Of the world’s 7 billion people, 6 billion rely on mobile phones or tablets to bank, shop, post to social media, and monitor their health. With all the personal and professional information being shared, it’s important that data from mobile devices be secure. Yet that’s rarely the case.
Securing such information is no small feat. Unlike applications designed for laptop and desktop computers—often created by just a handful of companies—there are now more than 1 million apps for smartphones and tablets designed by nearly the same number of developers. Many of them are novice designers with little concern for protecting the security and privacy of the data their apps collect and store. Moreover, when downloaded, many of the apps have access to other information in the mobile device, making them potential outlets for data leakage and theft.
That’s just one issue. Another is malicious websites. More than half of websites are live for 24 hours or less, which makes them difficult to monitor for harmful content. Malware—short for malicious software—is used to gather sensitive information, gain access to private networks or accounts, or disrupt system operations. Consumers unknowingly encountering malware can give hackers entry into their mobile devices.
Unlike the sophisticed scans that run on desktop systems, mobile devices have limited options for running antimalware or antivirus software; the gadgets don’t have the computing and battery power to handle the workload.
“The threats to mobile devices are part of an enormous problem,” says Greg Clark, CEO of Blue Coat Systems, an information security company in Sunnyvale, Calif. “Many users don’t fully grasp the scope of the efforts contrived to entice them to download malware on their devices.”
Blue Coat issued a report last year on mobile threats, covering some of the concerns above. Clark looks at security in mobile devices as akin to walking through one of the most dangerous neighborhoods wearing an expensive suit and carrying a fancy briefcase. “Some of these mobile devices are roaming through some of the worst, yet most advanced, security-threat spaces in the world,” he says. “These devices are hardly protected.”
Developers could choose, however, to make mobile devices more resistant to attacks, Clark says.
A NEW FRAMEWORK
Methods for increasing security in operating systems have changed dramatically over the years. “It’s been a cat-and-mouse game,” Clark explains. “Security companies like ours find a way to stop hackers, who then find another way in.”
Clark and Qing Li, Blue Coat’s chief scientist, are developing a framework they call an infrastructure-centric security ecosystem with a cloud defense, which mobile developers could adopt for their operating systems. They describe it in an article, “Mobile Security: A Look Ahead,” published in IEEE Security & Privacy magazine.
Their cloud-based framework would be an agile system able to keep pace with evolving threats. The framework would consist of application proxies, real-time content categorization and rating engines, and real-time URL analysis engines to help decide which websites are safe to browse. The Blue Coat model would also filter malware from compromised websites to prevent an attack from ever reaching a user’s device.
Furthermore, the framework would help prevent data leaks by relying on engines designed to block potential breaches that can give hackers access to passwords, online accounts, documents, and more. The cloud feature would make it possible to collect information gathered from all the devices connected with the framework to more easily identify new malicious applications and Web-based threats.
Antivirus and antimalware engines accessible through a cloud-based service would take the load off the devices, Li says. As part of the scanning service, the network could catalog and report on the reputation, risk, and vulnerability levels of each installed application—which would help users decide what apps to keep.
Network-based inspections are scalable, flexible, and able to intercept and disrupt threats, Clark says. “In the Wild West of mobile apps and the rapid sprouting of websites,” he says, “users want their networks to inform them when they are accessing malicious content and proactively terminate the attacking threats. And we want to allow the network to be programmable to offer layered defense for the end points.”
The willingness to have an open network, however, has to come from the users and service providers in order to allow security solutions to inspect and analyze activities to ensure harmful content is not being accessed, Li says. “Mobile security,” he points out, “requires an entire eco-system to participate in the defense of mobile devices and their users.”