According to Gartner, nearly 2.2 billion smartphones and tablets will be sold to end users in 2014. And it’s a good bet that most of them will wind up housing at least some data that belongs to the device owner’s employer.
Principal research analyst Dionisio Zumerle writes in the Gartner report that while security incidents originating from mobile devices are rare, they are increasing. By 2017, he says that 75 percent of mobile security breaches will be the result of mobile application mistakes, largely in the way users configure or set up mobile apps.
"Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices," Zumerle said. "A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices."
Jared Hansen, founding CEO of secure mobile printing leader Breezy, agrees that transmitting company data through a public cloud can be costly for businesses of any size. “But there are two other common mobile device configuration issues that can lead to data breaches,” Hansen adds. “One is in allowing mobile app permissions that aren’t actually required for the app to operate, and the other is in failing to encrypt data on the mobile device before it is sent.”
To do significant damage, malware needs to act on mobile devices that have been altered at an administrative level, or through a connected device (such as a printer or storage network) that has been compromised. "The most obvious platform compromises of this nature are 'jailbreaking' on iOS or 'rooting' on Android devices. They escalate the user's privileges on the device, effectively turning a user into an administrator," Zumerle says.
While these methods allow users to access certain device resources that are normally inaccessible (in fact, in most cases they are performed deliberately by users), they also put data in danger by removing app-specific protections and the safe 'sandbox' provided by the operating system. They can also allow malware to be downloaded to the device and open it up to many kinds of malicious actions, including extraction of enterprise data. 'Rooted' or 'jailbroken' mobile devices also become prone to brute force attacks on passcodes.
The best defense is to keep mobile devices fixed in a safe configuration by means of a mobile device management (MDM) policy, supplemented by app shielding and 'containers' that protect important data. Gartner recommends that IT security leaders follow an MDM/enterprise mobility management baseline for Android and Apple devices including:
- Ask users to opt in to basic enterprise policies, and be prepared to revoke access controls in the event of changes. Users that are not able to bring their devices into basic compliance must be denied (or given extremely limited) access.
- Require that device passcodes include length and complexity as well as strict retry and timeout standards.
- Specify minimum and maximum versions of platforms and operating systems. Disallow models that cannot be updated or supported.
- Enforce a "no jailbreaking/no rooting" rule, and restrict the use of unapproved third-party app stores.
- Devices in violation should be disconnected from sources of business data and potentially wiped, depending on policy choices.
- Require signed apps and certificates for access to business email, virtual private networks, Wi-Fi and shielded apps.
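The baseline above is a checklist, and in practice it is enforced by evaluating each enrolled device's reported posture against it and acting on the result (deny access, or quarantine and wipe). The following is an added example, not code from Gartner or Breezy: a small Python compliance evaluator over a constructed device inventory. The record fields, the numeric thresholds and the version windows are assumptions chosen to mirror the bullets, not values from the report.

```python
"""Evaluate MDM posture records against a Gartner-style baseline.

Added example; every field name and threshold below is an assumption
chosen to mirror the baseline bullets, not a value from the article.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: tuple        # e.g. (7, 1)
    passcode_len: int
    passcode_complex: bool   # letters and digits required
    max_retries: int         # failed-attempt limit, 0 means unlimited
    timeout_sec: int         # auto-lock timeout, 0 means never
    rooted: bool             # jailbroken / rooted
    unapproved_stores: bool  # third-party app store enabled
    apps_signed: bool        # enterprise apps carry a valid signature


# Assumed baseline: minimum passcode strength, retry/timeout limits and
# supported OS windows per platform (inclusive (min, max) tuples).
BASELINE = {
    "min_passcode_len": 6,
    "max_retries": 10,
    "max_timeout_sec": 300,
    "os_versions": {"ios": ((7, 0), (8, 99)), "android": ((4, 4), (5, 99))},
}


def evaluate(dev, baseline=BASELINE):
    """Return the list of baseline rules the device violates."""
    v = []
    if dev.passcode_len < baseline["min_passcode_len"] or not dev.passcode_complex:
        v.append("passcode")
    if dev.max_retries == 0 or dev.max_retries > baseline["max_retries"]:
        v.append("retry")
    if dev.timeout_sec == 0 or dev.timeout_sec > baseline["max_timeout_sec"]:
        v.append("timeout")
    lo, hi = baseline["os_versions"].get(dev.platform, (None, None))
    if lo is None or not (lo <= dev.os_version <= hi):
        v.append("platform")          # unsupported platform or version
    if dev.rooted:
        v.append("rooted")            # "no jailbreaking / no rooting"
    if dev.unapproved_stores:
        v.append("app_store")
    if not dev.apps_signed:
        v.append("unsigned")
    return v


def decide(violations):
    """Map violations to an access decision (policy choice is assumed)."""
    if "rooted" in violations:
        return "quarantine_and_wipe"   # disconnect from data and wipe
    if violations:
        return "deny"                  # disconnect until compliant
    return "allow"


def audit(devices):
    """Return {device_id: (decision, violations)} for an inventory."""
    return {d.device_id: (decide(evaluate(d)), evaluate(d)) for d in devices}


# Constructed inventory records (not real devices).
SAMPLE_INVENTORY = [
    Device("ios-001", "ios", (7, 1), 8, True, 10, 300, False, False, True),
    Device("and-002", "android", (4, 4), 4, False, 0, 0, False, True, True),
    Device("ios-003", "ios", (6, 1), 8, True, 10, 300, True, False, False),
]

if __name__ == "__main__":
    for dev_id, (decision, violations) in audit(SAMPLE_INVENTORY).items():
        print(dev_id, decision, violations)
```

The rooted check is deliberately evaluated separately in `decide`: a jailbroken or rooted device has lost the sandbox the other controls rely on, so its passcode or OS version compliance no longer says much about the data on it.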
IT security leaders also need to use network access control methods to deny enterprise connections for devices that exhibit potentially suspicious activity.
"We also recommend that they favor mobile app reputation services and establish external malware control on content before it is delivered to the mobile device," said Zumerle.
Secure Mobile Printing & Shadow IT
Breezy CEO Hansen notes that survey after survey shows that if employees can’t print from their mobile devices, they will engage in behavior that can seriously compromise security such as transferring files to a cloud storage site, or emailing documents outside the network to an unsecured desktop computer (at a business center, for example) where they can be printed.
Another common attempt by employees to solve mobile printing problems results in “shadow IT” – that is, the employee reads about or sees an unauthorized app that promises to solve their printing problem, and installs it on a device without IT control or approval. With several thousand printing apps available across the iOS and Android app stores the risks to IT are clear.
Shadow IT in the form of third-party consumer apps is the Achilles heel of many mobile deployments. Fewer than 1 in 10 mobile device users know that there are malware apps that don’t attack the infected device, but lie in wait to attack other computers or networks to which the device subsequently connects. Even fewer, about 1 in 10,000, realize that many mobile apps are designed with risky behaviors as a core part of the app.
According to Network World, at least 80% of mobile apps have security and privacy issues designed into the app. Some apps request permissions that aren’t used by the app, creating security holes that hackers can exploit to steal unencrypted data.
Unmanaged mobile apps can often:
- Access the user contacts on a smartphone (including the contact information that may come from corporate email that syncs to the phone)
- Access the user's calendar information
- Collect or determine the user's location and track her movements
- Pass along any or all of this information to ad networks, analytics companies or other third parties
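On Android, the permissions an app can use are declared up front in its manifest, so an IT team vetting an app before approving it can read them off without running the app. The following is an added example, not code from Network World, Gartner or Breezy: a Python audit that parses a constructed `AndroidManifest.xml`, maps declared permissions to the data categories listed above, flags any permission not on an assumed "justified for this app" list, and notes whether the app also has the network access it would need to pass that data to a third party. The sample manifest, the package name and the justified list are constructed for the example.

```python
"""Audit the permissions an Android app declares in its manifest.

Added example; the manifest below is constructed, not a real app's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS   # android:name, namespace-qualified

# Real Android permission names, mapped to the data categories from the article.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.INTERNET": "network",
}

# Constructed manifest for a hypothetical printing app that over-requests.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.printhelper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Assumption: a print app only needs network access to reach the printer.
JUSTIFIED_FOR_PRINT_APP = {"android.permission.INTERNET"}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def audit(manifest_xml, justified):
    """Summarise data exposure and unjustified permissions for one app."""
    perms = declared_permissions(manifest_xml)
    categories = {SENSITIVE[p] for p in perms if p in SENSITIVE}
    data = sorted(categories - {"network"})
    return {
        # user data the app can read (contacts / calendar / location)
        "data_categories": data,
        # declared permissions the app has no stated need for
        "unjustified": sorted(p for p in perms if p not in justified),
        # sensitive data plus network access: it can be passed along
        "can_exfiltrate": bool(data) and "network" in categories,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, JUSTIFIED_FOR_PRINT_APP))
```

A manifest only shows what an app may do, not what it does; a "can_exfiltrate" result is a reason to ask the vendor or deny the app, not proof of leakage. It is still a cheap first filter before an app reputation service or a manual review.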
Network World reports that 96% of iOS apps and 84% of Android apps can access at least one of these data risk categories.