Comment: It’s Time for Smartphone Security

DeBolt says it’s time to take a serious approach to smartphone security

Without a shadow of a doubt, the mobile market is taking over, and mobile malware is on the rise. More smartphones are being sold than PCs and, according to a recent report, more than 400 million smartphones will be sold around the world this year alone. As users become more sophisticated in how they access the web, so too do the hackers, who are adapting personal computer exploits to work against mobile platforms.

That said, we’re seeing more and more mobile malware threats. In fact, a recent report found that mobile malware threats increased by 46% last year as criminals continued to embrace new opportunities on smartphones and tablets. Another study found that Android is the number one target of mobile hackers. It’s no wonder that the global security market is estimated to reach $14.4 billion by 2017.

More folks than ever before now own a mobile phone and as a result, smartphone hacks are becoming just as commonplace as PC ones. Mobile safety is a growing concern, and it’s important for internet security providers to address this trend. There are a number of precautions that your users can take to make sure their information is protected. I’d like to highlight some of the most important mobile security safety tips. Your users should take note of the following.

First, it’s recommended that your mobile device users apply an access code, password or pattern sequence to lock and unlock the device. If they’re an Android user, make sure they’re careful. The Android ‘pattern’ lock option is more susceptible to being guessed, according to research performed at Penn State University. What’s interesting here is that the researchers were able to follow the ‘smudges’ on the screen to guess the sequence. Whenever possible, I suggest setting a PIN as the unlock code.

Make sure that your organization’s mobile device users avoid automatically uploading photos to social networking sites such as Facebook, LinkedIn, Twitter and others. Sharing too much personal and private information can put them at risk.

Android 2.1+ devices with Google+ offer an ‘instant upload’ option where photos and videos are immediately uploaded to Google's servers. At times users may forget this feature is activated and upload information they might not necessarily want to share or that might not be safe. There are privacy and physical security concerns if every photo and every video is uploaded prior to review. Not to mention, images and videos require high bandwidth to transmit, and use of this feature may put your users over the limit on their data plan.

Encourage your employees not to share their “location” within a GPS-enabled application unless absolutely necessary. The ability to know exactly where someone is based on a phone’s physical location can be a significant privacy and physical security concern.

Many apps today use the GPS embedded in mobile devices to ‘tailor’ content for the user. Per the Google+ help documentation: "Users 18 and over have their location attached to each post by default. You can remove your location by touching the X [in the post]." If the location is removed from a post, the application will still remember the setting and not share location information in future posts. Your users can also opt out of location services entirely, but this disables key features, such as the Maps application. Your users must weigh the benefit of the customized content against the security concerns of sharing their physical location at any given time.

The Firesheep browser plug-in demonstrates how easy it can be to capture a user's credentials on an open WiFi connection and log in as them with a simple double-click. That said, make sure your users do not send data in clear text over public WiFi hot-spots. Make sure that they review their email and social networking applications to ensure encryption (HTTPS) is used for the entire session, but if possible it is best if they avoid open WiFi hot-spots altogether.
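What "HTTPS for the entire session" means in practice, as an added example that is not part of the original article: a Python check over a constructed list of responses that flags cleartext requests, session cookies set without the Secure attribute, and HTTPS responses without an HSTS header. The host names, cookie names and finding labels are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: responses seen during one login-and-browse session.
# Host names and cookie names are made up for illustration.
SAMPLE_SESSION = [
    {"url": "https://mail.example.test/login",
     "headers": [("Set-Cookie", "sid=3f9a; Path=/; HttpOnly"),
                 ("Strict-Transport-Security", "max-age=31536000")]},
    {"url": "http://mail.example.test/inbox", "headers": []},
    {"url": "https://social.example.test/login",
     "headers": [("Set-Cookie", "auth=77c1; Path=/; Secure; HttpOnly")]},
]


def cookie_attrs(set_cookie_value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_session(responses):
    """Flag the places where a session could travel unencrypted."""
    findings = []
    for resp in responses:
        url = urlsplit(resp["url"])
        headers = [(k.lower(), v) for k, v in resp["headers"]]
        if url.scheme != "https":
            # The whole request, cookies included, crosses the network in clear text.
            findings.append((url.hostname, "cleartext-request", resp["url"]))
            continue
        for key, value in headers:
            if key == "set-cookie":
                name, attrs = cookie_attrs(value)
                if "secure" not in attrs:
                    # Without Secure the browser also sends this cookie over plain HTTP.
                    findings.append((url.hostname, "cookie-without-secure", name))
        if not any(k == "strict-transport-security" for k, _ in headers):
            # Without HSTS nothing forces later visits to stay on HTTPS.
            findings.append((url.hostname, "no-hsts", resp["url"]))
    return findings


if __name__ == "__main__":
    for finding in audit_session(SAMPLE_SESSION):
        print(finding)
```
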

These are just a few safety suggestions for your users to take into consideration when operating mobile devices inside and outside the workplace. Mobile security is a growing issue, and it’s best to stay ahead of the curve when it comes to protecting personal and private information.


Don DeBolt is the director of threat research for Total Defense, Inc. Over the last 12 years he has led both security operations teams and threat research teams on the quest of identifying and protecting against the latest digital threats. Currently DeBolt oversees Internet Security Intelligence and Global Threat Response for Total Defense (formerly CA). From 1996 to 2000, he learned the art of penetration testing while consulting for both Ernst & Young and Deloitte and later took a position with one of the first managed security services providers, Counterpane Internet Security. In 2004, DeBolt moved to threat research, where he is helping evolve research operations and research technology in line with the growth of malware. DeBolt leverages a global team of researchers and advanced crawler and Honey-Client technologies to proactively acquire malware samples and threat intelligence. He is an avid cyclist and enjoys commuting to work by bicycle.
