Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

4/16/2014
07:30 AM
50%
50%

Mobility: Who Bears The Brunt Of Data Security & Privacy

OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.

The way I see it, there are three key players when it comes to mobile data privacy and security: the OS manufacturers (Google, Apple, Microsoft); mobile app developers; and the device users themselves. Each party has a role to play but they are not equally responsible or capable of having a significant impact.

Why is this important? For one thing, smartphones are just that -- smart. With access to limitless apps, the Internet, social media, GPS, video camera, a microphone, and more -- today's mobile devices have made life much more efficient and convenient, but also less secure. With this convenience comes a responsibility to protect private user data contained on, as well as transmitted to and from the device. But where does the bulk of the responsibility fall? Let's discuss.

Manufacturers: innovation, patches, and transparency
When Apple and Google released the first smartphones back in 2007 and 2008, both companies knew that security was important and they added more security-focused functionality with each successive release. Yet, despite a continual focus on locking down the OS, in the intervening years, many exploits have been discovered and many more are sure to follow.

Late in 2013, we reached a tipping point on a global scale when smartphone shipments surpassed those of feature phones. At around the same time, we experienced two major exploits: Master Key for Android and GoToFail for Apple, both which shook the confidence of the software industry, particularly those responsible for the underlying OS technology that supports today's mobile devices. The exploits drove home the fact that Apple, Google and Microsoft must now drive greater security through innovative functionality like Apple's biometric fingerprint scanner on the iPhone 5s, by rapidly patching discovered exploits, and by making smartphone security more transparent and effective.

Developers: finding the right incentives
Mobile app development also plays a massive role in mobile data privacy. In fact, it is during the development process where the biggest impact on data security can occur. The problem is that mobile app developers have little incentive to place data security in the spotlight. The reason is simple: developers make money by selling apps and very few consumers are willing to pay for apps. Instead, people prefer free ad-supported versions, which include an ad-engine, which compensates developers based on the amount of user data that is collected.

From a security perspective, that creates a big mobile app development issue, an issue contained within the security of the app itself. Consider the recent SnapChat hack where an insecure application program interface (API) was used to collect 4.6 million user names and phone numbers. There was also the WhatsApp encryption oversight, where a static encryption key was used for storing SMS history, making it trivial for another app to export and decrypt the message log. These are pretty big oversights considering both companies are valued in the billons. If the OS manufacturers are doing their part to provide data security functionality, it is up to app developers to understand and implement this technology, making users data security a top priority.

Consumers: understanding the risks
Lastly are the device users themselves. This is where I would place the least burden for data privacy since the typical consumer is far from a data security expert. The consumer's motivation is to use the device to make life easier. Thinking about security doesn't fit into that mentality.

A reasonable expectation is for users to understand where risk lies and how to manage that risk. For example, a central problem of the app development process is that people are unwilling to purchase apps, despite the fact that a paid app without an ad-engine offers much greater protection against privacy compromise and data loss. As for problems stemming from poorly designed and easily exploited apps, the technology is already improving with app container solutions and phones with maximum security as the focus, such as the BlackPhone released at the 2014 Mobile World Congress.

There is a lot of work to be done to improve mobile data security, and no one party can do it alone. What is important is that data privacy and security remain a primary focus. As a society, we rapidly continue moving to a mobilized digital world with many amazing benefits -- let's just be sure that losing our privacy isn't one of the prices we have to pay.

Grayson Milbourne is the Security Intelligence Director for Internet security company Webroot. Over the past 10 years he has worked in various areas of the company, spending the past seven years focused on threat analysis. His areas of security intelligence expertise range ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 12:25:17 PM
Re: Changing consumer behavior on free apps
As a consumer, i really like the idea of having a security rating on an apps in the app store. That's a very simple idea -- but agreeing on the rating system would be a challenge!
gmilbourne
50%
50%
gmilbourne,
User Rank: Author
4/16/2014 | 12:22:20 PM
Re: Changing consumer behavior on free apps
I do agree and it is why I think consumers share the smallest burden when it comes to protecting their privacy on mobile devices. As for developer incentives, that is a really tough problem. One angle could be to provide higher app store rankings to apps which apply security to private data, such as a security certification. Think PCI-DSS but for private data on your device. I think something of the sort is going to be needed as we embrace the Internet of things. Basically a set of standards which ensures private data is treated securely on any device capable of sending that data elsewhere. Apps which have this standard will be more appealing to consumers as well and will lead to more app installs. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 8:27:57 AM
Changing consumer behavior on free apps
That's a really interesting point about making consumers understand the security consequences of using free versus ad-supported mobile apps. But I doubt that consumers will be too receptive to your idea. It's more incumbent on the developer community to push for better incentives for writing writing more secuire, ad-supported apps. Any ideas on what that might those incentives should look like? 
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1842
PUBLISHED: 2020-02-18
Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A version 1.0.0.71(SP1); and OSCA-550AX and OSCA-550X version 1.0.0.71(SP2) have an insufficient authentication vulnerability. An attacker can access the device physically and perform specific operations to exploit this vulnerability. Succe...
CVE-2020-8010
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system.
CVE-2020-8011
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service.
CVE-2020-8012
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.
CVE-2020-1791
PUBLISHED: 2020-02-18
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E74R3P8) have an improper authorization vulnerability. The system has a logic judging error under certain scenario, successful exploit could allow the attacker to switch to third desktop after a series of operation in ADB mode.