Many people think their mobile devices are inherently secure. After all, cybercriminals historically focused their efforts on PCs, and many smartphones, tablets, and laptops come equipped with robust security features. Unfortunately, one sad fact remains: No internet-connected device is ever immune to cybersecurity threats.
Countless security threats exist, and cyberattacks against mobile devices can be just as devastating as those that use desktops as entry points. With more and more organizations adopting BYOD policies, mobile device security is increasingly crucial. In an Apple environment, following Mac security best practices is a good start. Understanding mobile threats can help you further fortify your posture.
We’ll tell you about some of the top mobile device cybersecurity risks so that you know what to look for.
1. Failure to install updates
Software developers release updates for a reason. Sometimes, it’s to improve the functionality or fix bugs. Other times, it’s to patch critical vulnerabilities that jeopardize data security. When updates target performance, they’re not as pressing. However, businesses should install critical patches as soon as possible. Delaying patching can open the door to major cybersecurity threats.
The release of a critical patch broadcasts exploitable vulnerabilities to threat actors. They scramble to take advantage of these weaknesses before businesses apply patches. In fact, a Ponemon study found that a whopping 60% of data breach victims reported that the incident was related to a known vulnerability for which they had not applied the available patch.
Forgive us for immediately focusing on a Windows-based cybersecurity attack not specific to mobile devices, but we’d be remiss not to mention the 2017 WannaCry ransomware attack. This ransomware worm exploited a known vulnerability in the operating system to infect 300,000 computers across 150 countries. Notably, the attack hit the U.K.’s National Health Service hard, putting patient care at risk. The most frustrating part: a patch for the vulnerability was available.
Luckily, this is one of the easiest cybersecurity threats to tackle head-on! When a patch is released for a critical vulnerability, apply it as soon as possible. Heck, maybe just stay on top of your patching in general. It’s easy to get bogged down with other tasks, but patching and updating need to be high priorities.
2. Social engineering
Across all platforms, social engineering is a major security threat. It relies on deception to convince users to hand over confidential information or perform a desired action.
Phishing is the most well-known form of social engineering. The victim traditionally receives an email that appears to come from a legitimate source. It asks them to click a malicious link, download a malware file, or reply with requested personal information. According to an IBM report, phishing is the second most common cause of breaches, accounting for 16%. It’s also the most expensive, averaging $4.91 million in associated costs. In many cases, strong email security with effective filters coupled with regular employee training can thwart a phishing attack.
Cybercriminals may also use other forms of social engineering to target mobile users. Smishing relies on fraudulent SMS messages, and vishing uses phone calls.
Uber’s network was breached after an attacker reportedly texted an Uber employee claiming to work with the corporate IT team. The employee is said to have handed over their password, giving the hacker access to Uber’s systems.
Don’t get us wrong: Users will still make mistakes. That’s why a layered approach to cybersecurity is best. But training at least points them in the right direction.
3. Improper configuration
Many mobile devices have robust security features, but they work only if enabled. Use a strong passcode, enable encryption, turn on the “find my device” feature, turn off Bluetooth when you’re not using it, and limit what information you share with apps.
If you use cloud-based services in conjunction with your mobile fleet (and who doesn’t?), you should also consider the configuration of your cloud security. This includes access management, encryption, database management, monitoring, and more.
Sensitive information from four airports in Colombia and Peru became public due to a misconfigured Amazon S3 bucket. Around 1.5 million files, including personal identifiable information (PII) and sensitive company data, were accessible without any required authentication. Oopsies. Big oopsies.
Choose administrative access carefully to ensure everyone who could make changes is highly qualified. Additionally, perform regular scans and audits to hopefully find any misconfigurations before bad actors do.
4. Lost or stolen devices
Your employees probably never misplaced their bulky desktops. But as devices become more portable, they’re also increasingly easy to lose. An employee may absentmindedly leave their smartphone, laptop, or tablet in a coffee shop or on public transportation, inadvertently providing outsiders with easy unauthorized access to corporate data.
Mobile devices also pose a valuable target for thieves. Whether someone purposely targets your business to steal secrets or they’re just looking to make a quick buck by selling your devices, it’s all too easy for someone to nab an unattended device.
Car break-ins may not be a top concern for most IT teams, but they can have far-reaching impacts. In 2017, a thief nabbed a laptop from the car of a Coplin Health Systems employee. That laptop contained data related to 43,000 patients, including their Social Security numbers, home addresses, dates of birth, financial information, and more.
Luckily, Coplin Health Systems did a lot right: The laptop was equipped with security controls, it was password protected, and the device’s access to the corporate network was promptly revoked. However, data on the hard drive wasn’t encrypted, putting it at risk. While there was no evidence that the thief accessed personal information or attempted to connect to the corporate network, Coplin Health Systems had to notify affected patients, work with law enforcement, and stay on the lookout for any signs of a breach.
