Mobile security in the enterprise, though not a new issue, is an increasingly serious subject today as mobile threats become better understood. Offering perspective, Pradeo just released a Mobile Security Threat Report that contained some eye-opening findings. Their survey of 3 million devices found, for example, that 67% of Android apps and 61% of iOS apps exfiltrate data.
The bulk of that data exfiltration is legal (though hidden in fine print) and relates to things like hardware and phone network metadata. However, most users are not aware of how much personal data their devices are leaking, permission or no permission. For example, 15% of exfiltration involves personal contact information, 7% is user profile information and 8% is audio/video recordings. Even when it’s legit, the exporting of private SMS messages, videos and so forth to unknown third parties should cause concern.
One concern should be the security of the sites that store the exfiltrated data. “You may trust Apple or Verizon with your personal information,” said Roxane Suau, VP Marketing at Pradeo. “But, in a lot of cases, your data is going to companies you’ve never heard of, with unknown or unverifiable security practice. Who knows who’s got your recordings and contact records?” As Suau further explained, exfiltration can also mask malicious data theft.
The Pradeo report listed a host of other security problems for mobile devices. These include the growth of malware and cryptojacking on mobile devices, network threats, OS exploits, hidden rootkits and more. Hackers are aware that employees rely on mobile devices for their jobs, so they are targeting apps and mobile operating systems to steal confidential data, network login credentials and more.
Strong mobile security policies appear to be one answer to these vulnerabilities. Certainly, corporate security managers are learning the hard way not to impose poorly thought through mobile policies. “If you tell employees, go ahead and bring your own device, but, by the way, we retain the right to wipe your personal device if we so choose, you’re not going to enjoy policy success,” said Brian Egenrieder, Chief Revenue Officer at SyncDog, which provides mobile security solutions. “People will work around it, guaranteed. Good mobile security policies have to be fair, practical and, ideally, invisible,” he added.
The SyncDog approach is to provide an encrypted container on the device where the worker can perform corporate work tasks. The SyncDog container is “defense-grade” and uses FIPS-compliant, AES 256-bit encryption to secure data and IP. This protects data on the employee’s device as well as when it’s in transit. SyncDog includes a suite of mobile productivity apps like Office 365 and Dropbox that work inside the container.
“From a policy perspective, we try to be easy,” Egenrieder explained. “The policy is, install the container and work in it. If you do that, you’re in policy. Whatever else you do with the device, we don’t care.”
Pradeo also enables risk mitigation through the enforcement of a simple policy. They approach mobile security through in-app self-protection. Their solution comprises a self-protection module that uses Artificial Intelligence (AI) to detect threats based on global threat intel. The module works as a Software Development Kit (SDK) that gets embedded in the app source code. It’s an unobtrusive solution that does not affect user experience.
A company can specify use of Pradeo as a required policy for any app used in the workplace. And, like Pradeo, policy enforcement is automatic. The user may not even be aware that there’s a policy in effect.