Mobile threats are a huge challenge for technology managers. With many security measures initially developed for a stationary world of desktop computers and local data centres, the rapid proliferation of consumer-focussed mobile devices caught security managers on the hop and they’ve been playing catch up ever since. We spoke to one of RSA’s mobile security specialists, Salah Machani, at this year’s RSA Conference in Singapore about these threats.
Toy soldier picture from Shutterstock
“There are two big things I can think of with mobile threats. One is authenticating users when it comes to using the mobile device. Then, when we look at Android specifically, there are a lot of threats. The main reason for that is developers are allowed to publish applications without vetting those applications”.
One of the issues, says Machani, is many applications ask for access to data and hardware and users give those permissions with scant consideration. As a result, all sorts of information can be collected by apps and accessed by potential attackers.
iOS isn’t immune from this although the attack vector is a little different with ads embedded in popular apps and games sometimes asking for location information – something we’ve noticed when playing particular games on our iPhone.
“It’s mostly about collecting information – it’s not about injecting viruses or code in the app because the platform doesn’t allow for that. For example, it could be about collecting location information and then misusing that information,” says Machani.
One of the key issues remains user behaviour according to Machani. Some of the challenges are addressed by things such as “just in time” permissions. For example, access to the camera or location services are only requested when they are needed and not at the time of installation so users understand the context of a request.
“By knowing the context of the request, it makes sense to release location information because I’m doing something that requires location,” he explains.
Machani says there’s significant investment being made in understand how users actually use their devices. This covers everything from how they hold their phones to the time it takes to execute particular operations.
For example, in a banking application, the bank’s back-end systems may know how long it takes for you to typically conduct a transaction. It may even, over a period of time, ascertained your “normal” behaviour – the sequence of transactions you normally complete.
Systems operated by banks can then detect anomalous behaviour and either warn you or block potentially fraudulent transactions.
However, there’s work being done to bring that fraud detection to the device by putting the analytics engine into a Secure Element chip so that the processing can be handled locally for faster response. That’s something Machani says Google is working on for future versions of Android.
The author of this article travelled to Singapore to attend the RSA Conference as a guest of RSA.