With all the reports of mobile malware, vulnerabilities and attacks, things must seem pretty confusing to the consumer. Is the sky really falling? Let's explore some of the practical aspects of mobile security a bit from the consumer's point of view.
First off, it's always important to put these reports into perspective. Over the past few months, we've heard of malware in Google's Android Market, weaknesses in Apple's iOS and all sorts of other badness. Many, though not all, of these reports were released by folks who want to sell you a security add-on or service. That's not to say the reports were false, but their severity should always be taken with a grain of salt.
Yes, there's been a bunch of malware found in the Android Market. Those apps were removed. And there have been published vulnerabilities affecting Android and iOS, but by and large, the respective vendors are patching those.
So, rather than focus on the bad, let's take a look at the sorts of actionable things a consumer can do to use these fabulous devices more securely. There isn't likely to be a shortage of new problem announcements anytime soon, after all.
Let's start by understanding the risks a bit, in practical consumer terms. Without a doubt, the biggest risk any mobile device consumer faces is loss or theft of the device itself. If someone has your mobile device, chances are there's a wealth of juicy information they can farm from it, from passwords to emails and other documents. Here's where you need some perspective: More than likely, if someone finds your device (say, at the coffee shop where you misplaced it), they're either going to turn it in to lost and found or just steal it for their own use. The percentage of folks who would actually try to farm your data from the device is likely quite low. You need to be aware that the threat is real, but also that it isn't the inevitable result of losing your device.
Your second-biggest risk might be having your network communications intercepted by someone on the public Wi-Fi you're using. It's a much lower risk than losing your device, but it's a very trivial attack for someone to pull off. An attacker can run a network sniffing tool and sit in your coffee shop, capturing all of your network data, with pretty much zero chance of being caught or even noticed. Tools for this are easily available.
Now, let's address these two most prominent risks.
To avoid exposing sensitive data on your device:
* Avoid storing anything truly sensitive on the device. Perhaps you have a credit card you regularly use for Internet transactions. You can go ahead and use that in your mobile apps without storing it in the apps. If your app has a choice to "remember" your data, opt out. Same goes for passwords and other credentials in general. There's a trade-off, of course -- using your gadget is going to be more of a hassle because you'll be entering passwords, credit card numbers and other information more often.
* Get your apps from reputable sources. With iOS, that's pretty much Apple, unless you've jailbroken your device. Here's more free advice: Don't jailbreak your device! Whatever app security Apple has is completely circumvented when you jailbreak. This might not be a popular sentiment, but jailbreaking an iOS device is probably the worst thing you can do from a consumer security standpoint.
  For Android users, try to stick with the big Android Markets. Avoid the shadier ones. And stick with the "bigger" brand names that have been in the community for a while, have garnered many (high) reviews, and so on. Avoid the newest apps that sound like they're too good to be true -- they may well be.
* If you do want to store some sensitive data in an app, consider doing a bit of cursory analysis of the app. On iOS, there are freely available tools, like iPhone Explorer, that allow you to poke around a bit to see what files an app uses. Locate the app and dive into its file storage a bit. First and foremost, look for credentials being stored in plain text. You can also use tools like hexdump to look at database files, executable files and so on. Look for system credentials and other sensitive unencrypted data in these. If you find nothing, that doesn't mean it's safe, but it is likely that the app developer is at least taking some basic precautions to protect your info.
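The plain-text check described in the last item can be scripted once you have copied an app's files to your computer. This is an added example, not part of the original column: the key-name pattern, the directory layout and the sample file contents are all constructed assumptions.

```python
import os
import re
import tempfile

# Runs of 6+ printable ASCII bytes, the same idea as the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Credential-like key name followed by a value (assumed heuristic, not exhaustive).
CREDENTIAL_HINT = re.compile(
    rb"(?i)(pass(word|wd)?|secret|api[_-]?key|token|authorization)\W{1,20}[\w+/=.-]{4,}"
)

def find_plaintext_credentials(root):
    """Return sorted (relative_path, byte_offset, snippet) for each suspicious string."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            # Works on binary files too: only the readable runs are inspected.
            for run in PRINTABLE_RUN.finditer(data):
                hit = CREDENTIAL_HINT.search(run.group())
                if hit:
                    rel = os.path.relpath(path, root)
                    findings.append((rel, run.start() + hit.start(), hit.group().decode("ascii")))
    return sorted(findings)

def build_sample_app_dir():
    """Create a constructed copy of app storage: one leaky file, one opaque file."""
    root = tempfile.mkdtemp(prefix="app_copy_")
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    os.makedirs(os.path.join(root, "Documents"))
    # Binary-looking preferences blob with a password embedded in the clear.
    leaky = b"\x00\x01bplist\x00\x07username\x00alice\x00\x02password=hunter2-demo\x00\xff"
    with open(os.path.join(root, "Library", "Preferences", "settings.bin"), "wb") as fh:
        fh.write(leaky)
    # Non-printable bytes only, standing in for encrypted or compressed data.
    with open(os.path.join(root, "Documents", "cache.db"), "wb") as fh:
        fh.write(bytes(range(0, 32)) * 8)
    return root

if __name__ == "__main__":
    for rel, offset, snippet in find_plaintext_credentials(build_sample_app_dir()):
        print(f"{rel} @ byte {offset}: {snippet}")
```

As the column says, an empty result does not prove the app is safe; it only means nothing matched these simple patterns.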
To help prevent your data from being intercepted on a public Wi-Fi:
* Avoid public Wi-Fi. This isn't a great option for a lot of people, but it does ensure that your data won't be intercepted on the Wi-Fi. You should also be aware that 3G data is not a whole lot more secure, but it's at least nominally better against off-the-shelf attacks available today.
* Use a VPN. Without a doubt, your best defense against interception on that public Wi-Fi is a VPN from your mobile device to your destination network. There are cheap or even free VPN services available to consumers these days. Note that your data will be in plain text beyond that VPN endpoint (unless you also use SSL). Also, many employers provide VPN access for their employees. Use that if it's available to you.
* Use SSL whenever possible. You won't normally have the option of turning this on or off in an app, but if you're using a Web app, you might. When given the option, use SSL. If you want to see if your app uses SSL, it is relatively easy to set up a test rig to watch it in action. Set up a wireless share on your laptop, and run all network traffic through a proxy server (e.g., BurpSuite, WebScarab) on your laptop, and then observe how the app behaves. If your app is sending sensitive data -- including session credentials -- without encryption, avoid it at all costs.
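What the proxy in that test rig shows you can be triaged with a short script. This is an added example, not part of the original column: it assumes the device is explicitly configured to use the proxy, so unencrypted requests arrive with a full `http://` URL while SSL connections appear only as `CONNECT` tunnels, and it treats request bodies as form-encoded. The sample requests and the list of sensitive names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SENSITIVE_HEADERS = {"cookie", "authorization"}
SENSITIVE_PARAMS = re.compile(r"(?i)pass|token|session|secret")

# Constructed request heads as a proxy would receive them from the app.
SAMPLE_REQUESTS = [
    "CONNECT api.example.com:443 HTTP/1.1\r\nHost: api.example.com:443\r\n\r\n",
    "POST http://login.example.net/signin HTTP/1.1\r\nHost: login.example.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=alice&password=constructed-value",
    "GET http://cdn.example.org/feed?session_id=abc123 HTTP/1.1\r\n"
    "Host: cdn.example.org\r\nCookie: sid=abc123\r\n\r\n",
]

def audit_proxy_requests(raw_requests):
    """Return (host, verdict, exposed_items) for each request the proxy saw.

    verdict is "tls-tunnel" for CONNECT (contents hidden from the network)
    or "cleartext" for an absolute http:// request (readable by a sniffer).
    """
    report = []
    for raw in raw_requests:
        head, _, body = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        if method == "CONNECT":
            report.append((target.rsplit(":", 1)[0], "tls-tunnel", []))
            continue
        url = urlsplit(target)
        exposed = []
        # Session cookies and auth headers sent without encryption.
        for line in lines[1:]:
            name = line.partition(":")[0].strip().lower()
            if name in SENSITIVE_HEADERS:
                exposed.append("header:" + name)
        # Credential-like fields in the query string or form body.
        for key, _value in parse_qsl(url.query) + parse_qsl(body):
            if SENSITIVE_PARAMS.search(key):
                exposed.append("param:" + key)
        report.append((url.hostname, "cleartext", exposed))
    return report

if __name__ == "__main__":
    for host, verdict, exposed in audit_proxy_requests(SAMPLE_REQUESTS):
        print(host, verdict, ", ".join(exposed) or "-")
```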
These are just a few things you can do, but they're a pretty good start.
It's important to put things in perspective, especially as we're bombarded with reports of doom in the news. Of course we take some risks in using mobile devices. The thing to remember is to accept or reject risks from an objective and informed standpoint. Don't blindly accept things without doing at least some investigation.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.