What is Mobile Security? Understanding Mobile Device Security

In this blog, we breakdown some of those factors unique to mobile devices, which include:

• Defining what mobile security is
• Why is mobile device endpoint security important?
• Out-of-the-box, mobile security is not enough
• How does mobile security impact organizations?
• Benefits of having a mobile security solution
• Mobile device security is a part of holistic security

Defining what mobile security is

Let’s start by explaining what mobile security means.

Mobile security refers to mitigating risks and the prevention of threats on mobile devices, including protecting the data and resources accessed and used by those them.

Why is mobile endpoint device security important?

Similar to computer-based security, as more users and organizations come to rely on mobile technologies for communication, collaboration and working while on the go, mobile devices are increasingly being leveraged to contain, process and/or transmit sensitive data. While this bears little difference to desktop computers in usage, the difference for mobile device security lies in that mobile devices provide new ways of performing personal and professional tasks, in turn introducing new forms of risk that endpoint security solutions designed for desktop computers may not and usually do not address comprehensively.

For example, given the nature of how mobile OS’s are designed, most malware targeting mobile devices thus far operate within resident memory once executed. Once a smartphone or tablet is power cycled, the memory is flushed, and the threat is removed until it is triggered once again. However, users seldom reboot their mobile devices, leading these threats to linger on, causing untold havoc.

Conversely, on desktop operating systems, malware works nearly identically, except that there exist multiple ways by which malware authors can establish persistence, allowing them to retain a foothold within the computer even after being rebooted. Therefore, endpoint security for desktop systems scans memory as well as the system itself for other Indicators of Compromise (IoC). Once identified, the remediation workflow executes to remove the threat.

Though both slightly differ, in the background there are significant differences in how endpoint security operates between mobile and desktop computing platforms. It is this difference, paired with the explosive growth of mobile security and the fact that, after all, mobile devices do utilize network connections to communicate with apps, resources and services over the internet, that poses a greater risk to securing data and end-user privacy. This includes acting as a conduit for facilitating larger-scale network-based attacks – as well as future attacks being actively developed – if left unchecked.

Out-of-the-box, mobile security is not enough

Many who follow our blog know how pivotal security and privacy play when using technology. One of the leaders of this discussion arguably is Apple, whose commitment to both is witnessed in its consistent inclusion of security and privacy frameworks that serve as a tentpole of the platform.

In fact, since its inception on the iPhone by way of Touch ID, Apple has included the security and privacy framework into every piece of hardware – mobile and desktop computing alike – ensuring that anyone using a device across its entire product line will find the same level of protection. However, discussing mobile device security requires Microsoft and Google, alongside Apple, and relates not just to smartphones but tablets and wearables as well.

Even with all their security-focused features in tow, ones like device encryption or biometrics as mentioned earlier, mobile security requires a comprehensive approach in order to keep mobile endpoints safe and ensure data security. This doesn’t imply an inherent weakness in the devices themselves but rather speaks to the nature of the evolving mobile threat landscape. Specifically, one that is impacted by dynamically occurring changes that are hard for organizations to keep up with. For example, in their rush to deploy mobile devices, many businesses overlook the following:

• Critical security protocols that expose them to potential threats
• Holistic endpoint security that addresses existing threats, as well as novel threats
• Rigorous security hygiene procedures that begin with device provisioning and deployment
• Ensuring mobile devices adhere to strong baseline settings
• Adherence to security standards that are crucial for maintaining organizational integrity
• Failure to meet/maintain compliance due to rapid adoption of cloud-based services
• Lack of understanding increased risk factors associated with the rise of hybrid work patterns
• How the expansion of native apps challenge the current enterprise mobility model

While we could go on about endpoint security in general, the focus of this blog is specifically on mobile device security and how the growth of this segment has led to mass adoption at a global level. Furthermore, said adoption has fueled incorporating mobile technology into many different industries, from education with a 1:1 program for students to supply-chain and logistics where they serve as invaluable tools to get supplies where they need to go fast and to remote/hybrid work environments in every industry, thanks in no small part to its blend of powerful computing and lightweight form factor. The ubiquitous design lends itself to helping users access critical resources at any time, from anywhere.