Thankfully, strong passcodes and remote wipe capabilities can help mitigate the damage of lost or stolen devices. But don’t neglect other methods, such as encrypting data and enforcing your security policies.
5. Bad password hygiene
Sloppy password practices spell certain disaster for your mobile security. If your passwords are compromised or easily guessable, intruders could access your cloud-based services.
Weak passwords may be even more problematic if a device is lost or stolen. Hackers could unlock the phone and access corporate apps and data before your employee even reports that the device is missing.
No one is immune to bad password habits. No one. According to Vanity Fair, the hacker group OurMine claimed to gain access to several of Mark Zuckerberg’s social media accounts using the password “dadada.” No capitalization. No numbers. Only six characters. No special characters. Wow.
Multifactor authentication (MFA) provides an extra layer of security, but it should be your last line of defense. Enforce a strong password policy that promotes complex passwords and bans password reuse. And maybe explicitly mention not using “dadada” since, apparently, that’s a thing.
Malware is a scourge on devices everywhere. Apple users frequently assume that their devices are safe thanks to the UNIX-based operating system and the relative rarity of Mac-specific malware. But enterprising cybercriminals now design ransomware, spyware, adware, trojans, and other malware that are up to the task.
According to Verizon’s 2022 Mobile Security Index, over 30% of breaches involve malware. Ignore the risks, and you’ll make a cybercriminal’s day.
A mobile banking virus targeting Android devices aims to encrypt phones for ransom. Often, victims receive a download link via SMS or phishing. The link takes them to install a fake Android app that appears legitimate. It installs a trojan that can track keystrokes, record videos, and more. This malware attack reportedly hit users in the United States, Russia, Spain, and India.
Security features offer some degree of protection, but skilled hackers constantly come up with new tactics. Unfortunately, the best course of action isn’t easy: Maintain a layered approach to cybersecurity with balanced prevention, detection, and response measures.
7. Machine-in-the-middle (MitM) attacks
Free Wi-Fi is almost as alluring as free pizza. But overindulging in either may fill you with instant regret. Machine-in-the-middle (MitM) attacks, also known as man-in-the-middle attacks, frequently leverage public Wi-Fi networks to intercept mobile traffic and steal sensitive data. The attackers may collect login credentials, financial information, or other details to steal the victim’s identity, change their passwords, or transfer funds.
Without proper network security, an MitM attack could even affect your corporate network. However, these cybersecurity incidents are more typically associated with public networks, so they disproportionately affect mobile devices.
Not all cybersecurity threats are perpetrated by cybercriminals. Such was the case in 2015 when reports emerged that Lenovo had shipped laptops with Superfish adware installed. Superfish followed the hallmarks of an MitM attack, resigning SSL certificates for HTTPS sites with its own self-generated root certificate.
Standard security best practices apply. In particular, encourage users to avoid public Wi-Fi when possible and log in to your VPN if they must use an unsecured network. MFA also comes in handy, preventing compromised credentials from spelling certain doom.
8. Network spoofing
Also known as an evil twin attack, spoofing takes MitM to the next level. Rather than lying in wait to intercept traffic, attackers set up a trap for users by masquerading as a trusted source. They create free rogue Wi-Fi networks that appear to belong to legitimate sources, like coffee shops. Mobile devices are particularly susceptible to network spoofing since on-the-go users may be a little too eager to connect to free Wi-Fi.
In 2016, Avast Software conducted an experiment around Republican National Convention sites. It set up fake Wi-Fi networks with fairly suspicious names, including “Google Starbucks" and "I vote Trump! free Internet." By the end of the convention, 1,200 people connected. Now imagine how devastating this could be if someone with malicious intent used convincing network names.
Users should avoid joining unknown wireless networks, which you should spell out in your IT policy. If they absolutely must get that sweet free internet, then they should use your VPN. And if, for some vexing reason, they connect to public Wi-Fi without VPN, they (or preferably your security team) should at least check the device afterward for recently added software or email accounts that may be signs of compromise.
9. Improper session handling
Authentication tokens verify legitimate users, allowing them to continue accessing a resource without logging back in. Improperly handling a session token typically involves accidentally sharing it when the app communicates to the backend server. This may allow a malicious actor to impersonate the app user and access sensitive data.
A bug allowed some users on mobile devices to stay logged in to Twitter after resetting their passwords. That means if a user had reset their password because their device was lost or stolen, whoever was in possession of that device may have had access to the account.
Also, use a vulnerability scanner to help monitor and audit sessions for suspicious activity.
