For a cybersecurity perspective, today’s dominant mobile operating systems have considerable advantages over legacy desktop systems. Application isolation means that applications are restricted from interfering with the behavior or data of other applications and have highly restricted access to underlying system functions. The app store software distribution model means that by default applications and their updates are only installed from authorized sources. Features such as these make iOS and Android considerably strengthen the security profile against mobile threat. Enterprises have come to rely heavily on these underlying features to provide security for the mobile employees.
But can we always rely on these protections being in place? And if not, how can we know if the device has been compromised in a way that could lead to a catastrophe in our mobile security defenses ?
The vulnerability spectrum
Unfortunately, like all software, the software running on mobile phones contains flaws. Flaws relating to the security system of the underlying device are termed vulnerabilities. By attacking these vulnerabilities hackers are able to get the device to do things which would otherwise not be possible without the consent and knowledge of the user. A vulnerability can be exploited to do a wide range of potentially harmful things. At one end of the spectrum, a vulnerability may enable an app to show unwanted ads. At the other end of the risk spectrum, a vulnerability could be used to remotely record audio from your phone’s mic.
Hundreds of vulnerabilities are discovered each year. These can be in any part of the phone – the operating system, the firmware or hardware subsystems such as Bluetooth or Wi-fi radio. Software vulnerabilities once disclosed, are generally addressed quickly by Google or Apple through their regular software update cycles. However getting these security updates installed on devices requires action by up to three actors: the end user (who must agree to install the update) and in the case of Android devices, the manufacturers as well as the mobile carrier. The reality is that at any point in time there will be large numbers of devices which have not been protected against known vulnerabilities. In addition, there are always as yet undisclosed vulnerabilities (zero days) which cybercriminals or other bad actors will seek to exploit
The most obvious way to exploit these vulnerabilities is with malware. In the case of iOS, the app distribution model offers considerable protection against malicious software. Apple has been very effective at excluding malicious software from the App Store. Getting an app on to a non-jailbroken device other than through the App Store is confined to a small number of circumscribed use cases e.g. via enterprise distribution or app testing software.
However, as demonstrated by XcodeGhost, there are always chinks even in the best-defended fortress. XcodeGhost refers to a modified version of the IOS Xcode development environment. Apps developed with XcodeGhost were compromised in a way which was not identified by the App Store review process and resulted in a non-insignificant rate of infection. Other malware such as AceDeceiver and Wirelurker have shown that it’s possible to infect an IOS device when physically connected to a compromised Mac or PC.
Pegasus, the most powerful yet disclosed iOS breach, managed to completely bypass Apple’s mechanisms for preventing malicious software installation. It exploited a trio of vulnerabilities known as Trident to perform a jailbreak on an end user device without the end users knowledge. Installation was through an MMS message sent to the target’s device. Once the embedded link was clicked the process of infection commenced. Apple has since patched these vulnerabilities but Pegasus was a powerful demonstration that complacency about iOS and malware is ill-advised.
The more open nature of Android means that there is a non-trivial level of malware on Android devices. Malicious software has on multiple occasions passed Play Store approval. In addition, large numbers of legitimate apps have been infected with dangerous code through the incorporation of compromised SDKs. Google’s anti-virus program ‘Verify Apps’ means that known malware can be quickly be identified on devices but, without user action, malicious apps are not automatically removed.
The key to protecting against device compromise is continuous monitoring of device security health. This means monitoring configurations and behavior. EMM solutions will generally include the ability to monitor the basic security configuration settings. In many cases, it will be possible to use EMM to enforce device configuration policies.
A Mobile Threat Defense (MTD) solution like Corrata’s will also ensure that a broader range of relevant settings are monitored. An MTD solution can check whether end users have impaired device health by changing settings which will leave the device vulnerable. For example turning on USB debugging, allowing sideloading of apps or enabling developer mode. Worse still, they may undermine some inherent protections by disabling Google’s Play Protect or Apple’s Fraudulent Website Warning.
However, it is essential that in addition to monitoring configuration, you also monitor device behavior. The most dangerous threats will be designed to by-pass the standard device level and EMM enforced controls. The only way of detecting them is through continuous monitoring of device behavior. Your mobile threat defense solution must incorporate the ability to capture what’s happening on the device in a timely way. With good data and the right analytics, an advanced mobile threat defense solution like Corrata will help protect against even the most sophisticated attacks.