Once upon a time, the biggest threat to our data was from a virus or spyware sitting in our desktops and laptops. Spyware used to share our information to remote hackers silently, and malicious sites and apps used to spell all kinds of disasters in our systems. They were tedious to deal with and chaotic, to say the least.
And now, on top of all the existing threats to our data, a new point of vulnerability has emerged. Thanks to human’s need to be mobile and connected at all times, the latest target for hackers and data pirates to exploit is our mobile devices. Mobiles and tablet PCs have been under their attack relentlessly for many years now. And while our computers could be secured with just some precautions- blocking pop-ups, keeping your anti-virus updated and your firewall on at all times, etc.- securing mobile devices is a lot more difficult than that.
Safeguarding your mobile devices has a lot to do with proper mobile using etiquette's and protocols. Simple anti-viruses will not prevent you from a bug in some application which might have opened a hidden backdoor into your device for hackers to take advantage of.
As a business owner, the most embarrassing thing you can suffer from is data theft. It directly raises the question that- if you can’t safeguard your users’ data, why should they trust you with it? This can spell doom for a company which, if not properly handled, can lead to the eventual downfall of the entire institution.
So today, we will be discussing some of the most vicious mobile security threats to your devices and find out how you can protect yourself from them.
But before we kick off, let us take some time first to understand types of mobile security threats regarding your devices.
Broadly speaking, there are four types of mobile security threats.
Application-based threats arise when you download an app which looked legit, but once it is on your device, it opens a backdoor into your device. Furthermore, spyware and malware are common carriers of this disease. They share your data with other users on the internet without you even knowing it.
Web-based threats are the threats which arise when you are accessing a website which looked harmless on the frontend, but on the backend, is downloading malicious content on your device. These are particularly tedious and dangerous threats because net-based threats often go unnoticed.
Network-based threats arise when you are accessing an insecure WiFi connection. Hackers can easily find their way into your device and leave some code fragment or even a small application which will keep siphoning your data to him.
4. Physical Threats
These threats involve the times when you lose your device, and a hacker gets his hands on it. Because he has the actual hardware with him, this hacker has access to all your data. Furthermore, he can very quickly get into your company network with this device and wreak a lot of havoc.
Let us now discuss some of the most violent threats that you need to be on the lookout against.
Top Mobile Security Threats
1. Malicious apps
The biggest threat to mobiles in the smartphone era is, by irony, smartphone apps. Both the Apple App Store and Google Play store have millions of apps. And while most of them are legit and clean, many among them are just security bombshells waiting to go off. As soon as you download these malicious apps, they ask you for permissions to various aspects of your mobile device- contacts lists, speaker, memory, battery, etc. This is common, for an application to do what it does, it needs access to some parts of your phone. But sometimes we don’t realize that the permission lists of some apps, is longer than usual. If that is the case, you need to beware because if an application is asking permission to the parts of your phone it has no business meddling with, it might be a malicious application.
Once a malicious app finds home in your device, it secretly leaks out the company and personal data to people on the internet. Furthermore, these apps could be used to infect your company servers with some virus. If that is the case, then using this app, that virus can very easily get on your company network and bring it down to its knees.
Malicious apps might be one of the most significant points of vulnerability since this malicious app could be used by your competitors to mine out your secret data.
The first thing you need to do is going over an app's permission list before downloading it. If the app is being too greedy, choose not to download it. Moreover, ask your employees not to download frivolous apps on your company devices. They don’t need to have a photo-editing app on their work device. This sort of careless behavior might be disastrous for the entire firm.
Spyware apps are the threat which solely exists to spy on you and your data. And sadly, Android or iOS, no one is safe from them. App stores unknowingly supply spyware to your devices which mine out your data.
Back in 2016, Apple discovered that it suffered from zero-day vulnerabilities which left its devices exposed to Pegasus spyware. It had to release a patch for its OS to filter out the weakness. But by then, this spyware had already done a lot of damage.
Similarly, Android devices have been attacked by fake applications which have cultivated a lot of personal and company data over the years, too. To tackle this issue, Google had to reinforce Play Store’s security with the Play Protect patch.
Choose a single security app with good customer reviews and ask all your employees to download it on their devices. Furthermore, it is a good idea that you buy a premium security app because free ones often don’t give you complete protection. Since a lot rides on the integrity of your network, security apps are something you don’t want to skim over.
Then tell your employees to keep their device OS updated. This will protect them from the latest spyware.
3. Public WiFi
With the help of their mobile devices, companies are technically running 24*7. People are free to work anytime and anywhere. Thanks to the public networks which are provided by cafes, train stations, airports, etc., people can now log in and work wherever they want. But the drawback of these public networks is vulnerability to hackers.
