Evil 8: Mobile Security Threats

CSA (Cloud Security Alliance), an non-profit organization with a mission to promote security best practices within cloud computing, has come up with a list of ‘Top Threats to Mobility’ from a cloud centric view point. These threats, named as ‘Evil 8.0’ by CSA, have been listed below. Though, these threats are cloud centric, they are very relevant to all mobile end users and enterprises which are not on the cloud.

 

1. Data loss from lost, stolen or decommissioned devices

Data leakage happens when devices with no or weak passwords and no or weak encryption are lost / stolen. Also device users may discard / sell their mobiles without permanently deleting the data on the devices while disposing them off.

 

2. Information-stealing mobile malware

When mobile users download apps from third party market place rather than from official market place of the OS, they undergo the risk of downloading malware. Most malware have been designed to steal data from the host device.

 

3. Data loss and data leakage through poorly written third-party apps

Certain data collection processes of applications are of questionable necessity. They collect data more than needed or advertised.

 

4. Vulnerabilities within devices, OS, design and third-party applications

Mobile devices mimic desktop computing in most ways and therefore carry vulnerabilities similar to desktops. The OS and applications may be susceptible to injection / exfiltration attacks. These vulnerabilities include weak coding techniques, weak password mechanism and weak encryption in the apps.

 

5. Unsecured WiFi, network access and rogue access points

Mobile devices largely use Wifi network. If these wifi network are unsecured, data transmitted can be easily tapped by hackers through freely available sniffing tools. Fake (rogue) wifi access points in public places like airports pose like genuine access points and thereby gobble up all the data traffic sent through them.

 

6. Unsecured or rogue marketplaces

Earlier we had seen malware being distributed through unofficial market places. Many unofficial market places are by themselves rogue market places to push these malwares.

 

7. Insufficient management tools, capabilities and access to APIs (includes personas)

The right level of access should be given for the right user. Anti-virus software may need low level access but may be denied thereby the anti-virus software may not have the ability to read programs in memory for real-time protection. The reverse is also possible, i.e user unlocking the phone completely to allow unauthorized app or user to read and modify all information on the phone including config settings.

 

8. NFC and proximity-based hacking

This threat is still in its proof-of-concept phase. In NFC (near field communication) communicate with other devices over short range wireless technology for sharing sensitive information like payment transactions, contact information and coupons. Because of their sensitivity they are highly vulnerable and are likely targets in the near future.

 

Comments are closed.