As workers become more mobile, IT departments need to take steps to secure smartphones and tablets. But those efforts may be hindered by some incorrect beliefs about mobile security.
As more employees are issued devices or bring in their own personal gadgets as part of a BYOD program, companies need to protect against a variety of mobile security threats, including mobile malware, lost or stolen devices, etc.
However, some of the steps they’ve taken may have been based on wrongly held beliefs about mobile security. Since mobile technology and the techniques cyber criminals use to steal data change quickly and frequently, what was true yesterday may not be true tomorrow.
Right now, these are three commonly believed mobile security myths that could be getting in the way of companies’ plans to protect data:
1. Software in official app stores is always safe
All of the major platforms have protocols in place to keep mobile malware out of their official app stores. However, as hackers become more sophisticated, they’re finding ways around those gatekeepers.
For example, it was recently discovered that 32 different apps in Google Play, the official Android app store, had been infected with a piece of mobile malware known as BadNews.
BadNews is an Android virus that has disguised itself as a legitimate advertising network and been embedded into those affected apps. The ads displayed by BadNews link to phony app updates, and once those updates are installed, they secretly send SMS messages to premium rate numbers.
This isn’t the first time an Android virus has made it into Google Play, either. In fact, one study estimated that 25% of the apps in the store pose some kind of mobile security risk, either because they are outright malicious or simply collect enough personal data to cause privacy concerns.
And last year, security firm Symantec discovered two apps in the store that were actually Android viruses in disguise. They were quickly removed, but not before tens of thousands of users downloaded them.
The lesson: Rather than blindly trusting all apps in an official store, users need to keep an eye out and avoid red flags any time they install a mobile app. An app’s user reviews and the number of downloads it has should be a good indication of whether there’s reason to be suspicious.
2. Only Android devices are at risk
It’s no secret that the majority of mobile malware targets Android devices. That platform’s more open nature makes it an easier target for attackers than Apple’s iPhone and iPad. And Windows and Blackberry phones may not have the kinds of numbers that attract criminals’ attention at this point.
But that doesn’t mean that only Android users are open to mobile security attacks. There have also been some security concerns with Apple’s iOS.
For example, some groups have become worried about the privacy of Siri after it was revealed that Apple stores users’ voice clips on its own servers for up to two years. That led IBM to ban the use of Siri in its BYOD policy.
In addition, some experts have warned that Siri must be properly configured on users’ iPhones to prevent potential security pitfalls.
By default, Siri can be used when a phone is locked, so it’s possible that someone may be able to use the feature to obtain information from a lost or stolen phone without having to get past the lock screen. For example, Siri might be used to access text messages, emails or other documents on a locked phone.
That can be prevented by accessing the “Passcode Lock” option under the “General” section of Siri’s settings and turning the “Allow access to Siri when locked with a passcode” setting to “OFF.”
However, a YouTube video was posted recently revealing how to bypass an iPhone’s password lock and access some of the phone’s information. That came right after Apple released an update to patch a different password lock flaw.
The bottom line: Users can avoid some mobile security issues by choosing a different device, but as smartphones become more common, they are all coming under some kind of attack.
3. Users won’t follow security policies
Some companies may be wary of BYOD because they assume that users won’t follow security policies when they’re using a personal smartphone that the organization can’t control. Often, that means the company will have no BYOD policy — and users will bring their devices in anyway.
In other words, those companies are still allowing BYOD, but without managing the risks and reaping many of the benefits.
That may be a big mistake. The truth is that many users are willing to follow security policies if it means that they’ll be allowed to use their personal smartphone at work. In fact, one study of federal government employees found that 57% were willing to have IT certify a personal device as secure and would pay for necessary security upgrades in order to get approval.