And therein lies the rub, doesn’t it? How does an organization manage mobile devices without diluting the powerful, yet easy-to-use platforms while at the same time not compromising security at the expense of convenience? Or how about the common tradeoff that occurs when incorporating security by ensuring that it does not compromise end-user privacy in an all-consuming aim to secure mobile devices?

As we’ve seen historically, sadly there’s usually a tradeoff when implementing a mobile security plan. The compromise to efficiently being able to work from anywhere is often mobile security as organizations typically fall into the trap of over-protecting or under-managing. Regardless of the category your company falls into, however, the end result remains the same: devices, users and data are left vulnerable.

By ensuring that data security and privacy are always at the forefront (and never an afterthought) of any process running on mobile devices, they don’t have to be.

How does mobile security impact organizations?

Like cybersecurity in general, mobile device security affects multiple aspects of an organization — not just its devices, users or data — though these are certainly factors that are critically affected and often what you hear about most in the media. Some of the other ways a lack mobile security impacts organizations are:

• Loss of company integrity and its public perception/reputation
• Ceasing of business operations and preventing business continuity
• Leaking of confidential information, like trade secrets
• Civil and/or criminal liability stemming from violating compliance regulations
• Device compromises that lead to lateral network movements and subsequent data breaches
• Unauthorized access to protected user data, like PII and PHI
• Hindering the potential of mobile workspaces and distributed workforces

It’s important to note that, while any or potentially all of these security issues may impact your organization, this information is not intended to scare, but rather to inform. Being aware of the mobile threats that exist and how they impact organizations is the first step toward implementing a defense-in-depth strategy that holistically and comprehensively manages mobile devices while mitigating the current and growing list of mobile threats.

Types of mobile device security threats

Below is a list of key threats affecting mobile device security. By no means is this list exhaustive or future-proof but does provide insight into various types of threats so that IT and users alike have a better idea of the vulnerabilities and attack campaigns threat actors are currently leveraging when targeting mobile endpoints.

