Threats to the security of mobile devices and the information they store and process have been increasing significantly.The number of variants of malicious software, known as “malware,” aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185 percent in less than a year.
Cyber criminals may use a variety of attack methods, including intercepting data as they are transmitted to and from mobile devices and inserting malicious code into software applications to gain access to users’ sensitive information.
These threats and attacks are facilitated by vulnerabilities in the design and configuration of mobile devices, as well as the ways consumers use them. Common vulnerabilities include a failure to enable password protection and operating systems that are not kept up to date with the latest security patches.
Attacks against mobile devices generally occur through different channels of activities:
How to Secure Mobile
Malicious applications may be disguised as a game, device patch, or utility, which is available for download by unsuspecting users and provides the means for unauthorized users to gain unauthorized use of mobile devices and access to private information or system resources on mobile devices.
Visiting a malicious website
Malicious websites may automatically download malware to a mobile device when a user visits. In some cases, the user must take action (such as clicking on a hyperlink) to download the application, while in other cases the application may download automatically.
Direct attack through the communication network
Rather than targeting the mobile device itself, some attacks try to intercept communications to and from the device in order to gain unauthorized use of mobile devices and access to sensitive information.
Unauthorized individuals may gain possession of lost or stolen devices and have unauthorized use of mobile devices and access sensitive information stored on the device.
Mobile devices often do not use security software
Many mobile devices do not come preinstalled with security software to protect against malicious applications, spyware, and malware-based attacks. Further, users do not always install security software, in part because mobile devices often do not come preloaded with such software. While such software may slow operations and affect battery life on some mobile devices, without it, the risk may be increased that an attacker could successfully distribute malware such as viruses, Trojans, spyware, and spam, to lure users into revealing passwords or other confidential information.
Operating systems may be out-of-date
Security patches or fixes for mobile devices’ operating systems are not always installed on mobile devices in a timely manner. It can take weeks to months before security updates are provided to consumers’ devices. Depending on the nature of the vulnerability, the patching process may be complex and involve many parties. For example,Google develops updates to fix security vulnerabilities in the Android OS, but it is up to device manufacturers to produce a device-specific update incorporating the vulnerability fix, which can take time if there are proprietary modifications to the device’s software. Once a manufacturer produces an update, it is up to each carrier to test it and transmit the updates to consumers’ devices.
Software on mobile devices may be out-of-date
Security patches for third-party applications are not always developed and released in a timely manner. In addition, mobile third-party applications, including web browsers, do not always notify consumers when updates are available.Unlike aditional web browsers, mobile browsers rarely get updates. Using outdated software increases the risk that an attacker may exploit vulnerabilities associated with these devices.
Mobile devices often do not limit Internet connections
Many mobile devices do not have firewalls to limit connections. When the device is connected to a wide area network it uses communications ports to connect with other devices and the Internet. These ports are similar to doorways to the device. A hacker could access the mobile device through a port that is not secured. A firewall secures these ports and allows the user to choose what connections he or she wants to allow into the mobile device. The firewall intercepts both incoming and outgoing connection attempts and blocks or permits them based on a list of rules. Without a firewall, the mobile device may be open to intrusion through an unsecured communications port, and an intruder may be able to obtain sensitive information on the device and misuse it.
Mobile devices may have unauthorized modifications
The process of modifying a mobile device to remove its limitations so consumers can add additional features (known as “jailbreaking” or “rooting”) changes how security for the device is managed and could increase security risks.Jailbreaking allows users to gain access to the operating system of a device so as to permit the installation of unauthorized software functions and applications and/or to not be tied to a particular wireless carrier. While some users may jailbreak or root their mobile devices specifically to install security enhancements such as firewalls, others may simply be looking for a less expensive or easier way to install desirable applications. In the latter case, users face increased security risks, because they are bypassing the application vetting process established by the manufacturer and thus have less protection against inadvertently installing malware. Further, jailbroken devices may not receive notifications of security updates from the manufacturer and may require extra effort from the user to maintain up-to-date software.
Communication channels may be poorly secured
Having communication channels, such as Bluetooth communications, “open” or in “discovery” mode (which allows the device to be seen by other Bluetooth-enabled devices so that connections can be made) could allow an attacker to install malware through that connection, or surreptitiously activate a microphone or camera to eavesdrop on the user. In addition, using unsecured public wireless Internet networks or WiFi spots could allow an attacker to connect to the device and view sensitive information.
Mobile device manufacturers and wireless carriers can implement a number of technical features, such as enabling passwords and encryption, to limit or prevent attacks. In addition, consumers can adopt key practices, such as setting passwords, installing software to combat malware, and limiting the use of public wireless connections for sensitive transactions, which also can significantly mitigate the risk that their devices will be compromised.