57% of all our time spent using digital media happens in smartphone and tablet apps, according to The 2017 U.S. Mobile App Report from comScore.
Mobile apps add value to our day-to-day lives, but there’s also a dark side. Just look at headlines such as WannaCry or Twilio. These recent cases demonstrate the “side effects” of mobile apps and how apps can slip under the radar of basic safeguards.
We can follow best practices to protect mobile devices from ransomware or other malware, but what about things like location tracking and data collection? There’s a fine line between delivering convenient services through these types of app behaviors and leaking data and compromising mobile security.
The bottom line is: Are we really aware of what the apps we download are doing on our devices?
Looking at the mobile attack surface, three categories are commonly identified: network exploits, operating system (OS) manipulation and malicious applications.
Protective measures against the first two categories could easily be achieved with a “black-and-white” approach. This involves similar security techniques as for computers, requiring answers to elementary security questions, such as: Is jailbreak or privileged elevation granted? Is a device allowed to connect to public Wi-Fi? Those questions are condensed into a single, unknown equation to be solved.
As for applications, things get trickier. The way mobile apps process data, and the ultimate purpose of doing so, embeds a new parameter into the mobile security equation.
For instance, we may grant permission for geo-location to allow a cab application to retrieve our position in order to send us the closest driver, but this information shouldn’t also be sent to some unknown, remote server.
APIs integrated within apps used by millions of us can collect and potentially monetize users’ data. In other instances, APIs used to accelerate mobile payment processes can mask the SMS code confirmation step, which is known in cybersecurity as a one-time password (OTP) interceptor. These types of behaviors can be considered legitimate, as long as the user is fully aware and properly accepts the terms.
As part of their validation processes, Google and Apple ask developers to justify the permissions required for their apps to run. Unfortunately, this step does not properly safeguard against the misuse of those permissions. There are so many legitimate reasons to use a permission that it could be easy to bypass this control and publish an app with hidden and potentially malicious behaviors.
Analyzing permissions is a first step to get an overview of data that could be processed by an app, but it is not sufficient to determine its nature. It does not solve the mobile security equation.
We might consider the solution to app security a grey area because the sensitivity of data varies from one person to another, or from one company to another.
Consider location data. For most individuals and companies, this isn’t top-secret information, but for others, like government employees, this could be considered highly sensitive information.
So in that sense, we can’t impose a single, unique security policy to be applied across all mobile users.
Contextualization is, more than ever, a key factor when dealing with mobile security. When we focus on an individual or one company, it’s easier to define what is legitimate app behavior and what is not. This is how we simplify the mobile security equation and get back to the black-and-white approach.
Still, we need to determine what mobile apps are really doing on our devices and confront those behaviors with our security criteria.
Dedicated solutions exist to handle mobile security, mostly relying on score-based technologies. Based on the permissions requested by the app and the data manipulated, scoring (or reputation) techniques estimate the risk for the application to have a malicious nature.
However, this approach does not sufficiently provide a proper, factual conclusion on the activities performed by an application, hence why we still have a grey area.
Because Pradeo believes security means accuracy, our research team developed, over the past years, a patented artificial intelligence engine. This reveals and qualifies hidden behaviors of any mobile app, as well as suspicious activities performed on mobile devices.
Discover Pradeo's solutions: