Have you used your mobile phone today?
If so, you're at risk.

By Kevin De Snayer

Let’s see if I can guess your daily habits. You wake up, probably to an alarm from your mobile device, you roll over and check your email, schedule, and see what the day has in store. From there, you get ready for your day, starting off the morning with some light surfing of social media and news sites, order a coffee on the way to the office—potentially from a mobile app, and the day begins. Sound about right?

It’s okay if this sounds familiar. This is almost everyone’s daily routine—including mine. And the one common thread that ties this together, regardless of preferred apps, social sites, and so on, is the fact that your mobile device is at the epicenter of it all.

So, what’s the issue? After all, with more than 2.9 billion mobile devices worldwide, representing a total of 5 million apps available for download between the Apple app store and Google Play store, what could possible go wrong? Do you really want the answer?

Before we get into the real nitty gritty of mobile cyber security issues, let’s first talk about the nature of information on the device itself, and how it can pose a very real and imminent threat to data security.

Long before information leaves your phone, many private data files can be easily accessed by other people who may have access to your device, or through specific apps that may be granted access (or through special circumstances may natively have access to passwords for purchases, etc.), all these pose a threat. In fact, some apps can even access other apps—you see where this is going?

So now let’s discuss the connectivity issue. If people and apps can access information that in turn can be sent to … well … somewhere. This brings about an entirely new set of challenges. And to be clear, none of this is yet to be determined as nefarious. Apps are just apps, but they rely on data to perform their intended functions. It’s where the data goes that is the issue.

The first weak point in the chain is the server, as any information shared between the app and the host has to go through one. The best defense for server side vulnerabilities is to implement a simple scanning technology to ensure nothing is being shared that shouldn’t be shared.

Now, to get slightly technical for a moment, and I promise only for a moment, there is the issue of something called Insufficient Transport Layer Protection. In a nutshell, this is the route that data takes when leaving the device and traveling to the server itself and back again. If the transport layer is insufficiently secured, hackers can intercept the data. One of many ways to prevent this is to simply require a more robust SSL chain verification.

Okay, so now back to the not so technical, but equally important. Mobile device types such as iPhone and Android are always connected to the cloud—and the cloud is not some magical place that’s hosting your data, it’s just someone else’s computer. This connection means that the apps residing on those device types are in constant contact with each other and the outside world.

The biggest issue here is that app developers may not implement the best security protocols, meaning that your apps could be making security decisions on your behalf as to what to share and what not to share—unfortunately, sharing information that you wouldn’t on your worst day authorize. This can put you at risk. In these cases, it may be difficult to know what is being shared. This is where mobile device management together with mobile security can greatly help mitigate risk.

In all, I don’t mean to scare anyone—perhaps just a little if only for education and safety. Mobile devices remain a major security risk for companies of all sizes. The best defense, find a cyber security partner who knows how to lock these and many more issue down to ensure data remains safe, and people’s lives are not affected.

And if you’re interested, we are just a call away—that is if you dare use your mobile device to call us in the first place … maybe email would be better? Oh wait …