Matt Peachey (Global) - Mobile Security Risks - What Can Enterprises Do?

The explosion in mobile usage within corporate networks has raised many security concerns. But what are the mobile threats and how can you protect your business?

Mobile security can be broken down into four layers: infrastructure, hardware/firmware, operating system, and application security. Risks are present at each layer of the "mobile security stack." The question is which of these layers poses the most danger to corporate data. While impossible to quantify in an absolute manner, I'm going to suggest that one of these is more dangerous than the rest, and what enterprise consumers can do to mitigate that risk.

Infrastructure
The infrastructure is typically owned and operated by a third party, allowing you little ability to effect security changes. The risks here are in attacks that allow voice and data interception or eavesdropping, and abuse of the cellular system to triangulate the location of particular handsets.

Hardware/Firmware
Attacks at this layer have been demonstrated by researchers who set up rogue "cell in a box" base stations and used them to target flaws in handset firmware. Exploiting these flaws can give the attacker full control of the handset and may lead to data compromise.

Operating System
The OS layer has a direct counterpart in enterprise computing. "Rooting" or "jailbreaking" a device is the familiar example: it works by exploiting an OS vulnerability to escape the restrictions the vendor put in place, and an attacker can use the same class of flaw against you. If an attacker convinces you to run code, by pointing you to a malicious website or by having you download an exploit, your phone may be compromised and data lost.

Application
The application layer lies closest to the data you want to keep safe, since applications access data stored locally on the device or in the cloud. Applications are usually installed from marketplaces like the Google Android marketplace or the iTunes Appstore. Application security flaws come in two flavors: coding errors and malicious code. Coding errors are mistakes made by the programmer that can be exploited and potentially let an attacker steal data from your device. Malicious code, or spyware, is inserted into an application to compromise your device and data when you install or run the application.

Which of these layers holds the most risk? My answer is simple. If the mobile device world continues to follow in the footsteps of its desktop computing counterpart, the long-term risk lies in the application security layer. At this point it may seem that some of the other layers are more dangerous, and if you remember your computing history, other layers were once quite dangerous in enterprise computing as well. However, as we progressed we have moved towards solving, or at least mitigating, risks at the infrastructure layer. Operating systems have become more secure with the advent of OS-level defences such as memory protection and application sandboxing. The hardware layer hasn't changed all that much, but research over time hasn't borne out much risk at that layer either.

In enterprise computing, the real risks lie in applications. Hackers target application flaws daily, resulting in the disclosure of millions of sensitive records. The bulk of flaws exploited have been located in applications installed on the desktop, typically applications such as web browsers and Adobe Flash. If history repeats itself, mobile applications will become a haven for spyware and exploit code that compromises your phone and sensitive data. By leveraging application marketplaces, attackers can achieve mass deployment of their malware by creating a game or application that people want and making it freely available. Thousands of downloads later, hordes of mobile devices will be compromised.

As an enterprise security group, the most important thing you can do is vet the security of the applications you allow onto mobile devices. Use static application security scanning to check the applications your users install for coding flaws and malicious code. Ensure that the applications do not attempt to access data outside of expected norms and that only data required for operation of the application is transmitted from the device. Once you understand what the applications actually do, place only the safe ones onto an approved "whitelist" and use mobile device management (MDM) technology to allow your users access to only those applications.
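As an added example of the vetting step described above (it is not code from the article or from Veracode), the following Python script audits the permissions an Android app declares in its manifest against a hypothetical enterprise allowlist and decides whether the app may go on the whitelist. It assumes the manifest has already been decoded from the binary form inside the APK to plain XML (a decoder such as apktool produces this); the two sample manifests and the permission policy are constructed for illustration. Declared permissions bound what data an app can reach on the device; what the app actually transmits off the device needs dynamic or network analysis, which this check does not cover.

```python
import xml.etree.ElementTree as ET

# Android's XML namespace; the "name" attribute on <uses-permission> lives in it.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Hypothetical enterprise policy: the permissions an approved app may request
# without further review. Anything outside this set is reported as "unexpected".
PERMISSIONS_ALLOWED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
}

# Permissions that reach corporate data (contacts, messages, location, calls,
# microphone). These are reported separately so the reviewer sees exactly which
# data the app could take off the device.
PERMISSIONS_SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample manifests (not real apps), in the plain-XML form that a
# decoder such as apktool produces from the binary manifest inside an APK.
MANIFEST_PUZZLE = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Puzzle"/>
</manifest>
"""

MANIFEST_FREEGAME = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Free Game"/>
</manifest>
"""


def manifest_permissions(manifest_xml):
    """Return the set of permission names a decoded AndroidManifest.xml requests."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def vet_app(manifest_xml, allowed=PERMISSIONS_ALLOWED, sensitive=PERMISSIONS_SENSITIVE):
    """Compare an app's requested permissions with policy and return a verdict.

    The app is approved for the whitelist only if every permission it requests
    is in the allowed set; sensitive permissions are listed so the reviewer can
    see which corporate data the app could read."""
    root = ET.fromstring(manifest_xml)
    requested = manifest_permissions(manifest_xml)
    unexpected = requested - allowed
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "unexpected": sorted(unexpected),
        "sensitive": sorted(requested & sensitive),
        "approved": not unexpected,
    }


def build_whitelist(manifests):
    """Return the package names that pass vetting, in the order given."""
    return [v["package"] for v in (vet_app(m) for m in manifests) if v["approved"]]


if __name__ == "__main__":
    for manifest in (MANIFEST_PUZZLE, MANIFEST_FREEGAME):
        verdict = vet_app(manifest)
        status = "APPROVED" if verdict["approved"] else "REJECTED"
        print(verdict["package"], status)
        print("  unexpected:", verdict["unexpected"])
        print("  sensitive: ", verdict["sensitive"])
    print("whitelist:", build_whitelist([MANIFEST_PUZZLE, MANIFEST_FREEGAME]))
```

The decision is deliberately default-deny: an app that requests anything outside the allowed set is rejected and the unexpected and sensitive permissions are printed for a human reviewer, who can then decide whether a "free game" really needs the address book and the ability to send SMS. Only packages that pass would be pushed to devices through MDM.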

By Matt Peachey, vice president (EMEA), Veracode


