Top Mobile Device Security Concerns?

Question

What does everyone see as the top security concerns for mobile devices at the present time? I am working on a paper on the topic, but it seemed worth asking here to see if I might have missed anything.

Answer 1

Sometimes users are the biggest concern because they do not read.

A lot of people root their Androids or iPhones (jailbreak) and forget that they make a device run beyond the normal user rights.

For instance with android this means an attacker might get complete control over a cellphone. Also this means when you install an application not from the market it might include code to access your phone. If angry birds would ask them to access their contact lists and get access to be able text, a lot of users would just grant it, because otherwise they can't play their game.

(I know angry birds is on the market, but maybe something alike)

The same goes up for an iPhone by the way.

Answer 2

Mobile devices are a great source of information leakage because they often have inadequate or nonexistent security controls available. As an example up until the latest release of windows phone 7, you could only validate that the client device had a numeric unlock code (rather than an alphanumeric unlock). Some devices don't support DRM content (which makes users simply not use it which can lead to data leakage). Additionally (as other mentioned) patching is problematic. Even under a "corporate" account, mobile devices are updated at the whims of the mobile carrier, who would usually prefer that you buy a new device with the updated OS (and extend your contract as well)

Answer 3

The biggest problem with mobile device is that they cannot be physically protected.

When we use a computer, or computer-like device, we imbue it with some of our powers. For instance, the machine on which I am typing this text stores a cookie which the Web browser uses to authenticate me; the StackExchange server duly recognized me as being me simply by having a look at that cookie. Thus, my machine has the power to "be me", at least in the view of the StackExchange server.

This power could be stolen from me, if my machine was remotely compromised, or if it was stolen as a whole. To a large extent, risk of physical theft is kept low by virtue of the machine never leaving my home. On the contrary, mobile devices are by nature destined to roam through a variety of environments where physical protection against theft is much harder to maintain. Worst case is the mobile phone: mobile phone users are prone to wave around the device while walking in crowded streets, and they often pay little attention to their surroundings at that time. Mobile phones are the number 1 most stolen object in modern Western urban environments.

My second biggest concern would go to network exposure. A desktop system in a given organization will be linked to the outside world through some wires and switches and routers. Hence, it is possible for the system administrators to shield desktop systems from external hostility by applying more or less aggressive filtering on the routers in both directions -- what is known as firewalls, proxys... Strengthening each individual system is hard and tiresome because OS vendors are prone to include zillions of nifty "services" which can come with as many remotely exploitable security holes. For a non-mobile system, we can at least sanitize its environment through inelegant but simple and efficient expedients such as blocking ports. Mobile systems, on the other hand, are destined to get their network connection through various mediums over which we have no control. We cannot keep the mobile device behind a paranoid firewall; the device is directly exposed to the Internet at large.

My third concern is about system administration. We know that one of the most efficient protections against many network security threats is to keep the software up-to-date and fully patched. A large part of the daily work of system administrators is to make sure that updates are duly applied everywhere. This is boring and tedious, but at least always feasible, with desktop machines, which can be kept connected continuously, and are physically available at all times: a sysadmin can always use his legs and get hold of the machine itself if some updates cannot be applied remotely (or if the machine was carelessly switched off). This is not so for mobile device. The mobile phone, tablet or laptop of any employee is under his responsibility; "automatic updates" can sometimes be activated, but the user still must make sure that the machine is switched on when needed, and sometimes he has to positively act to make the update happen (e.g. when a Windows system needs to reboot to finalize an update, the user is prone to postpone the reboot, and with the "sleep" features of laptops, users reboot very rarely). That's not about blaming the user (he is not a sysadmin), but merely pointing out that mobile devices are less likely to be as well maintained as non-mobile devices.

Answer 4

The NIST published in July 2012 a draft set of guidelines for securing mobile devices. It's a pretty thorough treatment of the topic, and the concepts are pretty stable. Section 2.2, "High-Level Threats and Vulnerabilities", addresses your question most directly. Sections 3 and 4 discuss the tools available to improve security and manage security policy.