Mobile devices had a booming 2016, with usage of iOS and Android handhelds growing steadily throughout the year. By contrast, desktop operating systems other than Windows 10 and OS X generally showed a decline in growth. In fact, last month Marketing Land reported that global mobile internet usage was higher than that of desktop systems as of October, and predicted that nearly 80% of internet usage will be mobile by 2018.
As with any element of technology, more widespread usage leads to greater and more widespread threats, and mobility is no exception. Here's a rundown of ten mobile risks we experienced in 2016, as well as some solutions to prevent or protect your devices from them (where applicable).
1. Unsecured devices
This is a significant issue and, sadly, it hasn't been a problem exclusive to 2016, but has been a plague in prior years as well. It was reported in January this year that only about one-third of Android users lock their screens with a passcode. Apple users are much more diligent — The Verge reported in April that 89% of iPhones are locked with TouchID or a passcode.
That still leaves millions of devices out there which can fall into malicious hands and render the owner completely at someone else's mercy if the device stores confidential data. Even if it doesn't, someone could still wreak havoc with a found or stolen phone since many people store account IDs and passwords with device apps such as email and Facebook.
Using complex passcodes (your date of birth or street number is a bad choice) and encryption on the device can greatly help reduce the risk of stolen data or malicious mischief. Encryption on removable micro-SD cards which contain private data is especially a must.
2. Lack of Mobile Device Management solutions in place
Businesses can greatly benefit from the use of mobile device management (or MDM) solutions to provide enhanced security for mobile users, especially if a Bring Your Own Device (BYOD) policy is in place.
Microsoft Exchange Server, for instance, has options to block unauthorized devices from connecting to user mailboxes, can require passwords, and can remote wipe lost or stolen phones.
Other third party solutions can implement detailed and granular controls such as whitelisting and blacklisting applications, employing anti-malware protection, enforcing encryption, pushing out updates, enabling and disabling various device functions such as the camera, and in general providing a good standardization of device settings.
Consumer devices do have some measure of available management options; Apple and Android each provide a "find my device" feature for lost phones as well as the option to ring or erase said devices, but this is usually more reactive than proactive.
The bottom line: if your business doesn't use MDM, it should. Start conducting research now to find products that match your needs.
3. Apps that request too many permissions
It should raise a red flag when a newly-installed app wants access to various components of your phone, such as your contacts, or functions such as your location service. If you were installing a simple flashlight app, hopefully you would be suspicious if it began making such requests when you launched it.
Unfortunately all of us who use technology are routinely inundated with what I call the "Are you sure you want to do that?" prompt, whereby you are forced to select "Yes" or "OK" to continue with something you're doing. Browsers and operating systems themselves (cough, Windows, cough) are notorious for this and while it's usually well-meaning it puts us in a mindset to just click Yes to make the prompt go away. Don't let apps which may have ill intentions take advantage of your complacency or impatience.
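To make the flashlight example concrete, here is an added sketch (not from any vendor or from the original article) that reads a decoded, plain-text AndroidManifest.xml and flags permissions a flashlight app has no obvious reason to request. The baseline in `EXPECTED`, the labels in `SENSITIVE` and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: a hand-picked baseline of what each kind of app plausibly needs.
EXPECTED = {"flashlight": {"android.permission.CAMERA",
                           "android.permission.FLASHLIGHT"}}

# Permissions that guard personal data, with a plain-language label.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample: a "flashlight" app that asks for far more than a light.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get("{%s}name" % ANDROID_NS)
            if name:
                perms.add(name)
    return perms

def audit(manifest_xml, app_kind):
    """Split out-of-baseline permissions into sensitive ones and the rest."""
    unexpected = requested_permissions(manifest_xml) - EXPECTED.get(app_kind, set())
    flagged = {p: SENSITIVE[p] for p in unexpected if p in SENSITIVE}
    other = sorted(unexpected - set(flagged))
    return flagged, other

if __name__ == "__main__":
    flagged, other = audit(SAMPLE_MANIFEST, "flashlight")
    for perm, label in sorted(flagged.items()):
        print("RED FLAG: %s (access to %s)" % (perm, label))
    print("Also outside the baseline:", other)
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a check like this can read it.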
4. Outdated apps
Outdated apps can represent security risks if attackers find exploitable code in them. Reputable app stores like Google Play and Apple's iTunes and App Store have options so apps will update on their own.
To check and confirm this is working on Android, open the Google Play Store app, tap the Menu icon, choose Settings, and select Auto-update apps. You can choose to have apps update any time or exclusively over Wi-Fi.
For Apple's iOS 7, go to Settings and scroll down to iTunes and App Store. Tap this icon and scroll down towards the bottom until you see Automatic Downloads. You can activate automatic downloads for Music, Apps, Books and Updates and specify the update intervals (you should pick the most feasible option which will result in the most frequent updates).
Of course, this doesn't guarantee that apps installed from other less reputable places will benefit from this function. Which leads me to number five.
5. Bogus app stores
App stores besides iTunes and Google Play are like Forrest Gump's famous "life is like a box of chocolates" analogy. You truly never know what you're going to get. Maybe it's a legitimate app. Maybe it's otherwise.
Apple and Google vet the apps which they permit to be distributed via their stores, and yet they still deal with a deluge of fake apps which scammers and hackers try to slip past them (which is why you should be judicious even with apps found in the Apple and Google Play stores).
Third party app stores can contain much more dangerous content which can be completely unscreened. One example is the Chinese-based app store called Haima which Trend Micro reported in September contains repackaged apps which aren't vetted by Apple and which can contain malicious payloads. Hiapk and Anzhi are two other third-party app stores which have been known to offer malware-ridden applications.
6. Decoy apps
In September, I covered the topic of how a supposed Pokemon Go guide actually contained a trojan which had the potential to steal confidential data which could then be sold. This app was made available from a third-party app store. What's especially troubling about this kind of risk is the app SEEMED legitimate and users had no immediate cause for concern — until it began trying to harvest data.
As you can imagine, decoy apps like this will closely match current trends (such as the Pokemon Go craze) so as to attract as many victims as possible.
7. Mobile app malware
The last three entries in the list lead directly to this one, which is the risk of mobile app malware which can be installed deliberately or via exploited vulnerabilities. Legitimate and bogus apps alike may be subject to malware which can operate in many different ways and comes in several forms.
Exploitable vulnerabilities such as Stagefright are bad enough, but other vulnerabilities can lead to the installation of spyware such as Pegasus, malware such as Hummer and Hummingbad, and ransomware.
A report discussed on TechRepublic in August listed five threats that had either emerged, or gotten worse, over the last few months:
- Android GMBot - A spyware, usually from third-party app stores, that tries to trick users into giving up their bank credentials.
- AceDeceiver iOS malware - Malware that works to steal a user's Apple ID.
- SideStepper iOS vulnerability - A technique that works in between the MDM server and a device to install unapproved applications.
- High-severity OpenSSL issues - Two OpenSSL flaws that can either decrypt traffic or corrupt memory.
- Marcher Android malware - A malware that pretends to be a bank website in hopes that users will give up their login credentials.
Apps and operating systems should be kept up to date religiously to protect mobile devices from vulnerabilities or at the very least to maximize their protection.
It's also important to note that security experts often advise against rooting or jailbreaking phones, since this can render them more susceptible to risk. I realize technical people thrive on experimenting with and customizing their devices, but it's fair to point out the danger involved.
8. Botnets
Botnets are technological entities made up of many compromised mobile devices which can then be collectively harnessed like flying monkeys into performing nefarious tasks. For example, they can launch distributed denial of service (DDoS) attacks against websites in an attempt to extort money from the website owner.
Botnets can utilize a diverse array of other tricks; one such example discovered this August operated by checking a specific Twitter account periodically to receive commands, which are critical for impacted devices to operate in sync with one another. Other online elements such as blog pages or messaging systems can also be used to control botnet participants. Botnets are even being sold online to bidders willing to pay for their utilization, a troubling sign of what is to come.
Suspicious phone behavior such as a quickly draining battery can be a sign that your phone is part of a botnet. Also be on the lookout for network connectivity problems, sluggish performance, the presence of unknown applications or the absence of known ones, and text or email communications sent without your knowledge and consent.
9. Exploding Notes
Not all mobile risks are security-related. The infamous Samsung Note 7 phone was recalled in October after several dozen devices caught fire. In fact, the Federal Aviation Administration (FAA) actually banned the Note 7 from being taken on board all aircraft flights.
Samsung began offering extra money to Note 7 owners for turning their phones in and recently confirmed that it will shortly release a software update which will completely disable these phones, knocking them out of service for good.
Lesson to be learned here: wait a bit before buying a new device model, to see if design or operational issues such as these begin rearing their heads.
10. Open Wi-Fi networks
The proverbial Wi-Fi in the coffee shop was just the beginning. Wi-Fi connectivity is everywhere now. Restaurants, airports, stadiums, hotels and many other places where groups of people congregate offer free open Wi-Fi. It's like that old saying about how you can never have too much money or be too thin. There's no such thing as too many Wi-Fi networks, especially for devices without global data access.
However, Wi-Fi availability isn't necessarily a good thing at times. Open, unsecured Wi-Fi networks can pose a significant security risk, especially if you're using credentials to log into other sites or accessing confidential data. Wi-Fi traffic can be "sniffed" and unencrypted data may end up stolen — including passwords, credit card data or other sensitive details.
If you're connecting to an open Wi-Fi network to play Candy Crush, that's probably not such a big deal. If you're logging into your company's Exchange server, however, that might be something else. If you're doing something which might lead data or credentials to fall into the wrong hands, make sure to do it over a virtual private network (VPN) or use your own Wi-Fi hotspot or some other secure means for access.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.