Note: This is a re-created post. Find the original content by using reference links (PFB).

Mobile platforms are going to be harder to secure

Lost and stolen

Lost and stolen smartphones and other mobile devices are the biggest mobile security threat to enterprises, according to security experts watching the evolving threat landscape. Yet, the hype around malware would lead users to believe otherwise.
The risk of an employee leaving their smartphone behind at a restaurant or bar and having it fall into the wrong hands is far greater than an employee downloading malware onto their device.
Device owners rarely use a passphrase or code to prevent unauthorized access to their device. That leaves the phone wide open to a thief. Contacts, email messages and data saved in some applications can be easily accessed by the average criminal. Most enterprise mobile security software suites have device location and wipe features, but a lack of security policy around personally owned devices means many employees and their organizations remain at risk. By the time a device is reported lost or stolen, a thief could already have made off with the data.
Near field communications (NFC)

The potential still exists for a sustained and exponential increase in mobile device attacks, but it will likely take years before cybercriminals flock from the desktop to mobile devices, one security expert said. New payment technologies, such as near field communications (NFC), which can turn any smartphone into a virtual credit card, may make attackers take a closer look at mobile platforms.

Fewer security controls

The attack surface is much greater on mobile devices and there are far fewer security controls. You can do everything you can do on a laptop, but you also have other things like location information, an SMS channel, voice dialing, a camera and sensors that are a potential way in. These are still early days, and we still need to get a handle on the new risks and threat models and learn how to use the security strengths of the mobile platforms correctly.

Geolocation madness

A device user’s location can be an extremely valuable piece of data for marketers. It also can add important and valuable functionality for certain applications.

Privacy protection legislation will mostly address location-based services, but look for loopholes put in place for mobile carriers and other entities. We’re going to see indiscriminate use of location-based information become a crime. Cybercriminals could eventually latch onto the location-based services trend with malware and other tricks that use location data to trick users into giving up more sensitive information about themselves, including account credentials.

Excessive permissions

Application permission requests were built into mobile platforms as a way to improve security, but those notifications, which require the end user to confirm how much of the device an application can reach, are largely disregarded by device users. People are quick to choose functionality over security and privacy. Most device owners continue to grant applications elevated privileges, which means the latest game they downloaded may have the ability to tap into the device’s messaging app or location data.

Carrier IQ software
This diagnostics application was placed on some devices by mobile carriers, but the software was not always optional, and in many cases users didn’t even know it was on their devices. Security and privacy advocates were outraged because the software could report GPS location data, record which dialer buttons were being pressed and the URLs being visited by device owners.

Unsecure Wi-Fi

Most devices automatically roam for the nearest open Wi-Fi hotspot. Unfortunately, automated tools make it easy for just about anyone to snoop on people or even take over their browsing session. Researchers have demonstrated that by using basic tools of the trade they could take over a person’s unsecure webmail session, Twitter or other social media account. Many services, including Google, have responded, supporting encrypted sessions that protect users on open Wi-Fi, but the threat remains.

Websites that don’t use SSL/TLS encryption correctly could be putting smartphone users at risk to a well-known Wi-Fi hotspot attack called sidejacking.
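The misconfiguration behind sidejacking is usually a session cookie that is not marked Secure, so the browser also sends it over plain http:// where a hotspot sniffer can copy it. The following header audit is an added example, not code from the original post; the header blocks and the session-cookie name hints are constructed assumptions.

```python
# Added example (not from the original post): audit HTTP response headers for the
# misconfiguration that enables sidejacking on open Wi-Fi. A session cookie without
# the Secure flag is also sent over plain http://, where it can be copied and replayed.

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")  # assumed naming heuristics


def parse_set_cookies(raw_headers):
    """Return a list of (cookie_name, {attribute: value}) for every Set-Cookie header."""
    cookies = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, value = attr.partition("=")
            attrs[key.strip().lower()] = value.strip()
        cookies.append((name, attrs))
    return cookies


def audit_headers(raw_headers):
    """Return a list of findings; an empty list means no sidejacking exposure was found."""
    findings = []
    if "strict-transport-security:" not in raw_headers.lower():
        findings.append("no HSTS header: a first http:// request can be downgraded")
    for name, attrs in parse_set_cookies(raw_headers):
        if not any(hint in name.lower() for hint in SESSION_HINTS):
            continue  # a theme or language cookie is not worth stealing
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: sent in the clear over Wi-Fi")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: readable by injected script")
    return findings


# Constructed responses: one exposed to sidejacking, one hardened.
WEAK = (
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
)
HARDENED = (
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
)

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(headers) or ["ok"])
```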

Mobile application vulnerabilities

The Google Android and Apple iOS app stores have given rise to a new crop of mobile application developers. Mobile application frameworks lack maturity, and when combined with the need for speed, that has resulted in applications with shoddy code, flaws and functionality that is not needed. Some developers churn out new mobile applications too quickly. Researchers studying mobile applications are finding a lot of coding errors. Speed leads to costly mistakes, such as authentication or authorization errors, poor file-system permissions and application permissions that are too lax.

Mobile operating system threats: ANDROID

Android has been the most successful mobile operating system this year and holds more than 50% of the market. This success has made it a target: rivals as well as cybercriminals have produced various malicious applications for Android. All these activities are being carried out to anger Android users and kill Google’s market.
Google has taken action to delete more than a dozen cloned applications hosted on its Android Market after they were found to be malicious, racking up expensive text messaging charges on owners’ smartphones. Google’s reaction was quick, but not quick enough: at least ten thousand users had downloaded one of the malicious apps from the list.

One of the most widespread hidden Trojans is called DroidDream, which gives cybercriminals the ability to break out of Android’s built-in application security sandbox.

Flawed Android Apps

Mobile developers building applications for Android devices are making many of the same mistakes as enterprise developers, and those poor coding practices may be rendering encryption and other security features ineffective.

Hard-code cryptographic keys

Developers sometimes hard-code cryptographic keys to make it easier to develop the application.
40% of Android applications contain at least one instance of hard-coded cryptographic keys. The practice gives every user of an application the same encryption key, which is similar to everyone within an organization using the same password to secure their data. Because Android applications are easy to decompile, an attacker can easily extract and publicize hard-coded keys.
Coding errors abound in mobile apps because the tools and frameworks for building them are less mature.
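A developer or auditor can catch the hard-coded key pattern described above before the app ships by scanning the source for key material built from literals. The scanner below is an added example, not code from the original post; the Java lines it scans are constructed, and the regexes are heuristics rather than a full parser.

```python
import re

# Added example (not from the original post): a static check for hard-coded key
# material in Android Java source. The Java snippet is constructed; the regexes are
# heuristics and will miss keys that are obfuscated or split across lines.

# Key or IV material built straight from a literal: "...".getBytes(...) or new byte[]{...}
LITERAL_KEY = re.compile(
    r'new\s+(SecretKeySpec|IvParameterSpec)\s*\(\s*'
    r'(?:"[^"]*"\s*\.getBytes\s*\([^)]*\)|new\s+byte\s*\[\s*\]\s*\{[^}]*\})'
)
# A String constant whose name hints at key material and whose value looks like hex/base64.
KEY_CONSTANT = re.compile(
    r'String\s+(\w*(?:KEY|SECRET)\w*)\s*=\s*"([A-Za-z0-9+/=]{16,})"', re.IGNORECASE
)


def find_hardcoded_keys(java_source):
    """Return [(line_number, reason)] for each suspicious line in the given Java source."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        if LITERAL_KEY.search(line):
            findings.append((lineno, "key material built from a literal"))
        match = KEY_CONSTANT.search(line)
        if match:
            findings.append((lineno, f"constant {match.group(1)} holds a key-like literal"))
    return findings


# Constructed Java lines: 1-3 give every user of the app the same key, while 4-5 load a
# per-device key from the keystore so nothing decompilable contains it.
SAMPLE = "\n".join([
    'private static final String KEY = "0123456789abcdef0123456789abcdef";',
    'SecretKeySpec key = new SecretKeySpec("s3cr3tp4ssw0rd!!".getBytes("UTF-8"), "AES");',
    'IvParameterSpec iv = new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0});',
    'SecretKey fromStore = (SecretKey) keyStore.getKey(alias, null);',
    'SecretKeySpec safe = new SecretKeySpec(fromStore.getEncoded(), "AES");',
])

if __name__ == "__main__":
    for lineno, reason in find_hardcoded_keys(SAMPLE):
        print(f"line {lineno}: {reason}")
```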

Application permissions
As with all Android applications, users must choose to allow the permissions requested by an application before it can be installed. Permissions are displayed by the Android operating system under broad headings that summarize the implications of the permissions requested. For example, the permission to allow an application to send SMS or MMS messages is organized under the easy-to-understand heading “Services that cost you money”. Understanding these permissions can help users avoid applications which make unnecessary requests. In this particular instance, the application asks for permission to send SMS messages, a service that will cost you money (something users should think twice about before accepting and proceeding with the install).
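The grouping the installer performs can be reproduced from an app's manifest before installing it, which makes a game that asks for SEND_SMS stand out. The checker below is an added example, not code from the original post; the heading mapping is an assumed, abbreviated version of Android's, and the manifest is constructed.

```python
import xml.etree.ElementTree as ET

# Added example (not from the original post): group an app's requested permissions
# under the broad installer headings the text describes. The heading mapping is an
# assumed, abbreviated version of Android's; the manifest below is constructed.

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COSTS_MONEY = "Services that cost you money"
PERMISSION_GROUPS = {
    "android.permission.SEND_SMS": COSTS_MONEY,
    "android.permission.CALL_PHONE": COSTS_MONEY,
    "android.permission.READ_SMS": "Your messages",
    "android.permission.RECEIVE_SMS": "Your messages",
    "android.permission.ACCESS_FINE_LOCATION": "Your location",
    "android.permission.ACCESS_COARSE_LOCATION": "Your location",
    "android.permission.READ_CONTACTS": "Your personal information",
    "android.permission.INTERNET": "Network communication",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def group_permissions(manifest_xml):
    """Map requested permissions to their heading; unknown ones fall under 'Other'."""
    groups = {}
    for perm in requested_permissions(manifest_xml):
        groups.setdefault(PERMISSION_GROUPS.get(perm, "Other"), []).append(perm)
    return groups


def think_twice(manifest_xml):
    """Permissions that can cost the owner money; a puzzle game should need none."""
    return group_permissions(manifest_xml).get(COSTS_MONEY, [])


# Constructed manifest for a simple game that also asks to send SMS and read location.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
</manifest>"""

if __name__ == "__main__":
    for heading, perms in group_permissions(GAME_MANIFEST).items():
        print(f"{heading}: {perms}")
    print("Think twice about:", think_twice(GAME_MANIFEST))
```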

Android’s success makes it a target
Microsoft is using the latest malware campaign aimed at rival Android to give away new Windows 7 Phones to the five Android users who tell the best tales of woe.

Other platforms won’t be safe either
We’ve already seen it done in the Android Market and we’re bound to see it happen on other platforms. Rather than traditional desktop malware, “Trojanized” applications could initially cause trouble for individual owners and ultimately be a problem for enterprises. Attackers could steal account credentials and use them against corporate networks, or they can tap into freely available information, such as data found on Facebook and other social networks, to conduct targeted social engineering attacks against employees. In other words, if someone loses their phone and an attacker gets access to that application, the attacker could basically get access to all the data that everyone in the organization can access.

Conclusion: Even though we don’t know how everything is going to get attacked, we can still be prudent in how we go about building mobile applications.