Vulnerabilities / Threats
10/8/2012
02:47 PM

Does Mobile Antivirus Software Really Protect Smartphones?

Bad news: Many mobile antivirus apps are useless. Here's what mobile device management and mobile application management experts say you should focus on instead.

Notwithstanding platform differences and root access restrictions, Clay stated that mobile antivirus programs have a place: "If you cannot detect malicious software, there's potential for abuse or attack," he said. Still, enterprises need more than partial solutions. Aside from shifting their attention to MDM/MAM proper, how do security vendors cope?

Backend approaches, which are distinct from an app's on-device processes, are a popular option. Sean Sullivan, a security advisor with F-Secure Labs, said in an email that his company's products apply limited "heuristics on the client side" but that "full-fledged" behavioral analysis, though something his team would "really love," would require companies "to root/jailbreak the [device]." As a result, F-Secure uses emulation and automation on the back end to analyze potential new threats.

A similar approach is to assess the reputation of app sources, a tactic that Trend Micro--among other companies, such as Symantec--has developed.

This technique--which Clay characterized as "dynamic," with heuristic-like qualities--can consider not only an app's maliciousness but also its effects on battery life, bandwidth, and other variables. He said his team seeks to collaborate with app vendors by giving them access to reputation-based data and by vetting every app, an approach that he said allows companies to avoid "burdening the end user." It also provides a potential safety net for exploits that developers inadvertently leave open, applications developed in-house, and apps that were initially released in legitimate form only to be republished "in malicious form."

Tim Wyatt, lead security engineer for Lookout, similarly advocated an approach that does "most of the heavy lifting on the backend." In an interview, he stated that Lookout has built a mobile threat network of over 25 million registered devices that, according to the company's website, is "constantly analyzing threat data worldwide to identify and proactively block new mobile threats as soon as they emerge." He asserted that the "benefits from discovering telemetry of other users in our network are much bigger than [mere] detection."

In short, many antivirus apps provide little protection, but some security vendors manage to buck the trend, mostly by compensating for the root access limitation. Nevertheless, Wyatt asserted that there are "no one-size-fits-all solutions" and that businesses must adopt comprehensive strategies that fit their needs.

When it comes to such strategies, Mike Davis endorsed MDM/MAM tech that blacklists malicious programs and otherwise manages what can be installed on workplace devices. He said the long-term solution, however, involves separating work data from personal data--a capability that vendors such as RIM, with BlackBerry Balance, and AT&T, with Toggle, have begun to offer.

Nonetheless, MDM and MAM products might not complete the equation either. Davis also said workers need training. The best way to avoid problems is to not install questionable applications, he remarked, but some users knowingly download dangerous apps from unofficial marketplaces because they mistakenly believe benefits justify the risk.

Cisco representatives have similarly looked outside application-based protection, arguing that security measures should be built into networks themselves. Jack Danahy, director of IBM's Institute for Advanced Security, meanwhile, suggests a more low-tech consideration: that security might be simpler if users confine themselves to the apps they actually need for productivity, rather than trying to include--and protect--every function imaginable.
