Proactive IT security
 

Mobile (in)security

Introduction

Users of Apple's iPhone/iPad are, as of this writing, in an interesting insecure situation: Apple's operating system iOS 4.3.3 has a known vulnerability for which there is currently no official patch from Apple. This vulnerability is used to jailbreak iPhones/iPads using JailbreakMe 3.0 - a tool that has been available since 6 July. Intriguingly, a jailbroken iDevice (only!) may be protected by PDF Patcher 2, an app created by Comex, who made the jailbreak utility.

This situation is almost identical to the one described in our security article from August last year, A plethora of malware for mobile phones to be expected soon (?).
An updated version of iOS (iOS 4.3.4?) from Apple is expected any day.

However, the underlying problem remains: Users running legitimate versions of Apple's operating system on their devices have no protection mechanism, while those who choose the more insecure approach (jailbreaking) may be protected against this particular vulnerability.

This security article will discuss security on mobile/handheld devices.

Malware for mobile devices 

Current situation

When we summed up 2010, we also looked into our crystal ball to predict what would happen in 2011. One of the predictions was:

  • More widespread malware for handheld devices will emerge.

The first half of the year is over, and it is safe to state that this prediction came true. However, we cannot state that malware on mobile devices has, at this point in time, become a major threat. We believe the reason is that cybercriminals have not yet fully determined the optimal way to exploit mobile devices.

Reports about malware for mobile devices are published almost daily. One example is the banking trojan ZeuS/Zbot, which was recently reported for the Android operating system (previously also for Symbian, BlackBerry and Windows Mobile). We wrote about this mobile version of ZeuS/Zbot in September last year.

Our impression is that mobile devices running the Android operating system are particularly targeted by cybercriminals. The reason is presumably that this operating system is very widespread, and its potential for exploitation is better than that of e.g. Apple's iOS, as the latter has a (potentially) better protection technology. The difference between the screening mechanisms of Apple's App Store and Google's Android Market is also significant for cybercriminals' affinity for Android.

The general situation is that the attacks against users of mobile devices are mass attacks. In our security article last week, Targeted attacks: More "Bang for the Buck", however, we saw that cybercriminals seem to concentrate more on focused attacks, as the potential for revenue is larger.

Most mobile devices do not have content particularly valuable for a cybercriminal, nor are most used for operations that expose valuable information. These facts also explain why mobile devices are not heavily targeted by cybercriminals (yet).

What to expect

We cannot expect the current situation to prevail. In all likelihood, mobile devices will become more popular as targets for cybercriminals rather than less. Suffice it to mention a few facts that support this statement:

  • Smartphones and tablet computers are increasingly widespread.
  • Mobile devices will be more integrated into organizations' infrastructure.
  • Users of mobile devices are still less aware of threats against these devices than against traditional computers.

A particular factor that may turn mobile devices into more popular targets is the pilot tests of payment solutions for mobile devices running in several countries around the world. The potential for exploitation has been shown to attract cybercriminals.

For now, it seems that cybercriminals are in an experimental phase with respect to how to exploit the potential that mobile devices offer. When they find sufficiently good business models, the threat against users of mobile devices will increase rapidly.

Protection mechanisms

There are steps that each user of mobile devices may take to protect himself. And there are steps that an organization may take to protect its assets against malicious mobile devices. These procedures are quite similar in character to those used to protect traditional computers.

Device configuration

By thoroughly configuring the device, the user may tighten security considerably. Among the many security options available, suffice it in this context to mention:

  • protect the device with a passkey,
  • enable encryption of the information on the device (and its backup data),
  • enable remote wiping, to use if the device is stolen,
  • do not enable remote connection to the device until it is needed, and disable it afterwards.

The Australian Government's Department of Defence has made a very useful configuration guide with recommendations regarding securing iOS devices. The device vendors' web sites and general security resources on the Internet also provide useful security information.

Operating system and app updates

As mentioned in the introduction, operating systems used on mobile devices have vulnerabilities. Whenever the operating system vendor fixes these, and updates are available, it is important to update in order to tighten the device's security.

The same applies to insecure applications - ensure that you update your applications whenever security fixes are available.

There have been several instances when apps available from the Android Store have turned out to be malicious. If you have been unlucky and installed an app that is found to be malicious, follow the instructions provided by the device vendor.

Antimalware apps

Several antimalware products are available for Android- and Symbian-based mobile devices. Due to the security model in Apple's iOS, no traditional antimalware product exists for this platform - the closest is probably Intego's VirusBarrier, which enables scanning files in special circumstances.

Entering a secure mindset

Your own mindset, however, may turn out to be perhaps the most important security precaution available. Cybercriminals will often attempt to trick you into actions that decrease your device's security - either by installing malware, or by reducing general security settings.

Among the many precautions that you as a user should make an automatic part of your mindset are:

  • Do not download apps from places that you do not trust.
  • Do not grant a downloaded app permission to access device information beyond what is reasonable for what the app is supposed to do.

Organizations should acknowledge that mobile devices are already, to some extent, part of the organization's infrastructure.

  • Create and enforce policies for using mobile devices in the organization.
  • Understand that mobile devices obliterate the organization's perimeter, and adjust the security mechanisms accordingly.
  • Educate the mobile device users about device security.

Some references for further reading