Mobile security is the strategy, infrastructure, and software used to protect any device that travels with users, including smartphones, tablets, and laptops. Cybersecurity for mobile devices includes protecting data on the local device as well as the endpoints and networking equipment the device connects to. As users continue to prefer mobile devices over desktops, these devices will become bigger targets for attackers.
Why Is Mobile Security Important?
As more users travel and work from home, mobile devices have become increasingly integrated into everyday life, including for corporate employees. Internet browsing activity used to be limited to desktops, and employees who traveled were the only ones with laptops. Now, mobile devices are the preferred way to browse the internet, and traffic from these devices has become the dominant form of web browsing over desktops.
Mobile devices have a much bigger attack surface than desktops, making them a more significant threat to corporate security. A desktop is immobile with threats mainly from outside attackers, but mobile devices are vulnerable to physical and virtual attacks. Users carry mobile devices with them wherever they go, so administrators must worry about more physical attacks (e.g., theft and loss) and virtual threats from third-party applications and Wi-Fi hotspots (e.g., man-in-the-middle attacks). Stationary desktops don’t move from the corporate network, making it easier for administrators to control network and endpoint security. With mobile devices, users can root them, add any app, and physically lose them.
For these reasons and more, corporations have a lot more overhead when creating strategies surrounding mobile devices. Even with the overhead, it’s a critical part of cybersecurity as mobile devices pose significant threats to data integrity.
There are two main physical threats to a mobile device: data loss and theft. Natural disasters are also an issue, which would be the cause of data loss but not data theft. Lost data can be recovered, but data theft is an expensive issue for organizations. Mobile devices have lock screens to help stop data theft after a device is stolen, but the technology must be strong enough to prevent an attacker from bypassing the screen lock by removing the storage device and extracting the information.
Should the device be stolen, it should allow only a few PIN attempts at the home screen before locking the phone. This security feature stops brute-force home screen PIN attacks. For devices with sensitive data, the company should use wipe applications that delete all data on the phone after several incorrect home screen PIN attempts. Encrypted storage drives stop attackers from exfiltrating data directly from the device by bypassing the PIN feature.
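The attempt limit and wipe threshold described above can be modelled as a small state machine. This is an added example, not code from the original article; the class name `PinGuard`, the thresholds (5 tries per lockout, 30-second base lockout, wipe at 10 failures) and the helper `guess_success_rate` are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

class PinGuard:
    """Lock-screen PIN check with attempt limit, lockout and wipe (assumed thresholds)."""

    def __init__(self, pin, max_tries=5, lockout_s=30, wipe_after=10, clock=None):
        self._salt = os.urandom(16)
        self._hash = self._derive(pin)       # store a salted hash, never the raw PIN
        self.max_tries = max_tries           # failures allowed before each lockout
        self.lockout_s = lockout_s           # base lockout, doubled on every repeat
        self.wipe_after = wipe_after         # total failures that trigger the wipe
        self.clock = clock or time.monotonic # injectable so the policy can be tested
        self.failures = 0
        self.locked_until = 0.0
        self.wiped = False

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def try_unlock(self, pin):
        if self.wiped:
            return "wiped"
        if self.clock() < self.locked_until:
            return "locked"                  # the guess is not even evaluated
        if hmac.compare_digest(self._derive(pin), self._hash):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.wipe_after:
            self._hash = b""                 # stand-in for destroying the storage key
            self.wiped = True
            return "wiped"
        if self.failures % self.max_tries == 0:
            rounds = self.failures // self.max_tries
            self.locked_until = self.clock() + self.lockout_s * 2 ** (rounds - 1)
            return "locked"
        return "denied"


def guess_success_rate(pin_digits, wipe_after):
    """Chance of guessing a uniformly random PIN before the wipe triggers."""
    return min(1.0, wipe_after / 10 ** pin_digits)
```

With these assumed settings a thief gets at most 10 guesses at a 4-digit PIN, a 0.1% chance, which is why the limit only protects data when storage is also encrypted and cannot be read around the lock screen.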
Administrators can block applications from being installed on a desktop, but a user with a mobile device can install anything. Third-party applications introduce several issues to mobile device security. Corporations must create a policy surrounding mobile devices to help users understand the dangers of installing unapproved third-party apps.
Users should not be able to root their phones, but some do, rendering many of the internal operating system security controls unusable. Third-party applications running on rooted devices can disclose data to an attacker using a number of attack methods. Third-party applications can also have hidden malware and keyloggers embedded in the code. Anti-malware programs can be installed, but rooted devices leave even these applications open to malware manipulation.
Mobile devices, especially bring-your-own-device (BYOD), create a threat for the internal network. It’s not uncommon for malware to scan the network for open storage locations or vulnerable resources to drop malicious executables and exploit them. This can happen silently on a mobile device that isn’t adequately secured.
Administrators can force anyone with a BYOD device to have anti-malware installed, but it still does not ensure that the software is up to date. If the corporation offers public Wi-Fi hotspots for customers and employees, this too can be a point of concern. When employees connect to public Wi-Fi and transfer data where other users can read data, it leaves the network vulnerable to man-in-the-middle (MitM) attacks and possible account takeover if the attacker steals credentials.
Web-Based and Endpoint Threats
Mobile apps connect to data and internal applications using endpoints. These endpoints receive and process data, and then return a response to the mobile device. The endpoints and any web-based application add threats to the organization. Endpoints used by the application must be properly coded with authentication and authorization controls to stop attackers. Incorrectly secured endpoints could be the target of an attacker who can use them to compromise the application and steal data.
Because mobile devices have become increasingly popular, some web-based attacks target these users. Attackers use sites that look like official websites to trick users into uploading sensitive data or downloading malicious applications. It’s not uncommon for an attacker to tell a user that they must download an app to view a video or other media source. Users download the app and don’t realize it’s a malicious app used to probe the devices for vulnerabilities and disclose data.
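The sketch below shows an endpoint that authenticates the caller but skips the authorization check, next to a corrected version. It is an added example, not code from the original article; the token format, `SERVER_KEY`, the `RECORDS` data and all function names are constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # constructed; a real key lives in a secret store
RECORDS = {                            # constructed sample data
    "r1": {"owner": "alice", "body": "alice payroll"},
    "r2": {"owner": "bob", "body": "bob payroll"},
}

def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def issue_token(user):
    """Token is 'user.mac'; it stands in for whatever session token the app uses."""
    return f"{user}.{_mac(user)}"

def authenticate(token):
    """Return the user name if the token's MAC verifies, else None."""
    user, _, mac = (token or "").rpartition(".")
    # Compare as bytes so a non-ASCII forged MAC cannot raise TypeError.
    ok = hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if user and ok else None

def get_record_weak(token, record_id):
    """Weak: any authenticated user can read any record by changing the id."""
    if authenticate(token) is None:
        return 401, None
    rec = RECORDS.get(record_id)
    return (200, rec["body"]) if rec else (404, None)

def get_record(token, record_id):
    """Hardened: authentication first, then authorization against the owner."""
    user = authenticate(token)
    if user is None:
        return 401, None
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != user:
        return 404, None               # same answer for "missing" and "not yours"
    return 200, rec["body"]
```

Both handlers reject a forged token, so a scan that only tests for missing authentication passes the weak one; the difference appears only when a valid user requests another user's record.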
Components of Mobile Security
Organizations that use mobile devices have several options to protect them from attackers. Components in mobile security can be used to define cybersecurity strategies surrounding mobile devices. In addition to the infrastructure added to corporate strategy, it’s also important to create BYOD and mobile device policies that instruct users what can and cannot be installed on the device.
The following components will help any organization protect from attacks directed towards mobile devices:
- Penetration scanners: Automated scanning services can be used to find vulnerabilities in endpoints. While this is not the only cybersecurity measure that should be used on endpoints, it’s the first step in finding authentication and authorization issues that could be used to compromise data.
- VPN: Users connecting to the network from a remote location should always use a VPN. VPN services and always-on VPN alternatives installed on a mobile device will encrypt data from the device to the endpoint or from the device to the internal network. Plenty of third-party services are set up specifically for protecting corporate traffic from a mobile device to the internal network.
- Auditing and device control: While administrators can’t remotely control a smartphone or tablet, they can require users to install remote wiping capabilities and tracking services. GPS can be used to locate a stolen device, and remote wiping software will remove all critical data should it be stolen.
- Email security: Phishing is one of the biggest threats to all organizations. Email services are usually added to a mobile device so that users can obtain their email messages. Any phishing messages could target mobile devices with malicious links or attachments. Email filters should block messages that contain suspicious links and attachments.