Mobile Device Security: Fragmented, Complex, and Taking a Backseat to Usability
Global smartphone sales have finally eclipsed PC sales for the first time in history, and that’s without counting the millions of non-phone devices like tablets that tend to share the operating systems and functionality of their phone-based brethren. Based on these numbers, it is disappointing to see the state of security in devices that have taken the world by storm. Design decisions, policies, and various stakeholders have resulted in a fairly hostile device ecosystem in which, for example, users can be easily fooled into installing malware on their phones.
Sales numbers show a surge in mobile computing, which, if not a harbinger of some form of post-PC computing, is at least an environment where users will have multiple devices of significant capability. Unlike most PCs, however, smart mobile devices typically have mobile network carriers, which is an added layer of complexity to device updates and operation. These carriers have significant control and capabilities, as my colleague Jason Lackey recently described, bringing additional complexity to the traditional roles and interests held by software vendors, hardware vendors, enterprises, and end users.
At any point along this chain, stakeholders could decide to hold back on updates for whatever reason, and the chance for risk to the ecosystem increases. The stakeholders could also seek to take action. For example, a patch may be necessary to improve enterprise network security, but it may adversely impact the user experience that had been enjoyed up to that point. All of these stakeholders have valid reasons to do or not do the things necessary to improve security or usability for themselves or their partners, but their decisions can have far-reaching ripple effects. This could result in users being unable to update their devices until each upstream party permits fixed software to make its way to an end device.
Apple and Google stand at opposing ends of user freedom regarding software trust models. On iOS, users are able to get paid or free apps only through the Apple App Store or through an Enterprise deployment program. Google Android users, however, can get any application they can find available online, or through the Android Market. Application interactions are fairly opaque on the iOS side, with users simply assigning trust to the publisher of the application; for Android, users can view and approve an application based upon broad privileges that it requests.
However, in both cases, while there may be some room for savvy users to make informed decisions or to rely on trusted vendors, both systems create significant barriers for users to enforce their own security. By and large, users will not be capable of making informed decisions about the applications they install. Even with Android’s permission structure, they will most likely be either too complex to comprehend, or too broad to deny based upon the wide range of positive or negative actions allowed under the current model. Likewise, the less-permissive Apple App Store may prevent users from receiving timely updates to software that must be vetted by Apple as an intermediary, or may prevent a wide variety of choice to allow users to use alternatives to software that has been approved but contains known vulnerabilities.
System Designed for Usability, Not Security
Even beyond the trust models employed, modern mobile operating systems contain some glaring flaws introduced by an interest in making their usability paramount. Devices obscure large parts of what is going on behind the scenes, limiting user insight into what information is stored, what is transmitted to which parties, and how it is secured during storage or transport. For example, device encryption has been repeatedly shown to be lacking in capability, and also a point of developer misunderstanding, leading to sensitive information being improperly controlled either because developers can’t or don’t use appropriate methods when handling such content.
Connectivity for mobile devices tends to prefer Wifi over cellular for data, under the assumption that Wifi connections will be more responsive and less likely to incur a usage charge. But if users keep Wifi enabled while on the move, they may find themselves connecting to untrustworthy Wifi hotspots (either automatically, unintentionally, or for convenience). Some users might use corporate VPN connections or secure email configurations to tunnel sensitive traffic if they think of it, but without per-application settings exposed to users, they have little control over what each one does with their data.
Multi-platform usability has also introduced major issues. Researcher Jon Oberheide found that the current implementation of Google’s GTalkService and remote INSTALL_ASSET functionality means that any XSS vulnerability in the Android Market could result in an attacker being able to push malicious software remotely to a user’s phone, even when they are browsing the market from their desktop computer. While the flaw Oberheide discovered has been closed, the potential remains for future XSS flaws to do likewise.
Encourage Security Now, Avoid Cleanup Later
As users increasingly find enablement and flexibility in using powerful mobile devices, storing and processing more sensitive content on these devices, and tying devices to expensive usage-based data plans, the potential for significant loss due to misuse skyrockets. Given the trajectory of mobile device adoption, and the likelihood for users to blend personal and business data on mobile devices, mobile security should be an important consideration for the enterprise. With the complexities inherent in the ecosystem and the compelling interest to make devices as usable as possible, proponents of security in the mobile device arena are fighting an uphill battle. Pushing for security now, including user awareness and technical capabilities, could reduce risk over time as well as reduce costs related to event responses and system redesigns.
Enterprises can play a key role here by leveraging their buying power and the massive market competition in these emerging technologies, though their ability to make many changes may be limited because of competing interests from the other stakeholders. Even so, enterprises should continue to demand that hardware, software, and network providers give them the tools they need to secure the sensitive data they would like to continue to move into the mobile space.