Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

4/16/2014
07:30 AM
50%
50%

Mobility: Who Bears The Brunt Of Data Security & Privacy

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

The way I see it, there are three key players when it comes to mobile data privacy and security: the OS manufacturers (Google, Apple, Microsoft); mobile app developers; and the device users themselves. Each party has a role to play but they are not equally responsible or capable of having a significant impact.

Why is this important? For one thing, smartphones are just that -- smart. With access to limitless apps, the Internet, social media, GPS, video camera, a microphone, and more -- today's mobile devices have made life much more efficient and convenient, but also less secure. With this convenience comes a responsibility to protect private user data contained on, as well as transmitted to and from the device. But where does the bulk of the responsibility fall? Let's discuss.

Manufacturers: innovation, patches, and transparency
When Apple and Google released the first smartphones back in 2007 and 2008, both companies knew that security was important and they added more security-focused functionality with each successive release. Yet, despite a continual focus on locking down the OS, in the intervening years, many exploits have been discovered and many more are sure to follow.

Late in 2013, we reached a tipping point on a global scale when smartphone shipments surpassed those of feature phones. At around the same time, we experienced two major exploits: Master Key for Android and GoToFail for Apple, both which shook the confidence of the software industry, particularly those responsible for the underlying OS technology that supports today's mobile devices. The exploits drove home the fact that Apple, Google and Microsoft must now drive greater security through innovative functionality like Apple's biometric fingerprint scanner on the iPhone 5s, by rapidly patching discovered exploits, and by making smartphone security more transparent and effective.

Developers: finding the right incentives
Mobile app development also plays a massive role in mobile data privacy. In fact, it is during the development process where the biggest impact on data security can occur. The problem is that mobile app developers have little incentive to place data security in the spotlight. The reason is simple: developers make money by selling apps and very few consumers are willing to pay for apps. Instead, people prefer free ad-supported versions, which include an ad-engine, which compensates developers based on the amount of user data that is collected.

From a security perspective, that creates a big mobile app development issue, an issue contained within the security of the app itself. Consider the recent SnapChat hack where an insecure application program interface (API) was used to collect 4.6 million user names and phone numbers. There was also the WhatsApp encryption oversight, where a static encryption key was used for storing SMS history, making it trivial for another app to export and decrypt the message log. These are pretty big oversights considering both companies are valued in the billons. If the OS manufacturers are doing their part to provide data security functionality, it is up to app developers to understand and implement this technology, making users data security a top priority.

Consumers: understanding the risks
Lastly are the device users themselves. This is where I would place the least burden for data privacy since the typical consumer is far from a data security expert. The consumer's motivation is to use the device to make life easier. Thinking about security doesn't fit into that mentality.

A reasonable expectation is for users to understand where risk lies and how to manage that risk. For example, a central problem of the app development process is that people are unwilling to purchase apps, despite the fact that a paid app without an ad-engine offers much greater protection against privacy compromise and data loss. As for problems stemming from poorly designed and easily exploited apps, the technology is already improving with app container solutions and phones with maximum security as the focus, such as the BlackPhone released at the 2014 Mobile World Congress.

There is a lot of work to be done to improve mobile data security, and no one party can do it alone. What is important is that data privacy and security remain a primary focus. As a society, we rapidly continue moving to a mobilized digital world with many amazing benefits -- let's just be sure that losing our privacy isn't one of the prices we have to pay.

Grayson Milbourne is the Security Intelligence Director for Internet security company Webroot. Over the past 10 years he has worked in various areas of the company, spending the past seven years focused on threat analysis. His areas of security intelligence expertise range ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 12:25:17 PM
Re: Changing consumer behavior on free apps
As a consumer, i really like the idea of having a security rating on an apps in the app store. That's a very simple idea -- but agreeing on the rating system would be a challenge!
gmilbourne
50%
50%
gmilbourne,
User Rank: Author
4/16/2014 | 12:22:20 PM
Re: Changing consumer behavior on free apps
I do agree and it is why I think consumers share the smallest burden when it comes to protecting their privacy on mobile devices. As for developer incentives, that is a really tough problem. One angle could be to provide higher app store rankings to apps which apply security to private data, such as a security certification. Think PCI-DSS but for private data on your device. I think something of the sort is going to be needed as we embrace the Internet of things. Basically a set of standards which ensures private data is treated securely on any device capable of sending that data elsewhere. Apps which have this standard will be more appealing to consumers as well and will lead to more app installs. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 8:27:57 AM
Changing consumer behavior on free apps
That's a really interesting point about making consumers understand the security consequences of using free versus ad-supported mobile apps. But I doubt that consumers will be too receptive to your idea. It's more incumbent on the developer community to push for better incentives for writing writing more secuire, ad-supported apps. Any ideas on what that might those incentives should look like? 
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12162
PUBLISHED: 2019-07-23
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
CVE-2018-18669
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board title contents" parameter, aka the adm/board_form_update.php bo_subject parameter.
CVE-2019-10101
PUBLISHED: 2019-07-23
Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function Jsi_ValueArrayIndex (jsiValue.c:366). The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3.
CVE-2019-9815
PUBLISHED: 2019-07-23
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thre...
CVE-2019-9816
PUBLISHED: 2019-07-23
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supp...