It has somewhat become human psychology, that every time we see a WiFi network, we seek to make use of it. This willingness to connect to any network which might provide few MBs of data can have disastrous repercussions. It is not extremely hard for hackers to create fake hotspots with legitimate looking names and trick you into connecting with them. And as soon as you do, they have the complete access to your device, because you have provided it to them on a silver platter. These networks can be used for criminal activities. Moreover, if your employee has connected with a hacker and then has logged into your company infrastructure, then the hacker has an unhindered passage to your company servers and data as well.
The first thing you can do is, naturally, don’t access public networks, at least not from your company devices. But if you absolutely must, then you and your employees both must use different passwords and pins for your various accounts. Hackers are usually under the impression that the victims are so naive that they will use the same password and other credentials for all their accounts. Don’t do that. Be smart and bring some variations to your credentials. This way, even if you have invited a hacker into your device, he will not be able to gain complete access to all your accounts.
4. Unencrypted communication
In the digital age, the greatest threat is to your digital data. We share everything electronically these days, from inter-departmental memos to company announcements, everything is done either via email or on tools like Skype, Google Hangouts, etc. And if the data shared is unencrypted, then it is at a perpetual threat of being read by a third person. This can lead to severe data leaks. Furthermore, other than hackers, anyone else can read these messages as well. Your service provider, the application that you use to communicate, and many other such third party institutions or individuals can very easily monitor your company’s inner-communication.
It is always a good idea to use a method of communication which encrypts every message that is sent between various tiers and individuals of the company.
5. IoT related threats
With the rise of IoT application development, we have seen a rapid increase in the number of internet-enabled devices. Smartwatches, smart televisions, smart houses even, anything that can have a benefit from being connected to the internet, is being connected to the internet. Now entire offices work as a single digital-life form. We can move our data from our mobiles to desktops to tablets to big OLED Smart TVs in our conference rooms, all of it to increase work efficiency.
But the problem is, anything that is connected to the internet is under a potential threat. Most mobile devices in an IoT have an IP address, using which they access the internet. Hackers and Malicious applications can very easily mine out the IP addresses of your mobile devices and sneak into your company network. This puts your company’s neural network at threat. Imagine it, an office in which everything is connected to the internet like organs and where the data flows between these organs like blood in veins. Then a malicious software in such a body is like a bacterium which will be able to propagate from device to device, stealing data and spreading various diseases.
The obvious way to protect your mobile devices from IoT threats is to exercise basic mobile using protocols. Ask your employees not to download any apps from third-party sites. Furthermore, keep sending memos out to all your employees, reminding them of all the etiquettes they must follow while handling devices in your company’s IoT.
6. Phishing Attacks
Enterprises fall prey to phishing attacks all too often through cyber-espionage. A phishing attack is a method of fishing out sensitive information- like bank details, social security number, etc.- from a company’s employees. The culprit firstly looks for the public email ids of employees and then disguises as a legitimate, in-house personality which you can trust. Phishing attacks cannot be detected instantaneously, and that is why they are all the more disastrous.
By following strict protocols about sharing personal details, companies can prevent themselves against phishing attacks. Furthermore, you must establish a proper mechanism in which you, as a company, will ask your employees for their details. And then build some method following which, changes in users’ personal information could be made. It happens all too often that a hacker who is portraying as an employee sends the finance department a request to redirect all the money to a new account. It isn’t until later that the finance department realizes that they have been hacked and all the money they have transferred has actually been stolen.
7. Improper Session Handling
When it comes to mobile security threats, the risk of improper session handling can't be ignored. Most of the mobile apps use tokens these days in order to facilitate transactions through mobile devices. In these transactions, multiple actions or steps are undertaken without re-authenticating the identity of the user.
These tokens, like passwords, are generated by apps to authenticate devices. The secure applications generate new tokens in each session and somehow maintain the security guidelines. But some apps generally don't do that, and this leads to serious security issues.
When apps intentionally or unintentionally share the session tokens with threat actors, improper session handling occurs. That is how they are able to impersonate real users. Usually, this occurs when a user navigates away from the app or the website and leaves the session open.
For example, whenever an employee of a company logs in to some company intranet website from a device and forgets to log out, he/she gives a golden opportunity to a hacker to explore that website and other connected resources.
The basic step which must be taken in order to avoid improper session handling is to protect the session ID. The best way to do this is to invalidate session IDs on regular intervals and not disclosing them in the URL itself. Moreover, user authentication credentials should be encrypted properly.
Above are only some of the threats you need to be aware of in 2018. Other than these, you should also be on the lookout for botnets, inactive apps, and vulnerability posed by weak passwords. We are only as safe as we want to be. It is our responsibility to make sure that we do everything in our power to make sure that the integrity of our system is not compromised.