Zimperium's Mobile Security Blog

My Four Truths (So Far) Regarding Mobile Security

My Four Truths (So Far) Regarding Mobile Security

I started working at Zimperium late January this year in the marketing communications department, and well…I’m busy.  

Every day is something new. Monday – OS problem. Tuesday – “Joker” malware downloaded. Wednesday – Phones could be hacked with a single text message. Thursday – Phishing scams on the rise. Friday – OS patch fixes jailbreaking flaw. Saturday – this blog. 

As the “new guy” (relatively speaking), I’ve determined there are four truths (so far) when it comes to mobile security:

An endpoint is an endpoint is an endpoint.

We protect our computers with antivirus, firewalls, VPNs, anti-spyware and every “anti-X solution” we can find. However, we don’t do the same with our mobile devices, even though mobile devices are always with us and contain virtually the same information as our laptops and computers. Hackers know this, making the mobile device an easy target. According to our State of Enterprise Mobile Security Report for 1H2019, it is no longer a matter of if or when an enterprise’s mobile endpoints are at risk – – they already are. 

Your mobile device is like “world’s colliding” and the bad guys love it.

Your work life meets your social life on your phone. Right next to your travel apps are your company’s email, HR and CRM apps which are right by your banking app and social media apps. “I’m going to follow up on that customer request right after I set my lineup on my fantasy football app and pay the mortgage.”

It’s easier now than ever before for the bad guys to hack information. The bad guys are drooling over the prospect of learning about a possible company merger, accessing your banking records and credit card, getting company directories, business plans and financials, and finding your travel account information. 

The bad guys are brand agnostic and will find a way.

Android and iOS mobile operating systems have strengths and weaknesses when it comes to protecting the devices. Android has a more open third-party app environment compared to iOS and it is not surprising that malicious Android-based apps are more prevalent than iOS-based apps. 

The majority of iOS compromises occur via network attacks. While this is a clear nod to Apple’s practice of vetting apps and developers, as well as its prohibition of third-party app stores, this very well may change – an unintended consequence of the recent United States Supreme Court ruling.  

The reality is, the bad guys are persistent and will find a way. Many times they are targeting their victims based on who they are, where they work, what industry they work for and where and when they meet. They will attack your device and the network you use (or think you use). They will use phishing and malicious app attacks to compromise your mobile device. 

We are unintentional co-conspirators in our own attack.

The fact is, we help the bad guys. We do. We make bad choices. For example, according to our latest Mobile Security Report, mobile OS vendors created patches for 440 security vulnerabilities (a 30% increase over 1H2018), the majority of which were critical. However, we aren’t always quick to update our phones – –  60% of Android devices were more than five versions behind the latest release; 28% for iOS. 

Some of us jailbreak or root our devices, allowing for customization of phones and downloading of free apps from third-party stores. Doing so, opens the door for malicious apps to find its way onto phones.    

The majority of us have our phones set to automatically sign into WiFi networks at locations we’ve already been. Unfortunately, hackers can “fool” our phones into signing into similar networks they own. 

As you can see, each of these decisions makes us more vulnerable to an attack.  

One employee. One attack. 

And here is the scary part for businesses. All you need is one employee. One employee to fall victim to an attack. Think about that and then think about this:

  • How many employees do you have?
  • What data/company information are your employees accessing off of their phones?
  • Do your employees check company email? Do they text with colleagues, customers, partners?  
  • How many employees have mobile devices they take with them outside the relatively secure environment of your office? To restaurants? Shopping? The airport? Trade shows? Home?

Back to my first point. We spend billions to protect company computers and laptops. But what about our mobile devices? Mobile devices are now the de facto platform for productivity in business.

Today, the traditional computing devices (e.g., servers, desktops and laptops) upon which enterprises have focused their security and compliance efforts represent only 40 percent of the relevant endpoints. The remaining 60 percent of enterprise devices are mobile. 

It’s glaringly obvious and urgent to me that every organization – large and small – needs to invest in mobile threat defense. And this is coming from the new guy.