The state of Mobile security 2019

This is a companion article to Mathew Shaver’s excellent piece on the state of UEM in 2019. Matthew covered changes Apple and Google recently made in their approaches to device management, and how industry needs to adapt to a new reality. Citing the film, “The Right Stuff,” Matthew illustrated our collective inertia in responding to a condition that has already come to be, i.e. new frameworks for device management that we ignore (Sputnik is here!…we know…sit down!) Matthew’s premise is that we’re paralyzed when it comes to adjusting to frameworks we already know about. So, how should we react to the things we didn’t know about, the kind that introduce themselves in a very unwelcome manner? As the immortal Big Lebowski would frame it, what do we do when, “New shit has come to light?” Let’s look at this through the lens of mobile security. 

I won’t bore you with statistics, every security vendor has these by the bucketful and all of the stats conveniently agree with a narrative they are trying to sell you. The premise of this article is, the world has changed, the attack vectors are different than what they were in the past, and given that all this new shit has come to light, we oughta do something about it. 

Who moved my cheese?

Malware, malware, malware. When the mobile security discussion was breached, if it was at all, malware is all we heard about for a very long time. Even then, malware was largely perceived as an Android issue, since Apple has always maintained a highly curated app store, at least it seemed like there was less of it (with the exception of some notable biggies like Xcode Ghost.) But these days Google seems to have addressed many security and malware issues with Google Play Protect and Android Enterprise. I’m not saying we don’t need to protect ourselves against malware, we do.  This was “epicly” proven when Epic Games decided to cut out the middleman and publish Fortnite directly from their website instead of Google Play. Overnight there were tons of sites hosting the app, and sometimes that app was actually malware. 

What can malware do? It can serve up adware, collect data about users, harvest data from other apps, and of course, sometimes it can execute a device exploit. Even if an app isn’t malware per-say, It’s important to look closely at what data apps are accessing or collecting and where they are sending that data. Mitigating malware and controlling data leakage through apps should be a part of your overall mobile security strategy, but it’s only a small piece of the puzzle. 

Glory Days

The big issue I see is that we focused nearly exclusively on malware, and even then, only a very small percent of organizations invested in protecting against it. Meanwhile, the enterprise continued to pour hundreds of billions of dollars into protecting networks and services with firewalls and Intrusion Protection Systems… even as those services moved to the cloud. When organizations finally did notice they were storing a lot of information in the cloud, we rebooted the old firewall idea and funneled our data through Cloud Access Service Brokers (CASBs). At the same time, even as mobile and cloud use was exploding in the enterprise, we doubled-down on our endpoint protection strategies, trying to secure PCs which have been experiencing flat-line growth for the last 5 years or more. Yes, it’s still important to have secure networks, but often that’s not where the data is anymore. So, what are the biggest mobile threats today?

The Four Horsemen of the mobile apocalypse

Man-In-The-Middle attacks. It all sounds like a fun game doesn’t it until someone starts siphoning off your data , collecting your passwords, injecting code in your browser sessions, and or redirecting your web traffic. All it takes is a $99 pineapple and some pretty basic knowledge to execute these. It’s amateur hour out there. 

Phishing. We know most web traffic now originates from a mobile browser. That same link you click on from your desktop can also be hit from Mobile Safari, Chrome, or whatever your browser-du-jour is. It’s just as easy to Phish credentials from a mobile device as it is from the desktop. To top it off, mobile has a risk factor we don’t always find on the desktop. Malicious links and even code can be delivered through an SMS message. 

Ransomware. Ransomware on the mobile device itself is a problem, with products like SLocker simply locking up your device until you pay. The bigger threat though is Ransomware holding hostage an entire network. Mobile just magnifies the attack surface- a phone or a tablet can be a very good way to get in to an otherwise secure network. 

Vulnerabilities, Roots, and Jailbreaks This could be a whole article. A book even. There are many ways to Pwn a device, from self-initiated jailbreaks, to exploits that take advantage of known vulnerabilities before they are patched, to government grade exploits like Pegasus (available for 650K to Hack 10 devices, plus a 500K initiation fee). When a device is exploited this way, it becomes the perfect spy tool. It has a camera, a microphone, and it knows all of your passwords, and all of these can now be controlled by someone else. 

