From a cybersecurity perspective, today’s dominant mobile operating systems have considerable advantages over legacy desktop systems. Application isolation means that apps are restricted from interfering with the behavior or data of other apps and have highly restricted access to underlying system functions. The software distribution model of the Apple App Store and Google Play Store means that by default, applications and their updates are generally only installed from authorized sources. Features such as these considerably strengthen the security profile of iOS and Android against mobile threats and enterprises have come to rely heavily on these underlying features to provide security for mobile employees.
But can we always rely on these protections being in place? And if not, how can we know if the device has been compromised in a way that could be catastrophic to our mobile security defenses?
The Vulnerability Spectrum
Unfortunately, like all software, the software running on mobile phones contains flaws. Flaws relating to the security system of the underlying device are termed ‘vulnerabilities’. By attacking these vulnerabilities hackers are able to compromise the device and get it to do things which would otherwise not be possible without the consent and knowledge of the user. A vulnerability can be exploited to do a wide range of potentially harmful things. At one end of the risk spectrum, it may enable an app to show unwanted ads, while at the other end, a vulnerability could be used to remotely record audio from your phone’s mic.
Hundreds of vulnerabilities are discovered each year. They can be found in any part of the phone – including the operating system, the firmware, or the hardware subsystems such as Bluetooth or Wi-fi radio. Software vulnerabilities once disclosed, are generally addressed quickly by Google or Apple through their regular software update cycles. However getting these security updates installed on devices requires action by up to three actors: the end user (who must agree to install the update) and in the case of Android devices, the manufacturers, as well as the mobile carrier. The reality of this is that at any point in time there will be large numbers of devices which have not updated to the latest software and therefore have not be protected against known vulnerabilities. In addition, there are always as yet undisclosed vulnerabilities (or ‘Zero Day’ vulnerabilities) which cybercriminals or other bad actors will seek to exploit
The most obvious way to exploit these vulnerabilities is with malware. In the case of iOS, the app distribution model offers considerable protection against malicious software. Apple has been very effective at excluding malicious software from the App Store. Getting an app on to a non-jailbroken device other than through the App Store is confined to a small number of circumscribed use cases, e.g. via enterprise distribution or app testing software.
However, as demonstrated by XcodeGhost, there are always chinks even in the best-defended fortress. XcodeGhost refers to a modified version of the iOS Xcode development environment. Apps developed with XcodeGhost were compromised in a way which was not identified by the App Store review process and resulted in a significant rate of infection. Other malware such as AceDeceiver and Wirelurker have shown that it’s possible to infect an iOS device when physically connected to a compromised Mac or PC.
Pegasus, the most powerful iOS breach disclosed yet, managed to completely bypass Apple’s mechanisms for preventing malicious software installation. It exploited a trio of vulnerabilities known as Trident to perform a jailbreak on an end user device without the end users knowledge. Installation was through an MMS message sent to the target’s device. Once the embedded link was clicked, the process of infection commenced. Apple has since patched these vulnerabilities but Pegasus was a powerful demonstration that complacency about iOS and malware is ill-advised.
The more open nature of Android means that there is a non-trivial level of malware on Android devices. Malicious software has on multiple occasions passed Play Store approval. In addition, large numbers of legitimate apps have been infected with dangerous code through the incorporation of compromised SDKs. Google’s anti-virus program ‘Verify Apps’ means that known malware can be quickly be identified on devices but, without user action, malicious apps are not automatically removed.
The key to protecting against device compromise is continuous monitoring of device security health. This means monitoring configurations and behavior. EMM solutions will generally include the ability to monitor the basic security configuration settings. In many cases, it will be possible to use EMM to enforce device configuration policies.
A mobile threat defense (MTD) solution like Corrata’s Mobile Internet Security solution will also ensure that a broader range of relevant settings are monitored. Corrata’s solution can check whether end users have impaired device health by changing settings, such as turning on USB debugging, allowing sideloading of apps, or enabling developer mode, which will leave the device vulnerable to compromise.
However, it is essential that in addition to monitoring configuration, to detect device compromise you must also monitor device behavior. The most dangerous threats will be designed to by-pass the standard device level and EMM enforced controls. The only way of detecting them is through continuous monitoring of device behavior. Your mobile threat defense solution must incorporate the ability to capture what’s happening on the device in a timely way. With good data and the right analytics, an advanced Mobile Internet Security solution like Corrata will help protect against even the most sophisticated attacks.
To learn more about Corrata’s Mobile Internet Security solution and how it can help to protect your employee mobile devices from vulnerabilities and compromise , visit www.corrata.com or email us at firstname.lastname@example.org.