In 2012, mobile threats were a relatively small but growing percentage of overall web traffic.
The threat landscape was marked by a resurgence of classic scams, which typically attempted to convince users to part with sensitive information – the most popular being a replica of a bank's website.
However, malicious applications typify another sort of risk for mobile devices. These apps often exhibit malicious behaviour such as in-app purchases. Collectively, these threats don't break the security model of the phone, but simply act in a manner in which they were expected to perform – albeit for malicious reasons. 'Mischiefware', in the true meaning of the word!
Although mobile malware that breaks the security model of the device is still in its infancy, with little evidence of attacks beyond a few incidents targeted at Android, this will change dramatically in 2013. According to the IDG Global Mobile Study, 70 per cent of employees access the corporate network, while 80 per cent access email on personal devices.
In the desktop world, cyber criminals purchase exploit kits and utilise malware networks (malnets) to continually launch malware attacks. For mobile devices, however, exploit kits are not yet as common, and so established techniques such as spam and phishing are now successfully migrating to the mobile world.
A day of a mobile user
On average, a mobile user spends 72 minutes every day just browsing the mobile web. During this time, 12 minutes are spent with content related to computers or the internet, while the remaining 60 minutes are spent looking at a variety of content, ranging from social networking, shopping and entertainment, to business and economy.
Mobile users typically access more recreational content than they would on desktops or laptops. In fact, the request for recreational content for mobile users is almost twice as high. The most noticeable difference between these user behaviours occurs within search engines, where desktop users use search engines twice as much as mobile users.
On a desktop browser, users are able to see the complete web address and will quickly realise when the site is fake. This is not possible on all mobile devices. However, the availability of native apps changes the dynamic on mobile devices, making it easier to access the apps and features that are most important. As the mobile malware ecosystem expands, cyber criminals will spend less time targeting mobile users through search engines.
What can be done?
The uniform demand for a quality experience regardless of platform type is creating a split in the application market. Today, users will move between the web, mobile web and native apps – depending on which can meet their experience expectations.
For example, users are opting to use web or native mobile apps to access audio and video content, as these apps can optimise the experience better than mobile web versions. As a result, the search for the optimal user experience continues to condition users, and extends to the use of corporate apps on mobile devices.
As organisations introduce corporate app stores to better manage the applications on their networks, user experience will be a key driver of adoption.
From a security perspective, users will tend to go with the app that provides the best user experience – even if it is not the most secure option. For example, most organisations set size limits on email attachments, and so an employee faced with these limits could split the attachment into two separate files, or upload to Dropbox and just send the link.
This option is certainly not the most secure, and might even violate compliance with relevant regulations. If connecting through a VPN is cumbersome or provides poor performance, the user will find another way of accessing and sharing content.
By not paying attention to user experience, organisations can inadvertently create security gaps. It is crucial that organisations close the mobile gap on the network by ensuring a visible and consistently enforced policy across all three types of apps that may be running on the network:
- Web apps (such as desktop browsers)
- Mobile web apps (such as mobile browsers)
- Native mobile apps
As companies continue to adopt 'bring your own device' initiatives and allow employees to access corporate assets with their own devices, controls must be extended to those devices as well.
Chris Pace is director of product and solutions marketing at Blue Coat Systems