Does Mobile Antivirus Software Really Protect Smartphones?

Bad news: Many mobile antivirus apps are useless. Here's what mobile device management and mobile application management experts say you should focus on instead.

Notwithstanding platform differences and root access restrictions, Clay stated that mobile antivirus programs have a place: "If you cannot detect malicious software, there's potential for abuse or attack," he said. Still, enterprises need more than partial solutions. Aside from shifting their attention to MDM/MAM proper, how do security vendors cope?

Backend approaches, which are distinct from an app's on-device processes, are a popular option. Sean Sullivan, a security advisor with F-Secure Labs, said in an email that his company's products apply limited "heuristics on the client side" but that "full-fledged" behavioral analysis, though something his team would "really love," would require companies "to root/jailbreak the [device]." As a result, F-Secure uses emulation and automation on the back end to analyze potential new threats.

A similar approach is to assess the reputation of app sources, a tactic that Trend Micro--among other companies, such as Symantec--has developed.

This technique--which Clay characterized as "dynamic," with heuristic-like qualities--can consider not only an app's maliciousness but also its effects on battery life, bandwidth, and other variables. He said his team seeks to collaborate with app vendors by giving them access to reputation-based data and by vetting every app, an approach that he said allows companies to avoid "burdening the end user." It also provides a potential safety net for exploits that developers inadvertently leave open, applications developed in-house, and apps that were initially released in legitimate form only to be republished "in malicious form."

Tim Wyatt, lead security engineer for Lookout, similarly advocated an approach that does "most of the heavy lifting on the backend." In an interview, he stated that Lookout has built a mobile threat network of over 25 million registered devices that, according to the company's website, is "constantly analyzing threat data worldwide to identify and proactively block new mobile threats as soon as they emerge." He asserted that the "benefits from discovering telemetry of other users in our network are much bigger than [mere] detection."

In short, many antivirus apps provide little protection, but some security vendors manage to buck the trend, mostly by compensating for the root access limitation. Nevertheless, Wyatt asserted that there are "no one-size-fits-all solutions" and that businesses must adopt comprehensive strategies that fit their needs.

When it comes to such strategies, Mike Davis endorsed MDM/MAM tech that blacklists malicious programs and otherwise manages what can be installed on workplace devices. He said the long-term solution, however, involves separating work data from personal data--a capability that vendors such as RIM, with BlackBerry Balance, and AT&T, with Toggle, have begun to offer.

Nonetheless, MDM and MAM products might not complete the equation either. Davis also said workers need training. The best way to avoid problems is to not install questionable applications, he remarked, but some users knowingly download dangerous apps from unofficial marketplaces because they mistakenly believe benefits justify the risk.

Cisco representatives have similarly looked beyond application-based protection, arguing that security measures should be built into the networks themselves. Jack Danahy, director of IBM's Institute for Advanced Security, meanwhile, suggests a more low-tech consideration: security might be simpler if users confine themselves to the apps they actually need for productivity, rather than trying to include--and protect--every function imaginable.
