Is your smartphone-based data secure?

So will users’ smartphones become infected with malware? The simple answer is yes, and they already are. Of course, the Windows PC platform is still the biggest target for virus and malware authors as this produces the biggest “return on malware investment”. Due to poor security measures taken by users, such as failing to patch their PCs or not using anti-malware, there are now around 4 million PC-based viruses and worms out in the wild.

Contrast this with the 400 or so viruses and worms targeting smartphones and you can see the order of magnitude difference. But complacency is an enemy, and criminals are now exploring the smartphone market as a new and untapped source of devices waiting to be infected.

In April 2010 a pirated game was infected with malware, forcing the infected smartphone to dial out to premium international numbers unknown to the user. The first the user knew of the problem was the incoming phone bill at the end of the month.

August 2010 saw an SMS-based Trojan for smartphones running the popular Android operating system. Called Trojan-SMS.AndroidOS.FakePlayer.a, the malicious program penetrates smartphones running Android looking like a harmless media player application. Users are prompted to install a 13KB file and, once installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers.

Not only does this malware create havoc on the smartphone it can also take advantage of the voice capability of the device. This is where these threats start to raise very sinister security concerns far beyond those of the humble personal computer.
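The FakePlayer case above illustrates a cheap triage signal a defender can check before an app is installed: an application that advertises itself as a media player has no legitimate need to send SMS messages, so a mismatch between an app's advertised category and the permissions it declares is worth flagging. The following Python script is an added example, not code from the original article or from any vendor named here. It parses Android manifests and reports sensitive permissions that fall outside an assumed per-category baseline; the manifests are constructed for the example, the permission strings are real Android permission names, and the `EXPECTED` baseline table is an illustrative assumption, not an official list.

```python
"""Added example: flag Android apps whose advertised purpose does not
match the permissions they request (a "media player" asking for SEND_SMS,
as in the FakePlayer description). Manifests below are constructed;
the EXPECTED baseline is an assumption for illustration."""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that can cost the user money or leak their data.
SENSITIVE = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
}

# Assumed baseline of what each app category legitimately needs.
EXPECTED = {
    "media_player": {"android.permission.INTERNET",
                     "android.permission.WAKE_LOCK"},
    "game": {"android.permission.INTERNET"},
    "messaging": {"android.permission.INTERNET",
                  "android.permission.SEND_SMS",
                  "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return perms


def suspicious_permissions(manifest_xml: str, category: str) -> set[str]:
    """Sensitive permissions an app of `category` should not need.

    Unknown categories get an empty baseline, so every sensitive
    permission is reported for them."""
    perms = declared_permissions(manifest_xml)
    allowed = EXPECTED.get(category, set())
    return (perms & SENSITIVE) - allowed


# Constructed manifest modelled on the FakePlayer description:
# a "media player" that also asks to send SMS messages.
FAKE_PLAYER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Movie Player"/>
</manifest>
"""

# Constructed manifest of a benign media player for comparison.
BENIGN_PLAYER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Player"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("fake player", FAKE_PLAYER_MANIFEST),
                            ("benign player", BENIGN_PLAYER_MANIFEST)):
        flagged = suspicious_permissions(manifest, "media_player")
        verdict = f"SUSPICIOUS {sorted(flagged)}" if flagged else "ok"
        print(f"{label}: {verdict}")
```

Run as-is it reports the constructed FakePlayer-style manifest as suspicious because of `SEND_SMS` and passes the benign player. The check is only a first filter: malware can also abuse permissions that fit its cover story, and on platforms without a declarative permission model (the BlackBerry game in the next section) a static manifest check of this kind is not available, so it complements rather than replaces a proper mobile app assessment.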


To prove the point about smartphone security last year, Veracode, the code security people, conducted an experiment to see how easy it is to infect a smartphone with malware. The coders at Veracode created a tic-tac-toe game (noughts and crosses) that ran, in this case, on a BlackBerry device.

Not that they were picking on BlackBerrys—they could have done this attack on any smartphone, as it simply used a bit of social engineering to get a user to download the software onto their phone. Nothing that advanced here; in fact, if the user hadn’t actively downloaded the app and entered their passwords, the attack would have failed.

Once installed on the device the user happily played a game whilst in the background the malware was siphoning off their email contacts and SMS messages. It would have been trivial, at that stage, to turn the smartphone microphone on and have the device act as a bug.

David Cameron, the UK Prime Minister, carries a BlackBerry device and, in early 2011, he announced that he was following the cricket test match in Australia live on his BlackBerry whilst he was in bed. Consider the implications if this device were compromised and the Prime Minister were bugged in bed.

But no end of security education will prevent users from downloading apps if they really want them. Yes, devices can be locked down, as is the case with many company-issued BlackBerrys. Many security practitioners would agree that BlackBerry devices can be very well secured, and these devices have been tested and approved by the UK security establishment.

But what employee in a “normal” business would agree to their personal device being locked down in such a way that they are prevented from downloading and running the latest game or app?

Is my smartphone-based data secure?

Any CISO considering their smartphone security strategy should consider this data from the Get Safe Online website, a crime prevention website based in the UK.

Over 1 in 4 (28%) internet users use a smartphone to access the internet, rising to 50% amongst 18–24 year olds. Of these:

  • 71% use their phones to send emails or use messaging applications
  • 56% view and update their social networking profiles
  • 1 in 5 (20%) synchronise their handsets to a personal computer
  • Almost 1 in 5 (19%) use their mobiles to make purchases online
  • Over 1 in 6 (16%) manage their finances, including banking and paying bills
  • 1 in 5 (20%) have had their handsets lost or stolen

The statistics speak for themselves, but we are seeing a lot of people using devices for financial transactions, with the issues that can bring. Also, 20% have had their devices lost or stolen—and these are their own devices they love and cherish! Would they take greater or lesser care over a company-issued phone?

The next article in this series will look at voice data security and smartphone management tools.


Nigel Stanley is a specialist in business technology and IT security and now heads up Bloor Research's IT Security practice. For a number of years Nigel was technical director of a leading UK Microsoft partner, where he led a team of consultants and engineers providing secure business IT solutions. He has written three books on database and development technologies, including Microsoft .NET. Nigel is a member of the Institution of Engineering and Technology, the British Computer Society and the Institute of Directors.

  • This month Veracode published a list of the Top 10 Mobile App Risks (http://www.veracode.com/blog/) to raise awareness among enterprises and educate developers on how to develop apps secure enough for enterprise use. Recently OWASP, an organisation well known for the OWASP Top 10 Web Application Risks, has started a project to develop the OWASP Top 10 Mobile App Risks. Veracode is contributing mobile assessment knowledge to this effort. The hope is that testers can use the Top 10 Mobile Risks much the same way they do the OWASP Top 10, as a minimum list of vulnerabilities to inspect for.