By Graeme Cunynghame.
The number of mobile phone subscriptions worldwide is around the seven billion mark and growing. Smartphones are becoming more complex and more powerful in order to provide more functionality. Because of their unique characteristics, they present challenges that require new business models that offer countermeasures to help ensure their security.
Concerns are increasing regarding security threats against smartphone users. Smartphones generally use the same software architecture as that used in personal computers, and are vulnerable to similar classes of security risks such as viruses, Trojans and worms. The rapid and worldwide diffusion of applications (apps) for smartphones has produced a complex environment composed of users, developers and vendors with sometimes contrasting and sometimes matching interests.
Being an all-in-one device, smartphones and their associated apps provide very real convenience to users by providing services such as banking, social networking, games, emails, word processing, book readers, newspapers, day journals, photos and so on. The audio and camera functions on smartphones, which are formidable, have changed the landscape when it comes to recording day-to-day conversations, activities and spontaneous events.
In terms of human decision-making, the world is becoming a more complex place where black and white, good and bad, right and wrong as concepts have been displaced to some degree by complicated constructs that leave a large proportion of people in the dark. This concept has been referred to as the Black Box Model. Smartphones provide an example of a technologically advanced device that people choose to have faith in rather than understand. Their inner workings are not well understood by the average user but, nonetheless, users integrate their inputs and outputs into their decision-making.
In support of that thinking, marketing companies use strategies that are designed to influence people with images and emotions rather than factual or technical information. Subsequently, smartphone users place a considerable amount of faith in these devices in the absence of the knowledge required to completely understand the complexities and impacts of the device. However, it should be acknowledged that many smartphone users are high-tech; however, others are technically unsophisticated, which is problematic.
Research on how users evaluate and decide on particular apps is still being conducted; however, it would appear the average user is impulsive more so than considered, especially in terms of any sustained security threat analysis. Curiosity is one of the drivers when it comes to installing apps and, while threat awareness in relation to privacy is clearly denunciated, users are often dismissive, with few reading the service agreements or conditions, which are often longwinded and contain a degree of jargon.
Smartphones nevertheless are becoming the mobile hubs of information for many people and companies. What started as a way to provide users with the flexibility of installing apps to enhance the usability of their smartphone has grown into a global market with hundreds of thousands of apps built by thousands of developers. Apps run inside a security sandbox and need permissions to interact with the smartphone and the data stored on it. One of the issues is that users may not be aware of what specific permissions mean, why they need to be granted and the consequences.
While there are plenty of established companies developing useful apps or entertaining games, there is no easy way to distinguish them from developers that put users at risk or worse, choose to dispense malware or spyware. Many attacks operate in a stealth mode; users might not notice these attacks for days or even months. In addition, a malicious user could plant malware in a smartphone but not use it until later. Some malicious apps are believed to be sponsored by Nation States and have access to significant budgets.
Not all developers are paying attention to security, in part due to the rapidity of technical advancements. Some of the more sinister developers are using the app as a gateway into smartphones, with menacing motives. Some apps are mining data for marketing purposes; however, others are potentially part of the chaotic cybercrime world. Malicious third party apps ported on smartphones target the privacy and security of unknowing users by accessing confidential data or inserting malicious code, which could potentially damage or alter information, the firmware or software.
Ratings are often used in distinguishing ‘good’ apps from ‘bad’ ones and these reviews are supposed to provide the user with an assessment of an app’s trustworthiness by real people. However, fake reviews written by collaborators of the developer or the developer himself are activities designed to boost an app’s ranking.
Along with the rapid, worldwide adoption of smartphones, there has been tremendous growth in the number and diversity of apps available in the marketplace (for example, Android Play, the Apple App Store, Amazon App Store). Smartphone users select and install apps based on their own needs and interests, in a short timeframe with just a few clicks. Regrettably, there have been cases of malicious apps authorised and unknowingly distributed by Apple Store and Google Play. In one report, the top free gaming apps in both iOS (96 percent) and Android (84 percent) operating systems could access user and sensitive private information (such as contacts, location and calendar details).
Empirical research suggests users are more likely to trust the authorised apps such as those accessed through Google Play, Kindle or Apple for example. Apps may also be installed on the recommendation of someone else, such as a friend or business associate, without any other considerations. It is common practice for users to download apps or games because their colleagues and friends already have them on their smartphone. These recommendations provide users with a level of confidence on the innocent nature of the app, despite the fact some of those apps may be malicious but undetected by their friends. There are many considerations when it comes to app installation. However, significant discrepancies emerge between how users perceive privacy and security risks and their actual behaviours.
