It is no easy feat to recall going through life without the vast variety of mobile devices that are now part of our day-to-day. What is more, it is downright impossible to imagine a future without these devices. Recent times have been marked by a diversity of trends that revolve around flexibility and that have by now become well established: Bring Your Own Device (BYOD), Choose Your Own Device (CYOD), Bring Your Own App (BYOA) and Bring Your Own Cloud (BYOC), among others.
Along with our growing dependence on these devices, we have been witnessing new advances, both in hardware and software architectures, which clearly demonstrate that Moore’s law continues to apply. These developments have been accompanied by a large body of research aimed at enhancing mobile security.
However, the prevailing public perception still views even the most capable phones as less secure devices than the average desktop computer, even with applications running in sandbox environments and with operating systems that are increasingly focused on security.
A quick analysis – whether dealing with ensuring physical or logical access, the authentication of digital identities, platforms for software tokens, or even the use of mobile phones as tools for verifying transactions in desktop computers – shows that mobile devices have by default an equivalent or better security posture than ordinary computers.
If properly managed and protected, mobile devices are an effective platform for securing digital identities and online transactions. This is courtesy of a number of factors, including:
Mobile devices are not an easy target
The properties of desktop malware – involving application-to-application migration, keylogging, and memory hooking – are still not present in the vast majority of samples of mobile malware. In addition, mobile vulnerabilities tend to have a short life cycle.
Mobile devices have a smaller attack surface
Mobile malware and the exploitation of vulnerabilities usually target specific hardware, firmware and operating system versions, which reduces the likelihood of large-scale compromises and, thus, the likelihood of profiting from them.
Mobile devices have a security-based architecture
These days, devices that are not rooted or jailbroken are more secure thanks to a multilayered approach that is central to the development of mobile operating systems. The applications installed on the phones are digitally signed, which determines the privileges of each app together with the permissions that the user can grant to them individually.
Mobile devices use sandboxing techniques
The apps are executed in sandbox environments, which means that, in principle, they cannot share, or gain access to, data belonging to other apps. This is an important feature that helps defend against sophisticated mobile malware.
Legitimate apps are ‘centralized’ in official stores
The success rate of app review processes by official stores is up for debate. However, there is no doubt that, with legitimate software available ‘under one roof’, software installation processes are simplified and the risk of installing malicious code is reduced.
Mobile data networks are more secure than public Wi-Fi
Sometimes we’re in coffee shops or shopping centers when we need to carry out transactions that involve sensitive data, such as buying online or checking our bank accounts. In these situations, using the data network of our wireless carrier is certainly better than connecting our device to any open Wi-Fi network.
Mobile devices are easily integrated with security-enhancing solutions
Solutions offering digital certificates, single-use codes known as one-time passwords (OTP) or application-specific PIN-unlock options further enhance the security of your device.
Granted, not all that glitters is gold, and mobiles also come with some drawbacks in terms of the protection of information. There are a number of risks that users may face when trying to secure their information on mobiles and tablets, including software updates that are dependent on the manufacturer and may never be deployed, the difficulty in analyzing the properties of digital certificates when browsing, a large amount of malware that sneaks into official stores, vulnerable apps, increased susceptibility to theft, loss or breakage, etc.
The truth of the matter is that, these days, it is difficult to expect any device, user or application to be infallible. A great deal of security that a system provides is determined by the configuration set by the user and by the way in which he or she uses it. After all, many threats that result in millions of compromises begin with a fraudulent email, a phishing website, or an instant message within (not necessarily) complex multi-platform social engineering schemes.
written by Denise Giusto Bilic, ESET We Live Security