The fragile security of the mobile ecosystem

Mobile devices such as smartphones and tablets have become indispensable in our daily lives. In fact, in Q4 2015, smartphones accounted for around 75 percent of all mobile phones sold worldwide, and the total number of mobile subscriptions at the end of 2015 was around 7.3 billion. Furthermore, according to the Ericsson Mobility Report issued in February 2016, we can expect an additional 3 billion smartphone subscriptions by the end of 2021.

What about security?

While vendors are hard at work getting the most fashionable devices ready for every shopping season, security is usually an afterthought. This creates problems for consumers, whose mobile devices are increasingly used for financial transactions, and generally contain personal information. To make things worse, users are rarely aware of the dangers posed by devices with outdated software.

To be fair, it is very difficult to properly communicate and comprehend the impact of a vulnerability, and it is very easy to sensationalize vulnerabilities, according to Seth Hallem, CEO & co-founder, Mobile Helix. “The providers’ path of least resistance is to communicate as little as possible. Unless there is a vulnerability of such scale that it cannot be kept quiet or its discovery by a third party might lead to a significant legal problem, there is ample motivation for providers to be apathetic in communicating vulnerabilities to consumers,” he concluded.

Can the government help?

In order to understand the security of consumer mobile devices, the Federal Trade Commission (FTC) has issued orders to eight mobile device manufacturers requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.

The companies that will receive these orders from the FTC are: Apple, Blackberry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility, and Samsung Electronics America.

Among the information recipients are required to provide are:

• The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device
• Detailed data on the specific mobile devices they have offered for sale to consumers since August 2013
• The vulnerabilities that have affected those devices
• Whether and when the company patched these vulnerabilities.

“These inquiries demonstrate that it’s no longer safe to assume that having security on a device-only level is sufficient. The FTC will place increased pressure on vendors to speed up the deployment of security updates. This will also force IT departments to revamp their internal policy around BYOD, putting more restrictions on what types of devices their users can bring into the workplace,” Kia Behnia, CEO of PowWow Mobile, told Help Net Security.

Mobile OS market

Android continues to dominate the smartphone market. The latest smartphone OS data from Kantar Worldpanel ComTech for the three months ending with March 2016 shows Android’s continuing sales growth across the US, Europe and China.

Market dominance doesn’t equal increased security. Quite the contrary, since a larger pool of users entices cybercriminals to focus on attacking that platform.

While 84 percent of devices are using iOS 9, only 7.5 percent of Android phones are running Android 6.0 Marshmallow. These numbers demonstrate the unfortunate situation in which a great deal of Android users find themselves, as they’re unable to update their devices to the latest version, which doesn’t just come with features, but also security updates.

“Currently, the only way to get an updated OS is to upgrade to a newer device. This seems to benefit both the device manufactures and the carriers – a guaranteed revenue stream from the security conscious. But if you are not due for a ‘free’ upgrade of your smartphone, you are not likely to get the important OS update that will protect you from know vulnerabilities,” says Andy Hayter, an independent security evangelist.

“It remains to be seen if the FTC and FCC have the power (or guts) to force the mobile device manufactures or carriers to step up to the plate to increase the security of our mobile devices. Apple does a great job at this, so I suppose this is mostly directed at Android devices,” he concluded.