InfoSecurity Professional INSIGHTS Newsletter
InfoSecurity Professional INSIGHTS is our bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Similar to the magazine, it will deliver timely, compelling content written with the professional development of infosecurity practitioners in mind.
InfoSecurity Professional INSIGHTS February Sponsor
A Spotlight on Cybersecurity: 2022 Trends and 2023 Predictions
Get on-demand insights and strategic advice on how to prioritize and improve your security stance as we look toward the challenges and opportunities of the coming year. Recorded session available now.
February InfoSecurity Professional INSIGHTS
Are Mobile Devices Secure Enough for Zero Trust?
By John E. Dunn
In the history of computing platforms, it’s hard to think of a more chaotic security situation than that unleashed upon consumers and businesses in the years after Android’s introduction in 2008.
Things have improved dramatically in recent times after overdue reforms by Google. Nonetheless, the sense that mobile devices remain an opaque risk still lingers. But how far should organizations probe into the security state of more recent mobile devices, and should this go as far as pen testing? They don't, after all, pen test most other devices.
The short answer is that mobile devices are an order of magnitude more complex and revealing than other types of endpoints. They constantly move in and out of networks, they include a raft of sensors not found on other devices, and they can of course track location. Apps are constantly installed and uninstalled.
Despite this promiscuity, they are increasingly touted as an authentication token in zero trust environments. That central role in security could quickly turn today’s occasional targeting of mobiles into something more sustained.
The corporate answer to the mobile device security riddle is mobile device management (MDM), basically an extension of client server security to mobile devices. For any organization that wants to secure devices by policy across multiple operating systems and device types, MDM offers a much-needed route to sanity.
What MDM can’t always help with is the underlying security of the device at day one, that is vulnerabilities that might be lurking at its lowest levels. This used to be a largely theoretical worry but half a decade of sustained nation state attacks on mobile devices have made people think again.
For example, in 2021, Google's Project Zero recorded 58 Android zero-day vulnerabilities that had been exploited in the wild, a record number and double the figure for the previous year. The half-year report to June 2022 recorded another 18, a slowing of the trend but still far from a trivial number.
This underlines how mobile devices are now under attack. Unfortunately, because many of these events are relatively small-scale or go unrecorded, there is an understandable tendency to assume mobile devices are less of an issue than desktops and laptops.
Peeling Back the Issues
In terms of software vulnerabilities, mobile devices are really like the layers of an onion, each governed by a different security and assurance process. This is why mobile device risk management is hard work.
- The apps installed by the operating system vendor, for example Google’s application suite.
- Any additional apps installed by the device manufacturer and/or carrier, for example the copious bloatware that comes with every Samsung smartphone.
- The apps installed by the enterprise itself plus additional apps (WhatsApp, Signal) that are considered part of modern communications.
- The operating system itself.
- The low-level chip firmware which these days will be patched and updated by the platform maker (Google, Apple) under direction from the relevant hardware maker.
In addition, both Android and Apple platforms have been found to have UX design flaws or logic oversights that also have a bearing on security. These tend to be discovered and publicized by independent researchers or vendors under rules of disclosure that mean they will be fixed by the time they enter the public domain.
Most enterprises will mandate a list of models approved for use. Some might even have a smaller list of devices that are not allowed, even in a supposedly patched state. Increasingly, and often confusingly, some of this is led by official example, for example U.S. Government bans (in some cases later reversed) on some Chinese smartphones.
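To make the approved-model list and patch-state checks above concrete, here is an added example (not code from the article, ESET or any MDM product) of a minimal device-posture check of the kind an MDM policy would enforce. It parses a constructed `adb shell getprop` dump; the property names (`ro.product.model`, `ro.build.version.security_patch`, `ro.build.tags`) are real Android build properties, while the sample values, the approved and denied model lists and the 90-day patch window are assumptions for illustration.

```python
"""Added example: a small device-posture check over `adb shell getprop` output.

Assumptions (not from the article): the model allow/deny lists, the 90-day
maximum age for the security patch level, and all sample property values.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample of `adb shell getprop` output; every value is made up.
SAMPLE_GETPROP = """\
[ro.product.manufacturer]: [ExampleCo]
[ro.product.model]: [EX-100]
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2022-11-05]
[ro.build.tags]: [release-keys]
"""


@dataclass
class DevicePolicy:
    """Hypothetical enterprise policy: which models are allowed and how stale
    the security patch level may be before the device is non-compliant."""
    approved_models: set
    denied_models: set
    max_patch_age_days: int = 90


def parse_getprop(text: str) -> dict:
    """Parse `[key]: [value]` lines from getprop output into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue  # skip anything that is not a well-formed property line
        key, _, value = line[1:-1].partition("]: [")
        props[key] = value
    return props


def evaluate(props: dict, policy: DevicePolicy, today: date) -> list:
    """Return a list of findings; an empty list means the device is compliant."""
    findings = []

    # Layer 1: is this hardware model permitted at all? Deny list wins.
    model = props.get("ro.product.model", "")
    if model in policy.denied_models:
        findings.append(f"model {model} is on the deny list")
    elif model not in policy.approved_models:
        findings.append(f"model {model} is not on the approved list")

    # Layer 2: how stale is the OS/firmware security patch level?
    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        findings.append("security patch level not reported")
    else:
        try:
            patch_date = date.fromisoformat(patch)
        except ValueError:
            findings.append(f"unparseable security patch level {patch!r}")
        else:
            age = (today - patch_date).days
            if age > policy.max_patch_age_days:
                findings.append(
                    f"security patch level {patch} is {age} days old "
                    f"(limit {policy.max_patch_age_days})"
                )

    # Layer 3: builds not signed with release keys are engineering/custom builds.
    tags = props.get("ro.build.tags")
    if tags != "release-keys":
        findings.append(f"build tags {tags!r} are not release-keys")

    return findings


def check_device(getprop_text: str, policy: DevicePolicy, today_iso: str) -> list:
    """Convenience wrapper: raw getprop text plus an ISO date -> findings."""
    return evaluate(parse_getprop(getprop_text), policy, date.fromisoformat(today_iso))


if __name__ == "__main__":
    policy = DevicePolicy(approved_models={"EX-100"}, denied_models={"EX-50"})
    for finding in check_device(SAMPLE_GETPROP, policy, "2023-03-01"):
        print("FINDING:", finding)
```

In practice the getprop text would come from an MDM agent or `adb shell getprop` on an enrolled device rather than a string literal, and the approved-model set would be the organization's own list; the structure of the check (deny list first, then allow list, then patch age, then build signing tags) is what matters.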
Follow The Apps
According to Lukáš Štefanko, a mobile malware researcher for security company ESET, while the frequency of and commitment to long-term OS updates matter (Google, Samsung and Apple have migrated, or are migrating, to at least five years of support for their devices), the vulnerability of ordinary apps is always the biggest risk, especially those bundled with the device. This isn't about rogue apps but legitimate ones with lurking flaws.
“Take into consideration whether the device has a stock OS or includes custom overlays with additional vendor apps. This extra layer could contain vulnerabilities and become an entry point for potential attackers,” he said.
These apps could contain flaws that might put at risk any apps that are subsequently deployed for company use, said Štefanko. When pen testing apps, this is always the first layer to look closely at.
“Security flaws could be escalated or chained from vendor to company apps and result in security problems affecting either the devices or maker.”
The advantage of more advanced device pen testing is that an organization will get an assessment of the vulnerabilities across all layers of the mobile stack from lower levels to user apps.
According to Štefanko, for BYOD devices, stalkerware seems to be on the rise, while for corporate devices the biggest threat is remote access Trojans (RATs) allowing complete device takeover.
“These can monitor users via the microphone, camera, or GPS. On top of that, they can remotely control devices by misusing remote access, while using a keylogger they can monitor all user input, email and other internal systems.”
What’s clear is that turning today’s smartphones into a device that forms a fundamental layer of zero trust authentication will require a new scrutiny of devices that CISOs are still inclined to take on trust.