The past couple of years have witnessed a dramatic surge in the number of sophisticated mobile devices being used as access points to online services and enterprise networks. At the same time, these devices acquired more capabilities, in terms of storage size and web technology adoption. There’s no doubt that mobile computing is the next big thing.
- According to a 2010 North American Technographics Benchmark Survey, 33% of Smartphone owners download applications at least monthly.
- Forrester estimates that the revenue from paid applications on Smartphones and tablets was $2.2 billion worldwide for 2010 with a CAGR of 82% through 2015.
- Gartner notes that mobile transaction volumes will rise from $1.6B in 2010 to almost $12B in 2014.
Organizations around the world are increasingly tapping into the business potential of mobile applications by allowing end-users to directly access back-end data systems and applications. The three most common use cases are:
- Consumer-facing applications that promote new revenue streams, cut support costs, strengthen customer relations and build brand loyalty.
- Employee-facing applications that increase internal productivity and streamline operational processes.
- Partner-facing applications that simplify the value chain and reduce its associated overhead costs.
The proliferation of sophisticated mobile devices (SmartPhones, Tablets, etc.) is going to have a substantial effect on application and data security in the coming years. In particular, we are going to see organizations struggle to accommodate the increase in number and variety of these devices, while maintaining traditional data and application security practices.
Add to the mix a growing variety of applications that are a gateway to enterprise systems, including CRM, ERP, and document management. While we are used to concerning ourselves with lost or stolen laptops, it turns out that missing mobile devices may be just as big of a pain point.
But there’s a dark side: hackers are gearing up. Research into hacker forums indicates exponential growth in technical discussions exploring mobile exploits. Where consumers and businesses go, by necessity, data thieves follow. For instance, note the recent, rapid rise in cyber attacks that use Facebook as the attack vehicle.
How can data be lost with mobile devices? Here are some recent examples:
- Devices can be lost or stolen—Apple’s iPhone comes with up to 32GB of internal storage, while its bigger sibling, the iPad, can accommodate up to 64GB. (For context, one million records holding names, addresses, and social security numbers will occupy approximately 0.5GB.) Mobile devices are no longer mere address books or email readers.
- Applications can be used to spread malware—We’ve already seen the popular Angry Birds game used as a vehicle to spread malware on the Android platform.
- A new attack surface—For example, a new point of access means a new username/password to steal and use to access data. Careless mobile use can expose important credentials.
- Old attacks get reformulated for mobile platforms—For example, we have seen Zeus, one of the most common malware families targeting PCs, refocused to attack mobile devices.
- Online service providers—The storage of sensitive information on the device is not the only new concern. As mobile devices become mainstream, online service providers must adapt their offerings to these platforms, creating a special version of each application to match the capabilities of each device. In this process, it is not uncommon to see older vulnerabilities surface once again. I have witnessed the mobile versions of otherwise well-protected applications display common vulnerabilities: the CitiGroup incident in 2009, a more recent CitiGroup issue, and AT&T’s well-publicized mishap with respect to iPad owners. In particular, many mistakes are made around identification and authentication, where application programmers mistakenly trust attributes of the request (a device identifier or a custom header, for example) that an attacker can forge from any HTTP client without possessing the particular mobile device. Thus, the applications themselves become more vulnerable.
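The last point is worth seeing in code. The following is an added example, not code from the original post or from any of the companies mentioned: a mobile-facing "who am I" lookup that identifies the account from a device identifier header, beside a version that identifies it only from an authenticated, server-signed session. The header name `X-Device-ID`, the account and credential tables, and the session scheme are all hypothetical; the data is constructed for the demonstration.

```python
"""Forgeable request attribute vs. authenticated session (added example).

The vulnerable handler trusts a header that any HTTP client can set, so an
attacker on a laptop can enumerate device identifiers and harvest the account
behind each one. The hardened handler ignores that header for identity and
relies on a session token issued only after a real credential check.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, not a real framework)."""
    headers: dict
    cookies: dict = field(default_factory=dict)


# Constructed data: device identifier -> account e-mail, as a carrier or
# service might keep it for provisioning purposes.
ACCOUNTS_BY_DEVICE = {
    "device-0001": "alice@example.com",
    "device-0002": "bob@example.com",
}


def lookup_vulnerable(req: Request) -> Optional[str]:
    """VULNERABLE: identity is taken from X-Device-ID (hypothetical header).

    Nothing binds the header to the physical device; it is just bytes in the
    request, so the "mobile-only" assumption is false for an attacker."""
    return ACCOUNTS_BY_DEVICE.get(req.headers.get("X-Device-ID", ""))


# --- Hardened version: identity comes from an authenticated session ---------

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(email: str, password: str):
    salt = secrets.token_bytes(16)          # per-user random salt
    return email, (salt, _pw_hash(password, salt))


# Constructed credential table: e-mail -> (salt, password hash).
CREDENTIALS = dict([
    _make_user("alice@example.com", "correct horse battery staple"),
    _make_user("bob@example.com", "hunter2"),
])

SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret
SESSIONS: dict = {}                         # session id -> account e-mail


def _mac(session_id: str) -> str:
    """HMAC tag so a tampered or guessed session id is rejected before lookup."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def login(email: str, password: str) -> Optional[str]:
    """Return a signed session token only after the password verifies."""
    record = CREDENTIALS.get(email)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_pw_hash(password, salt), expected):
        return None
    session_id = secrets.token_urlsafe(24)
    SESSIONS[session_id] = email
    return f"{session_id}.{_mac(session_id)}"


def lookup_hardened(req: Request) -> Optional[str]:
    """HARDENED: X-Device-ID is ignored for identity; only the session counts."""
    token = req.cookies.get("session", "")
    session_id, _, tag = token.rpartition(".")
    if not session_id or not hmac.compare_digest(tag, _mac(session_id)):
        return None
    return SESSIONS.get(session_id)


if __name__ == "__main__":
    # An attacker with curl on a desktop, no phone involved (constructed request).
    attacker = Request(headers={"X-Device-ID": "device-0001", "User-Agent": "curl/7.79"})
    print("vulnerable:", lookup_vulnerable(attacker))   # alice@example.com
    print("hardened:  ", lookup_hardened(attacker))     # None
```

The device identifier may still be useful for telemetry or fraud scoring, but it must never be the thing that decides which account a response belongs to; that decision has to rest on a credential the server itself verified.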
I expect exponential growth in the number of incidents related to mobile devices in the next few years: theft or compromise of the information stored on the devices, massive infection campaigns, and frequent exploitation of the vulnerabilities introduced on the server side.
Organizations need to start planning to secure the devices and their interaction with the enterprise network. Tools and procedures need to be put into place, such as anti-malware, encryption, and authentication. Special monitoring requirements should be set for access by these devices to enterprise resources (databases, files, intranets).
At the same time, application providers need to get their act together with respect to serving these devices, including vulnerability mitigation, reevaluation of what the server side trusts, and incorporation of new authentication/authorization channels.