10. Risky apps
Malicious apps are an obvious threat to devices, but other apps can be just as dangerous.
Purposefully malicious apps might covertly collect information, send SMS texts, record calls, subscribe to services, download other malware, or even take control of the user’s device. Further complicating the situation, some malicious apps mimic legitimate apps, so it’s difficult for the average user to differentiate between the two.
While Apple reviews apps before they’re available in the App Store, malicious mobile apps can still make it through. The same is true of Google Play and other popular platforms. Users might also jailbreak their phones to install apps from outside the App Store. That’s even more dangerous (and super cringey).
A lot of legitimate applications are also just unsecure, including many from the App Store. Hackers may target these apps to steal data.
Broad permissions could prove especially problematic if an app is malicious or compromised. Some apps may seek access to the following:
Facebook alone identified 400 malicious apps designed to steal user login information. That’s a lot of nefarious software.
Write into your security policy that employees should only download apps from approved sources, such as official websites and app stores.
Also check the resources allocated to each app. In settings, you can see how much cell data each app uses and what resources are turned on. A periodic review of this information can help identify anomalies associated with attacks. Additionally, review your email accounts regularly to watch for rogue accounts hackers may add.
11. Malicious links
A malicious link, also known as a malicious URL, may exploit a vulnerability in a web browser, download a malicious app, install malware, or ask the user to submit personal information. These sites often look official, so device users may not notice the difference. Cybercriminals frequently distribute malicious links via email- or SMS-based phishing attacks.
Let’s be real: We’ve all received the same text message saying our Amazon accounts were suspended. It always provides a convenient link to save the account. The funny thing is — I’ve never clicked the link, but I’m still getting my Subscribe & Save extra-large Squishmallows without any problem. That’s because that link isn’t really from Amazon. It’s likely a malicious link targeting my login credentials.
If an employee falls victim to a scam like this in their personal lives, it can lead to a frustratingly high bill for car parts, electronic devices, and presumably Crumbl Cookies (even threat actors need snacks). But if a similar scam targets your business information, the cybercriminal may get something even more valuable than a Classic Pink Sugar: access to proprietary information, customer and employee PII, and more. That’s not so sweet.
As a general rule, if you aren’t expecting it, don’t click it. Seems simple in theory, right? Now the trick is helping users apply that. Training can help. Then again, so can incorporating “Don’t click the link” into your daily recitation of the company pledge of allegiance.
12. Exploitable vulnerabilities
Attackers may take advantage of vulnerabilities in firmware, operating systems, applications, or network services. Unfortunately, there’s no surefire way to prevent all vulnerabilities. Firmware and operating system developers frequently uncover new vulnerabilities. Software and hardware issues leave networks at risk. Even established mobile apps sometimes have flaws.
In 2019, researchers at cybersecurity firm Promon discovered a vulnerability dubbed StrandHogg. This Android vulnerability allowed threat actors to take control of legitimate apps. Masquerading as the app, the cybercriminals could request access permissions to send and read SMS messages, access the camera, or use the microphone.
Think of your systems as a bucket. If there’s even one tiny hole, water leaks out. You have to patch that hole to secure your bucket. Similarly, you must patch mobile devices to make sure nothing gets in or out unless you want it to. Critical updates address known vulnerabilities to fix holes in your defenses, so it’s essential to implement them as quickly as possible.
13. Encryption issues
End-to-end encryption scrambles data to keep it safe in transit. Unfortunately, gaps may occur during which the data is unencrypted. These encryption gaps are kind of like leaving a bag of cash unattended. If you’re lucky, it might all be there when you get back, but you’re kind of asking for someone to help themselves.
Encryption gaps are prevalent with unencrypted public Wi-Fi networks. However, unencrypted apps, particularly messaging apps that employees use for work, can also give threat actors easy access to sensitive data.
Similar problems occur when a mobile application uses weak encryption algorithms, making it easy for hackers to figure out passwords and access data.
In 2018, Kaspersky Lab uncovered some apps that transmitted unencrypted data over HTTP protocol. Most were part of advertising networks. This unsecure transmission could expose user data, including device information, device location, and personal information.
You’re probably sick of reading this, but you should require employees to use a VPN when connecting to a public network. VPNs create encrypted tunnels to keep your private data private — like your own private road to a comfortable security posture.
Password managers add another layer of security. Software like Keeper, LastPass, and 1Password can help by securing passwords in an encrypted vault. They also prevent the use of plain text passwords and eliminate the need to enter them manually.
An effective mobile device management (MDM) solution is one of the easiest ways to enhance your security posture. SimpleMDM streamlines device enrollment, monitoring, updating, and licensing so that you can protect your environment with less hassle. Start your free 30-day trial, or keep reading the SimpleMDM blog to learn more.