Mobile Security Challenges

There’s been a massive focus on mobile security recently as the proliferation of smartphones and tablets and advent of BYOD has forced IT and security professionals to completely rethink how mobile devices and data are managed. Gartner’s Rob Smith looked at some of the challenges around mobile security at the Security and Risk Management Summit held in Sydney in August 2015.

Mobile malware had had a lot of recent attention with some vendors claiming there are millions of malicious applications in the wild. Smith says the problem isn’t malware in app stores but delivering malware via devices that have been rooted and had users download malware themselves. He also noted mobile data breaches aren’t the preferred attack vector. There’s no Sony level event that was initiated via a mobile device.

According to Verizon, 15.3% of all incidents are due to physical theft or loss including mobile devices. And Gartner’s own data says about 75% of mobile security breaches will be the result of mobile application misconfigurations. One of the challenges was the number of different Android versions were in the wild. In a survey conducted in 2012, it was found there almost 4000. By 2013 that went up to 12000. Today it’s in excess of 30000.

Android challenge

Every device sold by different carriers has it’s own slightly different software version. This makes it difficult for IT admins to configure devices correctly. in some cases, detected issues are resolved by Google and phone makers but not deployed by carriers.

In some cases, applications make it difficult for data to be secured from devices. For example, Office 365 allows users to save data directly to personal cloud services such as a Dropbox or This creates data leakage issues for businesses that are difficult to detect or prevent.

Smith highlighted how easy it can be conduct a man-in-the-middle attack by tricking users to install profiles that allow data to be intercepted. However, such issues can be avoided through user training - something IT often misses out on delivering.

Breach points and Windows 10

By 2017, the focus of endpoint breaches will shift to tablets and smartphones. Recent deals, such as the alliance between IBM and Apple, highlight that executives are abandoning their laptops and moving to smaller devices.

Interestingly, Smith noted Windows 10 offers some significant security benefits that don’t compromise usability. He noted BlackBerry had strong security cachet but usability had suffered over the years. Windows 10 offers BlackBerry-like security with Apple-like usability. Also, once a Windows Phone is put under device management, administrators have control over firmware versions - taking that control away from carriers.

The focus on device protection is misplaced says Smith. Highlighting a recent experiment undertaken at Cal Tech, it’s possible to publish a piece of malware through a certified app store that sends a tweet on behalf of a user without permission or visibility. The focus needs to be on data protection as it’s not possible, even when users do the right thing and stick to legitimate app stores, to secure data.

Smith says it’s important to treat mobile security as tactical and only deploy it where it’s needed. There may not be a need to secure every single user equally. This means risk managers need to profile and understand users and considering mobile devices as untrusted. The focus ought not be on not locking devices down - which only annoys users - but securing data.

Join the CSO newsletter!

Error: Please check your email address.

Tags smartphonesecuring data#GartnerSECdropboxWindows 10Rob SmithBox.netMobile Security ChallengesCSO AustraliaBYODCal Tech

More about AppleBlackBerryBox.netDropboxGartnerGoogleSonyVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts