
“Worldwide psychological shift” needed for mobile security, says expert

For well over a decade, IT security experts have been striving to convince PC users they are at risk from a plethora of dangers online, and while it is a fight that will never truly end for the preachers, it can be said that certain security principles have now been established and ingrained in our minds.

But the arrival of the smartphone and its insistence on assuming nearly all the responsibilities we have traditionally entrusted to our PC has effectively reset the battleground and produced the same struggle for the security industry all over again.

Steve Santorelli of security research group Team Cymru admits it’s a real headache. “We taught a whole generation how to keep their desktops secure, and that Internet security is their responsibility and not something they can allocate to ISPs or the software manufacturer,” he said.

“The same psychological shift needs to occur, worldwide, with regards to safety on our mobile devices. We’re just not there yet. People do not generally have antivirus on their phone and they feel that it’s the provider or OS manufacturer’s responsibility to protect them.”

The widespread failure to recognise the security implications of using the Internet from your phone has created a “ticking time bomb” in Santorelli’s eyes, and the dramatic upsurge in mobile web surfing lends weight to his fears. According to research from December 2012, phones now account for nearly 20 per cent of the time spent on the Internet across all devices. With this figure only going one way, the floodgates are being opened to a wave of new threats probing our relatively unprotected smartphones.

Most notable mobile breaches take the form of viruses smuggled through malicious apps, but Santorelli says that the dangers are “not always from out and out malware.” More significant, in many cases, is the access being afforded to certain apps and what they are doing with our data. These seemingly innocuous applications don’t directly extract financial information or build botnets, “but they do things with your data in excess of what they should be doing,” warns the Team Cymru expert.

A game, for instance, may harbour the ability to access multiple areas of your device, such as contact information and photos, but request permission in the scarcely read small print of the app description. An unsuspecting user may grant this permission simply by going through with the download, or clicking away an irritating alert from the phone’s OS without considering what they have sanctioned.

It is this extended access which can then clear the way for miscreants to exploit a device. Even if an app does not immediately infect your phone, the download itself has already unlocked certain doors and left the bait out for unlawful hackers. “Just like criminals follow where the money is, malware writers follow where the data is. The amount we do on our phones - email, work admin, banking - is incredible, so it attracts danger,” said Santorelli, who understands why IT managers are becoming increasingly concerned about the potential repercussions of BYOD policy, when sensitive data is readily transferred back and forth between different networks, increasing its vulnerability.

If the attack does eventually hit, too often the situation is worsened by the fact that a user may not be aware of the breach until it is too late. “If you haven’t got any antivirus technology on your phone, you’re not really going to know you’ve been affected until you see the results. So regularly checking things like bank statements and your credit history is key,” Santorelli advises.

When the compromise is less covert, tell-tale signs include crashing apps, slow performance and increased battery drain, “but the fundamental thing is if you are infected, you really wouldn’t necessarily know unless you are looking for it,” he adds. As such, one of Team Cymru’s primary mantras comes into play - just like PC security, user responsibility is paramount. Checking up on the reviews, ratings and developer profile before downloading an app is a prerequisite, especially if the user does not have antivirus software on their device.

Ominous proclamations from the security industry are often scoffed at and accused of being overstated, but the underground economy of hacking dictates that increased mobile use will unquestionably lead to increased targeting from cyber criminals. For the malware writers it is a simple case of tracking the numbers and attacking the largest user base possible.

Despite their relative lack of popularity, antivirus solutions – many of which are available from major vendors on Android – are the obvious first line of defence to adopt for bolstering mobile security. But ultimately, a fundamental appreciation of the threats that exist in mobile, and adopting the attitude of caution that most users take to Internet surfing on their PC, could be most important in the long run.

“We’ve learned a lot about how to build safe, secure software and protect our networks,” Santorelli says of his industry, “but the whole world changed when Android and iOS came out. Unfortunately, as a society, we’re playing catch up.”

Image: Flickr (Denis Dervisevic)

Article researched in collaboration with Team Cymru - a specialised Internet security research firm formed by a dedicated group of technologists passionate about making the Internet more secure.