Mobile Security: Saying Yes When You Really Should Say No

Do you use a smartphone to access bank and credit card accounts? How about accessing Web-based applications at your favorite social network or Web mail provider? Do you synchronize your mobile device with your desktop PC or laptop?

If you answered yes to any of these questions, you are running the risk of a security breach. What’s that you say? You don’t have any sensitive information that anybody would want? How about your address book?

Or, how about your log-on information, such as the user name and password for every Web site you visit. And don’t forget to include your account numbers. These are all highly sought-after bits of data that hackers earn big bucks to steal. Information such as birth dates, Social Security numbers – even family photos — are all handy tools for hackers to use as social engineering details when looking for a way into your corporate and commercial networks.

“Whether it’s our PC or our mobile device, we are investing more of our personal data to them. The average user doesn’t understand the connections that can be made,” Ray Dickenson, CTO of security software firm Authentium, told TechNewsWorld.

Today’s mobile devices can be compromised with key-logging programs, viruses and other tactics hackers use to steal users’ identities, he warned.

Keys to the Kingdom

Even fairly knowledgeable computer users often fail to realize how easily they can give up their vital details while using a mobile device like a smartphone.

Sometimes convenience clouds a user’s caution. Take, for instance, applications that users install on their mobile devices. Innocently clicking YES to a prompt requesting all access to the device to complete the installation of a hand-held program can be a fatal decision.

“In general, users always want to avoid giving permissions. This type of request does not happen all the time and deserves more scrutiny,” Jackie Gilbert, vice president of products and marketing and cofounder of identity risk management firm SailPoint, told TechNewsWorld.

An Innocent Request?

Norman Schultz, IT Manager at Cherry Creek Insurance, wasn’t so quick to say yes to all permissions when he installed a video-streaming application on his BlackBerry. He contacted the vendor to ask why the app needed full permission. The reply raised some red flags, so he decided not to use the program.

“I get just as excited about new techy stuff as the next guy, but with recent security issues popping up, I make it a point to take just a little extra caution when installing something new,” Schultz told TechNewsWorld.

He was anxious to install QIK on his BlackBerry but had questions regarding the download plug-in. He wrote to the vendor’s tech support email address. He questioned why the default setting for the video-streaming program wanted access to basically everything on his mobile device.

The list included full permission to access, among other processes, Interprocess Communication, Device Settings Modification, Media Access, Module Management, Theme Data Injection, User Data, Email/Messaging, PIM, files and the key store.

One of the responses he received in a return email from QIK tech support told him the product needed this permission level to get access to his filesystem to upload video files to QIK’s servers. Providing all permissions was necessary for the Qik client application to properly operate.

No Thanks

Qik enables live video casting from a cell phone via any 3G/GPRS/WiFi Internet connection. The streaming application drastically reduces the upload time so videos taken with the user’s phone are available in as little as half a second to two seconds for uploading to YouTube or embedding on any Web site by copying and pasting embed code, according to the product’s description.

“You know, I don’t know these guys at QIK, and how do I really know how much information from my BlackBerry is available when I simply ‘allow everything?’ I mean, I have business and personal information in my contacts — a lot of confidential info — as well as notes, tasks and on and on,” said Schultz about why he decided not to use the application.

Users must be very careful about security issues, even if the mobile device never connects to the owner’s computer.

“We do banking transactions with the same devices we expose to other risks. On a handset that has personal data, I would never trust permissions. You never know when the degrees of separation will be crossed,” Dickenson said.

Threats Abound

Take, for example, the popular instant messaging application Meebo. It talks to a variety of different clients. It is not uncommon to find ways to access one’s personal data from a mobile device connected to a social network, he explained.

Mobile phones and smartphones pose different risks. Smartphones spiked in usage with the popularity of BlackBerry devices and iPhones. Users are finding more reasons to put personal data on their mobile devices, especially the ones with advanced computing features. When mobile devices are synchronized to PCs or with file-sharing services in the cloud, some connections can jeopardize the security of data on both devices.

“We are starting to see more mobile malware but still not near the rate of growth now prevalent on computers,” said Dickenson.

Browser Beware

Any device with a Web browser is a potential security breach waiting to happen. People like convenience and seldom think to turn off the built-in WiFi connection when it is not needed. WiFi provides an always-on security risk if the device is set to always trust a network or automatically connect when in range.

Bad guys are finding ways to breach a computer and then find a connection to a related mobile device. For instance, when a user connects to The New York Times’ Web site, the device — whether desktop PC or mobile device — connects to 12 different servers. There are cookies saved in the browser that will run JavaScript, Dickenson explained.

“Browsers are one of the most promiscuous applications ever. They suck in so much data from so many different servers,” he said.

Say YES Ever?

Often, there is no exact right answer as to when users should and should not grant all permissions to mobile applications, noted Gilbert. In situations that involve access to corporate networks or devices that contain company data, the decision usually boils down to risk management strategy balanced with privacy protection.

When the answer focuses on user or worker freedoms versus corporate safety, the company should win the debate. Sometimes, that makes an immediate impact on worker productivity, according to Gilbert.

“In the bigger picture, there is no black-and-white answer,” she said.

1 Comment

  • Hey guys, just a tip. If you have a G1 Google phone there is an app called Adrenaline that encrypts all web traffic that leaves or comes to the phone. It also, of course, speeds up your web traffic! Really cool! Don’t know about other phones, but I am sure there are apps out there to help you with this! Also note HTTPS (with MD5) has been broken, so you will need an app to really protect you now, like this one!

More by Jack M. Germain