• Phishing: Social engineering, or campaigns that leverage SMS, email, phone calls, social media and messaging software that tricks end users into divulging sensitive information, such as passwords, or gets them to click on malicious links to compromise mobile devices.
• Malware: Malicious code or applications that compromise the security and privacy of endpoints and users respectively in order to achieve a particular means, or several of them, depending on the malware type or how they’re combined. Examples are:
  • Ransomware: Encrypts private data and prompts the user to pay a ransom for the decryption key or risk losing data forever.
  • Spyware: Gathers information on users, such as what websites they visit, logs keystrokes and copies cookies to allow actors to attack their devices and hijack their sessions.
  • Adware: Delivery of advertisements for products and services to get users to click on them to further compromise a device. Also used to deliver malware to devices.
  • Stalkerware: Similar to spyware, data gathering takes steps to include webcam, photos, telephone and text conversations to track user’s whereabouts, including leveraging GPS to physically track victims.
  • Cryptomining: A tiny program that utilizes hardware resources to mine cryptocurrency for bad actors. Reduces performance and may impact normal device operation.
  • Potentially Unwanted Program (PUP): While PUPs do not have to be malware, typically unwanted apps are packaged together, residing unbeknownst to the user on their device, possibly leading to greater security risks in the future.
  • Trojan: Programs that are masking their true intention, such as malware being repackaged as a legitimate app. Additionally, several trojan apps are legitimate apps that have been cracked (has their internal security broken) to include malicious code. These may be distributed via third-party app stores as free versions of commercially licensed software.
• Loss/Theft: Mobile devices, by nature, are typically removed from offices and/or homes, taken to remote locations to work from alternative locations. This increases the likelihood that mobile devices are lost, misplaced or targeted for theft by criminals, placing the contents of those devices – sensitive data and privacy information – at risk of compromise.
• Man-in-the-Middle (MitM): Also known as “eavesdropping”, this attack is quite common wherever unsecured Wi-Fi hotspots are available. This allows unsuspecting users to connect to unencrypted wireless networks, where attackers may intercept their communications and/or leverage it to gain access to their devices.
• App Permissions: Granting app permissions to resources is not uncommon nor a big cause for concern generally. However, when apps are granted improper permissions or these apps abuse the permissions granted, this may lead to violations of privacy and/or data exfiltration.
• Patch Management: Updates to apps, the operating system and hardware components are made available by developers to fortify the software and hardware, protecting it against known attacks by mitigating vulnerabilities. Without updates in place, devices and apps may become vectors for attacks, compromises and further data breaches.
• Weak/No Passwords: Weak passwords that are easily guessed, not changed from their default or simply not enabled at all represent the “low-hanging fruit” for bad actors. Sometimes, the only protection standing between a compromised device and one that has not been compromised is a strong, unique password to keep data safe.
• Encryption: Fitting hand in glove with weak/no passwords and device loss/theft above that, encryption is often considered the last bastion of security when a device is no longer accessible. Whole disk encryption scrambles the internal data using powerful algorithms that are nearly unbreakable (or may take a few thousand years, give or take) when a strong, unique password is enabled, utilizing multiple key spaces for greater complexity.
• Unsecured Connections: Open Wi-Fi hotspots do not offer any security protection – just internet access. This leaves your devices, data and the network connection being used to communicate all open to threats. It also leaves the resources you’re connecting to on the other end open to attack as well. Securing untrusted connections via VPN encrypts transmissions and connects to endpoints within a secure tunnel to keep free from unauthorized access. Zero Trust Network Access (ZTNA) offers the security of a VPN, while also providing device health checks before granting access each time a resource is requested.
• Misconfigurations: Misconfigured devices, those that have kept default configurations in place or have fallen out of compliance are at a greater risk of being compromised by threats than those that have been hardened against common threats by limiting the available attack surface of your mobile device.

Benefits of having a mobile security solution

Let’s start with the most obvious reason, though it may seem like two reasons, they both go hand in hand as mobile device adoption rates worldwide have and continue to grow at breakneck speeds.

Just how deep is mobile penetration, you ask? According to a survey performed by Statista, in 2023, “the current number of mobile phone users is 7.33 billion, which makes 90.97% of people in the world cell phone owners.” If we factor out feature phones, choosing to only account for smartphones, then “the current number of smartphone users in the world today is 6.92 billion, meaning 85.88% of the world’s population owns a smartphone.”

That figure represents only smartphones. Despite taking a majority of the market share in the mobile device space, it still leaves out other popular device types, such as tablets and wearables, like smartwatches. Each of these devices are also being utilized by users for personal usage as well as at work.

Each mobile device that:

• Processes business data
• Uses work-related apps
• Accesses organizational resources
• Connects to company networks

Even if doing so alongside apps and data for personal use, that isn’t properly managed and secured, poses a risk to the enterprise, compliance and the user’s privacy.

A comprehensive mobile security strategy — one that integrates alongside your existing Mac environment — that provides a holistic management and security plan ensures that:

• Protection extends uniformly across the infrastructure
• All endpoints are secured against modern and evolving threats
• Business resources and user privacy data are safeguarded, regardless of whether devices are company- or personally-owned
• Users can work from anywhere, on any device and over any network connection securely
• Ever-increasing risks impacting devices, users and data are effectively mitigated
• Organizations maintain compliance with regulations

Types of mobile device security solutions

If you haven’t guessed yet, there are a lot of real and potential threats affecting mobile security. And if it continues its rate of growth, it is estimated that approximately 8+ billion mobile devices will exist globally by 2024. While it’s unlikely that every single one of them will be attacked, any attempt to quantify a figure will be pure speculation given the number of variables.

