Fixing the Broken State of Mobile Security


Sep 06, 2016 posted by William Chow, CTO & Founder, Mobolize

DOI: 10.13052/popcas009

We are at an inflection point in how users view mobile security. Firesheep and Stagefright are just the latest wake-up calls that point to a future that is looking a lot like the dangerous old PC days. Unfortunately, Android fragmentation leaves all but recently purchased devices unpatched and at risk, so the vast majority of users (over 80% according to AVO) need tools to protect themselves. It's time for real mobile security solutions: ones that actually block malware and prevent data theft in real time.

In the PC era, the number of ways that hackers could steal your data was relatively limited. But with today's mobile devices and their abundance of radios (cellular, Wi-Fi, Bluetooth), the ways hackers can reach your device and data have multiplied. The "attack surface" of smartphones is effectively bigger than that of PCs. And with smartphones far outnumbering PCs, most of which won't ever get the latest security patches, there are many more potential victims.

Most users think downloading a bad app is the main security risk (if they even think about security at all), so the Stagefright hack is an eye opener. The Stagefright demonstration video shows just how easy it is for someone to hack your phone without ever touching it or getting you to download a malicious app. All they have to do is send you an MMS message, and there is nothing Google can do to block it for the 80% of Android devices that are unpatched.

Why is this happening? Since the first iPhone and Android, we've witnessed an unprecedented amount of new functionality, and of vulnerabilities, delivered by mobile OSs. Users love all the new things they can do with their smartphones, but don't think about the security tradeoffs.

This isn't because Apple and Google are writing worse code. It's simply that the more complex software becomes, the more prone to errors it is, and therefore the more vulnerabilities it contains. These charts tell the story, and this is a trend where "up and to the right" is not a good thing:

[Charts: vulnerability counts by year, from the National Vulnerability Database]

Unfortunately, the typical user believes that "bad apps" are the problem, a misconception that Apple, Google and Samsung are happy to have you believe. Focusing on apps blinds us to much greater threats: the ones that arrive through all those radios that smartphones have. Beyond downloading malware, hackers can also attack your mobile device via:

  • Stagefright videos via unsolicited MMS, email or web site links
  • Malformed Wi-Fi packets [1, 2]
  • Phishing web sites, e.g. looks just like a Facebook login page
  • Nearby Bluetooth devices [1]
  • Wi-Fi snooping by others on a public hotspot[1]
  • Fake Wi-Fi hotspots, e.g. is that really "Starbucks"? [1]

In other words, attacks are bypassing the app store and arriving at other parts of the attack surface.

The smartphone itself needs to be protected right on the device, because it's too late for a security appliance in the network or cloud to help when a hacker has already stolen the data you sent over the Starbucks Wi-Fi. And the protection cannot be after the fact, like scanning for a file after it's downloaded, because by then these attacks will have already "pwned" your device. Smartphones need to detect malware at all entry points and block it before the attack even starts. We also need to ensure our personal data is always securely encrypted before it leaves the device, regardless of which type of network is being used, including the Wi-Fi at the coffee shop, hotel and airplane.

To empower users to protect themselves, Apple and Google provide only one option: through their app store. But we don't want just the traditional "security" app found in the app stores today, which doesn't do much beyond finding your lost phone. We need apps capable of in-band, network-level protection that stops threats before they get onto the phone. We are now starting to see a new class of security apps that work at the network level, many leveraging the VPN capabilities of the device to see and protect your data, and some even capable of working transparently within the smartphone's network stack (similar to PC antivirus methods). What's powerful about these on-device app solutions is that they leverage the supercomputer in your pocket, delivering massive scalability and compelling software-driven economics that are good for both the consumer and the overall industry.