Guest Post: Research Analyst Discusses Mobile Threat Landscape
I’m Chris Sherman, a senior analyst serving Security & Risk (S&R) Professionals at Forrester Research, and today’s guest blogger for MobileIron. I recently sat down with the MobileIron team to discuss how I see the modern mobile security landscape evolving. The following video and Q&A help to illuminate some of the most pressing security threats faced by enterprises today — especially as they relate to mobile devices — and the tools used to address these threats. Watch the video to learn more, and be sure to check out the Q&A below.
1) Where do mobile threats mainly originate from?
In general, we see mobile threats originating from three sources: phishing, malicious applications downloaded from app stores (both official and third-party), and device/app exploits. Phishing is by far the most prevalent and can be used to deliver the second two. Increasingly we’re seeing attackers leverage non-email communications, such as instant messaging apps and SMS. For example, a common mobile-specific phishing attack technique will utilize SMS to deliver a link to a fake company login page for a corporate app, stealing valuable credentials when the user unwittingly clicks the link and enters their login details. If the text is targeted to a specific individual or organization, it’s generally known as spear-phishing. Widespread attacks that leverage users’ fears, such as fake COVID-19 test results, are also on the rise and can lead to ransomware, financial trojans, spyware, and many other tools with nefarious purposes.
We’ve also seen several high-profile mobile exploits affecting both iOS and Android, such as the case with the StrandHogg Android vulnerability that allowed attackers to run malware in place of legitimate apps downloaded from the Google Play app store. Overall, malicious apps and exploits are leveraged frequently, and these risks are increased when users jailbreak their devices. While mobile devices were once thought to be immune to such attacks, this is not the case today.
2) What emerging threat techniques are being used to improve attack success rates today?
One type of attack that has received a lot of press lately is supply chain attacks affecting mobile applications and devices straight from the factory. Supply chain attacks take advantage of the extensive ecosystem of third-party suppliers used in the development of the device or applications. For example, a malicious party could infect a library used in code development, such as the case with the Triada trojan infecting Android devices from the factory in 2019. We’ve also seen other advanced attacks affecting SIM cards where a malicious SMS is sent to a device and exploits a vulnerability to take control of the device (e.g., Simjacker in 2019). Finally, there have been several forced-jailbreak attacks that break down many of the native security measures protecting a target’s device for subsequent exploitation, such as with Checkm8 and iBoot attacks. The bottom line is, security professionals must be aware of all the ways a mobile device can be compromised beyond simple malware.
3) How can an enterprise security team best protect against mobile threats?
First, you should map out your attack surface and identify the mobile threats you are most exposed to, focusing on any unmitigated risks before choosing a vendor with the expertise that matches your need. The point here is to think like an attacker: Ask yourself whether you have employees with jailbroken devices, vulnerable software, or sensitive data that might be traveling through unencrypted channels. Perform a detailed analysis of your attack surface and how data moves between your mobile and stationary environments. As I mentioned in my accompanying video, eliminating any trust assumptions here is critical for a Zero Trust security posture. Wherever access to sensitive data is permitted, there should be access controls in place and appropriate isolation based on real-time risk. Also, consider whether a lack of device-level security is putting you at a greater risk for software exploitation. Mobile technology vendors are constantly improving their operating systems’ native anti-exploit capabilities as they roll out new versions and updates; keeping this software up-to-date should be a priority.
As you begin to rely more on native OS-level security features for device-level security, you can focus more on what matters the most: protecting the apps and your corporate data. You should have app management in place with jailbreak detection and data isolation using technologies like app containerization or virtualization. Browser protection should include malicious URL protection. Overall, the more management you can do in the app layer, the better. This will allow you to decouple protection from the devices and infrastructure and focus on protecting your sensitive data and apps consistently across all device types, regardless of device posture or ownership. Ultimately, it would help if you strived to protect every device with access to corporate resources against threats like phishing and sensitive data theft.