In 2017, Mobile Threat Defense is finding its groove - Part 2 - The technology

For years, most of the enterprise has ignored mobile threat defense, but now it’s getting much more attention. Part 2 of this series looks at what the technology does and how it works.

Mobile threat defense is finding its groove, but what exactly is it, what does it do, and how does it work? That’s what I’ll look at today.

For some context about the mobile security landscape and a longer introduction to why we’re having this conversation now, head back to the first part of this series. For more on how mobile threat defense fits into the market, who’s buying it, and why, head to part 3.

Defining mobile threat defense

Just saying that mobile threat defense is a mobile version of antivirus isn’t completely accurate, and mobile threat defense doesn’t really replace or even necessarily compete with enterprise mobility management (MDM and app management) either. There are a few places where it overlaps with EMM, but mostly the two technologies are adjacent and complementary.

Mobile threat defense applies to three different areas: devices, applications, and networks. It used to be that vendors specialized in one or two of these areas, but now most do all three.

Device-level mobile threat defense

The big challenge at the device level is the same thing that makes the mobile landscape so safe to begin with: mobile operating systems are very restrictive and locked down. Mobile threat defense agents, especially on iOS, only have the same level of access as any other app, so they can’t get under the hood and scan every single part of the operating system.

Given these challenges, mobile threat defense agents still probe the device to the greatest degree possible. They can:

  • Check device configurations, like OS and patch level; whether developer mode or USB debugging is enabled; whether apps from unknown sources are permitted; and whether screen locks or encryption are enabled.
  • Test for jailbreaking or rooting.
  • Look for anomalies; for example, a malicious app could cause the battery to drain faster than usual.
  • On Android, call the Google SafetyNet API. This enables an app to check if the device is the same as the one that passed Android compatibility testing, and if it’s protected by Verify Apps.
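As an added example (not code from the article or from any vendor's agent), the following Python runs the device-level checks listed above against a constructed posture report and rolls the findings up into one risk level; the field names, the 90-day patch threshold and the severities are assumptions.

```python
from datetime import date

MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold for "out of date"
SEVERITY = {"critical": 3, "high": 2, "medium": 1, "low": 0}
# Constructed posture reports in the shape an agent might collect (field names assumed).
SAMPLE_ANDROID = {
    "platform": "android", "patch_level": "2016-11-01", "rooted": False,
    "developer_mode": True, "usb_debugging": True, "unknown_sources": False,
    "screen_lock": True, "encrypted": True,
    "safetynet": {"cts_profile_match": True, "verify_apps_enabled": True},
    "battery_drain_pct_per_hour": 9.0, "battery_baseline_pct_per_hour": 4.0,
}
SAMPLE_IOS = {
    "platform": "ios", "patch_level": "2017-04-03", "jailbroken": True,
    "screen_lock": False, "encrypted": True,
    "battery_drain_pct_per_hour": 3.5, "battery_baseline_pct_per_hour": 4.0,
}

def evaluate_device(report, today=date(2017, 6, 1)):
    """Run the device-level checks and return (severity, reason) findings."""
    f = []
    if report.get("rooted") or report.get("jailbroken"):
        f.append(("critical", "device is rooted or jailbroken"))
    sn = report.get("safetynet")  # Android only: SafetyNet attestation result
    if sn is not None:
        if not sn.get("cts_profile_match"):
            f.append(("critical", "SafetyNet: device profile did not pass CTS"))
        if not sn.get("verify_apps_enabled"):
            f.append(("high", "SafetyNet: Verify Apps is disabled"))
    if report.get("unknown_sources"):
        f.append(("high", "apps from unknown sources are permitted"))
    if not report.get("screen_lock"):
        f.append(("high", "no screen lock configured"))
    if not report.get("encrypted"):
        f.append(("high", "device storage is not encrypted"))
    for flag in ("developer_mode", "usb_debugging"):
        if report.get(flag):
            f.append(("medium", f"{flag} is enabled"))
    age = (today - date.fromisoformat(report["patch_level"])).days
    if age > MAX_PATCH_AGE_DAYS:
        f.append(("medium", f"security patch level is {age} days old"))
    # Anomaly check: a misbehaving app often shows up as unusual battery drain.
    if report["battery_drain_pct_per_hour"] > 1.5 * report["battery_baseline_pct_per_hour"]:
        f.append(("low", "battery draining much faster than baseline"))
    return f

def risk_level(findings):
    """Overall risk is the most severe finding, or 'clean' when there are none."""
    return max((s for s, _ in findings), key=SEVERITY.get, default="clean")
```

On a real device the agent only sees what the OS exposes to an ordinary app, so the report fields an agent can actually fill in differ between Android and iOS.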

App-level mobile threat defense

This aspect of mobile threat defense is sometimes referred to as mobile app reputation service (MARS). App reputation services will do static and dynamic code analysis, and look at things like developer and app reputation, URLs that the app uses, effective security implementation, the permissions the app requests, and more.

Remember that one user’s favorite productivity app could be an enterprise’s data-stealing worst nightmare, so evaluating apps isn’t simply a matter of whether they’re malicious, even if we’re just talking apps in the official app stores. Reputation services typically assign a numerical score to apps, and classify them by what types of threats they exhibit.
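The scoring and classification described above, as an added example that is not code from the article or from any reputation service: it turns constructed static and dynamic analysis results for two apps into a numerical score and a set of threat categories, then maps the score to a policy action. The weights, permission mapping and thresholds are assumptions.

```python
# Constructed analysis results for two apps, in the shape a reputation service might emit.
SAMPLE_APPS = {
    "NoteTaker": {
        "developer_reputation": 0.9, "permissions": ["INTERNET"],
        "urls": ["https://sync.example.com/v1"], "cleartext_traffic": False,
        "trusts_all_certs": False, "exfiltrates": [],
    },
    "FreeFlashlight": {
        "developer_reputation": 0.2,
        "permissions": ["INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_SMS"],
        "urls": ["http://ads.example.net/track"], "cleartext_traffic": True,
        "trusts_all_certs": True, "exfiltrates": ["contacts", "location"],
    },
}

# Permissions a legitimate app may hold that still expose enterprise data (assumed mapping).
SENSITIVE_PERMISSIONS = {
    "READ_CONTACTS": "privacy", "READ_SMS": "privacy",
    "ACCESS_FINE_LOCATION": "privacy", "RECORD_AUDIO": "privacy",
}

def score_app(app):
    """Return (risk score 0-100, sorted threat categories) for one app's analysis."""
    score, threats = 0, set()
    for perm in app["permissions"]:
        if perm in SENSITIVE_PERMISSIONS:
            score += 10
            threats.add(SENSITIVE_PERMISSIONS[perm])
    if app["exfiltrates"]:  # dynamic analysis saw sensitive data leave the device
        score += 25
        threats.add("data-leakage")
    if app["cleartext_traffic"] or any(u.startswith("http://") for u in app["urls"]):
        score += 15
        threats.add("insecure-comms")
    if app["trusts_all_certs"]:  # broken TLS validation in the app's own code
        score += 20
        threats.add("insecure-comms")
    score += round((1 - app["developer_reputation"]) * 20)
    return min(score, 100), sorted(threats)

def policy_action(score, threats, block_at=70):
    """Map a score to an action; mid-range scores are flagged for review, not blocked."""
    if score >= block_at or "data-leakage" in threats:
        return "block"
    if score >= 30:
        return "flag"
    return "allow"
```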

How do you know what apps a user has installed on their device? Android agents can poll the device, but on iOS, apps from the Apple App Store are not allowed to do this for privacy reasons. So for iPhones and iPads, you’ll have to either enroll the device in MDM, or use a mobile threat defense agent that’s distributed as an in-house enterprise-signed app.

Network level

Mobile threat defense agents can send and receive data, looking for signs that it was tampered with in transit, in order to watch out for issues like man-in-the-middle attacks or SSL stripping. Some may offer remediation by starting a VPN session.
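The network-level probe described above, as an added example that is not code from the article or from any vendor: the agent requests a known canary resource and compares what it observed (hops followed, certificate presented, body received) with pinned expectations. The URL, certificate bytes and observations are all constructed for the example.

```python
import hashlib

# Values the agent ships with; all constructed for this example.
CANARY_URL = "https://canary.example.com/probe"
CANARY_BODY = b"mtd-canary-v1"
PINNED_CERT_DER = b"constructed-server-certificate-der"
PINNED_FINGERPRINT = hashlib.sha256(PINNED_CERT_DER).hexdigest()

def check_exchange(exchange):
    """Compare one observed canary exchange against what the agent expects.

    exchange: {"hops": [URLs actually followed], "cert_der": bytes or None, "body": bytes}
    Returns a list of findings; an empty list means the path looks untampered.
    """
    findings = []
    if any(u.startswith("http://") for u in exchange["hops"]):
        findings.append("downgrade: request redirected to plain HTTP (SSL stripping)")
    cert = exchange.get("cert_der")
    if cert is None:
        findings.append("no TLS certificate presented on the final hop")
    elif hashlib.sha256(cert).hexdigest() != PINNED_FINGERPRINT:
        findings.append("server certificate does not match pin (possible MITM)")
    if exchange["body"] != CANARY_BODY:
        findings.append("canary response body altered in transit")
    return findings

# Constructed observations: a clean path and two where an on-path device interfered.
CLEAN = {"hops": [CANARY_URL], "cert_der": PINNED_CERT_DER, "body": CANARY_BODY}
STRIPPED = {"hops": [CANARY_URL, "http://canary.example.com/probe"],
            "cert_der": None, "body": b"mtd-canary-v1 (modified)"}
INTERCEPTED = {"hops": [CANARY_URL], "cert_der": b"some-other-cert", "body": CANARY_BODY}
```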

OEM/Platform positions

One interesting part of the mobile threat defense discussion is the position of device makers. ...Really, what we care about is Apple’s stance.

I already mentioned the issue with polling for user-installed apps on iOS; another issue is background activity, which is obviously something that a security agent will need. iOS 7 opened up the background options, but it’s still not wide-open. For example, the native iOS mail app still downloads messages sooner than the Gmail and Outlook apps. Mobile threat defense vendors have to face this challenge one way or another.

Then there’s the question of what Apple really thinks. Some commentators believe that mobile security apps are completely unnecessary, but on the other hand, as I mentioned, even legitimate apps can put enterprise data at risk. I think we’re a long way from Apple opening up special security agent permissions or anything like that, but if you know where to look, you can find references to mobile threat defense vendors being part of something called the Apple Mobility Partner Program.

Deployment models

Mobile threat defense agents can be deployed freestanding, essentially just sending notifications to the user or a management system, but for enterprise uses, they become more powerful when integrated with EMM. In particular, MDM can give more visibility on the device (such as the iOS app polling issue mentioned earlier) and more direct control for remediation. Mobile threat defense is also sometimes embedded in consumer apps, especially banking apps and content streaming apps (as a DRM measure).

For policies, again, remember that mobile threats aren’t always black and white. Some policies might concentrate just on compromised devices or outright malware, while others may be concerned about vetting exactly how all apps interact with enterprise data. Threat remediation may be via user or admin notifications, changing EMM configurations, or, if the system is integrated with an identity management system, changing access controls.

Next steps

In the final part of this series, we’ll look at what type of organizations are using mobile threat defense, why they’re using it, and what they’re doing with it.