Get yourself an IdP

As we morphed into the new “perimeter-less” world of cloud services we had a bad habit of creating passwords with every new service (and let’s face it, often we had no choice). That spurred new identity federation and single-sign-on solutions and created a new framework for identity that could operate outside of the corporate network, the IdP. If you haven’t looked at Okta, Ping, Onelogin, Sailpoint, or even Microsoft ADFS to juggle the proliferation of passwords, you should. Keep in mind though, a password can still be Phished or obtained in any number of ways. More on that later. 

2FA is nice, but you still have a password

Adding on Two-factor authentication can absolutely help protect your assets, but you shouldn’t declare mission-accomplished once you’ve done this. Tokens and SMS codes can still be phished and social engineering can be used to reroute phone numbers to a hackers device. Deploying 2FA can lead to help desk issues and deployment challenges too, and even more importantly, lazy people don’t want to jump through hoops to access a service. 

Make it easy for your users

Whatever security you do employ, it should be unobtrusive. We don’t want to inhibit productivity. Native Single-Sign On and seamless VPN’s that can be leveraged without needing to manually launch an app should be leveraged. Certificates should be used for authentication, and moving forward, we should also look at emerging security standards that can leverage the biometrics on a device, like FIDO 2

A New approach to security

Forrester calls it Zero Trust. Gartner calls it CARTA (Continuous Adaptive Risk and Trust Assessment). The essential takeaway is you never trust an endpoint until you can be sure its safe, and you continue to verify that the device is in compliance ALL THE TIME. This requires a layered approach to security. Leverage MDM/UEM to make sure a device is in compliance with your company policies. Overlay that with a Mobile Threat Defense solution to protect against MiTM attacks, device exploits, malware, and Phishing. Make sure the threat defense solution is really looking at device behavior so you can successfully detect and remediate zero-day exploits. And, make sure the device is in compliance before you allow it to access company resources and data. Continuously monitor and check in to make sure the device is still safe. Rinse, lather, repeat.  

Conditional Access with device integrity

Jack Madden of published a great article that posed the question, where should we implement conditional access? The CASB industry will say– we can do this for you by funneling all your traffic through a service broker before it hits the target resource.There definitely are some benefits in this architecture, especially when it comes to UEBA (User Entity Behavior Analytics), for instance, did someone just download a Terabyte of data, does that set off any alarms? The IdP industry will also say they are the logical point of enforcement. Both have some merit, but neither of them actually know if the device that is trying to access a resource is secure. It takes an MDM/UEM footprint on the device to know if the device is in compliance and is managed by the organization. Only UEM can truly know if an app is managed (meaning the app and its data can be removed) before it tries to access company data. These products can all work together to produce a Zero Trust environment, but they need to talk to the MDM/UEM solution. That’s the ONLY way to know if a device should be trusted to access a company resource. 

We don’t have a budget for that

Companies do have security budgets for commonly accepted threats, but by and large, those budgets are dedicated to protecting the networks of the past. They continue to invest in desktop security but they don’t have a mobile security budget. That’s fine but let’s look at the facts. Most internet traffic is mobile. That’s not news, we know the numbers keep going up every year for mobile browser traffic (more than half of all web traffic is mobile), number of minutes spent on the device, the number of times we touch the device, the absolute anxiety we feel when we leave the device behind… Just look at your own habits and the people around you. Desktop is being relegated to the tasks that are easier to do on desktop (like a spreadsheet… PowerPoint, a long email). The rest, and all of the rest, anything that is easier to do on mobile will happen on mobile. 

Call to Action

Start ringing the alarm bell. Begin building a Zero Trust strategy for mobile today. Beg for budget if you need to, and examine how your current MDM/EMM fits into your new zero trust framework. After all, when new shit comes to light, do you want to be the one left holding the bag?

Discuss this article on MobilePros!

Jump straight to the Mobile Threat Defence channel for members:

Or click below to join our community:

This Post Has One Comment

  1. Sylvain Yelle

    Great blog Russ. Hits the spot in this world of the disappearing perimeter.

Comments are closed.