Between claims of charlatan mobile anti-virus vendors and disagreements about what is actually mobile malware, it might seem like the hype of mobile security is ahead of its reality. Then demos like the mobile remote access trojan (RAT) at RSA come along and scare the hell out of any smartphone user. So what’s the real story about mobile security today?
At Mobilisafe, we are building a large data set, exceeding 130 million connection events and growing, to help quantify real mobile security risks for our customers. I want to share some analysis from our data to get beyond the fear, uncertainty, and doubt (FUD).
Come One, Come All
We learned that over 80 percent of employees are using personal devices to access corporate data like email. They use a wide variety of devices, with a new device model for every seven employees in an organization. These two measures of penetration and diversity are consequences of the increasing affordability of smartphones and tiered data plans. T-Mobile was the first US carrier to offer an Android smartphone for free, and each US carrier has tiered data plans with low-cost options driving adoption of mobile data services.
In Search Of The Latest And Greatest
Our analysis also showed that 39 percent of devices with access to corporate data were idle for 30 days or more. Were these devices lost, stolen, sold on eBay or Craigslist, handed down to a family member or left in a drawer? These possibilities have significant implications for the personal and corporate data on the device. This high rate of dormant devices is also closely related to the frequency of lost phones and the accelerating adoption of newer devices, even without significant contract subsidies.
One of the most surprising and concerning data points from our analysis was that 56 percent of iOS devices were running outdated firmware. Apple has made the update process easier with the release of iOS 5.0 by enabling over-the-air updates using Wi-Fi, and yet many people are not applying updates. These updates address security holes like jailbreaking devices with malformed PDFs, executing unsigned code and bypassing lock screen passwords.
The picture is pretty ugly on the Android side as well. The different combinations of handset manufacturers and carriers have resulted in firmware updates being delivered inconsistently: some over cellular data, others posted on websites in combination with desktop updater software. Since handset manufacturers generally lack direct relationships with the consumer, update rates are less than 10 percent when manufacturers only post firmware updates on their website. On the carrier side, pushing 100 MB+ updates over 3G/4G for millions of phones presents network congestion challenges.
A separate but equally important issue is updating all Android devices to the latest version available from Google. Handset manufacturer and carrier customization, along with carrier test cycles, diminish the rate at which these updates are made available. Having lived through many update cycles of Android, I understand the challenges that each of the players faces to make this happen, and currently there is little motivation for them to do so with the exception of addressing major bugs and security holes.
In spite of Microsoft’s efforts to achieve steady, global distribution and installation of software updates for Windows Phone by coordinating with their carrier partners, they are also experiencing issues similar to Android. Only about 20 percent of the Windows Phone devices we monitor are running the latest version of the platform. Microsoft has this issue across a relatively small number of devices, so it remains to be seen how they can improve as the diversity and volume of devices increases. Given the low penetration of Windows Phone in the mobile market today, there is little risk associated with these devices being out of date because so few vulnerabilities have been discovered.
You Can’t Escape It
So what do all these smartphones and tablets, mostly on outdated firmware, mean for the mobile security landscape? We found that 71 percent of devices we monitor are susceptible to high-severity vulnerabilities across 38 different operating system versions. There have been some notable exploits of these vulnerabilities, including DroidDream, which infected an estimated 250,000 phones with an exploit delivered through nearly 60 applications in the Android Market (now Google Play). Simply applying firmware updates would drastically reduce the exposure to known high-severity vulnerabilities by nearly 400 percent, from 71 percent of devices to 18 percent.
The Hungry Hacker
The strongest sign of malicious hacker interest in mobile devices from our data is the growth in vulnerability discovery. In 2012, we are seeing a 400 percent growth in the rate of vulnerability discovery over 2011. With the prevalence of these security holes, the increasing adoption of smartphones and tablets for personal and corporate use, and the lack of update hygiene, malicious hackers have an opportunity to feast with exploits that can yield high-value data. How high-value? How about your credit card limit?
A Perfect Storm
The publicity around mobile malware and viruses has overshadowed a more alarming trend. While there have been several notable, high-profile mobile security incidents to date, these pale in comparison to the underlying data we see, with intersecting trends of increasing smartphone and tablet usage, commingling of personal and corporate data, and increasing vulnerability exposure.
In upcoming posts in this series, I will analyze the implications and consequences of the data we’re seeing for enterprises and mobile ecosystem players and how they can ensure mobile security incidents don’t jeopardize what is shaping up to be the most significant technology disruption in decades.