10/8/2012 02:47 PM

Does Mobile Antivirus Software Really Protect Smartphones?

Bad news: Many mobile antivirus apps are useless. Here's what mobile device management and mobile application management experts say you should focus on instead.

Notwithstanding platform differences and root access restrictions, Clay stated that mobile antivirus programs have a place: "If you cannot detect malicious software, there's potential for abuse or attack," he said. Still, enterprises need more than partial solutions. Aside from shifting their attention to MDM/MAM proper, how do security vendors cope?

Backend approaches, which are distinct from an app's on-device processes, are a popular option. Sean Sullivan, a security advisor with F-Secure Labs, said in an email that his company's products apply limited "heuristics on the client side" but that "full-fledged" behavioral analysis, though something his team would "really love," would require companies "to root/jailbreak the [device]." As a result, F-Secure uses emulation and automation on the back end to analyze potential new threats.

A similar approach is to assess the reputation of app sources, a tactic that Trend Micro--among other companies, such as Symantec--has developed.

This technique--which Clay characterized as "dynamic," with heuristic-like qualities--can consider not only an app's maliciousness but also its effects on battery life, bandwidth, and other variables. He said his team seeks to collaborate with app vendors by giving them access to reputation-based data and by vetting every app, an approach that he said allows companies to avoid "burdening the end user." It also provides a potential safety net for exploits that developers inadvertently leave open, applications developed in-house, and apps that were initially released in legitimate form only to be republished "in malicious form."

Tim Wyatt, lead security engineer for Lookout, similarly advocated an approach that does "most of the heavy lifting on the backend." In an interview, he stated that Lookout has built a mobile threat network of over 25 million registered devices that, according to the company's website, is "constantly analyzing threat data worldwide to identify and proactively block new mobile threats as soon as they emerge." He asserted that the "benefits from discovering telemetry of other users in our network are much bigger than [mere] detection."
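The two preceding sections describe backend app reputation built from device telemetry: vendors aggregate what many devices observe about an app, weigh side effects such as battery drain alongside malicious behaviour, and must avoid letting a repackaged binary inherit the trust earned by the legitimate original. The following is an added illustration of that aggregation, written for this page; it is not Trend Micro's, Lookout's or any vendor's code. The report schema, the `(package, sha256)` keying, the field names and the thresholds are all assumptions chosen for the example, and the device reports are constructed.

```python
"""Backend app-reputation aggregation over constructed device telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AppReport:
    """One device's observation of an installed app (assumed schema)."""
    device_id: str
    package: str
    sha256: str                  # hash of the installed binary, not just its name
    source: str                  # "official_store" or "unofficial"
    flagged: bool                # the device's limited client-side heuristics alerted
    battery_pct_per_hour: float  # measured drain while the app was running


class ReputationService:
    """Keys every verdict on (package, sha256) so that a binary republished
    under a well-known package name starts from zero reputation."""

    def __init__(self, min_reports: int = 3, block_ratio: float = 0.25,
                 battery_limit: float = 5.0):
        self.min_reports = min_reports      # prevalence needed before trusting
        self.block_ratio = block_ratio      # share of flagged devices that blocks
        self.battery_limit = battery_limit  # average %/hour considered abusive
        self._reports: Dict[Tuple[str, str], List[AppReport]] = defaultdict(list)

    def ingest(self, report: AppReport) -> None:
        """Store one report per device per binary; a re-submission replaces."""
        key = (report.package, report.sha256)
        kept = [r for r in self._reports[key] if r.device_id != report.device_id]
        self._reports[key] = kept + [report]

    def report_count(self, package: str, sha256: str) -> int:
        return len(self._reports.get((package, sha256), []))

    def verdict(self, package: str, sha256: str) -> str:
        """Return "unknown", "suspicious", "block" or "trusted" for one binary."""
        reports = self._reports.get((package, sha256), [])
        n = len(reports)
        if n == 0:
            return "unknown"
        flagged = sum(r.flagged for r in reports)
        unofficial = sum(r.source != "official_store" for r in reports)
        if n < self.min_reports:
            # Too little telemetry to trust; any alert or sideloading keeps it suspicious.
            return "suspicious" if (flagged or unofficial) else "unknown"
        if flagged / n >= self.block_ratio:
            return "block"          # enough independent devices saw bad behaviour
        if unofficial > n / 2:
            return "suspicious"     # mostly sideloaded builds are reviewed before trust
        return "trusted"

    def battery_hog(self, package: str, sha256: str) -> bool:
        """Side-effect signal: average drain across reporting devices."""
        reports = self._reports.get((package, sha256), [])
        if not reports:
            return False
        avg = sum(r.battery_pct_per_hour for r in reports) / len(reports)
        return avg > self.battery_limit


def build_sample_service() -> ReputationService:
    """Load constructed telemetry: a clean app, a repackaged copy of it, and a hog."""
    svc = ReputationService()
    for i in range(5):  # legitimate notes app, widely installed from the store
        svc.ingest(AppReport(f"dev-{i}", "com.example.notes", "hash-notes-v1",
                             "official_store", False, 1.0))
    for i in range(2):  # same package name, different binary, sideloaded, one alert
        svc.ingest(AppReport(f"dev-{10 + i}", "com.example.notes", "hash-notes-repack",
                             "unofficial", i == 0, 1.2))
    for i in range(8):  # "flashlight" app: 3 of 8 devices flagged it, heavy drain
        svc.ingest(AppReport(f"dev-{20 + i}", "com.example.flashlight", "hash-flash",
                             "unofficial" if i < 5 else "official_store", i < 3, 9.0))
    svc.ingest(AppReport("dev-0", "com.example.notes", "hash-notes-v1",
                         "official_store", False, 1.1))  # duplicate device, replaces
    return svc


if __name__ == "__main__":
    svc = build_sample_service()
    for pkg, digest in [("com.example.notes", "hash-notes-v1"),
                        ("com.example.notes", "hash-notes-repack"),
                        ("com.example.flashlight", "hash-flash")]:
        print(pkg, digest, svc.verdict(pkg, digest), "hog" if svc.battery_hog(pkg, digest) else "")
```

The point to notice is in `verdict`: the repackaged notes binary is judged on its own two reports and comes out "suspicious" even though the package name has five clean installs behind it, while the flashlight app is blocked network-wide once a quarter of the devices that run it raise an alert, which is the telemetry benefit Wyatt describes.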

In short, many antivirus apps provide little protection, but some security vendors manage to buck the trend, mostly by compensating for the root access limitation. Nevertheless, Wyatt asserted that there are "no one-size-fits-all solutions" and that businesses must adopt comprehensive strategies that fit their needs.

When it comes to such strategies, Mike Davis endorsed MDM/MAM tech that blacklists malicious programs and otherwise manages what can be installed on workplace devices. He said the long-term solution, however, involves separating work data from personal data--a capability that vendors such as RIM, with BlackBerry Balance, and AT&T, with Toggle, have begun to offer.

Nonetheless, MDM and MAM products might not complete the equation either. Davis also said workers need training. The best way to avoid problems is to not install questionable applications, he remarked, but some users knowingly download dangerous apps from unofficial marketplaces because they mistakenly believe benefits justify the risk.

Cisco representatives have similarly looked beyond application-based protection, arguing that security measures should be built into the networks themselves. Jack Danahy, director of IBM's Institute for Advanced Security, meanwhile, suggests a lower-tech consideration: that security might be simpler if users confine themselves to the apps they actually need for productivity, rather than trying to include--and protect--every function imaginable.

Page 2 of 2