Mobile Security: Saying Yes When You Really Should Say No
With a rising tide of practical smartphone applications flooding the market, it's easy for the typical user to let convenience trump security. Many of those apps ask the user to grant access to areas of the device that hold personal information. There's no easy answer as to when to grant permission and when not to, but keep in mind how many secrets are entrusted to your phone.
03/18/09 4:00 AM PT
Do you use a smartphone to access bank and credit card accounts? How about accessing Web-based applications at your favorite social network or Web mail provider? Do you synchronize your mobile device with your desktop PC or laptop?
If you answered yes to any of these questions, you are running the risk of a security breach. What's that you say? You don't have any sensitive information that anybody would want? How about your address book?
Or how about your log-on information, such as the user name and password for every Web site you visit? And don't forget your account numbers. These are all highly sought-after bits of data that criminals are paid well to steal. Information such as birth dates, Social Security numbers and even family photos is handy material for social engineering when an attacker is looking for a way into your corporate and commercial networks.
"Whether it's our PC or our mobile device, we are investing more of our personal data to them. The average user doesn't understand the connections that can be made," Ray Dickenson, CTO of security software firm Authentium, told TechNewsWorld.
Today's mobile devices can be compromised with key-logging programs, viruses and other tactics hackers use to steal users' identities, he warned.
Keys to the Kingdom
Even fairly knowledgeable computer users often fail to realize how easily they can give up their vital details while using a mobile device like a smartphone.
Sometimes convenience clouds a user's caution. Take, for instance, the applications users install on their mobile devices. Innocently clicking YES to a prompt requesting full access to the device in order to complete the installation of a hand-held program can be a costly decision: the prompt is the only point at which the user gets to say no.
"In general, users always want to avoid giving permissions. This type of request does not happen all the time and deserves more scrutiny," Jackie Gilbert, vice president of products and marketing and cofounder of identity risk management firm SailPoint, told TechNewsWorld.
An Innocent Request?
Norman Schultz, IT Manager at Cherry Creek Insurance, wasn't so quick to say yes to all permissions when he installed a video-streaming application on his BlackBerry. He contacted the vendor to ask why the app needed full permissions. The reply raised some red flags, so he decided not to use the program.
"I get just as excited about new techy stuff as the next guy, but with recent security issues popping up, I make it a point to take just a little extra caution when installing something new," Schultz told TechNewsWorld.
He was eager to install QIK on his BlackBerry but had questions about the download plug-in. He wrote to the vendor's tech support email address, asking why, by default, the video-streaming program wanted access to basically everything on his mobile device.
The request was for full permissions. The list included, among other items, Interprocess Communication, Device Settings Modification, Media Access, Module Management, Theme Data Injection, User Data, Email/Messaging, PIM, Files and Key Store.
One of the responses he received in a return email from QIK tech support told him the product needed this permission level to get access to his filesystem so it could upload video files to QIK's servers; granting all permissions, the reply said, was necessary for the Qik client application to operate properly. That explanation accounts for file access, but not for the rest of the list.
Qik enables live video casting from a cell phone over any 3G/GPRS/WiFi Internet connection. According to the product's description, the streaming application drastically reduces upload time: video taken with the user's phone is available in as little as half a second to two seconds, and can then be uploaded to YouTube or embedded on any Web site by copying and pasting embed code.
"You know, I don't know these guys at QIK, and how do I really know how much information from my BlackBerry is available when I simply 'allow everything?' I mean, I have business and personal information in my contacts -- a lot of confidential info -- as well as notes, tasks and on and on," said Schultz about why he decided not to use the application.
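The check Schultz performed by hand, as an added example that is not part of the original article and is not Qik's or BlackBerry's code: compare what an application requests against what its stated purpose needs, and refuse when the excess reaches personal data. The permission names are the ones the article lists; the grouping of permissions by what they expose, the minimal set a capture-and-upload client is assumed to need (Media Access and Files), and the deny rule are this example's own assumptions.

```python
# Added example, not code from the article, Qik or BlackBerry. It automates the
# least-privilege check Schultz did by hand: compare what an application requests
# against what its stated purpose actually needs, and refuse if the excess reaches
# personal data.
from dataclasses import dataclass

# Permission names as listed in the article. The grouping below (which ones expose
# personal data, which ones control the device) is this example's own assumption,
# not a vendor classification.
PERSONAL_DATA = {
    "User Data": "notes, tasks and other personal data",
    "Email/Messaging": "mail and message contents",
    "PIM": "contacts and calendar entries",
    "Files": "everything on the device filesystem",
    "Key Store": "stored keys, certificates and credentials",
}
DEVICE_CONTROL = {
    "Interprocess Communication": "talk to other installed applications",
    "Device Settings Modification": "change device configuration",
    "Module Management": "install or remove application modules",
    "Theme Data Injection": "alter the user interface",
    "Media Access": "use the camera, microphone and media files",
}
ALL_PERMISSIONS = frozenset(PERSONAL_DATA) | frozenset(DEVICE_CONTROL)

# What the article says Qik asked for: "basically everything".
QIK_REQUEST = ALL_PERMISSIONS

# What a capture-and-upload streaming client plausibly needs (assumption for this
# example): the camera/microphone and the files it records. Network access is not
# a separately listed permission in the article, so it is not modelled here.
STREAMING_NEEDS = frozenset({"Media Access", "Files"})


@dataclass(frozen=True)
class Verdict:
    allow: bool
    excess: frozenset   # requested but not justified by the stated purpose
    reasons: tuple      # one line per excess permission, for the user or reviewer


def review_request(requested, justified):
    """Decide whether to grant a permission prompt.

    Rule (this example's assumption): grant only if no unjustified permission
    exposes personal data. Unknown permission names are treated as exposing
    data, so the check fails closed.
    """
    requested = frozenset(requested)
    justified = frozenset(justified)
    excess = requested - justified
    reasons = []
    exposes_data = False
    for perm in sorted(excess):
        if perm in PERSONAL_DATA:
            exposes_data = True
            reasons.append(f"{perm}: would read {PERSONAL_DATA[perm]}")
        elif perm in DEVICE_CONTROL:
            reasons.append(f"{perm}: could {DEVICE_CONTROL[perm]}")
        else:
            exposes_data = True  # unknown name: assume the worst
            reasons.append(f"{perm}: unknown permission, refused by default")
    return Verdict(allow=not exposes_data, excess=excess, reasons=tuple(reasons))


def format_report(verdict):
    """Render the verdict the way a prompt should: the decision, then why."""
    head = "ALLOW" if verdict.allow else "DENY"
    return "\n".join([head] + list(verdict.reasons))


if __name__ == "__main__":
    # For the Qik request this prints DENY followed by the eight unjustified
    # permissions and what each would expose.
    print(format_report(review_request(QIK_REQUEST, STREAMING_NEEDS)))
```

The point of the classification is the report, not the yes/no: a user who sees "PIM: would read contacts and calendar entries" next to a video-streaming app has the information the bare "allow all?" prompt withholds.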
Users must be very careful about security issues on the device itself, even if it never connects to the owner's computer.
"We do banking transactions with the same devices we expose to other risks. On a handset that has personal data, I would never trust permissions. You never know when the degrees of separation will be crossed," Dickenson said.
Take, for example, the popular instant messaging application Meebo, which connects to a variety of different messaging services. Once a mobile device is connected to a social network, it is not uncommon to find paths to the personal data the device holds, he explained.
Mobile phones and smartphones pose different risks. Smartphone usage spiked with the popularity of BlackBerry devices and iPhones, and users are finding more reasons to put personal data on their mobile devices, especially the ones with advanced computing features. When mobile devices are synchronized with PCs or with file-sharing services in the cloud, a compromise on either end can jeopardize the data on both.
"We are starting to see more mobile malware but still not near the rate of growth now prevalent on computers," said Dickenson.
Any device with a Web browser is a potential security breach waiting to happen. People like convenience and seldom think to turn off the built-in WiFi connection when it is not needed. WiFi is an always-on security risk if the device is set to trust a network by name or to connect automatically whenever one is in range, because it will then join without asking the user.
Often, there is no exact right answer as to when users should and should not grant all permissions to mobile applications, noted Gilbert. In situations that involve access to corporate networks or devices that contain company data, the decision usually boils down to risk management strategy balanced with privacy protection.
When the question pits user or worker freedom against corporate safety, the company should win the debate, even though that sometimes has an immediate cost in worker productivity, according to Gilbert.
"In the bigger picture, there is no black-and-white answer," she said.