Even with an estimated 5 billion people currently possessing a mobile device, half of them being smartphones, the use of mobile technology is still growing rapidly throughout the entire world.
We perform plenty of our daily tasks with our mobile devices, many of them involving the use of sensitive data including banking and credit card information, and other personal identifiable information (PII), often in making payment transactions.
However, the rise of operational mobile devices brings with it the rise of related security threats. According to one report by Upstream, 93% of mobile transactions attempted in 2019 were fraudulent, and the number of malicious apps rose to 98,000. Not to mention the number of mobile data breaches that graced headlines the previous year, and new ones discovered with each passing week.
But even if the threats are there, and uncomfortably real, that shouldn't stop us from enjoying the benefits that mobile computing has brought to our private lives and businesses. Organizations as well as individuals should practise diligence and take appropriate steps to ensure security in our daily use of mobile devices.
More and more, mobile security is becoming a vital part of the security policies and procedures of many organizations. There are easy ways for all of us to reduce the chances of our mobile devices getting hacked, and the likelihood of handing over our private information to crackers.
That's why today marks the beginning of our new blog series, Mobile Security 101. We'll be exploring all kinds of threats and vulnerabilities, and how to protect ourselves against them. Let's start by answering the question "What is mobile security?" and examine some common mobile security threats to both individuals and organizations, and steps we can take to protect our devices.
- What is mobile security?
- 6 common mobile security threats and how to protect yourself against them
What is mobile security?
We're storing more and more sensitive information on our phones, such as passwords, phone numbers, locations, private photos and videos and credit card information, so it's becoming increasingly important to ensure the safety of that data. Not only for individuals, but organizations are at risk too—a growing number of employees are accessing company data over their mobile devices.
One study finds that 1 in 5 corporate logins take place over mobile devices. This leaves more room for human error, phishing, session hijacking and other ways to endanger sensitive data.
"Mobile security" refers to the protection of mobile and other wireless devices, such as smartphones and tablets, against attackers that can exploit vulnerabilities associated with operating systems, browsers, other software and apps, as well as communication services like SMS and MMS and wireless technologies, including WiFi, Bluetooth, and more.
6 common mobile security threats and how to protect yourself against them
Different security threats target different components of mobile devices. And with the different features and vulnerabilities of every mobile device OS, particular threats exist for each. High-risk vulnerabilities were found in 38 percent of mobile applications for iOS and in 43 percent of Android applications, according to a Positive Technologies report.
Consequently, with different mobile security threats, there are different security measures to consider as well. Eliminating these security threats isn't completely possible, but there are steps we can take to protect ourselves as best we can.
Let's take a look at some of the most common security threats—regardless of manufacturer and OS—that can hamper our mobile devices and steal, modify, or destroy the data stored on them. And while we're at it, we'll share some simple tips on staying diligent and keeping mobile devices secure.
Stolen and lost devices (no password and/or PINs)
This threat may sound foolish, but it's not a minor one. Many of us have lost a phone at some point in our lives. You might've left your device at a cafe, or someone has stolen it from you. Either way, unattended devices are a big threat in the possession of a malicious actor. And with no existing lock pattern, password, PIN code or biometric authentication, it will be easy for the attacker to gain access to your private files, contacts and accounts, as most users stay signed in to their accounts.
According to research by DuoLabs, 1 in 3 Android devices don't have passcodes set on their screens, and even when they do, users tend to use simple letter or number combinations that are broken quite easily. Not having security policies regarding passwords, PINs and other ways of guarding access to sensitive data puts way too much responsibility on the user; an unattended device holding sensitive corporate data is a major security risk for any organization.
Setting stronger passcodes, using more complex patterns and relying on biometric authentication will make it harder for hackers to access your device. Also, most iPhone and Android devices have a remote wipe feature that allows you to block access to all accounts on the device, and erase all data from it, making it practically useless to attackers.
If your password is good but hackers still succeed in breaking it, having these anti-theft features enabled will help keep your data secure. And implementing a password policy in your organization will make sure users won't use identical passwords across all their accounts, making the devices more resilient to attacks.
Most mobile malware out there is distributed by apps, often coming from unverified third-party sources, but it's not unheard of that malware comes from an app found on, for example, Google Play Store. Out of the top 100 active malicious apps, 32% are still available for download on Google store, while 49% can be found in third-party app stores.
