it. What Organisations actually suggest for their employees will depend on their sector, the app and the risk.

Pattern, PIN, password or biometric

We have moved from having no controls to access a device to having a choice of controls. The first option was a four-digit PIN; added to this was a pattern or password, as well as a six-digit PIN, and finally we were offered biometric controls to access our devices. Fingerprint recognition came first, then facial and retinal.

The disadvantage with the use of a pattern to unlock devices is that security professionals and researchers have shown it is probably one of the least secure, because it leaves smudges on the screen which can later be observed, and because a pattern that an onlooker observes is easier to remember than four to six digits typed on a keypad that presents randomised digits.

PINs on mobile devices were thought to be as easy to crack as patterns until randomised keypads were introduced, because no matter how many times an onlooker watches someone type a PIN, unless they can clearly see every digit pressed they will not be able to guess the PIN as easily as they could on a static keypad.

Fingerprint recognition was considered a step up from patterns, PINs and passwords, as it is quicker and more convenient for unlocking devices. In certain premium devices facial recognition was added alongside or replaced fingerprint recognition, though in all cases a PIN remains to avoid device lockout if the biometric authentication fails, which it often does for various reasons, like wet hands.

The challenge with the use of any biometric is that if an attacker has physical access and is able to change the biometric data, either by adding themselves or removing existing biometrics, they could then access the device without the owner's knowledge at a later date, when the device is left on a desk for example.

There can also be scenarios where it is difficult for the real owner or authentic person to prove that they are the real owner or person. This is true regardless of the type of biometric data we are talking about, because the way most biometric data works is that it is not the image of the fingerprint, face, eye or retina that is stored, but rather a set of attributes related to that biometric. It is a representation and attributes of that body part or behaviour that is stored, and attached to the set of attributes which represent that body part or behaviour will be an owner.

Network and other device connections

For convenience most users allow their devices to connect automatically to certain networks, like the work or home Wi-Fi. Also, many users keep their Wi-Fi on most if not all of the time. The combination of these two settings is that the mobile device is constantly looking to see if any of those automatically connected networks are within reach. This means that anyone around you can very trivially identify which SSIDs your device is trying to connect to, and this gives an attacker enough information to set up a spoofed network, so that your device innocently connects to it and the attacker can collect any data exchanged between your device and the services being connected to.

The recommendation is to keep Wi-Fi off by default, and not to set any network to connect automatically. This gives the user the choice about if, when and which network to connect to, and in reality it doesn't take much time to make that connection.

It is a convenience vs risk consideration. Whether the device is valuable because it has so much on it, so that a compromise could result in high losses, or it is used as a basic telephone with connections to services of low value, the decision is simple either way.

A similar approach is recommended when using and connecting via Bluetooth or other technologies (e.g. car unlocking apps, etc.).

Default apps

Those familiar with Cyber Essentials and similar certification schemes will be aware that the requirement is to uninstall or disable all default applications that come with the device if they are not used. This is not always possible with many modern smartphones, as many of the pre-installed apps are locked and cannot be removed.

The other type of default app is the one a user chooses for a specific function, for example the default app to receive, read and send emails, or the default app for editing images or videos. This choice is also important, as not only do users want familiarity, they also want the best tool for the job and the device, and sometimes they want to use the same tool across several platforms.

The challenge is that many default apps users use for specific functions will want access to data, accounts, payment options, camera, contacts, email, etc. So, it is important that when selecting the default app for a function, users choose one that doesn’t demand too many permissions to function. This is the way that the Facebook app took user data as well as collecting much more without users actually understanding what was being asked or taken.

We usually recommend choosing default functionality apps based on the company behind the app and what is known about their data protection stance – are they known to be privacy conscious or not. Some of this can be picked up from the app reviews, and further supplemented by a quick search in a browser.

As mentioned above, in the early days the two OS platforms almost allowed a free for all. Now they both seem to be adding in controls and settings to make it easier for users to control what apps do, but are also making greater efforts to not allow data stealing apps onto their platforms. However, this does not mean that the criminals aren’t getting past such things by allowing some apps to grow first and then add the malicious code in an update. Or to use the ad networks in free apps to lead users onto sites which cause browser and device compromises.


Both platforms have been known to remove hundreds of thousands of malicious apps, some free and some paid for, when they have been discovered. In all cases no-one knows what data may already have been stolen from them, whether it was just contact lists or material to blackmail the user.

So, choosing the default apps for each function can make a difference to the security of a mobile device in the same way it does for laptops and desktops.

Selecting apps

Every smartphone will have one or more official App stores where apps can be reviewed and purchased. Non-Apple devices can also access apps directly from vendors or developers, known as side-loading, bypassing the App stores and their vetting procedures altogether. This allows enterprise apps to be installed on corporate mobiles, but also allows criminals to create and distribute apps that hide a malicious function, like stealing credentials or covertly recording the user.

There have often been dangers in loading apps that are not from the official app stores; however, many of the larger app developers are not happy with the high fees that the stores charge, which makes the apps more expensive for consumers. There seems to be a growing move to bypass the store monopolies.

For many years several Android device manufacturers, like Samsung and Amazon, have also had their own App stores. Such stores may increase going forward, and there are advantages and disadvantages on both sides. For Small Organisations, the decision should be based on risk: what are the benefits of using an alternative app store, compared to the risks?

Selecting apps should be based on organisation need for work devices, and all other personal apps loaded should be those which are from recognised and verified brands and suppliers.

The selection of App stores and actual apps is more of an issue where the organisation does not use a Mobile Device Management (MDM) application, which once installed onto the organisation or personal mobile device will manage permissions to protect the data, devices and apps. There are a few good enterprise solutions around that are free for Small Organisations that are worth considering.

Downloading apps


There is more to downloading apps than just downloading, because when a user downloads an app the first thing that will happen is that it will want permissions to access other apps, data, hardware, etc. If it is a free app and relies on revenues from ads, it could use more data for ads than the user understands; it may also have many other add-ons which are on a pay-per-use model, or add-ons which may have malicious code.

There are many types of apps which, to be of use, rely on additional downloads, be it images, templates, etc., and many users just go ahead and download anything that is suggested without considering whether it may contain malicious code.

The combination of the use of the network (bandwidth), the device’s storage space, and access to other apps, other functionality and user data are the key considerations that Organisations should encourage their users to make.


App settings

When an app is opened, the first step for many is to see what they can do with it and get up to speed quickly, which, as mentioned above, involves downloading things to get the greatest benefits. However, the first step should be to configure the app's permissions: to access location services, photos, camera functionality, or to link the app to a social media profile, etc.

Although this may happen a lot less than it used to, the first thing that several of the social media apps used to do was to access the device's contact list and import it. The point is that to get the best out of every app, users should set the app up in the right way with the right permissions, so that it is optimised for the user's use, not left at the app developer's defaults for whatever they want to access for their own purposes.
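As an added example (not code from the article or from Virtually Informed) tying together the vulnerability list above, the advice to pick default apps that do not demand more permissions than they need, and the permissions-first set-up step: a Python script that reads the permissions declared in constructed Android manifests and ranks apps by how far they exceed an assumed per-category policy, weighting the permissions behind premium-rate SMS and calls, OTP interception, covert recording and contact harvesting. The manifests, app names and the category policy are assumptions made here; the permission strings and the android XML namespace are the real ones.

```python
"""Added example, not code from the article: flag Android apps whose
declared permissions go beyond what their stated function needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"  # real namespace
P = "android.permission."

# Permissions that enable the abuses the article lists (real names).
HIGH_RISK = {
    P + "SEND_SMS", P + "CALL_PHONE",                  # premium-rate abuse
    P + "RECEIVE_SMS", P + "READ_SMS",                 # SMS one-time passcodes
    P + "RECORD_AUDIO", P + "CAMERA",                  # covert recording
    P + "READ_CONTACTS", P + "ACCESS_FINE_LOCATION",   # harvesting / tracking
}

# Assumed policy (this example's own): what each kind of app legitimately needs.
EXPECTED = {
    "flashlight": set(),
    "messaging": {P + "READ_CONTACTS", P + "CAMERA", P + "RECORD_AUDIO"},
    "maps": {P + "ACCESS_FINE_LOCATION"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name")
            for el in root.iter("uses-permission")
            if el.get(f"{{{ANDROID_NS}}}name")}

def audit(name, category, manifest_xml, policy=EXPECTED):
    """Return (excess, high_risk_excess) for one app; empty sets mean clean.
    A category missing from the policy is treated as needing nothing."""
    excess = declared_permissions(manifest_xml) - policy.get(category, set())
    return excess, excess & HIGH_RISK

def rank(apps, policy=EXPECTED):
    """Worst offenders first: most high-risk excess, then most excess overall."""
    rows = []
    for name, category, xml in apps:
        excess, risky = audit(name, category, xml, policy)
        if excess:
            rows.append((name, sorted(excess), sorted(risky)))
    return sorted(rows, key=lambda r: (len(r[2]), len(r[1])), reverse=True)

def manifest(*perms):
    """Build a constructed sample manifest declaring the given permissions."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="example.app">'
            f"{body}<application/></manifest>")

SAMPLE_APPS = [  # constructed inventory: (name, category, manifest xml)
    ("Torch Pro", "flashlight",
     manifest(P + "SEND_SMS", P + "READ_CONTACTS", P + "INTERNET")),
    ("ChatNow", "messaging",
     manifest(P + "READ_CONTACTS", P + "CAMERA", P + "RECORD_AUDIO", P + "READ_SMS")),
    ("RouteFinder", "maps", manifest(P + "ACCESS_FINE_LOCATION")),
]

if __name__ == "__main__":
    for name, excess, risky in rank(SAMPLE_APPS):
        print(f"{name}: {len(excess)} permission(s) beyond need, high-risk: {risky}")
```

The same `audit` function can be pointed at real manifests extracted from an organisation's own app inventory, with the policy table adjusted to the app categories the organisation actually permits.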

[Infographic: Default sample Threat Map]

Infographic images are copyright of Virtually Informed.


Actions and Activities

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement


Images from https://www.pixabay.com.