Mobile: Are Security Risks Overblown?
ENISA Researcher: Mobile Technology Has Advantages
As smartphone usage grows, so do emerging threats of mobile malware.
But financial institutions can only do so much. New security solutions aimed at mobile attacks will have to come from mobile vendors, says ENISA's Giles Hogben.
"In a sense ... it's been a message from vendors saying, 'Leave security to us,'" says Hogben, program manager for the European Network and Information Security Agency in Greece and author of a new report about mobile-app security. "But I think we're starting to see some pressure, especially from the business market, to allow more handles for third-party management products and things like [anti-virus]."
The risks that come from the increased usage of smartphones include what Hogben calls "loseability," the ease with which consumers lose their phones. Encryption is a major concern as well, since the data smartphones store aren't encrypted. "And the app security is a concern, since there are things that every app has access to, like the address book," he says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
And with so many apps being introduced and downloaded in the marketplace, it's difficult for mobile platforms to review each and every one. "What they need to be doing really is actually leveraging the work that can be done by third-party security testers," Hogben says.
During this interview, Hogben discusses:
- The challenges of detecting and blocking malicious apps on mobile devices;
- Conflicts between mobile operating systems and HTML permissions in mobile browsing;
- What the market can expect if HTML 5 becomes the standard.
Hogben has led numerous studies about network and information security, including those that touch on topics like smartphone security, cloud computing, social network security and European identity card privacy. Before joining ENISA, he was a researcher at the Joint Research Centre in Ispra, Italy, and led work on private credentials. He has a PhD in computer science from Gdansk University of Technology in Poland and graduated from Oxford University, U.K., in 1994 with degrees in physics and philosophy.
The Smartphone Market
TRACY KITTEN: ENISA notes that the increased use and penetration of smartphones were catalysts for the report about mobile application malware. Can you give us some idea about the size of the smartphone market and how much it's expected to grow within Europe, as well as globally, over the next 24 months?
GILES HOGBEN: Basically, hugely. The mobile market is growing faster than any technology has ever grown before, and that's pretty difficult to do. There are now more Internet-enabled phones than PCs. Just to give you some idea, Google recently announced that they're activating 500,000 Android devices every day. That's pretty amazing, I think. I collected a few stats together about this. In the U.K. for example, around 35 percent of mobile devices are now smartphones. ... Gartner puts the world-wide sales of smartphones in Q2 this year around 100,000,000 devices. It's huge and it's getting huger.
Mobile App Malware
KITTEN: As that market grows, the concern about security grows with it. In the 20-page report that ENISA has put out, mobile application malware is the focus. What specific security gaps do you see isolated to mobile apps that are for instance separate from mobile browsing risks?
HOGBEN: There are loads of really specific risks to mobile phones and smartphones in particular. The first one I would really highlight is what I call "loseability." Mobiles are much easier to lose than even a laptop or PC. Just to give you an idea, something like 100,000 mobile devices were left alone in taxis every year, whereas only around 12,000 laptops were left behind. Obviously, that in itself is not an information security risk, but [it's a risk] if we don't encrypt our data on the mobile device. It's actually extremely difficult to do disc encryption on a mobile device because you don't generally have USB sticks so you can put a key on. You're generally restricted to a pretty short PIN as your last line of defense. That becomes an information security risk as well.