Experts: Mobile devices a growing target for criminals

Many IT departments face significant problems with smartphones and other mobile devices, security experts say

The best way to protect business information on smartphones from cybercriminals is to leave that information off smartphones, according to a mobile security expert.

Mobile security is still evolving, and smartphones are vulnerable to hackers and to social engineering schemes, said Andrew Hoog, chief investigative officer at viaForensics, a security vendor. Cybercriminals are starting to target smartphones, Hoog said at a cybersecurity summit in Washington, D.C., hosted by the Computing Technology Industry Association (CompTIA).

Mobile devices combine personal information and corporate information, Hoog said. "It becomes a much richer target."

ViaForensics recently completed a review of 100 popular mobile applications, Hoog said. Eighty-three percent of those apps either warranted a security warning from the company or failed the company's basic security tests, meaning they stored sensitive data insecurely, he said. The company gave warnings to apps that store app data in an unencrypted form.

Ten percent of the apps tested stored passwords in plain text, and 25 percent of the financial apps failed the company's tests, Hoog said.

"It is possible to build secure mobile apps," he said. "But when we're just scratching the surface, just looking for the most basic information, at this point in time, we're recovering enormous amounts of data on these devices."

Part of the problem for corporate IT departments is that employees are bringing in a wide variety of mobile devices to use in business settings, added Brian Contos, director of global security and risk management at McAfee.

"Fundamentally, the problem with mobility is that the technocracy is over," Contos said. "It used to be that ... the IT people would say, 'this is what we're going to run, this is how we're going to run it, these are the applications you're going to use.'"

Contos told the audience that he was at an organization in Bogota, Colombia recently. "They had all their auditors, all their IT folks, standing up there and telling their CIO why they shouldn't allow mobile devices on their network," he said. "They had charts, graphs, tables. After about an hour, they made their point, and the CIO stood up and simply said, 'But I love my iPad.'"

In addition, mobile app and OS developers want to make their products easy to use, added Allan Friedman, research director at the Center for Technology Innovation at the Brookings Institution. Criminals using spyware and other schemes count on split-second decisions by smartphone users, he said.

"The challenge for security is, to have someone make a good decision, you need to force cognition," he said. "You need to actually make them think. This is the opposite of usability."

Some corporate IT departments are turning to outside consultants for help with securing mobile devices, Hoog said. Many company CIOs are saying they have "a million other things to worry about," he said. "It's too much for an IT department to take on and become an expert in, but it's too important to ignore."

Some mobile security vendors have tools that can make mobile devices much more secure than they are out of the box, he said. Hoog described mobile security as a race between security vendors and cybercriminals. "If we get to them first, we win the race," he said.

Grant Gross covers technology and telecom policy in the US government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is
