By Iain Wadds, Regional Presales Manager, Tarsus Technology Group
1. What are the security issues in mobile?
Broadly speaking, the majority of risks in the mobile computing space are around data loss. Either the loss of sensitive corporate data (in the business context) or the disclosure of personal information that can lead to cyber criminals stealing identities and money.
Hackers usually do this by exploiting vulnerabilities in the OS or more commonly in the apps or networks that we are using.
Another more basic risk comes from misuse of our information or devices. Lost or unsecured devices and accidental disclosure of data are simple but all too common mistakes.
2. What are the flaws?
Users demand convenience and ease of use. When security is applied in the mobile context, this becomes more difficult to do and users take the easy way out by disabling security features. Whilst 16 digit password provides stronger security than a 4 digit pin, often this option is deemed inconvenient to users to have to punch in every time they look at their phone.
The same applies with downloading mobile apps. In our need to install the latest and greatest apps, how often do we take the time to review the features and data these apps request access to? Often users click through the installation process without a second thought leaving themselves vulnerable. Does a mobile game really need access to your contacts, camera or Facebook profile, or are you in fact putting yourself at risk of revealing a little too much personal information?
Whilst the technology itself has flaws, the vast majority of providers have solutions to basic security issues. However, the biggest flaws are not with the technology but with the way users use it and their lack of understanding of the risks.
3. What should users be aware of?
There are some simple best practice guidelines all users can deploy in their use of mobile devices:
a) Updates: Run them regularly. Often these are not just providing additional features but patching security vulnerabilities that have been discovered in the code.
b) Unsecure networks: Users will jump at the chance of some free bandwidth whenever it’s offered, but joining a free access point potentially makes any data transmitted visible to anyone else on that network. Hackers like to set up rogue access points advertising “free” internet and wait near coffee shops and other public spaces waiting for information that can benefit them. If users need to use their mobile device for online banking, rather use 3G unless they are 100% sure they are on a safe network.
c) Use a PIN, thumb print reader or some other method to lock the screen.
d) Don’t store data on mobile devices that can’t afford to be lost. If it’s really necessary, keep a backup. There are various free cloud-based backup solutions to choose from these days – make use of them.
e) Only install apps from trusted app stores like Google Play or Apple App Store.
f) Don’t be tempted to “jailbreak” (deliberately circumvent the security controls in the OS of) a device. Yes, it may offer access to free apps but it opens the device up to mobile malware and data theft.
4. Which OS is more secure?
The main mobile vendors all take OS security seriously so to try and suggest that one is more secure that another is trivial.
Apps that request access to data and convince users to grant it are prevalent in all the major platforms and malicious websites are accessible to all devices regardless of the OS.
5. How can you tell if there is an issue?
Often you can’t. The first you’ll know about it is if your social media accounts show posts that are not yours or your bank calls you to warn of anomalous payments. If this happens, backup your data, wipe your devices and change your passwords.
If the malware has already corrupted your data then admittedly it’s difficult, but there are solutions out there to assist as much as possible. My best advice would be to get into a habit of backing up regularly and not wait until the infection hits. There are many service providers available that make this process automatic – Tarsus SecureData has partnered with Druva to do exactly that.
Less obvious signs of malware on your device will be a rapid loss of battery life and/or spikes and increased data use.
If you are unfortunate enough to be infected with mobile ransomware, hopefully you’ve backed up, then wipe your device and reset passwords. If not, the best solution is to just wipe it and start afresh (even though this is a painful choice). Paying the ransom just exacerbates the problem; the sooner victims stop paying ransoms, the sooner this business model will fail.
Sometimes, you’ll stumble across a web page telling you that you have a virus on your mobile device. You don’t. They’re just trying to collect your clicks and present a costly solution you don’t need. No credible anti-malware solution works this way.
This feature first appeared in the Mail & Guardian in October; used with permission here.
[Image – CC by 2.0]