What is known are the mobile security solutions available, how they work and why they’re necessary to protect your mobile fleet and keep your users, devices and data safe and secure.

• Zero Trust Network Access: ZTNA as its referred to, secures network communications similar to VPN, while providing additional safeguards that protect resources, such as apps and services. With built-in device health checking, IT gains granular insight into devices, including patch levels, if devices are compromised or affected by malware and whether they meet organizational requirements, before access to individual resources is approved. Resources are segmented from others for the purposes of maintaining security; this way, if a user’s access has been compromised for a particular app, only that app is affected and users may continue to work on other resources without fear of lateral movement compromising other resources. Devices failing health checks are denied access, then placed into remediation where the issues are mitigated before access can once again be granted.
• Mobile Endpoint Protection: Preventing malware is just one part of the mobile device security equation. Mitigating threats from phishing, by identifying and blocking domains that leverage malicious URLs in their campaigns and zero-day attacks is a significant step forward in protecting your mobile fleet. Further security from network-based attacks, such as MitM, as well as compliance checking that allows organizations to align requirements to Acceptable Use Policies (AUPs) to minimize misconfiguration of settings through policy-based management further strengthens your device’s security posture and that of your infrastructure – regardless of whether it is local, cloud-based, public and/or private – or a combination thereof.
• Website Content Filtering: Implementing intelligent content filtering of malicious websites to not only minimize the threat from phishing websites, but additionally the reduction in legal exposure from inappropriate use and/or illicit websites while leveraging network-aware security controls that safeguard cellular, wired, roaming and Wi-Fi connections provide an additional layer of protection. Seamless scaling across multiple management models, such as BYOD/CYOD/COPE, for enforcing AUPs on company-owned and personally owned devices alike ensure that organizational resources are protected equally as is end-user privacy – not at the cost of one another.
• Patch Management: No device management would be complete without discussing the apps and devices through their lifecycle. Ensuring that both are sourced and updated, that critical configurations are set properly and consistently across all device types, all while providing a centralized management platform that allows end-users the flexibility to do their work from anywhere, at any time without placing limits on their efficacy – and simultaneously permitting IT and Security teams to quickly respond to any number of issues in real-time. And let’s not forget the capability of supporting the very latest security features, new functionality and software updates from day one.

Mobile device security is a part of holistic security

If your company secures Mac computers, why are you not securing mobile devices?

Regardless of your industry or regional location, organizations worldwide have and continue to adopt Apple devices for work. Consider that in 2021, Apple’s annual revenue was $365.8 billion dollars! The percentage of that revenue generated from iPhone (51.9%) and iPad (8.8%) combined sales was 60.7%. The Apple Watch alone sold more than iPad and Mac (9.8%) individually, accounting for 10.4% of the total revenue.

There’s clearly a demand for mobile devices running iOS and iPadOS, among others running Windows, Android and ChromeOS. More devices equals a higher potential of introducing risk into your organization.

If they are different, why do they need the same level of security?

Well, they are computing devices after all and more to the point, ones that utilize and rely upon the same types of apps, services and processes to get work done safely and securely. Sure there are differences in the ways which mobile device and desktop computer operating systems handle certain processes or the workflows by which users can be productive within these respective OS’s, but make no mistake — they share just as many similarities when it comes to data security as they share differences — making it critical for admins to embrace the similarities while minimizing the risk that the differences could introduce if left unchecked.

How do mixed environments, using personally- and corporate-owned devices, impact mobile security?

For organizations that do not have a mobile device security plan in place, the reality is that there is little difference discerning personally-owned devices from corporate-owned ones when viewed through the lens of risk management. Without the comprehensive protections in place to prevent malware, secure network connections or separate business data from personal data with segmented and encrypted volumes, organizations will experience great difficulty in determining if a device meets compliance, is authorized to access sensitive resources or has opened the door to a data breach after a unpatched vulnerability has been exploited by threat actors.

