Smartphone Security: Alarming Complacency Among Mobile Users
Most consumers are unaware of the security risks associated with their smartphones.
Last week, I blogged about a study from Lookout that pointed to the growing threat of malware aimed at smartphones in general and, at least for that study, Android in particular.
The fact that the threat is growing is emphasized, if nothing else, by the number of studies that are being released on the topic. Lookout's study was persuasive.
A study released this week by viaForensics looks at the security of consumer Android and iOS applications, and what the firm found wasn't encouraging. One takeaway, for instance, is that many apps store usernames in plain text. This can compromise that app. Since it is common for people to reuse usernames, other apps and online services are also at risk.
The Red Orbit story goes on in this vein. The bottom lines are that consumer apps are poorly constructed and people tend to take shortcuts that are not consistent with good security. It is safe to assume that, at least to some extent, the dangers extend from consumer to business applications, which may be engineered just as poorly. And, after all, the same lazy people are using them. Hopefully, IT, HR and other departments are stepping in and enforcing security policies and rules.
There are other problems as well: British site Ontrack Data Recovery posts about a finding by IT firm Dasient that more than eight percent of 10,000 Android apps sent unauthorized information to unauthorized computers.
The base problem may be the melding of personal and business mobile devices. They never really were separate, and are aligning more closely than ever. PC Pro cites a Sophos study that says that 28 percent of workers are encouraged to use their personal device by their employer, and a quarter use the same device for work and play.
There are significant misgivings about all this, according to the story:
That same survey suggested half of those asked didn't feel confident the information on their smartphone would be secure if the device was lost or stolen, while at the same time three out of ten respondents claimed their employer had no security policies in place regarding the protection of that mobile data.
On a related note, it is important to keep in mind that mobile devices go missing far more easily and often than desktops, which essentially stay put unless they are stolen. I don't usually blog about my personal life - IT and telecom can be dull enough, quite frankly, without my help - but once in a while I have reason to. Last weekend, I had a nice time visiting friends on Long Beach Island, N.J. Right before leaving, one of the people I was with handed me a BlackBerry that was lying on a bench by the bay. I spent the next half hour calling the guy's contacts in the hopes that they would get word to him that I had the phone and would send it his way or to Verizon.
At that point, I had access to the gentleman's life. Many of the contact numbers rang to businesses, so they were clearly work-related. I don't know what else was on the phone, but a cracker would have made short work of finding out. (The "calling all contacts" plan worked and the owner soon called me back. He was in the area and picked up the phone.)
The bottom line is that the smartphone world is fraught with internal and external threats. They are designed or introduced by the owners. Businesses should be vigilant - perhaps even more than they are for stationary computing assets.