Security

Why haven't we seen the smartphone security apocalypse in iPhone and Android yet?

Mobile phones present a ripe attack vector for hackers, but so far we've avoided the nightmares of Windows 95. Is it just a matter of time?

phonelock.jpg
Image: iStockphoto.com/Julia_Sudnitskaya

Finally, the mobile security apocalypse is upon us. A recent BBC headline warned: "Android bug fear in 900 million phones." For those of us who lived through Windows 95, widespread, catastrophic malware and security vulnerabilities were the norm, not the exception, which is why one of life's great mysteries has been the apparent absence of massive mobile security threats.

Despite everyone carrying around multitudinous attack vectors 24/7, when was the last time a friend or family member called you up to ask how to remove a virus on their phone? Something like the extremely destructive Chernobyl virus that plagued Windows 95? Probably never. Yet, that was a routine occurrence in the early days of the desktop.

But, according to a new MobileIron report, enterprises are about to get a severe wake-up call as "The velocity of mobile attacks is increasing," but a mere 8% of enterprises are enforcing OS updates to keep employee phones secure.

What, me worry?

Security is one of those things that only seems obvious in retrospect. Intuitively we know that mobile security must be an issue, with billions of phones in circulation. Yet, as individuals and employers, we do very little about it.

SEE The state of mobile device security: Android vs. iOS (ZDNet)

For many of us, we haven't needed to. Apple's iOS, for example, is a closed system that has made it difficult for hackers to crack its security. However, according to noted security expert Eugene Kaspersky, iOS' closed nature is actually the very thing that makes it most problematic:

[T]he most dangerous scenario, I am afraid, is with iPhones. It's less probable because it is very difficult to develop malware for iPhones, because the [operating] system is closed [for outside programmers]. But, every system has a vulnerability. If it happens—in the worst case scenario, if millions of the devices are infected—there is no antivirus, because antivirus companies don't have any rights to develop true end-point security [for Apple].

Given that MobileIron found that 81% of devices used in the enterprise are iOS, this could portend trouble. Even so, it is Android, not iOS, that gets targeted 92% of the time, according to a 2013 Juniper Networks study.

Regardless, the problem for enterprises is that they seem to exercise very little control over the mobile devices on their networks, as Conner Forrest reported on MobileIron's findings:

  • 40% of companies had missing devices, up from 33% in Q4 2015;
  • 27% of companies had out-of-date policies, up from 20% in Q4 2015; and
  • 8% of companies were enforcing OS updates, which was comparable to Q4 2015.

Personal devices on corporate networks

This isn't so hard to understand when we remember the personal nature of mobile devices. Back in the days of the Chernobyl virus, "personal computers" were often paid for by their companies. Today, Gartner estimates that 40% of all "enterprise devices" are actually personal smartphones and laptops, and I'd wager that the percentage of personal smartphones in use is actually significantly higher.

After all, even if the enterprise buys the phone, I've seen plenty of employees skirt mobile device management policies to be able to use "their" phone as they choose. Mobile is personal, and individuals will go to great lengths to keep their mobile devices off of IT's radar...

...though not off the network. And that's where the risks lie.

In an increasingly connected and interconnected world, everything—including our lighting systems—creates a potential attack vector. While it would be nice to believe that widespread malware attacks are a thing of the desktop past, that would also be incredibly naive, given how tempting today's targets are.

Many of us (myself included), remember when the desktop was ripe with Chernobyl virus-like attacks. It would be foolish to believe that we're not headed there on our mobile devices, too, though in a much bigger way. And yet, we still haven't had a Chernobyl. The question is, "Why?"

What do you think?

I'd love to hear your thoughts. Are we headed for another Chernobyl-like virus in mobile? What is the biggest threat mobile presents in the enterprise? Share your thoughts in the comments or on Twitter.

Also see

About Matt Asay

Matt Asay is a veteran technology columnist who has written for CNET, ReadWrite, and other tech media. Asay has also held a variety of executive roles with leading mobile and big data software companies.

Editor's Picks

Free Newsletters, In your Inbox