Written on Feb 08 2012 by Brian Madden
One of the topics that's come up for discussion a bit in the past few years is malware (viruses, software that steals your contact info, etc.) for mobile phones. This is especially an issue for BYOD environments because the mobile phones that users select might not have the same security standards that IT would prefer. (Or maybe they *could* be secure, but since the users are their own admins, they just install insecure apps, and in many cases they don't even know it.)
Some people argue that malware isn't really a big issue in mobile phones because the phone makers have app stores with verified apps, so it's unlikely that users will find apps that are dangerous. But remember that it's possible to configure a Blackberry, Android, or Windows phone to get apps from locations other than the official app stores, and who knows what those apps can do? (And even Apple, who forces users to use only their App Store, had an issue with security where a specially-crafted PDF that was downloaded could wipe the phone.)
Of course some people argue that users need to be trained not to visit dangerous websites so that they're not exposed to these potential threats. But have you considered that it's easy to send a user to a "random" website by embedding it in a QR code?

Seriously, how many people just blindly snap pictures of these and are whisked away to whatever site is on the other end, complete with malware, fake app downloads that look real, and phishing websites? (Newer QR code readers show the user a preview of the URL before they visit it, but I'm not sure that's enough for regular users. Personally I like Norton's free QR reader that runs the URLs through their threat analysis cloud and gives a big green "SAFE" label before the user continues. Even my mom could understand that!)
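To make the "preview the URL, then vet it" idea concrete, here is an added example (not code from the post, from Norton, or from any QR reader) of what a reader could do with a QR payload after decoding it. It assumes the QR code has already been decoded to a string; the payloads and the blocklist are constructed for the example, with the blocklist standing in for the reputation lookup a product would make against a threat feed.

```python
"""Preview and vet the URL decoded from a QR code before opening it.

Added example, not part of the original post. Assumes QR decoding has
already happened; the sample payloads and the blocklist are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist standing in for a reputation / threat-feed lookup.
BLOCKED_HOSTS = {"malware.example", "phish.example"}

# Shorteners hide the real destination behind a redirect, so the "preview"
# the reader shows is not the page the user will actually land on.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}

# Flags that by themselves justify refusing to open the link.
BLOCKING = {"non_web_scheme", "userinfo", "blocklisted", "no_host"}


def _is_ip(host: str) -> bool:
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def vet_qr_url(payload: str, blocklist=BLOCKED_HOSTS) -> dict:
    """Return {'preview', 'verdict', 'flags'} for a decoded QR payload.

    verdict is SAFE, WARN (show the user why before continuing) or BLOCK.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    flags = []

    if scheme not in ("http", "https"):
        # intent:, javascript:, file:, custom app schemes, or no scheme at all
        flags.append("non_web_scheme")
    elif scheme == "http":
        flags.append("plaintext_http")
    if not host:
        flags.append("no_host")
    if parts.username is not None or parts.password is not None:
        # "https://trusted.example@evil.example/" reads as trusted.example
        # to a casual glance; the real host is what follows the '@'.
        flags.append("userinfo")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode")  # internationalised name, lookalike risk
    if _is_ip(host):
        flags.append("raw_ip")
    if host in SHORTENERS:
        flags.append("shortener")
    if host in blocklist or any(host.endswith("." + b) for b in blocklist):
        flags.append("blocklisted")

    if set(flags) & BLOCKING:
        verdict = "BLOCK"
    elif flags:
        verdict = "WARN"
    else:
        verdict = "SAFE"

    # The preview shows the *effective* host, not the raw payload string.
    preview = f"{scheme}://{host}{parts.path or '/'}"
    return {"preview": preview, "verdict": verdict, "flags": flags}


if __name__ == "__main__":
    # Constructed payloads, as a QR decoder would hand them over.
    for payload in [
        "https://www.example.com/menu",
        "http://bit.ly/3abc",
        "https://www.example.com@phish.example/login",
        "https://xn--pple-43d.com/",
        "http://192.168.1.1/admin",
        "intent://scan/#Intent;end",
    ]:
        r = vet_qr_url(payload)
        print(f"{r['verdict']:5} {r['preview']}  {', '.join(r['flags'])}")
```

The point of the verdict tiers is the one the post makes: a bare URL preview still asks the user to read and judge a string, whereas a single green/amber/red label with the effective host is something a non-technical user can act on.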
And antivirus software isn't nearly as sophisticated on mobile devices as it is on real computers. Part of the problem is that mobile operating systems have special rules for how their apps can run and what they can do, and these rules apply to the antivirus software too! So for example, you might be able to get an antivirus app for your iPhone, but it will only scan email attachments that you specifically send to it--it's not going to just work in the background and scan everything automatically.
The problem with mobile phones is that they have a lot of personal data on them, including where you are. They're in your pocket at all times and they have cameras and microphones in them. A compromised mobile phone has virtually unlimited value to an attacker, and a user only has to be tricked once to give a bad app permissions to do whatever it wants.
While the best advice from the analysts is to just download apps from the official app stores (and to not jailbreak your iOS device), what can you do as an IT professional? Do you lock the phone up and not allow the users to do anything? Do you look for an MDM or BYOD solution?
Long term, this makes the case for software that can truly separate the user environment from the work environment. I don't know if that's as intense as VMware's Horizon Mobile or something like what Blackberry is doing in their Playbook 2.0 software. But I do know that having all that corporate data on devices with end-user admin rights makes me nervous. Now what?