Mobile Security

Oscar Okwero
Apr 19, 2021

Introduction

Since the advent of mobile phones, the number of users who have adopted mobility as a core aspect of their lives in entertainment, education, commerce and even dating has increased exponentially. The number of smartphone devices currently in use is over 5.28 billion, with new users joining by the millions daily (GSMA real-time data). The smartphone has revolutionized how people live their lives, with most of their needs conveniently accessible at the touch of a button. The rise of social media has pushed the use of mobile phones as the primary means of interaction even further, through a myriad of mobile applications that range from social networking applications like Instagram, Facebook and Twitter, to professional networking platforms like LinkedIn, to dating applications like Tinder, Tagged and POF.

The result is that the mobile phone has become a centralised reservoir of personalised information about an individual, which has made it a very attractive target for threat actors intent on compromising that information for personal gain. Unfortunately, unlike enterprise networks, which have dedicated security teams in charge of securing the infrastructure through technologies like firewalls, IPS and IDS, and data loss prevention tools, the individual mobile user is fully in charge of their own cyber security when using their mobile devices. This is despite the wider threat landscape brought about by the different applications in use and their varying threat surfaces. It is hence not surprising that most threats attack mobile devices as the starting point for further, more complicated attacks. The mobile device is used to attack users directly, or indirectly through means like fake audio and video messages.

Mobile use cases from a security perspective

The wide usage of mobile phones is particularly attractive to threat actors who want not only to attack a particular device but also to leverage the wide reach of message forwarding, such as WhatsApp chats and memes, so that a threat spreads to every device it is shared with and attacks as many devices as possible to cause maximum damage. These attacks could target particular applications, such as banking applications, to steal credentials and commit financial fraud, or target social media accounts to either spread false information or steal the identity of a particular user and defraud their social media contacts. Others could use the devices as pivots to commit other crimes, or even steal the compute power of the devices to mine Bitcoin. It is hence important for mobile users to take great caution in their mobile usage, especially online.

Mobile threats

The main mobile threats include the following:

Phishing

This occurs when the mobile phone's internet access is used to trick the user into clicking on malware-infested email attachments, memes, photos, etc. The malware then propagates within the mobile device to deliver its payload and cause the desired damage, as well as spreading itself to others. Often it also installs a backdoor that gives the attacker persistent access to the mobile device, to cause further damage at will in the future. Phishing is the leading cyber security threat on both mobile devices and computers, and with the wide usage of mobile devices it is no surprise that it leads in mobile threats as well.

Device loss

Because of their portability, mobile devices are prone to actual loss or physical destruction that would render them useless to the user. If a device falls into the hands of a threat actor, all the information held on it falls into their hands as well, and the damage caused can be monumental. The attacker will then have access to all your social media accounts, emails (both personal and official), mobile finance accounts and essentially your digital identity.

Insecure mobile applications

Mobile applications extend the usage of the mobile device and enable it to access streaming services, social media networks and academic material. Other applications extend the usage of the handset itself, such as cameras, Wi-Fi receivers, flashlights, browsers, etc. These mobile applications have software bugs of their own, which are easily used as a medium to attack the wider device. Some attackers even upload decoys of popular apps to fool users into installing them, assuming they are the genuine social media apps like Netflix and Facebook.

Unpatched vulnerabilities

Unlike enterprise networks, where security management is in the hands of dedicated and professionally trained security personnel who patch and monitor the networks for signs of attack and quickly take recovery measures, the mobile platform is mostly in the hands of naïve users. They may fail to patch their operating systems and applications, opening themselves up to highly specialised attackers who know of the inherent vulnerabilities. Other risks include incorrectly applied patches that introduce vulnerabilities, or even fake updates that open up a mobile system to attacks.

Insecure networks usage

Mobile devices use either GSM or Wi-Fi access points to access the internet, and this exposes them to the inherent network vulnerabilities. These may include the telecommunications service providers' vulnerabilities, which may be exploited to attack a mobile subscriber through attacks such as jamming, SIM swapping and MITM attacks. Wi-Fi networks, on the other hand, are the easiest means of attack against the mobile devices that are connected to them. Attacks against a mobile Wi-Fi network include MAC address spoofing, MITM attacks and rogue AP attacks.

Device vulnerabilities

Mobile device operating systems and primary applications may have their own vulnerabilities that attackers can exploit to access the mobile device and hence compromise its user. These may include browser vulnerabilities, OS vulnerabilities and database vulnerabilities. Others may arise from incorrect usage of devices, such as rooting, which opens the device to further attacks through unhardened services.

Social Engineering

This involves impersonation or identity theft to get a mobile user to carry out a desired task for the attacker, in the false belief that the request comes from an entity known to the user. The task may include installing software on a device, disabling threat intelligence tools, transferring money to a fraudulent application, sharing particular sensitive information, or even sharing a malware-infested file to further spread a threat agent.

Mitigations

The following steps can help minimize these almost inevitable risks that mobile device usage exposes users to:

1) The use of mobile finance and commerce applications has led to an increase in online fraud because, unlike traditional physical commerce and banking, which have more controls to prove the identity of customers, e-commerce relies on just a few key authentication controls. To reduce the possibility of stolen credentials and social engineering, always counter-check before carrying out any money or e-commerce transaction to prevent fraud. Wherever possible, activate two-factor authentication, and possibly device-based authentication, to reduce the possibility of fraud.

2) Do not access enterprise information over an unsecured mobile connection, and always use VPNs and encryption to protect sensitive enterprise data from attackers. This extends to avoiding random unsecured mobile networks, which could be used as a means of attacking a particular device.

3) Install security tools like IPS/IDS, firewalls and threat intelligence tools on your mobile device to detect and thwart attacks that may not be obvious to the user, and set alerts for such detections.

4) Update all software on the mobile device. This includes the mobile operating system, the system software and the user applications. These are the weakest link and can easily be weaponized to attack a mobile device.

5) Only install mobile applications from verified application stores, to avoid unknowingly installing applications that act as malware. As you install an application, take note of the permissions it requests in order to work. If it requests irrelevant permissions, like a camera application asking for contact list access, then counter-check and do not install it, as it may be malware.

6) Physically secure your devices. This could include installing remote tracking and remote wiping tools to protect sensitive data should the device fall into the wrong hands.

7) Follow the age-old advice: do not click on unsolicited links in emails or forwarded chat messages, and do not take instructions to carry out transactions via voicemail or video mail, both of which can be faked.

8) Subscribe to your service provider's updates and support, and always use their helpline should you see anything suspicious in your mobile usage, as this may be the first step of a complicated attack.
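The permission check in step 5 can be automated. The following is an added example, not code from the original article: it reads the permissions an Android app declares and flags those that do not fit its stated purpose. It assumes the app's manifest has already been decoded to text XML; the category baseline, the sensitive-permission set and the sample manifest (including the package name) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: permissions a reviewer would expect per app category.
EXPECTED = {
    "camera": {"android.permission.CAMERA",
               "android.permission.RECORD_AUDIO",
               "android.permission.WRITE_EXTERNAL_STORAGE"},
    "flashlight": {"android.permission.CAMERA"},
}

# Assumed set of permissions that expose personal data or can cost money.
SENSITIVE = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample: decoded manifest of a hypothetical camera app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickcam">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries without a name

def audit(manifest_xml, category):
    """Split permissions outside the category baseline into two buckets."""
    unexpected = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    return {
        "high_risk": sorted(unexpected & SENSITIVE),  # do not install without a reason
        "review": sorted(unexpected - SENSITIVE),     # unusual but less sensitive
    }

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, "camera"))
```

An unknown category has an empty baseline, so every permission the app requests is reported for review.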

Enterprise controls

With the Covid-19 pandemic forcing most companies to allow staff to work from home, enterprise networks are exposed to more risk from the increased threat surface that remote access brings. They can secure themselves through the following controls:

1) Implement VPN access to all sensitive information and ensure end-to-end encryption to prevent leakage of sensitive information.

2) Maintain a highly responsive and accessible security support centre to respond to security incidents that users may face, to ensure that users are safe and are not used as pivots into the corporate network. This should be accompanied by user training on the common threats in remote work, so that users can detect simple threats and know how to react.

3) Implement proper user authentication and access control to ensure that no person or account has access to information they should not access.

4) Modularise access rights and networks to prevent general users from accessing sensitive areas of the network.

Regulatory controls

Most governments have rightfully implemented various versions of computer crime acts to protect mobile users from attackers. They have also established computer incident response centres (CIRTs) to respond to computer incidents. These are important triage centres that help detect variations and emerging threats and share that information with stakeholders. However, these are not sufficient, as attackers continually adapt to new technologies, for which it is not easy to legislate effectively. Governments have to work more with the telecommunications companies to educate users on the risks they are exposed to and what to do about them.

Conclusion

This short article has delved into the common risks of mobile computing in an age of dispersed usage across mobile commerce, social networks and the remote working brought about by the Covid-19 pandemic. The suggested controls are meant to provide a layer of defense against bad actors through technologies like IPS/IDS and firewalls, operations like training users and avoiding clicking on suspect links, and policies like access control and stratification of networks. However, these cannot fully protect a mobile user from an advanced, determined attacker. It is hence important to implement other compensating controls like user training and, in the case of enterprises, to actively carry out threat intelligence and automate response.
