Understanding Threats to Mobile Computing

There was an interesting talk by Ken van Wyk on threats to mobile devices at the FIRST/TF-CSIRT meeting last week. While it’s tempting to treat smartphones just as small-screen laptops (let’s face it, users do!), there are significant differences in the threats to which the two types of devices are exposed. These need to be recognised in any plan to secure the devices and the information they store and have access to. OWASP have therefore used Microsoft’s STRIDE threat model to analyse mobile devices, come up with a list of the top 10 risks to them and their information, and suggest things that can be done to reduce those risks.

The two major differences between smartphones and laptops are

  • Smartphones, being smaller, are much easier to lose, and
  • Smartphone applications tend to make less use of encryption when storing and transmitting information.

Clearly those two differences combine to make security issues a lot worse: if a device is easy to lose, and so more likely to come into the wrong person’s hands, then encrypting the information on it should be more important, not less.

Unfortunately even though most smartphone platforms do offer secure containers, file permissions and encryption, these aren’t commonly used. This is particularly unfortunate as users tend to treat smartphones as universal authentication devices – it’s very tempting to store all your passwords on a device that feels psychologically attached to your body (despite statistical evidence that it isn’t). Unless you, and the developers of the applications you use, know what you are doing, that could be a really bad choice. Storing sensitive information on the removable storage device is a particularly bad idea – not only can a storage card be removed and read on another device, but the filesystem most commonly used allows any application on the phone to read any file, so a single bad application can compromise all the information on the storage card.

The whole point of a smartphone is to communicate, so you might expect things to be better there. Unfortunately the story is the same: phones can do encryption, but very often don’t. For some reason a lot of known good practice from computers and wired networks, such as recognising that session authentication tokens are just as important as passwords or that certificate validation failures indicate a problem, doesn’t yet seem to have caught on for smartphones, even though the networks they use, being based on radio transmissions, are more likely to expose information to unwanted listeners.
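To make the certificate-validation point concrete, here is an added example (not from the original post or from OWASP): in Python, the "trust anything" TLS configuration that silences validation failures beside its corrected form, with a small audit function a reviewer can run over a client's TLS settings. The same pattern exists in mobile HTTP clients; the fetch function, URL and token are illustrative.

```python
import ssl
import urllib.request
from typing import List

# Constructed example: weak and corrected TLS client configuration,
# plus an audit that flags the weak settings.

def trust_anything_context() -> ssl.SSLContext:
    """Weak configuration: validation failures are silenced, so any
    server (including one intercepting traffic on the same radio
    network) is accepted and the session token is exposed to it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Corrected configuration: the certificate chain and hostname are
    verified against the platform trust store; legacy TLS is refused."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for weak settings; an empty list means none found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: hostname not matched")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLSv1_2: legacy TLS allowed")
    return findings

def fetch_with_token(url: str, token: str, ctx: ssl.SSLContext) -> bytes:
    """Send a bearer token over TLS (illustrative). A validation failure
    raises ssl.SSLCertVerificationError; let it propagate rather than
    retrying with trust_anything_context(), because the failure itself
    is the signal that someone may sit between the phone and the server."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()

if __name__ == "__main__":
    for name, ctx in (("trust-anything", trust_anything_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no weak settings"])
```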

The good news is that many of the OWASP mitigations can be achieved by individual smartphone users choosing carefully which applications they use and how they use them. However, this would be easier if smartphone developers took note of the OWASP recommendations and implemented them in their products.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