The fact is that one of the most compromised categories of apps are tools for customization, which are also one of the most frequently downloaded. Once they're downloaded, these apps can then inject malware into your device, and steal, corrupt or modify your data. But apps don't even need to be malicious in nature to cause a security risk and data leakage.
You should always be careful about downloading any app, but it's important to download apps from verified app stores, even if that doesn't guarantee complete security from malicious apps, they are far more secure than third-party ones. Another important thing to keep in mind is that the more apps you download, the more you are putting your device at risk from malicious ones. Always download the ones you really need and regularly update your existing apps if they don’t update automatically.
Let's be honest: we don't always read the full user agreements, and sometimes we unintentionally give permission to apps to obtain and control our data. Agreeing with a list of permissions granted to apps leaves you vulnerable to many different mobile security threats.
A lot of apps ask for permission to access different functions of your phone, such as your storage, contacts, GPS information, camera microphone, etc. With that kind of access, apps can collect data from your device and send it to a third party for advertising or even malicious purposes.
Organizations are at high risk of doing this, as the leak can result from something as simple as sending files to the wrong destination, exposing data that can be sold to competitors or malicious actors.
When accepting terms of service and giving permissions to apps, make sure you read everything and only give permissions that are truly needed. You'll also want to avoid apps that require too many of them. Within your organization, limiting the apps and sources they're downloaded from will help you avoid data leakage and the installment of malicious apps that may compromise sensitive data.
Phishing is the most common form of social engineering attack, and mobile devices are quite vulnerable to this security threat. Attack vectors for phishing attacks can be SMS, email, phone calls and social media as well as fake ads and phishing websites.
The most common form of phishing we see are emails that claim to be coming from a bank or similar service, urging you to change your password or input sensitive information. They do this while mimicking a legitimate email and the website of the actual service.
We often think we can easily distinguish a legitimate email from a phishing email, but phishing attacks have become a lot more sophisticated. Also, the smaller screens of our mobile devices can make it harder to confirm the legitimacy of a URL or email address.
Don't click on unknown links, and monitor all your emails to make sure they're coming from a legitimate source. Don't click on pop-up ads, either, to avoid unknowingly downloading malware onto your device.
As phishing attacks exploit human psychology, you can't truly put any kind of restriction or measure in place to ensure no one in the organization clicks on a wrong link, but educating employees goes a long way toward keeping everyone informed about typical signs of phishing and how to recognize them.
A lot of our communication happens over our mobile devices, and a lot of sensitive data is shared. Leaving that data unencrypted makes it easy for malicious attackers to view and collect it.
Encrypting your data and using communication tools that use encryption should be a baseline for device security. Use a VPN to make it hard for attackers to spoof your network. At the very least, use some sort of encryption when handling sensitive data such as banking or other PII information.
Public WiFi is widespread and easily accessible, and while that is good news for users, it also comes with its own set of threats. A lot of free public WiFi access points don't require any login information and are unsecure, meaning an attacker can easily intercept your connection. This is another area where the use of VPN and data encryption is vital.
Attackers can also set up fake access points in popular places that appear legitimate. These public WiFi hotspots often have generic names, making them look trustworthy to users. Once you're connected to that network, however, you are unwillingly providing access to your sensitive data. When you're looking at a list of free hotspots, make sure you aren't connecting to a fake one.
With mobile security threats on the rise, we all need to translate good security hygiene to our use of mobile devices. More and more communication is played out over our smartphones, meaning more and more sensitive data is stored and shared over them.
We really can't overlook the importance of mobile security in today's threat landscape. As an individual, there are simple steps you can take to protect yourself against common mobile security threats; at an organizational level, many of these threats can be avoided by maintaining a healthy cybersecurity culture in your organization.
Now that we've explored the basics about mobile security and the common threats we face, our next blog in the Mobile Security 101 series will dive deeper into the specific vulnerabilities on our devices that attackers can exploit. Stay tuned and stay safe!
In the meantime, as our organization infrastructure grows, our attack surface becomes more difficult to manage. Attack Surface Reduction tool solves this problem! Schedule a call with our team to learn more.