by Chris Murrey, SecureState

Smartphones have become an integral part of our lives; we rely on them for everything. They hold all of our personal information, calendars, emails, phone numbers, text messages, and documents. However, the average user is not very savvy when it comes to the security of these devices. A user can browse to one of the many app stores and download just about anything, and most users do just that.
One of the exciting things about smartphones is how customizable they are. You can get any type of application you want, and most of the time it is free. You can get games, productivity applications, web servers, and FTP servers. Users feel a false sense of security because it is "just a phone" and the apps must be secure because they are getting them from an app store.
These apps, however, are developed by programmers of varying skill levels, and security might not be their top priority. None of the app stores put the apps through a thorough security check; most run virus scans, but these are usually done at random and after the app is posted. Even Apple has fallen victim to mobile malware.
Some apps have even been signed as safe by the stores, only for malicious code to be discovered at a later date. Samsung's Wave shipped with malware installed on the SD card, which activated as soon as it was connected to a PC.
Lookout, a mobile security firm, stated "we've gone from seeing 4 pieces of malware and spyware per 100 phones per year in December 2009 to 9 per 100 phones per year in May 2010. That's more than double the prevalence of malware and spyware on smartphones in less than 6 months."
The phones themselves include some protections, such as limiting which app stores you can download apps from. Other protections notify the user of what the app will have access to, e.g. contacts, GPS, or network info.
But how many users actually look to see what that cool app will do before they run it?
Once a malicious application has been activated, it can disable your phone, make toll calls, get your exact location, view your SMS messages, or even turn on the microphone to eavesdrop on your conversations.
Not all applications that pose a risk were designed to be malicious. One such application was designed to remotely take photos; however, it also had the ability to view other folders, and even system files, and delete them. When the developer was contacted, he replied that he had reused a piece of code from another app he had made, which was designed to be a file explorer, and had not yet set the restrictions on the photo-taking application.
These issues have even been noticed by the FBI's Cyber Division assistant director Gordon Snow. He was quoted in The Wall Street Journal saying, "Mobile phones are a huge source of vulnerability," and "We are definitely seeing an increase in criminal activity."
None of the smartphones have been immune to attack. Apple, BlackBerry, Windows Mobile, and Android have all been under siege, and the risk will continue to grow as these phones get smarter and more powerful. Companies such as Lookout offer free protection on supported devices. Symantec and McAfee are also getting involved with mobile security. As this threat grows, more companies will follow suit.
Should you stop downloading apps? Probably not; but you should be a little more cautious about what you are downloading. Users are quickly learning not to click links in questionable emails because of phishing attacks; however, the same user will click the link from their phone simply because it is a phone. You must protect yourself, but how?
Securing your smartphone can be as easy as applying simple best practices and common sense. Users need to understand that they are holding more than a phone, and that it can fall victim to the same perils as their laptop or desktop. Businesses should ensure a mobile security policy is defined and in effect, covering such things as whether the device may join open WiFi access points, device locking, whether the user can install apps, and encryption. By using policies similar to those for your desktop and laptop, you can ensure you are taking the correct approach to securing your mobile device. Anti-malware, anti-virus, and firewall products are available, and they may be the options you choose.
Simple steps for a smart user:
- Use common sense.
- Keep the phone and downloaded apps up to date.
- Be cautious of clicking links.
- Use reputable app stores.
- Back up critical data.
Chris Murrey is a consultant at SecureState for the Profiling Team. Mr. Murrey has both led and participated in dozens of engagements ranging from internal and external attack and penetration testing, war-dialing, war-driving, social engineering, and physical access.