As if we needed more to worry about when it comes to cyber-security, three recent reports highlight the frailty of mobile devices and mobile apps. Each of the reports -- from McAfee Labs, Lacoon Mobile Security in partnership with Check Point, and Stanford University, working with Rafael Advanced Defense Systems Ltd -- focuses on key deficiencies in mobile security.
According to the McAfee Labs Threat Report for February 2015, mobile developers have failed to patch critical secure sockets layer (SSL) vulnerabilities months after the vulnerabilities were disclosed.
Last month, McAfee Labs tested 25 of the most popular Android apps on CERT's list of vulnerable mobile apps and found that 18 of them remain unpatched despite public disclosure and vendor notification. Out of more than 1 million Android apps tested by CERT using automated scans, at least 23,000 have failed dynamic SSL validation testing.
[ Suffering from insomnia? Don't read Why Kasperky's Bank Robbery Report Should Scare Us All. ]
McAfee simulated a man-in-the-middle (MitM) attack and managed to successfully intercept information such as login credentials during supposedly secure sessions. The Superfish adware that Lenovo installed on some of its laptops from September through December 2014 has been criticized because it enables attacks of this sort.
"Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programing practices and vulnerability responses developed over the past decade," said Vincent Weafer, SVP of McAfee Labs, in a statement.
Developers also need to be aware that vulnerabilities may be introduced through third-party analytics libraries. Among 10 analytics libraries found to be vulnerable by CERT, only 4 have been fixed.
McAfee Labs is not alone in its view that mobile devices are insufficiently secure. Last week, Lacoon Mobile Security and Check Point Software Technologies issued a report noting that one out of every 1,000 mobile devices on enterprise networks has been compromised by a mobile remote access Trojan (mRAT). The report suggested that for organizations with at least 2,000 devices, there's about a 50% chance that the internal corporate network itself has been infected with some form of malware.
Lacoon and Check Point said fewer organizations than expected appear to be infected by mRATs, but added that higher than average rates of mRAT infection in certain regions, such as the US, indicate that specific individuals and companies are being targeted. Coming in the wake of the massive Anthem breach, that should prompt some concern.
To further underscore the frailty of mobile security, researchers at Stanford University and Rafael Advanced Defense Systems Ltd. have found that developers can bypass restrictions on location data by tracking mobile power usage over a period of a few minutes.
The researchers in a paper note that there are 179 Android apps in the Google Play store with the permissions necessary to access to voltage and current data. Most, if not all, of these apps presumably use the data for legitimate purposes, such as assessing battery life. But were the developers of these apps determined to track where people go, they could employ the techniques described in the paper to infer the user's location history using power consumption data.
Such research raises the possibility that other seemingly innocuous data could be used to compromise privacy and security. It also amplifies related findings about how privacy often can be pierced by correlating a few salient bits of data.
Mobile security, in short, is a moving target, one that's increasingly hard to keep up with.
Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio