Both Apple and Google have built protections into their mobile operating systems – such as encryption, access control and application isolation – making these devices inherently more secure than desktops, according to the report, titled “A Window into Mobile Device Security.” Despite these protections, such devices remain susceptible to data leakage, social engineering attacks and other threats.
Chief among the list of mobile security risks is that users of both Android and iOS commonly synchronize their devices with their home computers and third-party cloud services, such as web-based calendars, according to the report. This practice could lead to sensitive corporate information being transferred to devices outside of the control of the enterprise.
“Mobile devices aren't islands,” Dean Turner, director of Symantec's global intelligence network, told SCMagazineUS.com on Tuesday. “All of these devices operate in one or more uncontrolled environments. From an enterprise perspective, you don't control the security of those services or home computers.”
When it comes to malware, the iOS mobile operating system, which powers iPod, iPhone and iPad devices, provides a high level of protection due to Apple's stringent application and developer certification processes, the report states. Google, on the other hand, allows any software developer to create and release apps anonymously and without inspection. This approach, naturally, makes it easier for malware authors to target the Android platform.
There is currently far more malware targeting traditional desktop operating systems, but attackers will undoubtedly come to view mobile devices as a more viable target as their popularity grows, Turner said. In addition, Android and iOS devices both lack any protection against social engineering attacks, such as phishing and spam, which are likely to become a larger threat going forward.
Malicious apps, for example, might be crafted in the future to display pop-up boxes attempting to trick users into allowing access to their personal information, which would be transmitted back to attackers, Turner warned.
As for the encryption capabilities of each platform, iOS provides strong protection for emails and attachments, but it does not fully protect against the risk of physical device compromise, the report states. Most of the data on iOS devices is encrypted with keys that can be unlocked without the user entering the device's master passcode. Consequently, an attacker with physical access to a device could use a jailbreak attack to read most of the data on it.
Kris Rowley, CISO for the state of Vermont, told SCMagazineUS.com in a recent email interview that mobile devices provide new threat vectors for data leakage, exacerbating the risk of breaches.
“Mobile devices pose a unique threat,” she said. “There are so many different types of devices and the technology is constantly changing. Many smartphones do not have encryption abilities, cannot have company policies pushed out to them, are not able to be tracked, and are not 'controllable' from within the network due to the fact that they are proprietary. This poses serious security risks.”
Android, meanwhile, only recently began offering built-in encryption, in Android 3.0. Earlier versions of the operating system, which power virtually all Android-based phones today, contain no such capability. As a result, the jailbreak of an Android phone or theft of the device's SD card could lead to data leakage.
To defend against mobile threats, organizations should create policies and consider deploying management solutions, Rowley said.
On top of tools and policies, user education and training are the best way to mitigate mobile risks, she added. Training programs should aim to educate users on why mobile security policies are necessary, and they should be multifaceted, including not only security classes but also onsite visits, competitions and newsletters.
“Users of mobile devices are focused on the device, not on the security of the device or the technology behind how the device works and how it can be compromised,” Rowley said. “Therefore, education needs to be ongoing and varied, so users don't get used to seeing the same poster or reading the same online warning.”