There are more than 4.3 billion active mobile internet users worldwide, who downloaded more than 230 billion apps and accounted for more than 55% of total online traffic last year. The increase in remote working policies has brought an onslaught of IT security challenges. Hackers are waging war on your data, and they are getting to you through your most vulnerable fronts – your mobile devices.
In our latest webinar, Mobile Wars: Rise of the Hacker, CrucialLogics’ Amol Joshi and Claudio Damaso (aka the Most Secure CIO in the World) teamed up with ethical hacker Richard Rogerson from Packetlabs. They discussed three different mobile device management scenarios and the top seven threats in mobile device security.
3 Main Mobile Device Management Scenarios
- Corporate: The device, applications and data are the property of, and controlled by, the company. The user is given a unique corporate identity with multi-factor authentication (MFA) support.
- Personal (BYOD): The device is owned by the user, but they sign into the company’s portal to auto install and configure Outlook, OneDrive, Teams, and other company apps. The device and applications are partially managed by the company, but personal and corporate identities are kept separate.
- Personal (MAM-WE): The device is owned by the user, subject to Microsoft Application Management – Without Enrollment protocols. Users sign into each app and configure them individually. The apps are partially managed by the company and given dual identities, separating corporate data from personal data.
The team agreed that, in all of these mobile device management scenarios, application protection policies should require a PIN and include “do not copy/paste” rules. The panel then went on to talk about the top security threats to mobile devices.
The Top 7 Mobile Device Security Threats
- Data Leakage
Data leakage can happen in many ways, such as employees saving emails to a personal cloud storage drive, having malware on their phones, or simply using unvetted mobile apps. In fact, applications developed for mobile devices are often not as secure as their desktop versions and can increase the risk of data leaking to an unauthorized external user.
Your IT team can prevent data leakage by extending its Data Loss Prevention and Information Protection policies to remote users’ mobile devices. It should also implement policies that block users and applications from transferring data from corporate-owned apps to personal apps.
- Unsecured WiFi
The rise in remote work means that employees are working from anywhere, including on open wireless networks like those found in coffee shops. A mobile device connected to a public, often unsecured, network is vulnerable. And since not all mobile applications validate the server’s certificate against trusted certificate authorities, the device is left open to attack from bad actors.
You can reduce the chance of a data breach over unsecured WiFi by supplying employees with managed corporate phones and encrypting traffic using a VPN service. Labeling and encrypting your company’s sensitive data can prevent it from being exploited if it falls into the wrong hands. However, enforcing mobile management policies that allow corporate data to be accessed and transferred using only corporate approved and controlled apps is the best way to keep it out of the wrong hands in the first place.
- Network Spoofing
Network spoofing is where a bad actor, masquerading as a legitimate network, tricks mobile device users into believing they are connected to a trusted source. For example, a spoofer can listen in on the wireless network at a local coffee shop and identify a user they want to hack. They then create an access point with the same name as the coffee shop’s and wait for their mark to log in, giving the spoofer access to the mobile device.
Spoofers can abuse various protocols, including Dynamic Host Configuration Protocol (DHCP), Web Proxy Auto-Discovery Protocol (WPAD) and others, to bait users into surrendering credentials. To avoid getting spoofed, users should disable legacy protocols on their mobile devices and ensure that corporate data is transferred only over secure protocols, with proper application policies in place.
- Phishing and Smishing
Phishing is a type of social engineering in which an attacker sends a fraudulent email (phishing attack) or text/SMS message (smishing attack). The attacker tricks the user into handing over sensitive information such as passwords, or into deploying malicious software, like ransomware, onto their mobile device. Recently, bad actors have been hacking COVID-19 vaccine booking systems and smishing the contact database. (In fact, this happened to Amol during the webinar – no joke.)
To prevent phishing/smishing attacks, ensure you have protection mechanisms installed on all mobile devices. Corporate IT protocols should be in place, so that even if a user opens a link in an email, the link is scanned for any malicious activity before the user can proceed. You should also restrict access to your corporate IT infrastructure from any unmanaged devices and applications that cannot be controlled by your company’s IT team.
- Spyware
Spyware is used to monitor and collect data. It is usually installed when a user clicks on a malicious advertisement or falls for a scam that tricks them into downloading it. Mobile phones are a prime target for spyware because of the number of data-gathering sensors they carry, including cameras on both sides, microphones, accelerometers, and GPS receivers. And because mobile phones are also used for MFA prompts and push notifications, hackers love to exploit them.
To prevent spyware being downloaded onto your employees’ mobile devices, you should utilize the same corporate anti-malware strategy that applies to your company’s IT enterprise. Integrating advanced threat protection mechanisms, like Defender for Endpoint, into your company’s overall malware strategy is also critical.
- Broken Cryptography
Mobile and desktop web browsers validate server certificates, which gives users a sense of security. It is best practice to have the same cryptographic validation in mobile applications as well, but that isn’t always the case. Broken cryptography exposes sensitive data on the mobile device to bad actors, who can take a man-in-the-middle position between the target’s mobile application and the back-end API and pull clear-text credentials off the phone.
To avoid broken cryptography, ensure your users’ mobile devices and applications are properly managed according to your company’s IT security protocols. Only corporate approved devices should have access to your corporate data, and jailbroken devices must be blocked.
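The “not all mobile applications validate certificate authorities” failure above is easy to audit when the app’s TLS configuration can be inspected. The following is an added example (not code from the webinar or from CrucialLogics) using Python’s standard `ssl` module: one function builds the client context a hardened app should use, one reproduces the “just make it work” context that disables validation, and an audit function reports which of the three checks a context fails. The TLS 1.2 floor is an assumption chosen for the example.

```python
import ssl

# Assumption for this example: a hardened mobile client should refuse anything below TLS 1.2.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the certificate chain AND the hostname."""
    # create_default_context() loads the platform CA bundle, sets CERT_REQUIRED
    # and enables hostname checking; we only pin the version floor on top.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def broken_client_context() -> ssl.SSLContext:
    """The context a developer writes to make a self-signed staging cert 'work'.

    It ships to production far too often: any certificate, any name, any TLS
    version is accepted, so a spoofed access point can sit in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no CA validation at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not validated against trusted CAs")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < MIN_TLS:
        findings.append("legacy TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("broken", broken_client_context())):
        print(name, "->", audit_context(ctx) or ["OK"])
```

The same three checks map directly onto what a mobile application security test looks for in a network capture: a client that completes a handshake with an untrusted or mismatched certificate is failing the first two checks, whatever its source code says.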
- Improper Session Handling
Improper session handling happens when a session token is unintentionally leaked during a session between a user’s mobile app and a back-end server, giving hackers access to your IT infrastructure. Another scenario is a mobile application that sends the login and password with every API request, leaving the credentials exposed to a cyberattack on every call.
To ensure proper session handling, delineate between corporate-managed and non-corporate-managed applications and ensure they have undergone extensive vulnerability testing. HTTP session identifiers should be generated randomly so that they cannot be guessed or predicted.
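To make the two session-handling points concrete, here is an added example (not code from the webinar or from any product it mentions) of a minimal back-end session store in Python. It contrasts a guessable token built from the user id and login time with a token drawn from `secrets`, expires sessions after an idle timeout (the 15-minute value is an assumption), compares tokens in constant time, and shows an API endpoint that authorizes by session token so the password never travels with each request.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32             # 256 bits of randomness per token (43 url-safe chars)
SESSION_TTL_SECONDS = 900    # assumption for the example: 15-minute idle timeout


def weak_token(user_id: int, now: float) -> str:
    """The flawed pattern: a 'token' derived from public facts.

    Anyone who knows the user id and roughly when the login happened can
    rebuild it, so the session is predictable even if it is never leaked."""
    return f"{user_id}-{int(now)}"


class SessionStore:
    """In-memory store mapping random tokens to (user_id, expiry)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[int, float]] = {}

    def create(self, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, not guessable
        self._sessions[token] = (user_id, now + SESSION_TTL_SECONDS)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user id for a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        match = None
        for stored in self._sessions:
            # constant-time comparison so timing does not leak token prefixes
            if hmac.compare_digest(stored, token):
                match = stored
                break
        if match is None:
            return None
        user_id, expires_at = self._sessions[match]
        if now > expires_at:
            del self._sessions[match]       # expired sessions are dropped on sight
            return None
        return user_id

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def api_request(store: SessionStore, token: str, path: str,
                now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Simulated back-end endpoint: authorizes by session token only.

    The client never re-sends its password; it presents the token it was
    issued at login, which can be revoked or expired independently."""
    user_id = store.resolve(token, now)
    if user_id is None:
        return 401, None
    return 200, {"path": path, "user": user_id}


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    print("weak token for user 42:", weak_token(42, t0))   # trivially reproducible
    store = SessionStore()
    tok = store.create(42, now=t0)
    print("random token:", tok)
    print("within TTL:", api_request(store, tok, "/api/inbox", now=t0 + 60))
    print("after TTL: ", api_request(store, tok, "/api/inbox", now=t0 + 2000))
```

In a real deployment the store would live in a server-side cache with the same semantics; the properties a tester checks are unchanged: tokens are unique and high-entropy, they expire, and no request after login carries the password.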
Mobile Application Security Testing
Mobile devices and applications are vulnerable to hackers and should undergo regular security checks. Mobile devices deserve as much attention as desktop applications. Custom-developed mobile applications should be comprehensively tested, and back-end applications should undergo Dynamic Application Security Testing (DAST) to validate server-side controls. Key artifacts, such as network captures, application logs, disk activity, and credential exposure, need to be analyzed and reviewed to ensure your users’ mobile devices and applications are secure.
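The “log reviews” and “credential exposures” items in that checklist are mechanical enough to script. Below is an added example (not from the webinar or from Packetlabs’ methodology) of a small Python log reviewer: it runs a few regular expressions over constructed sample lines of the kind a mobile app writes to its debug log, reports the line and the class of exposure, and offers a redaction helper so the same log can be shared with developers without the secrets. The log lines, the user name and the credentials in them are all made up for the example.

```python
import re
from typing import List, Tuple

# Constructed sample of an app's debug log (no real users, tokens or passwords).
SAMPLE_LOG = """\
2024-05-01T10:02:11Z INFO  login ok for user=alice
2024-05-01T10:02:12Z DEBUG POST /api/login body={"user":"alice","password":"Summer2024!"}
2024-05-01T10:02:13Z DEBUG GET /api/inbox Authorization: Basic YWxpY2U6U3VtbWVyMjAyNCE=
2024-05-01T10:02:14Z DEBUG GET /api/inbox Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc
2024-05-01T10:03:00Z INFO  sync complete, 12 items
"""

# Each finding class is a label plus a pattern. The negative lookahead keeps
# already-redacted lines from being reported again after redact() runs.
PATTERNS = {
    "plaintext password written to log":
        re.compile(r'"password"\s*:\s*"(?!\[REDACTED\])[^"]+"', re.I),
    "Basic auth credentials sent on request":
        re.compile(r"Authorization:\s*Basic\s+(?!\[REDACTED\])[A-Za-z0-9+/=]+"),
    "Bearer token written to log":
        re.compile(r"Authorization:\s*Bearer\s+(?!\[REDACTED\])\S+"),
}

# Substitutions that keep the log's structure but drop the secret itself.
REDACTIONS = [
    (re.compile(r'("password"\s*:\s*")[^"]+(")', re.I), r"\1[REDACTED]\2"),
    (re.compile(r"(Authorization:\s*(?:Basic|Bearer)\s+)\S+"), r"\1[REDACTED]"),
]


def review_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding label) for every exposure in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


def redact(text: str) -> str:
    """Strip credentials so the log can be shared with the app team."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


if __name__ == "__main__":
    for lineno, label in review_log(SAMPLE_LOG):
        print(f"line {lineno}: {label}")
    print("--- redacted ---")
    print(redact(SAMPLE_LOG))
```

Two of the three findings correspond directly to threats in the list above: a password in the request body on every login is the “login/password with every API request” pattern, and a `Basic` header is that same password, merely base64-encoded, repeated on each call. Extending `PATTERNS` with an organization’s own token formats is the usual first customization.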
CrucialLogics’ experts can help your IT team with these and other cybersecurity issues. They can also assist with educating your remote workforce on mobile device security. Want to learn more? Watch our webinar on Mobile Wars: Rise of the Hacker. Want a free security advisory session? Contact our team.