Information Security risks: mobile apps
Table of Contents
2.0 Information security risk
2.1 Physical risks
2.2 Malware attacks and other nonphysical risks
2.3 Communication Interception
As established in this report, the three key information security risks found to be associated with mobile apps security include physical risks, malware attacks and other nonphysical risks, and communication interception.
The executive management is therefore informed that mobile apps are at great risk of unauthorized physical access because of their miniature physical attribute, which makes them vulnerable to theft. The increased use of mobile ads also significantly exposes mobile app users to malware attacks. Additionally, mobile devices remain highly exposed to security breaches because they still lack sophistication in the areas of secure anti-virus software, reliable configuration settings and firmware updates. Bluetooth and Wi-Fi connections also make mobile devices particularly vulnerable to attacks from malicious mobile apps.
This report recommends greater emphasis on traditional controls like tamper-proof passwords and secure screen locks to prevent access to private mobile apps. Mobile users should only access mobile apps that have been stamped with an author's or vendor's identity. Use of permissions-based access control and encryption is also recommended. There is also a need for greater emphasis on policymaking on the information security of mobile apps.
The purpose of this report is to examine the information security risks associated with the use of mobile apps for individuals and organizations. It also provides some recommendations on how to limit these risks.
2.0 Information security risk
The three key information security risks that can be identified in current mobile apps security literature include physical risks, malware attacks and other nonphysical risks, and communication interception.
2.1 Physical risks
Mobile apps are at great risk of unauthorized physical access because of their miniature physical attribute, which makes them vulnerable to theft. By design, mobile devices are characteristically undersized, portable and particularly lightweight (O’Leary et al. 2016). Although their miniature sizes make them suitable for users who are always on the move, they also present significant risks of physical theft, as they can easily be stolen and hacked into to access data. According to Gajar et al. (2013), the portable nature of mobile devices poses significant risks to the device’s overall security and to the information contained in the mobile apps, as the devices can easily be stolen to access the data. This also implies that even a clever anti-virus software package and intrusion-detection system are incapable of overcoming the security risks posed by malicious individuals with unauthorized physical access to the mobile device. As regards the mobile apps, some commentators like O’Leary et al. (2016) have also suggested that circumvention of a password or security lock may not be difficult for an experienced hacker. This also implies that mobile devices present cyber attackers with easy-to-breach encrypted data (Zineddine 2012). An example may consist of corporate data stored on a mobile device, as well as passwords that reside in apps like the iPhone Keychain (O’Leary et al. 2016). In reality, this effortlessly grants unauthorized users access to the corporate virtual private network (VPN) and emails. Additionally, total deletion of data is not likely when the mobile device’s built-in factory reset is used or when the mobile device’s operating system is re-flashed. This implies that secret or confidential corporate data stored in storage apps can still be accessed years later through forensic data retrieval software (O’Leary et al. 2016).
This is the case with mobile health apps, also known as mHealth apps. According to Adhikari et al. (2014), use of mHealth apps among patients and healthcare providers presents significant security and privacy breach risks. When patient data cannot be completely deleted from a mobile app, then it implies that someone else may still have access to the data through the use of forensic data retrieval software. This implies that healthcare providers cannot completely guarantee sufficient protection of patient privacy (Adhikari et al., 2014).
2.2 Malware attacks and other nonphysical risks
Mobile malware is, by nature, socially engineered and designed to trick mobile phone users into presenting a hacker with private information that can facilitate further attack. Mobile apps downloaded from the internet, particularly rogue applications, have been found to contain malicious code. According to Gajar et al. (2013), mobile devices are particularly exposed to security breaches because they still lack sophistication as regards secure anti-virus software, reliable configuration settings and firmware updates. In other words, non-business-oriented mobile apps or unauthorized apps can easily affect the device’s integrity as well as the private data it contains (Sarrab & Bourdoucen 2015).
Although researchers still acknowledge that mobile users are not subject to the same degree of drive-by downloads that desktop PC users are exposed to, the increased use of mobile ads is exposing mobile app users to significant attacks, a situation dubbed “malvertising.” There are indications that mobile users who use the Android operating system are the prime targets of “malvertising,” because of its prevalent use and the ease of developing mobile apps for it (Ramachandran et al. 2012; O’Leary et al. 2016). For instance, mobile malware like Trojans that have been specifically developed to steal data is capable of operating over a Wi-Fi or mobile phone network. Hackers often send the Trojans via SMS, requesting a mobile user to click on a link provided in the message to access an app online. Afterwards, the malware is delivered through an application, before spreading freely to mobile devices. Gajar et al. (2013) also acknowledge that while mobile devices utilize a range of operating systems, the frequent changes in addition to technological advancements imply that they become outdated relatively fast. Hence, security and data controls are lacking.
Wright et al. (2012) acknowledge that malware attacks on smartphone operating systems, such as Android, are increasingly evolving. They provided the example of “Zeus-in-the-Mobile” (ZitMo), which refers to a kind of malware that typically attacks Android OS. According to Wright et al. (2012), ZitMo targeted Android mobile device users’ banking apps by bypassing the banking two-factor authentication, prior to stealing passwords and credentials and gaining access to the bank accounts of the users to transfer funds. Wright et al. (2012) explain that smartphones provide an exceptional means of spreading malware, as phones provide immense storage, which makes it easy to implant malware in a smartphone via a mobile app.
2.3 Communication Interception
Gajar et al. (2013) explain that Bluetooth and Wi-Fi make mobile devices particularly vulnerable to attacks from malicious mobile apps, which can be used by attackers to infect a device. They acknowledged that mobile users may be tempted to accept a Wi-Fi or Bluetooth connection which may actually be malicious and capable of intercepting all the data to the connected mobile devices. O’Leary et al. (2016) also argue that smartphones that are Wi-Fi-enabled are particularly vulnerable to the same attacks that affect other Wi-Fi-enabled devices. They added that mobile apps that can be used to hack into wireless networks are easily accessible on the internet, which makes man-in-the-middle (MITM) and Wi-Fi attacks easy. This also makes it easy to intercept and decrypt cellular data transmissions once hackers exploit a weakness in a Wi-Fi protocol.
In conclusion, mobile apps are at great risk of unauthorized physical access because of their miniature physical attribute, which makes them vulnerable to theft. There also seems to be a consensus among researchers that the increased use of mobile ads is exposing mobile app users to significant attacks due to “malvertising.” However, what makes mobile devices particularly exposed to security breaches is that they still lack sophistication as regards secure anti-virus software, reliable configuration settings and firmware updates. In other words, non-business-oriented mobile apps or unauthorized apps can easily affect the device’s integrity as well as the private data it contains. Bluetooth and Wi-Fi connections also make mobile devices particularly vulnerable to attacks from malicious mobile apps, which can be used by attackers to infect a device. In many cases, mobile apps can be used to hack into wireless networks.
Use of traditional controls like tamper-proof passwords and secure screen locks is suggested to prevent access to private mobile apps. For mobile operating systems like iOS and Android, Hayikader et al. (2016) suggest that users can apply traditional access control to augment their security. This includes using stronger, more secure passwords that cannot be deduced by intruders. It also requires using screen locks whenever a mobile device is idle.
Mobile users should only access mobile apps that have been stamped with an author’s or vendor’s identity, such as digital signatures that are resistant to tampering. This allows a mobile user to select an app with a verifiable author.
Use of permissions-based access control and encryption is also recommended. According to Hayikader et al. (2016), permissions-based access control only allows specific apps within the scope of the permission to be accessed by the device. It also blocks mobile apps from performing actions that go beyond these permissions.
There is a need for greater emphasis on policymaking on the information security of mobile apps. There is also a need for collaboration among various stakeholders, such as information systems security experts, computer specialists, lawyers, management experts and even economists, with a view to establishing a cyber security policy. Wright et al. (2012) explain that collaboration among various stakeholders is significant as each stakeholder plays a crucial role in the creation of national and international cyber security standards. This will ensure that cyber security policies are upheld by the general society.
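The following added example (not code from the report or from any vendor or platform it cites) shows what "stamped with an author's or vendor's identity" means in practice: the device keeps a trust store of vendor public keys, and a package is only installed when a signature by a trusted vendor verifies over the exact bytes received. The vendor name "ExampleVendor", the package bytes and the fixed seed used to derive the key pair are all constructed for the example; it uses Ed25519 from the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Constructed sample: a fixed 32-byte seed standing in for the vendor's private
// signing key. A real vendor would generate this once and keep it offline.
var demoSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// VendorSigningKey derives the vendor's private key from the demo seed.
func VendorSigningKey() ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(demoSeed)
}

// SignPackage is the vendor's side: sign the SHA-256 digest of the package.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// TrustStore maps a vendor name to the public key the device trusts for it.
type TrustStore map[string]ed25519.PublicKey

// InstallDecision is the device's side. The package is accepted only if
//  1. the claimed vendor has a key in the trust store (a verifiable author), and
//  2. the signature verifies over the digest of the bytes actually received,
//     so any tampering after signing is detected.
func InstallDecision(ts TrustStore, vendor string, pkg, sig []byte) (bool, string) {
	pub, ok := ts[vendor]
	if !ok {
		return false, "reject: unknown vendor, no trusted key"
	}
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(pub, digest[:], sig) {
		return false, "reject: signature does not match package contents"
	}
	return true, "accept: package signed by " + vendor
}

func main() {
	priv := VendorSigningKey()
	ts := TrustStore{"ExampleVendor": priv.Public().(ed25519.PublicKey)}
	pkg := []byte("constructed app package bytes v1.0")
	sig := SignPackage(priv, pkg)

	fmt.Println(InstallDecision(ts, "ExampleVendor", pkg, sig))

	// Tampered package: one byte changed after signing.
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0x01
	fmt.Println(InstallDecision(ts, "ExampleVendor", tampered, sig))

	// Package from a vendor the device has never trusted.
	fmt.Println(InstallDecision(ts, "UnknownVendor", pkg, sig))
}
```

The check is deliberately deny-by-default: an unknown vendor and a modified package are both rejected, and the decision depends only on the trust store the device holds, not on anything the package claims about itself.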
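As an added illustration of permissions-based access control (example code, not from the report or from any mobile platform it cites), the model below keeps two sets per app: the permissions declared at install time and the subset the user has granted. Every action maps to one required permission, and a request is allowed only if that permission was both declared and granted; a grant for an undeclared permission is refused, so no dialog can widen an app beyond what it declared. The permission names, app names and actions are constructed for the example and are not a real platform's identifiers.

```go
package main

import "fmt"

// Permission is a constructed capability name gated by the device.
type Permission string

const (
	PermContacts Permission = "READ_CONTACTS"
	PermLocation Permission = "ACCESS_LOCATION"
	PermCamera   Permission = "CAMERA"
	PermSMS      Permission = "SEND_SMS"
)

// requiredFor maps each action an app can request to the permission it needs.
var requiredFor = map[string]Permission{
	"read_contacts": PermContacts,
	"get_location":  PermLocation,
	"take_photo":    PermCamera,
	"send_sms":      PermSMS,
}

// App records what was declared in the app's manifest and what the user granted.
type App struct {
	Name     string
	Declared map[Permission]bool
	Granted  map[Permission]bool
}

// NewApp creates an app whose manifest declares exactly the listed permissions.
func NewApp(name string, declared ...Permission) *App {
	a := &App{Name: name, Declared: map[Permission]bool{}, Granted: map[Permission]bool{}}
	for _, p := range declared {
		a.Declared[p] = true
	}
	return a
}

// Grant records a user decision. It refuses permissions the app never declared,
// so the granted set can never grow beyond the declared set.
func (a *App) Grant(p Permission) error {
	if !a.Declared[p] {
		return fmt.Errorf("%s did not declare %s; cannot grant it", a.Name, p)
	}
	a.Granted[p] = true
	return nil
}

// Authorize decides whether the app may perform an action. Deny by default:
// an unmapped action, an undeclared permission and an ungranted permission all fail.
func (a *App) Authorize(action string) (bool, string) {
	need, ok := requiredFor[action]
	if !ok {
		return false, "deny: action '" + action + "' is not mapped to any permission"
	}
	if !a.Declared[need] {
		return false, fmt.Sprintf("deny: %s never declared %s", a.Name, need)
	}
	if !a.Granted[need] {
		return false, fmt.Sprintf("deny: user has not granted %s to %s", need, a.Name)
	}
	return true, fmt.Sprintf("allow: %s may %s", a.Name, action)
}

func main() {
	// Constructed sample: a flashlight app that declares only the camera permission.
	app := NewApp("Flashlight", PermCamera)
	fmt.Println(app.Authorize("take_photo")) // denied: declared but not yet granted
	fmt.Println(app.Grant(PermCamera))       // <nil>
	fmt.Println(app.Authorize("take_photo")) // allowed
	fmt.Println(app.Authorize("send_sms"))   // denied: never declared
	fmt.Println(app.Grant(PermSMS))          // error: cannot grant an undeclared permission
}
```

Keeping the declared and granted sets separate is what lets the device block actions that go beyond an app's permissions while still giving the user the final say on each declared permission.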
References
Adhikari, R, Richards, D & Scott, K 2014, “Security and privacy issues related to the use of mobile health apps,” 25th Australasian Conference on Information Systems
Gajar, P, Ghosh, A & Rai, S 2013, “Bring your own device (BYOD): security risks and mitigating strategies,” Journal of Global Research in Computer Science, vol 4 no 4, pp.62-70
Hayikader, S, Hadi, F & Ibrahim, J 2016, “Issues and security measures of mobile banking apps,” International Journal of Scientific and Research Publications, vol 6 no 1, pp.36-41
O’Leary, D, Zimmermann, R & Grahn, A 2016, “Mobile Device Security in the Workplace: 5 Key Risks and a Surprising Challenge,” Forsythe Focus, viewed 18 Mar 2017, <http://focus.forsythe.com/articles/55/Mobile-Device-Security-in-the-Workplace-5-Key-Risks-and-a-Surprising-Challenge>
Ramachandran, R, Oh, T & Stackpole, W 2012, “Android Anti-Virus Analysis,” Annual Symposium on Information Assurance & Secure Knowledge Management, June 5-6, 2012, Albany, NY
Sarrab, M & Bourdoucen, H 2015, “Mobile Cloud Computing: Security Issues and Considerations,” Journal of Advances in Information Technology, vol 6 no 4, pp.248-251
Wright, J, Dawson, M & Omar, M 2012, “Cyber security and mobile threats: the need for antivirus applications for smart phones,” Journal of Information Systems Technology & Planning, vol 5 no 14, pp.1-9
Zineddine, M 2012, “Smart Phones: another IT Security scuffle,” International Conference on Internet Computing, Informatics in E-Business and Applied Computing, pp.1-10