Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

4/16/2014
07:30 AM
50%
50%

Mobility: Who Bears The Brunt Of Data Security & Privacy

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

The way I see it, there are three key players when it comes to mobile data privacy and security: the OS manufacturers (Google, Apple, Microsoft); mobile app developers; and the device users themselves. Each party has a role to play but they are not equally responsible or capable of having a significant impact.

Why is this important? For one thing, smartphones are just that -- smart. With access to limitless apps, the Internet, social media, GPS, video camera, a microphone, and more -- today's mobile devices have made life much more efficient and convenient, but also less secure. With this convenience comes a responsibility to protect private user data contained on, as well as transmitted to and from the device. But where does the bulk of the responsibility fall? Let's discuss.

Manufacturers: innovation, patches, and transparency
When Apple and Google released the first smartphones back in 2007 and 2008, both companies knew that security was important and they added more security-focused functionality with each successive release. Yet, despite a continual focus on locking down the OS, in the intervening years, many exploits have been discovered and many more are sure to follow.

Late in 2013, we reached a tipping point on a global scale when smartphone shipments surpassed those of feature phones. At around the same time, we experienced two major exploits: Master Key for Android and GoToFail for Apple, both which shook the confidence of the software industry, particularly those responsible for the underlying OS technology that supports today's mobile devices. The exploits drove home the fact that Apple, Google and Microsoft must now drive greater security through innovative functionality like Apple's biometric fingerprint scanner on the iPhone 5s, by rapidly patching discovered exploits, and by making smartphone security more transparent and effective.

Developers: finding the right incentives
Mobile app development also plays a massive role in mobile data privacy. In fact, it is during the development process where the biggest impact on data security can occur. The problem is that mobile app developers have little incentive to place data security in the spotlight. The reason is simple: developers make money by selling apps and very few consumers are willing to pay for apps. Instead, people prefer free ad-supported versions, which include an ad-engine, which compensates developers based on the amount of user data that is collected.

From a security perspective, that creates a big mobile app development issue, an issue contained within the security of the app itself. Consider the recent SnapChat hack where an insecure application program interface (API) was used to collect 4.6 million user names and phone numbers. There was also the WhatsApp encryption oversight, where a static encryption key was used for storing SMS history, making it trivial for another app to export and decrypt the message log. These are pretty big oversights considering both companies are valued in the billons. If the OS manufacturers are doing their part to provide data security functionality, it is up to app developers to understand and implement this technology, making users data security a top priority.

Consumers: understanding the risks
Lastly are the device users themselves. This is where I would place the least burden for data privacy since the typical consumer is far from a data security expert. The consumer's motivation is to use the device to make life easier. Thinking about security doesn't fit into that mentality.

A reasonable expectation is for users to understand where risk lies and how to manage that risk. For example, a central problem of the app development process is that people are unwilling to purchase apps, despite the fact that a paid app without an ad-engine offers much greater protection against privacy compromise and data loss. As for problems stemming from poorly designed and easily exploited apps, the technology is already improving with app container solutions and phones with maximum security as the focus, such as the BlackPhone released at the 2014 Mobile World Congress.

There is a lot of work to be done to improve mobile data security, and no one party can do it alone. What is important is that data privacy and security remain a primary focus. As a society, we rapidly continue moving to a mobilized digital world with many amazing benefits -- let's just be sure that losing our privacy isn't one of the prices we have to pay.

Grayson Milbourne is the Security Intelligence Director for Internet security company Webroot. Over the past 10 years he has worked in various areas of the company, spending the past seven years focused on threat analysis. His areas of security intelligence expertise range ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 12:25:17 PM
Re: Changing consumer behavior on free apps
As a consumer, i really like the idea of having a security rating on an apps in the app store. That's a very simple idea -- but agreeing on the rating system would be a challenge!
gmilbourne
50%
50%
gmilbourne,
User Rank: Author
4/16/2014 | 12:22:20 PM
Re: Changing consumer behavior on free apps
I do agree and it is why I think consumers share the smallest burden when it comes to protecting their privacy on mobile devices. As for developer incentives, that is a really tough problem. One angle could be to provide higher app store rankings to apps which apply security to private data, such as a security certification. Think PCI-DSS but for private data on your device. I think something of the sort is going to be needed as we embrace the Internet of things. Basically a set of standards which ensures private data is treated securely on any device capable of sending that data elsewhere. Apps which have this standard will be more appealing to consumers as well and will lead to more app installs. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 8:27:57 AM
Changing consumer behavior on free apps
That's a really interesting point about making consumers understand the security consequences of using free versus ad-supported mobile apps. But I doubt that consumers will be too receptive to your idea. It's more incumbent on the developer community to push for better incentives for writing writing more secuire, ad-supported apps. Any ideas on what that might those incentives should look like? 
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7843
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Insufficient input validation vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7846
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper error handling vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7847
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Improper Restriction of XML External Entity Reference ('XXE') vulnerability. Successful exploitation could lead to Arbitrary read access to the file system in the context of the current user.
CVE-2019-7848
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have an Inadequate access control vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.
CVE-2019-7850
PUBLISHED: 2019-07-18
Adobe Campaign Classic version 18.10.5-8984 and earlier versions have a Command injection vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user.