Mobile

4/16/2014
07:30 AM
50%
50%

Mobility: Who Bears The Brunt Of Data Security & Privacy

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

The way I see it, there are three key players when it comes to mobile data privacy and security: the OS manufacturers (Google, Apple, Microsoft); mobile app developers; and the device users themselves. Each party has a role to play but they are not equally responsible or capable of having a significant impact.

Why is this important? For one thing, smartphones are just that -- smart. With access to limitless apps, the Internet, social media, GPS, video camera, a microphone, and more -- today's mobile devices have made life much more efficient and convenient, but also less secure. With this convenience comes a responsibility to protect private user data contained on, as well as transmitted to and from the device. But where does the bulk of the responsibility fall? Let's discuss.

Manufacturers: innovation, patches, and transparency
When Apple and Google released the first smartphones back in 2007 and 2008, both companies knew that security was important and they added more security-focused functionality with each successive release. Yet, despite a continual focus on locking down the OS, in the intervening years, many exploits have been discovered and many more are sure to follow.

Late in 2013, we reached a tipping point on a global scale when smartphone shipments surpassed those of feature phones. At around the same time, we experienced two major exploits: Master Key for Android and GoToFail for Apple, both which shook the confidence of the software industry, particularly those responsible for the underlying OS technology that supports today's mobile devices. The exploits drove home the fact that Apple, Google and Microsoft must now drive greater security through innovative functionality like Apple's biometric fingerprint scanner on the iPhone 5s, by rapidly patching discovered exploits, and by making smartphone security more transparent and effective.

Developers: finding the right incentives
Mobile app development also plays a massive role in mobile data privacy. In fact, it is during the development process where the biggest impact on data security can occur. The problem is that mobile app developers have little incentive to place data security in the spotlight. The reason is simple: developers make money by selling apps and very few consumers are willing to pay for apps. Instead, people prefer free ad-supported versions, which include an ad-engine, which compensates developers based on the amount of user data that is collected.

From a security perspective, that creates a big mobile app development issue, an issue contained within the security of the app itself. Consider the recent SnapChat hack where an insecure application program interface (API) was used to collect 4.6 million user names and phone numbers. There was also the WhatsApp encryption oversight, where a static encryption key was used for storing SMS history, making it trivial for another app to export and decrypt the message log. These are pretty big oversights considering both companies are valued in the billons. If the OS manufacturers are doing their part to provide data security functionality, it is up to app developers to understand and implement this technology, making users data security a top priority.

Consumers: understanding the risks
Lastly are the device users themselves. This is where I would place the least burden for data privacy since the typical consumer is far from a data security expert. The consumer's motivation is to use the device to make life easier. Thinking about security doesn't fit into that mentality.

A reasonable expectation is for users to understand where risk lies and how to manage that risk. For example, a central problem of the app development process is that people are unwilling to purchase apps, despite the fact that a paid app without an ad-engine offers much greater protection against privacy compromise and data loss. As for problems stemming from poorly designed and easily exploited apps, the technology is already improving with app container solutions and phones with maximum security as the focus, such as the BlackPhone released at the 2014 Mobile World Congress.

There is a lot of work to be done to improve mobile data security, and no one party can do it alone. What is important is that data privacy and security remain a primary focus. As a society, we rapidly continue moving to a mobilized digital world with many amazing benefits -- let's just be sure that losing our privacy isn't one of the prices we have to pay.

Grayson Milbourne is the Security Intelligence Director for Internet security company Webroot. Over the past 10 years he has worked in various areas of the company, spending the past seven years focused on threat analysis. His areas of security intelligence expertise range ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 12:25:17 PM
Re: Changing consumer behavior on free apps
As a consumer, i really like the idea of having a security rating on an apps in the app store. That's a very simple idea -- but agreeing on the rating system would be a challenge!
gmilbourne
50%
50%
gmilbourne,
User Rank: Author
4/16/2014 | 12:22:20 PM
Re: Changing consumer behavior on free apps
I do agree and it is why I think consumers share the smallest burden when it comes to protecting their privacy on mobile devices. As for developer incentives, that is a really tough problem. One angle could be to provide higher app store rankings to apps which apply security to private data, such as a security certification. Think PCI-DSS but for private data on your device. I think something of the sort is going to be needed as we embrace the Internet of things. Basically a set of standards which ensures private data is treated securely on any device capable of sending that data elsewhere. Apps which have this standard will be more appealing to consumers as well and will lead to more app installs. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 8:27:57 AM
Changing consumer behavior on free apps
That's a really interesting point about making consumers understand the security consequences of using free versus ad-supported mobile apps. But I doubt that consumers will be too receptive to your idea. It's more incumbent on the developer community to push for better incentives for writing writing more secuire, ad-supported apps. Any ideas on what that might those incentives should look like? 
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.