What is mobile security? And do we need it?

I attended Mobile World Congress in Barcelona, where (among many other things) numerous security vendors were presenting their latest mobile products. I took the opportunity to quiz them. Why do smartphone users need to worry about security software, which many users were glad to leave behind with their PC? I observed that whereas I have often heard of friends or contacts suffering from PC malware, I have yet to hear anyone complain about a virus on their mobile or tablet.

I got diverse answers. NQ Mobile, for example, told me that while mobile malware is relatively uncommon in the USA and Europe, it is different in China where the company has a strong base. In China and some other territories, there are many Android-based mobiles for which the main source of apps is not the official Google Play store, but downloads from elsewhere, and malware is common.

Do you have an Android phone? Have you checked that option to “allow installation of non-Market apps”? One mobile gaming controller I received for review recently came with a free game. Guess what – to install the game you have to check that option, as noted in the documentation.

When you allow non-Market apps, you are disabling a key Android security feature: that apps can only be installed from the official store, which, you hope, has some level of quality checking from Google and makes it likely that malware that does slip through will be quickly removed. But what will users do, install the game, or refuse to disable the feature? I am reminded of those installation manuals for PC devices which include instructions to ignore the warnings about unsigned drivers. Most of us shrug and go ahead.

Nevertheless, for those of us not in China, mobile malware is either uncommon, or so stealthy that few of us notice it (an alarming thought). Most of the responses I received from the security vendors were more along the lines that PC-style malware is only one of many mobile security concerns. Privacy is another one high on the list. When you install an app, you see a list of the permissions it is demanding, and sometimes the extent of them is puzzling. How do we know whether an app is grabbing more data than it should, for unknown purposes (but probably to do with ad targeting)?

Some of the mobile security products attempt to address this problem. Bitdefender Mobile Security includes an application audit which keeps track of what apps are doing. Norton Mobile Security scans for apps with “unusual permissions”.

Web site checking is another common feature. Software will attempt to detect phishing sites or those compromised with malware.

Perhaps the biggest issue though is what happens to your lost or stolen device. Most of the mobile security products include device tracking, remote lock and remote wipe (of course, some smartphones come with some of this built-in, like iOS and Find My iPhone).

If you do lose your phone, an immediate worry is the security of the data on it, or even worse, on an SD card that can be removed and inspected. Your contacts? Compromising photos? Company data? Remote wipe is a great feature, but could a smart thief disable it before you are able to use it?

Some products offer additional protection. NQ Mobile offers a Mobile Vault for data security. It has a nice feature: it takes a photo of anyone who enters a wrong passcode. Again though, note that some smartphones have device encryption built-in, and it is just a matter of enabling it.

Windows Phone 8 is an interesting case. It includes strong BitLocker encryption, but end users cannot easily enable it. It is enabled via Exchange ActiveSync policies, set through the Exchange Management Console or via PowerShell.
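What that policy change can look like from the Exchange Management Shell, as an added example that is not from the original post. It assumes the Exchange 2010 `Get-ActiveSyncMailboxPolicy` and `Set-ActiveSyncMailboxPolicy` cmdlets (Exchange 2013 also provides equivalent `*-MobileDeviceMailboxPolicy` cmdlets) and an account allowed to edit the policies; it audits which policies leave devices unencrypted before changing anything.

```powershell
# Added example: run in the Exchange Management Shell.
# Assumes the Exchange 2010 ActiveSync policy cmdlets are available.

# 1. Audit: show the settings that matter when a device is lost or stolen.
$policies = Get-ActiveSyncMailboxPolicy
$policies |
    Select-Object Name, RequireDeviceEncryption,
                  DevicePasswordEnabled, AllowNonProvisionableDevices |
    Format-Table -AutoSize

# 2. Pick out the policies that do not require device encryption.
$weak = $policies | Where-Object { -not $_.RequireDeviceEncryption }

# 3. Preview the change on each weak policy. -WhatIf reports what would be
#    modified without touching anything.
foreach ($p in $weak) {
    Set-ActiveSyncMailboxPolicy -Identity $p.Identity `
        -RequireDeviceEncryption $true `
        -DevicePasswordEnabled $true `
        -AllowNonProvisionableDevices $false `
        -WhatIf
}
# AllowNonProvisionableDevices $false stops devices that cannot enforce the
# policy from synchronising, so check which devices connect before applying.
# Re-run the loop without -WhatIf once the preview lists only the policies
# you expect.

# 4. Verify: after applying, this should list no policies.
Get-ActiveSyncMailboxPolicy |
    Where-Object { -not $_.RequireDeviceEncryption } |
    Select-Object Name
```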

Why not let users set encryption themselves, if required, as you can on some Android phones? On Apple iOS, data encryption is automatic and can be further protected by a passcode, with an option to wipe all data after 10 failed attempts.

Encryption will not save you of course if a rogue app is accessing your data and sending it off somewhere.

Mobile security can feel like a phoney war (ha!). We know the risks are real, that smartphones are just small computers and equally vulnerable to malware as large ones, and that their portability makes them more likely to go astray, but most of us do not experience malware and mainly worry about loss or theft.

Businesses are the opposite and may care more about protecting data than about losing a device, hence the popularity of mobile device management solutions. The fact is though: some of that data is on the device and being taken everywhere, and it is hard to eliminate the risk.

Is mobile security a real problem? I hardly need to say this: yes, it is huge. Do you need anti-virus software on your phone? That is harder to answer, but unless you are particularly experimental with the apps you install, I am not yet convinced.

The frustrating part is that modern smartphones come with integrated security features, many of which are ignored by most users, who find even a simple passcode lock too inconvenient to bother with (or perhaps nobody told them how to set it). It is hard to understand why more smartphones and tablets are not secure by default, at least for the easy things like passcodes and encryption.

App and privacy issues are harder to address, though maintaining properly curated app stores and only installing apps from there or from other trusted sources is a good start.