It is no easy feat to recall going through life
without the vast variety of mobile devices that are now part of our day-to-day.
What is more, it is downright impossible to imagine a future without these
devices. Recent times have been marked by a diversity of trends that revolve
around flexibility and that have by now become well established: Bring Your Own Device (BYOD), Choose Your Own Device (CYOD), Bring Your Own App (BYOA) and
Bring Your Own Cloud (BYOC), among others.
Along with our growing dependence on these devices,
we have been witnessing new advances, both in hardware and software
architectures, which clearly demonstrate that Moore’s law
continues to apply. These developments have been accompanied by a large body of
research aimed at enhancing mobile security.
However, the prevailing public perception still
views even the most capable phones as less secure devices than the average
desktop computer, even with applications running in sandbox environments and
with operating systems that are increasingly focused on security.
A quick analysis – whether of controlling physical or logical access,
authenticating digital identities, hosting software tokens, or even using mobile phones as tools for
verifying transactions on desktop computers – shows that mobile devices have by
default an equivalent or better security posture than ordinary computers.
If properly managed and protected, mobile devices
are an effective platform for securing digital identities and online
transactions. This is courtesy of a number of factors, including:
· Mobile devices are not an easy target
The properties of desktop malware – involving
application-to-application migration, keylogging,
and memory hooking – are still not present in the vast majority of samples of
mobile malware. In addition, mobile vulnerabilities tend to have a short life
cycle.
· Mobile devices have a smaller attack surface
Mobile malware and the exploitation of vulnerabilities usually
target specific hardware, firmware and operating system versions, which reduces
the likelihood of large-scale compromises and, thus, the likelihood of
profiting from them.
· Mobile devices have a security-based architecture
These days, devices that are not rooted or
jailbroken are more secure thanks to a multilayered approach that is central to
the development of mobile operating systems. The applications installed on the
phones are digitally signed, which determines the privileges of each app
together with the permissions that the user can grant to them individually.
· Mobile devices use sandboxing techniques
The apps are executed in sandbox environments,
which means that, in principle, they cannot share, or gain access to, data
belonging to other apps. This is an important feature that helps defend against
sophisticated mobile malware.
· Legitimate apps are ‘centralized’ in official stores
The success rate of app review processes by
official stores is up for debate. However, there is no doubt that, with
legitimate software available ‘under one roof’, software installation processes
are simplified and the risk of installing malicious code is reduced.
· Mobile data networks are more secure than public Wi-Fi
Sometimes we’re in coffee shops or shopping centers
when we need to carry out transactions that involve sensitive data, such as
buying online or checking our bank accounts. In these situations, using the
data network of our wireless carrier is certainly better than connecting our
device to any open Wi-Fi network.
· Mobile devices are easily integrated with security-enhancing solutions
Solutions offering digital certificates, single-use
codes known as one-time passwords (OTP) or application-specific PIN-unlock
options further enhance the security of your device.
Granted, not all that glitters is gold, and mobiles
also come with some drawbacks in terms of the protection of information. There
are a number of risks that users may face when trying to secure their
information on mobiles and tablets, including software updates that are
dependent on the manufacturer and may never be deployed, the difficulty in
analyzing the properties of digital certificates when browsing, a large amount
of malware that sneaks into official stores, vulnerable apps, increased susceptibility to theft, loss or
breakage, etc.
The truth of the matter is that, these days, it is
difficult to expect any device, user or application to be infallible. A great
deal of the security that a system provides is determined by the configuration set
by the user and by the way in which he or she uses it. After all, many threats
that result in millions of compromises begin with a fraudulent email, a phishing website, or an instant message within (not
necessarily complex) multi-platform social engineering schemes.
When all is said and done, it is useful to bear in
mind the vast opportunities afforded by mobile devices that we carry in our
pockets, and know how to make them safe to use.