Lost or stolen devices

According to an InformationWeek 2012 report on the State of Mobile Security, the number one mobile security concern was “lost or stolen devices.” In a mobile computing world dominated by Bring Your Own Device (BYOD), does this make sense? Why should my employer care if my smartphone is lost or stolen? My employer doesn’t have to pay to replace my phone. However, my employer does have to worry about the company, customer, and partner data I may have stored on my mobile device. That is the real concern.

Mobile malware

Increasingly, users are under attack from mobile malware, typically spyware or trojans. It makes its way onto the user’s phone through phishing or spear-phishing attacks, which often direct users to bogus app stores. This is especially true for Android applications, which are available from many different app stores and are not centrally managed and controlled the way the Apple App Store is.

Once the malware is on the user’s mobile device, many “bad” things can happen. The malicious software will begin to mine the device for information. It may try to access your contact database and forward all your personal and business contact information to the attacker. There are many examples of mobile malware placing expensive calls or sending expensive text messages without the user’s permission or knowledge. It could also query the device’s GPS services to disclose your location.

The attacks are increasing in sophistication and put all unprotected data at risk. This is the real risk to an enterprise: because it cannot control the applications its users install on their mobile devices, its own applications and the data those applications use are at risk. Even in a BYOD scenario where the mobile devices are managed, there is still little control over what applications users can install.

If a managed mobile device is lost or stolen, an enterprise can wipe corporate data and applications, which clearly mitigates the data leakage risk. But what happens if malware is installed on a user’s mobile device? The user isn’t aware of any risk, and even if the device is managed the malware can mine it for sensitive enterprise information. Hackers are looking for all types of information. They will gather what they can, forward it along, and then figure out how to capitalize on the stolen information.

What can an enterprise do to protect itself?

What can an enterprise do to protect itself from the malware risk introduced by its users? The number one recommendation is to protect all data written to the mobile device. Sensitive data needs to be encrypted. This is not limited to information stored in a file on the device; it means all sensitive information stored anywhere on the device. Sometimes mobile developers forget where they store data. For example, a mobile application may cache sensitive information or post it to a pasteboard.

This risk highlights the need for mobile development teams to quickly and efficiently identify all the areas in an application where data leaves the application. Using a Static Application Security Testing (SAST) solution such as IBM Security AppScan helps to mitigate the risk to enterprise data by automatically identifying data leakage vulnerabilities. Given the fast pace of mobile development, automating mobile application security analysis is the only solution that will scale.
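As an added illustration of the two points above (a cache, a log line or the pasteboard is still data written to the device, and a SAST tool finds those flows mechanically), here is a small Python script that is not IBM's, AppScan's or the author's code. It is a toy taint tracker: values returned by a few hypothetical secret-returning calls are marked sensitive, the mark follows them through assignments, an `encrypt(...)` wrapper clears it, and any marked value reaching a storage sink (logcat, SharedPreferences, clipboard, file, cache) is reported. The Android-style snippet it scans is constructed for the example, and the source, sink and sanitizer names (`getPassword`, `getSessionToken`, `cache.put`, `encrypt`) are assumptions, not real framework APIs. A production SAST engine works over a parsed AST and call graph; regular expressions are enough to show the idea.

```python
"""Toy data-leakage checker: flags secrets written to on-device storage unencrypted.

Added example, not code from IBM, AppScan or the post's author. Source, sink and
sanitizer names are assumptions chosen for the demonstration.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Hypothetical API names that return secrets (taint sources).
SOURCE_CALLS = {"getPassword", "getSessionToken", "getCardNumber"}
# Hypothetical calls that protect a value before it is stored (taint sanitizers).
SANITIZERS = {"encrypt", "seal"}
# On-device storage sinks the post warns about: (regex over one line, label).
SINKS = [
    (r"\bLog\.[dviwe]\(", "logcat"),
    (r"\.putString\(", "SharedPreferences"),
    (r"\.setPrimaryClip\(", "clipboard/pasteboard"),
    (r"\bFileOutputStream\(|\.write\(", "file"),
    (r"\bcache\.put\(", "in-app cache"),
]

# `Type name = expr;` with an optional final/val/var modifier (Java/Kotlin style).
ASSIGN_RE = re.compile(
    r"^\s*(?:(?:final|val|var)\s+)?(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+?);?\s*$"
)
CALL_RE = re.compile(r"\b(\w+)\s*\(")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


@dataclass
class Finding:
    line_no: int
    sink: str
    variable: str
    text: str


def _sanitized(expr: str) -> bool:
    """True when the outermost call of the right-hand side is a sanitizer."""
    m = re.match(r"\s*(\w+)\s*\(", expr)
    return bool(m and m.group(1) in SANITIZERS)


def analyze(source: str) -> List[Finding]:
    """Return one Finding per (line, sink, tainted variable) found in `source`."""
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for no, raw in enumerate(source.splitlines(), start=1):
        code = raw.split("//", 1)[0]          # drop trailing line comments (toy: breaks on URLs)
        if not code.strip():
            continue
        lhs = None
        m = ASSIGN_RE.match(code)
        if m:
            lhs, rhs = m.group(1), m.group(2)
            if _sanitized(rhs):
                tainted.discard(lhs)          # ciphertext is safe to store
                continue
            from_source = bool(set(CALL_RE.findall(rhs)) & SOURCE_CALLS)
            from_tainted = bool(set(IDENT_RE.findall(rhs)) & tainted)
            if from_source or from_tainted:
                tainted.add(lhs)              # taint propagates through assignment
            else:
                tainted.discard(lhs)          # reassigned from a clean value
        used = set(IDENT_RE.findall(code)) - {lhs}
        for pattern, label in SINKS:
            if re.search(pattern, code):
                for var in sorted(used & tainted):
                    findings.append(Finding(no, label, var, code.strip()))
    return findings


# Constructed Android-style snippet with three leaks and two safe writes.
SAMPLE_SOURCE = """\
String password = user.getPassword();                   // taint source
String token = api.getSessionToken();                    // taint source
String banner = "Welcome " + user.getName();             // not sensitive
Log.d("Login", "pw=" + password);                        // leak: secret in logcat
prefs.edit().putString("session", token).apply();        // leak: plaintext preference
String sealed = encrypt(token, key);                     // sanitizer: encrypted copy
prefs.edit().putString("session_enc", sealed).apply();   // fine: ciphertext stored
ClipData clip = ClipData.newPlainText("card", password); // taint flows into clip
clipboard.setPrimaryClip(clip);                          // leak: secret on clipboard
cache.put("banner", banner);                             // fine: nothing sensitive
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line_no}: '{f.variable}' reaches {f.sink}: {f.text}")
```

Run as a script it prints the three leaks (logcat, SharedPreferences, clipboard) and stays silent on the encrypted preference and the harmless cache entry. The interesting design point is the sanitizer rule: taint is cleared only when the whole right-hand side is an `encrypt(...)` call, which is exactly the "encrypt before it touches storage" discipline the post recommends, and it is why `sealed` is allowed into SharedPreferences while `token` is not.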
