Should we trust our Phones?

Recently I wrote about the number of malware apps for the Android operating system. Well, I think the article I found interesting was found interesting by other people. From an article posted in Network World, it appears that HP found that 90% of Apple iOS mobile apps show security vulnerabilities. Now in reading this summary of the HP report in detail, the point made by HP is not that 90% of iOS apps are malware, rather “86% of the apps tested lacked the means to protect themselves from common exploits.”

As companies expand their IT presence into phone and tablet apps, the question of the security of those platforms needs to be answered. After spending the first 20 years of my career as an application developer, I understand the problem. The first thing you do as a developer is find a solution to the problem that is presented to you. The second to last thing you do (the last always being documentation, if you ever do it) is test your code for unexpected usages. And you never think of all of them. I remember being thanked by a user for writing a particular function a year or so after I had released the code. He told me what he was doing with what I had written and my response was “It does that?” The user was using what I had written to do one thing for something completely different and totally unexpected. What was more interesting is that it was working perfectly.

The problem, according to HP, is that adequate penetration testing is not done. This is probably because of the speed at which apps are being developed and released. Like any other client, mobile apps are at some point going to be connected back to the corporate servers. Then, like any other client, malware on the client may be transported to the server. As noted above, you never know what someone will do with something you wrote.

As an IT professional, you need to be aware of what the apps you are recommending or developing do and what they might do under malicious conditions. Although malware protection is a reactive science, you should be as proactive as possible when evaluating mobile apps.

Android on course for One Million Malware Apps

After taking some time off to attend to my real business, I have found some time to write again. The article that piqued my attention the most was a recent article in Fox Business News. The headline to this article is “Cyber Hackers on Course for One Million Malware Apps” and they are talking just about the Android operating system! According to the article, it took over a decade to reach that many malware applications on the “much” beleaguered Microsoft operating environments. However, do we hear a cry from the public about how bad the Google Android operating system is? Not really, we just hear sales numbers on how that OS is selling better than anyone else.

I can go on about the details in the article, but it is written in plain English and doesn’t need any technical translation. What I really want you to think about is how this affects your policy on Bring Your Own Device (BYOD). It is evident the malicious software industry is turning its attention from the ever-hardening arena of the PC environment to the easy pastures of the mobile environment. Not to get too into Google bashing, but it is evident that Google has not learned from the mistakes of its predecessors in the industry. I will not say they are ignoring the security of their customers’ data and money, but they are evidently not doing what is necessary to control the massive outbreak of malware in their OS environment. The excuse that they just create the OS with associated patches and it is up to the licensees to distribute and implement those patches is ludicrous. If Google wants to be recognized as a true software vendor for the business environment, it needs to step up to the responsibilities of a true software vendor. This means they have to reach out beyond the environment that they completely control and make sure that the people using their software are protected as much as reasonably possible.

How secure is your cell phone?

A recent Computerworld article talked about a research paper by Daniel Brodie, Sr. of Lacoon Mobile Security. In this paper, Brodie talked about how spyphones, surveillance tools surreptitiously planted on a user’s handheld device, have become more and more common. If you have been watching CBS’ Person of Interest, you would note the first thing that is done is that a spyphone is put on the subject’s cell phone. Now, you might think this is just Hollywood’s version of reality, but the truth of the matter is that it has become reality.

Lacoon Mobile Security partnered with several global cellular network providers to sample 250,000 subscribers in March of last year and again in October. The first sampling showed that 1 of 3000 devices had spyphone software installed. The second sampling showed the infections tripling to 1 in 1000 devices being infected. The initial survey showed that 74% were iOS (Apple) devices while the second showed the percentage dropping to 52% being iOS devices. The following chart from the research paper shows the percentage of devices infected by operating system.

Why the increase in infections? Lacoon Mobile Security identified more than 50 families of spyphones. As stated in the research paper “These spyphones run the gamut from dedicated high-end groups targeting specific nations and corporations, to low-end software targeting the private consumers…. At the lower end of the spectrum are spyphones which most commonly portray themselves as promoting parental controls and spouse monitoring.” What is more amazing is the cost of this type of software. Again from the research paper, Brodie noted

“The difference between the military and non-military grade spyphones? The device infection vectors and accordingly, their cost. Current estimates hold nation-targeted spyphones at $350K. In the meanwhile, the commoners-targeted spyphones follow a monthly low licensing model – sometimes as low as $4.99.

The amazing part is that the end-result is essentially the same on the targeted devices. So for just a bit more than the price of a Starbucks latte, an attacker can purchase a spyphone with nearly identical capabilities to that of a top-end spyphone.”

The conclusion of the paper is even more interesting. Brodie concludes that “It is important to recognize that infection is inevitable.” But he also notes that we have seen this before in the computer desktop environment. The steps that we use to protect ourselves from malware in the desktop world are needed in the mobile world. The problem is that the tools to prevent mobile device malware are not there yet and the awareness of the problem is not large enough for the tools to be profitably developed.

How can you protect yourself? First, follow the same rules on your phone that you do on your desktop computer. Be very careful about what apps you download. Keep up with what is happening on mobile device security. Talk to your IT Professional to help you defend against this new type of malware.