Mobile security does have a leg up on its desktop counterpart, though greater cooperation is needed.
Editor’s Note: With 2017 virtually upon us, RCR Wireless News has gathered predictions from leading industry analysts and executives on what they expect to see in the new year.
2016 was not a banner year for mobile security. To say security issues within operating systems gained widespread, mainstream attention is a bit of an understatement. Most recently, more than 1 million Google accounts were compromised by a new malware variant called Gooligan. But Android was not alone in its woes in 2016: when Apple had to rush out a patch to all iOS users due to a vulnerability that was not only discovered, but actually exploited in the wild, it meant we had reached a potential tipping point for the mobile security landscape.
That trend isn’t likely to reverse in 2017. If any brand was perceived as invulnerable before, that perception is now gone. It seems that regardless of your operating system preference (Android or iOS) the next massive vulnerability with a terrifying name (StageFright, Trident, Quadrooter, just to name a few) is just around the corner.
As we head toward the new year, the big question has yet to be answered – have we reached the point of no return with mobile operating systems? Will we continue to see similar vulnerabilities creep up in iOS and Android on a regular basis?
Secure, but not guaranteed
Though the headlines from this year might read as doom and gloom, the reality is mobile operating systems are still more secure than their desktop counterparts. When you take an objective look at both, it’s clear mobile devices still pose a much more difficult path for an attacker and are less likely to be exploited than your PC or laptop.
That mobile operating systems are more secure than desktop operating systems is no accident. Companies have purposely implemented strategies to ensure their systems are less vulnerable to attack. One such strategy is sandboxing, which aims to eliminate the impact of vulnerabilities within apps by making sure they operate in a contained environment and cannot access critical areas of the device, meaning that even if an app has a vulnerability, it cannot be exploited to impact the entire device.
Additionally, code signing of applications and surface hardening have been implemented to offer better protection. Code signing helps to ensure the source and author of an application are legitimate: it acts as a digital signature that allows users to know exactly who developed the application and whether it can be trusted. Surface hardening, on the other hand, is a defensive measure provided by developer tools and operating systems to protect against memory corruption attacks.
Even with added emphasis to ensure that mobile operating systems are more secure than desktops, they aren’t impenetrable and will remain an enticing target for sophisticated and well-funded attackers, as they offer the best possible environment to hide a malicious payload or backdoor.
Invisibility cloak (not that kind)
By design, companies like Apple have kept their systems fairly well guarded and have not granted security companies and researchers access to investigate the low-level internals of their mobile operating systems. While this design choice may be somewhat understandable, it means that researchers do not have deeper insights into the systems or any issues that might be lurking in there. Because of this, once penetrated, Android and iOS offer the perfect invisibility cloak for malicious payloads running at privileged levels. This was publicly demonstrated by the iOS vulnerabilities that were made public in late August that allowed for spyware and malware to be installed on iPhones with one click. The vulnerability, which was abused by NSO Group, would open up a victim’s phone to full-on surveillance.
Would more access ensure vulnerabilities are brought to light? Probably not, but there would be benefits to deeper investigation into the operating system’s infrastructure and kernel layer. Specifically, it would help researchers detect anomalies, from hidden processes to covert channels to malicious intent on a device.
A step in the right direction
While access may not change in the near future, there is hope for the year ahead due to increasing levels of cooperation between hardware, carrier and security companies. This added cooperation is helping by allowing for better intrusion detection in mobile operating systems. One such future offering, Qualcomm Snapdragon Smart Protect, takes detection one step further than antimalware apps and allows for behavioral-based detection. Built in at the processor level, Qualcomm Snapdragon Smart Protect will – in theory – be able to detect a variety of behaviors or irregularities within a device, thus triggering the alarm that a new vulnerability (zero-day attack) has been discovered.
If deployed on a wide level, Qualcomm Snapdragon Smart Protect could work similarly to an enterprise-grade host-based intrusion detection system to better identify mobile attacks, such as new variants of mobile ransomware. It would identify suspicious behavior, like an unknown app gaining access to the memory of the device and rewriting data, and would consider that a threat, detecting and protecting against it.
In the same vein, increased cooperation between security companies and carriers could greatly impact how mobile threats are detected. When a mobile security app is installed at the app level, it can only protect so much and can be easily removed. Instead, mobile security installed at the carrier level is much stronger and can provide consumers with much more comprehensive protection.
Back to reality
As long as kernel-level security tools like Snapdragon Smart Protect are still in the developmental phase, cooperation between carriers and security companies remains sporadic on a global scale, and researchers are prevented from accessing mobile operating systems, successful attacks will go undetected – possibly for years. In the end, homogeneous systems, such as Apple’s OS, will always be fragile in this sense. Without the ability to introduce diversity into the mobile ecosystem, companies cannot guarantee long-term security.
State- or quasi-state-sponsored attackers are well aware of this weakness, and we can be sure they are investing towards defeating both iOS and Android. Because of this, we can certainly expect additional vulnerabilities – in both iOS and Android – to be revealed in the coming year. The closed ecosystem ensures that the staying power of any successful attack will provide the best return on investment.