Why software isn’t the key security vulnerability on mobile
Make way for mobile. In 2016 280 million desktop or laptop computers shipped globally. The equivalent figure for smartphones was an amazing 1.5 billion. These figures highlight the fact that today’s personal computing platform of choice is mobile. And of course, the overwhelming number of these mobile devices are running either Apple’s iOS or Google’s Android operating systems.
The end of the PC era
This technology revolution has been reflected in enterprise computing as well. The 30 year period when the dominant enterprise endpoint was a PC or a laptop running Windows has come to an end. Enterprises are already cognizant of this change and investing in the tools and infrastructures required to support these new devices: today over 80% of enterprises have some form of mobile device management system in place.
Mobile is a different animal
Naturally enough, when presented with these new endpoints, security professionals may have imagined that the vulnerabilities associated with mobile would be similar to those they were already familiar with. In the Windows world, for example, where the need to protect devices from infection from malware is paramount, this often calls for the installation of anti-virus software (to identify and deal with infection), and to ensure that there are secure web gateways on the network (to prevent bad stuff from getting to the endpoint). These safeguards are well known and ubiquitous in the traditional environment.
But it turns out that mobile endpoints are different. The modern operating systems they use don’t share the same vulnerabilities as Windows. Although there have been a small number of malware incidents documented on iOS (for example xCodeGhost and Stagefright) and a larger number on Android, when compared to more traditional platforms, it is fair to say that they have proven themselves significantly less vulnerable to harmful attacks. That is not to say that the two newer systems are invincible to malware, but to date, the incidence of significant harm to enterprises due to mobile malware has been relatively low.
Exploiting the user
Mobile devices are however uniquely vulnerable to attacks that exploit users rather than software. These social engineering attacks involve fooling an end user into revealing sensitive information or taking some dangerous action. This could involve getting an employee to enter their username and password into a faked version of the company’s intranet page, or their Salesforce account.
These kinds of attacks are particularly effective on mobile, for a number of reasons: firstly, the small screen size means that warnings or other visual clues may not be as visible as they are on a desktop. Often the URL is only visible momentarily, if at all, and important icons indicating risk may not be prominently displayed.
Secondly, mobiles are often used in environments (in the home, while socializing) where it is natural for people to be less conscious of information security risks. One survey reported that users are three times more likely to click on a dangerous link on their mobile devices than on a traditional computer.
Finally, the kind of protection offered by advanced URL filtering (typically implemented on corporate networks as part of a web security gateway) is rarely present on mobile devices.
Mobile sorely needs more protection
This last point raises an obvious question: why don’t enterprises offer the same levels of protection for fixed and mobile users? One reason is the perception that such protection is not needed on mobile. As discussed earlier it is true that the malware threat on mobile is not as pronounced as it is in the PC world. Nonetheless, this doesn’t do away with the need for protection against employees being tricked into entering sensitive data onto malicious sites. And as explained above, this is a protection that is sorely needed on mobile.
The built in protection offered by mobile browsers is patchy and highly variable. In one test, a known phishing site, which was flagged by desktop versions of Safari, Chrome, and Mozilla, was missed by the mobile versions of these same browsers and by phone’s native browser.
The trouble with traffic routing
In addition to the perception issue, there are technical challenges in using secure gateways with mobile devices. Configuring devices to route traffic through a gateway is problematic – for example it’s relatively easy to set an HTTP proxy on Apple devices for cellular, but very cumbersome to do so on Wi-Fi.
Likewise VPN technology, while mature and relatively easy to deploy on fixed networks, has thus far proven troublesome on mobile. And above all, the privacy implications of routing all an employee’s smartphone traffic (much of which is inevitably personal in nature) through a corporate controlled gateway are problematic, to say the least.
The Corrata solution
It was these limitations that drove the team at Corrata to develop a new type of solution for web threat protection on mobile devices. Specifically our team has innovated by creating an on-device content control solution that can filter web traffic at the device level doing away with the need to route traffic through a gateway. With this new architecture, the enterprise mobility market now has an effective solution for web filtering that requires no compromise on user experience or an employee’s reasonable expectations of privacy.