Most security incidents are, in retrospect, our own fault. The more we interact with a computer, the higher the chances that we will open a malicious document, visit a harmful website or mistakenly launch a new app that causes havoc.
Attackers favour human error, and there’s nothing better suited to expose this than the smartphone, a computer that is attached to us 24 hours a day. The dramatic increase in usage of mobile apps for many aspects of our lives, the huge growth in mobile web browsing and the monopoly mobile has on our communications make smartphones a key target for cybercrime.
Mobile presents unique challenges for our security. Software patching is broken: the rollout of security fixes is slow to non-existent in the Android ecosystem and cumbersome on iOS. Apps are rarely kept up to date: for thousands of independent micro-vendors, security is the last concern. A further headache arises from the blurring between the business and private roles of the phone. A single tap can now take you from your enterprise CRM app to WhatsApp or a health-tracking app containing every vital sign recorded since you bought your phone.
The first wave of mobile threats to expect will be cross-platform, such as web browser exploits, cross-site scripting or ransomware – the repurposing of PC attacks on to mobile platforms. Mobile attackers are innovative in the methods they use to hide inside apps and operating systems, making them difficult to detect.
We will start to see mobile-specific attacks targeting weaknesses in hybrid apps. These use the internal web browser engine as part of their architecture, and as a result introduce uncontrolled vulnerabilities. Many familiar apps were built this way, providing an easy path for attackers into an organisation’s back-end systems. The threat of botnets – in which hackers take control of a user’s device to enlist it in spam campaigns or DDoS attacks – overflowing on to mobile phones has yet to materialise, but where there’s sufficient computing power and connectivity, they will appear at some point. App stores will continue to be the primary distribution channel for rogue software as it is almost impossible to identify malicious apps.
Again, we’re at the mercy of the bad guys. The mobile security industry is still in its infancy, and has some catching up to do.
Published on Wired