Mobile threat defense—also known in the past as mobile anti-malware or mobile antivirus—has been around for years. While it has enjoyed a certain level of popularity in the consumer space (especially with Android users), on the enterprise side, adoption is very low, even after a decade.
For these reasons, in 2014 I wrote: "What's the role of mobile anti-malware? Currently there are more questions than answers." A year later I followed up with: "It’s 2015. Are we any closer to consensus on mobile anti-malware?" And then: "It’s 2016, and there’s still no common practice around mobile anti-malware and security products."
However, today in 2017, mobile threat defense is gaining momentum in the enterprise, with high profile partnerships; integrations with enterprise mobility management platforms mostly completed and in use; and vendors landing big customers and reporting more inbound requests.
This article is going to look at the mobile threat landscape. In later articles, I’ll look at how mobile threat defense products work, and where they sit in the enterprise mobility landscape today. (Here's part 2 and part 3.)
Why are we in such a good starting place?
We can all agree that for many reasons, modern mobile devices and operating systems—especially iPhones and iPads—put us in a much better security posture than previous generations of PCs. Mobile has the benefit of arriving two decades later and being designed with today’s environment in mind. Specifically, in mobile:
- Apps are sandboxed and can’t mess with the operating system.
- Inter-app communication is secured and mediated by the operating system.
- Users can control access to various types of data and sensors via permissions.
- Most apps come from centralized public app stores, which have content guidelines and review processes.
- Most users don’t have the skills to root or jailbreak their devices, or even go outside of the public app stores, so they’re less likely to accidentally get themselves in trouble.
- Mobile operating systems get patched quickly. (I know you’re thinking “but not Android!” We’ll cover that in a second.)
We should also acknowledge the influence of corresponding enterprise mobility management advancements, from the early basic MDM implementations to today’s Apple Device Enrollment Program, iOS Supervised Mode, Android Enterprise (formerly Android for Work), and Samsung Knox.
To get a closer look at the security posture of iOS, you can read Apple’s iOS security guide, as well as the App Store Review Guidelines. These describe all the layers of hardware and software security in place and what acceptable app behavior is, including regarding privacy. I won’t dig into the specifics here, but suffice it to say, I think we can all agree that there’s a huge benefit to what Apple does.
On the other side, we can also agree that Android has gotten a worse reputation for vulnerable devices and bad apps, but for what it’s worth, Android still has almost all the same inherent qualities that give mobile a security advantage over desktops.
Some good Android security resources to check out are source.android.com/security and Google Play’s developer policies. However, what I’m going to focus on is Google’s Android Security 2016 Year in Review report (blog | PDF). It features statistics from Google’s telemetry on devices that use Google Mobile Services, and it highlights newer security efforts.
One of those efforts is SafetyNet, which checks device integrity and gathers telemetry from the Android ecosystem. Another effort is Verify Apps, which does on-device checks to spot and remove potentially harmful applications. Just this year at their developer conference, Google also announced a new user-facing security app called Google Play Protect, which surfaces Verify Apps, Find My Device, and Safe Browsing; plus they launched a new security center page.
A triumph of 2016 was the spread of regular Android security patches. Both users and enterprises can easily look up a given device’s patch level, and many device manufacturers committed to timely patch distribution. Here’s how that’s going, according to the Android Security 2016 Year in Review:
- “In the United States, over 78% of active flagship Android devices on the four major mobile network operators reported a security patch level from the last three months.” (p. 31)
- “In Europe over 73% of active flagship Android devices on the major mobile network operators reported a security patch level from the last three months.” (p. 32)
More recently, Google announced Project Treble. Starting with Android O, it will make it much easier for device manufacturers to push operating system updates.
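The "patch level from the last three months" metric quoted above is easy to compute for your own fleet. Android reports its patch level in the system property ro.build.version.security_patch (readable with adb shell getprop ro.build.version.security_patch), and most EMM consoles export it per device. The script below is an added example written for this article, not Google's or any vendor's code; it assumes a hypothetical CSV export with device_id, model and security_patch columns, and the sample inventory embedded in it is constructed. Devices with a missing or malformed value are counted separately rather than silently treated as patched.

```python
"""Fleet check: share of Android devices whose reported security patch level
falls within the last three months, the metric the Android Security 2016
Year in Review quotes.

Example code written for this article (not Google's or an EMM vendor's).
Assumes a hypothetical inventory export in CSV form:
    device_id,model,security_patch
where security_patch is the YYYY-MM-DD value of the Android system property
ro.build.version.security_patch.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; device ids and model names are made up.
SAMPLE_INVENTORY = """device_id,model,security_patch
dev-001,Flagship A,2017-06-05
dev-002,Flagship A,2017-04-01
dev-003,Budget B,2016-11-01
dev-004,Flagship C,2017-07-01
dev-005,Budget B,
dev-006,Budget B,not-a-date
"""

# The report's window: "a security patch level from the last three months".
WINDOW_DAYS = 90


def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level, or None when the value is
    missing or malformed (such devices must not be counted as patched)."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def patch_level_report(csv_text, as_of, window_days=WINDOW_DAYS):
    """Classify every device in the inventory as current (patch level within
    the window), stale (older) or unknown (no usable value), and return the
    counts plus a per-device map an admin can act on.

    as_of may be a date or a YYYY-MM-DD string.
    """
    if not isinstance(as_of, date):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=window_days)
    result = {"total": 0, "current": 0, "stale": 0, "unknown": 0, "devices": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = parse_patch_level(row.get("security_patch", ""))
        if level is None:
            status = "unknown"
        elif level >= cutoff:
            status = "current"
        else:
            status = "stale"
        result[status] += 1
        result["total"] += 1
        result["devices"][row["device_id"]] = status
    return result


def current_share(report):
    """Percentage of devices with a patch level inside the window, i.e. the
    number to compare against the report's 78% / 73% figures."""
    if report["total"] == 0:
        return 0.0
    return 100.0 * report["current"] / report["total"]


if __name__ == "__main__":
    report = patch_level_report(SAMPLE_INVENTORY, as_of="2017-07-15")
    print(f"{current_share(report):.1f}% of devices report a patch level "
          f"from the last {WINDOW_DAYS} days")
    for dev, status in report["devices"].items():
        if status != "current":
            print(f"  {dev}: {status}")
```

Run against the constructed sample with an as-of date of 2017-07-15 the cutoff is 2017-04-16, so two devices are current, two are stale and two are unknown. The stale list is the actionable output: those are the devices to chase the manufacturer or carrier about, or to flag for conditional access in the EMM.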
What are the potential threats?
Now that we’ve gone over the positive aspects of mobile security, it’s time for the negatives. Mobile devices are still just computers, so this means:
- Software can have unpatched vulnerabilities.
- Devices can be lost or stolen.
- Devices can be misconfigured, like with no password or encryption.
- There can be network-based attacks.
- Users can still easily choose to do risky things like jailbreaking, rooting, ignoring updates, and getting apps from sketchy third-party sources.
- Users are just as susceptible to phishing—if not more so—since you can’t hover over a hyperlink to see what the URL actually is.
- Apps in Google Play or the Apple App Store can accidentally put data at risk. (An app’s killer feature can be an enterprise’s worst nightmare.)
- App store review processes don’t always catch everything that’s bad or potentially harmful.
- Even though apps may be mostly okay, mobile devices can still be attacked through text messages or websites. And caller ID phone numbers and cellular base stations can be spoofed.
The list goes on and on—again, they’re still computers. Plus, many have described smartphones as the ultimate risky devices, because they’re easily lost, they have built-in hi-definition cameras and mics, and they can concentrate a lot of sensitive data into one place. For more on the mobile threat model, I recommend the US Department of Homeland Security’s Study on Mobile Device Security, from April 2017.
What’s the real-world rate of incidents?
That’s enough with the threat models—what’s actually going on in mobile? As is reported in thousands of articles every year, there are countless variants of mobile malware, but it frequently turns out that the malware is outside of Google Play and the Apple App Store, or it requires devices to be jailbroken or rooted to be affected. Having said that, let’s look at some numbers. From the Android Security Year in Review (p. 4):
- “By Q4 2016, fewer than 0.71% of devices had Potentially Harmful Applications (PHAs) installed and for devices that exclusively download apps from Google Play, that number was even smaller at 0.05%.”
Many mobile threat defense vendors report higher statistics, and while you might expect that, also remember that they likely have a wider definition of a potentially harmful app. There are plenty of 100% legitimate consumer apps that companies probably don’t want intermingling with their institutional data. Here’s information from Lookout Mobile Security (press release | white paper). (I’m going to write about some other mobile threat defense vendor numbers soon, too, but they track in a similar range.)
- In Q4 of 2016 through Q1 of 2017, 4.7% of Android devices encountered app-based threats, and 0.1% of iOS enterprise devices encountered app-based threats.
And of course, devices get rooted and jailbroken. Here are some numbers:
- Android Security Review: “Worldwide 94.4% of all Android devices report passing the basic system integrity check, from which we conclude that these devices are not rooted.” And: “In 2016, malicious rooting apps accounted for 0.00233% of all installs.”
- Lookout report: Among enterprise mobile devices with Lookout, 1 in 1,000 iOS devices are jailbroken, and 5 in 1,000 Android devices are rooted.
- According to MobileIron’s Security Risk and Review report covering Q4 2016, 11% of companies had at least one compromised (jailbroken or rooted) device in Q4. (Though considering that most companies have thousands of devices, the fact that 89% of them apparently didn’t even have a single one in Q4 seems pretty darn impressive.)
Regarding network-based attacks, the Lookout report said that in the last year, 0.8% of enterprise devices encountered man-in-the-middle attacks.
Last, let’s look at passcodes, lock screens, and encryption:
- In April 2016, Apple said that “89 percent of iPhone owners use either a fingerprint to unlock their device with TouchID or a multi-digit numeric passcode.”
- From the Android Security Year in Review: “Among all devices, 48.9% have some type of lock screen enabled.” (p. 17) Encryption is abysmal, but getting better: There have been recent improvements to how encryption is implemented in Android, and encryption rates are around 80% in Android 7.x, versus around 20% for 6.0 and 10% for 5.1 and earlier. (The report didn’t give exact values.) (p. 24)
The evidence of enterprise breaches and data loss
Malicious apps and compromised devices are out there, but how often do they lead to big data breaches? Reports such as the 2016 Verizon Data Breach Investigations Report have found no "significant real-world data" indicating corporate data breaches as a result of attacks on mobile devices. Anecdotally, I hear of companies having potential incidents, but it turns out that a lot of them are small things like lost devices.
Naturally, we can assume that there have been unreported data breaches, but also, the big data breach headlines we read just aren’t tracking back to mobile devices. The mobile security incidents that we do hear about, like Pegasus, are usually highly targeted, very expensive, and even state-sponsored. You can read more about this from Citizen Lab or from this recent New York Times article.
While the landscape appears to be relatively safe, as I mentioned, more companies are turning to mobile threat defense, for many good reasons. I’ll cover these in part 3 of this series, but first, we’ll look at mobile threat defense technologies themselves in part 2.