Research indicates permissions requested by apps were assessed as a cost by the user and weighted in respect to other needs. Users may rationalise the decision to allow an app access to personal data (contacts, addresses, phone numbers) because they regard that content as unimportant. This raises security concerns when a person’s details might be accessed through someone else’s smartphone (for example, an unlisted telephone number) because they do not value the information the same as that person might. Users with different levels of knowledge regarding smartphones and apps usage treat these issues differently. What the user should understand is the smartphone is, in many respects, a smaller version of the laptop or desktop computer and security should be a major consideration.
Smartphone popularity has also translated into increased hacker interest and a concerted push in targeting such platforms. In fact, a large amount of smartphone malware has attempted to exploit the unique vulnerabilities of smartphones. A smartphone security study identified Trojans that use voice-recognition algorithms that can steal sensitive information spoken over smartphones. Such threats not only invade privacy and security of smartphone users, but also manage to generate coordinated large-scale attacks on the communication infrastructures by forming botnets.
Security approaches based on running lightweight intrusion detection processes on smartphones, which effectively fail to provide any serious protection due to constraints involving limited memory, battery power, storage and computational resources, are underwhelming. Present research suggests these programs do not have the capability to run a real-time, in-depth, effective detection analysis. Technology no doubt will address security issues; however, due to the high rate of technological turnover, decisions in relation to app security often take a backseat to marketing strategies when it comes to getting the product to the user as quickly as possible.
Importantly, businesses are in the firing line due to the proliferation of smartphones and the potential of apps. It is estimated about 70 percent of security threats to any organisation will arise internally. Businesses operating without adequate policies and procedures addressing specific issues in relation to smartphone use (both private and business mobiles) are exposed in terms of security risks. Many businesses utilise workers’ private smartphones and have little idea, if any, regarding the app content of those devices.
Smartphones can easily be used to facilitate the movement of confidential information (emails, charts, reports, budgets) from the business to elsewhere. App usage on private and business smartphones is potentially a security threat to an organisation and should be addressed in security management plans. Unfortunately, small- and medium-size businesses are disproportionality exposed to security risks as they often do not have access to the required expertise and defer to reactive rather than proactive security strategies. Any organisation that views smartphone security as ‘grudge expenditure’ is taking unnecessary risks.
Trust assessments of apps are necessary and important since smartphones are becoming the new information hubs for people and companies, but their security is generally lacking and as such that there is no guarantee that information is safe. Some of the threats to users of smartphones include eavesdropping, unathorised device (physical) use, unauthorised access, crashing, misuse of phone identifiers, sensitive information disclosure, spyware corrupting or modifying private content, client side injection of malware and direct billing. The list is dynamic and by no means conclusive; technological advances will continue to reveal further threats.
Users ought to remain vigilant to security warnings and report incidents, particularly those in a business environment. Recommendations for users and organisations include:
- possess a basic knowledge of the numerous ways smartphone usage can be risky, including the use of Bluetooth, SMS services and Wi-Fi applications, and the dangers posed by the numerous data ports open to cybercrime; turn off Wi-Fi or Bluetooth if it is not needed.
- Close ports that are no longer required to be open (threat of scanners).
- Utilise PIN/key lock codes.
- Be suspicious of any messages from known and unknown senders and not open unrecognised links.
- Do not root the phone; this is an increasingly common practice among Android users that essentially involves modifying the file system to allow users access to read-only files and parts of the operating system the manufacturer or service provider does not want users to change.
- Install and activate anti-virus protection to protect from unauthorised access (it takes about three weeks from discovering a virus until the release of a patch).
- Install the latest updates of the operating system and running application as vendors release them.
- Subject private smartphone access to a business modem to a risk assessment (reasons for connection, access to documents, emails, porn access prohibition, app content).
- Know to whom and how to report security incidents as a matter of policy.
- Report any cases of data manipulation or privacy intrusion.
- Deploy remote locking and the ability to remotely erase data.
- Implement smartphone policies and procedures and ensure compliance.
- Backup on a regular basis and do not be reluctant to do a regular reinstall of the smartphone operating system and delete redundant apps.
- De-activate emails, SMS and any other applications that utilise Wi-Fi, and reset the device to the factory (original) settings if selling a smartphone.
The main actors apart from the users of the app environment include developers, vendors and researchers. All have a role to play in ensuring security is a vital aspect of smartphone deployment. In the haste to market, there is evidence that security is not a major consideration. However, it is the responsibility of the user to remain vigilant in relation to apps; users are the first line of defence against smartphone threats and they should be educated on security best practice.
Graeme Cunynghame served in a number of areas during his policing career, including the Fraud Squad, Corporate Affairs Commission, Drug Enforcement Agency, National Crime Authority, and NSW Crime Commission. Graeme attends Edith Cowan University where he reads Security Science (Honors). He is a member of ASIS and ACFE. Graeme welcomes referrals relating to fraud matters, workplace investigations, and security risk management concerns. He can be contacted on 0408 787 978, email firstname.lastname@example.org or www.pripol.com.au