In other words, IT and Security teams lack the necessary insight into device health in real-time to truly understand the security posture of the devices themselves or how that impacts the organization’s overall security posture.

Now, let’s flip this around. Your organization does have a mobile device security plan that’s integrated alongside the larger, holistic security plan. How does that change things?

For starters, there’s protection against modern threats. Not just ones that impact desktop or mobile operating systems, but rather all supported platforms — regardless of the device type or ownership model. Next, there’s coverage that protects the infrastructure comprehensively. It spans across devices, users, resources and data repositories to ensure that security is a fundamental requirement that is addressed top to bottom and end to end.

What are the use cases for mobile?

It used to be that mobile devices were not really used by consumers, let alone for business. This goes back almost a decade until the smartphone began to gain the interest of enterprise users, like those that relied on Blackberry to communicate over IM and email while on the go.

With the release of the first iPhone in 2007, users took to the sleek device with its promise of desktop-like features without carrying around a laptop or something far heavier. Years later, the rise of native mobile applications, increased adoption of cloud-based services and greater performance and efficiency have effectively placed a thin, lightweight computer in the pockets of billions of users globally.

Mobile devices have expanded since then, to encompass tablets and smartwatches, to greater fanfare and some incredibly simple yet powerful workflows that help keep users productive — working smarter, not harder.

Any scenario is a use case for mobile. That said, some of the more commonly seen ones by industry are:

• Healthcare: Health practitioners have taken to mobile technology to perform wellness checks through tele-health sessions with patients.
• Education: Students rely on 1:1 programs that have transformed how teachers deliver lessons while effectively exchanging multiple books, paper, pencils and other materials for a tablet.
• Logistics: Cloud-based services combined with tablets and smartphones allow teams to manage inventory, ensure manifests are accurate or track product shipments anywhere across the globe.
• Retail: Large, clunky POS systems and antiquated credit card imprint machines have given way to thin, large screened mobile devices that simultaneously handles sales transactions, keeps a database of customer information, provides up-to-date inventory data in real-time and does it all with a tap or two.
• Finance: The FinTech industry has adopted mobile in ways that make it easier than ever before for consumers and businesses to keep track of their financial standing and myriad investments, all without having to stand in line at the bank.
• Sales: Long the trappings of the road warriors, mobile devices lend themselves to greater performance while sipping battery power and allowing teams to keep in contact from just one, lightweight device.
• Aviation: Pilots must carry nearly 40lbs. of documents, like navigational maps and aircraft manuals in their kitbags. With the adoption of tablets, the clutter and weight was reduced to 1.5lbs as part of their electronic flight bag.

Why is now the right time to invest in mobile device security?

When it comes to security, there’s an aphorism, more anecdotal in nature that identifies the time before a security incident as being the time when businesses do not feel the need to invest in protection because it’s deemed an unnecessary expense…until a security incident occurs and then, businesses are much more willing to throw money at the incident in order to make it go away.

Simply put: when things are quiet, it’s easy to lose sight of the good endpoint security is doing because security incidents are being mitigated.

Another way of looking at it is that the best time to invest in mobile security is not when your organization is under attack, but rather when IT and Security teams can work together to properly implement the technologies they require to address the unique requirements of the organization without hasty measures being taken to “clean up the mess as quickly as possible.”

Conclusion

Mobile security is a critical, sometimes mismanaged and often overlooked aspect that is part of a greater, holistic security plan. One that comprehensively protects devices, as well as users and business resources, from the modern threat landscape that includes current and novel threats.

Exacerbating the mobile device security dilemma is the fact that user adoption of mobile computing devices continues to rocket with global adoption rates that are second to no other hardware technologies. The increase in devices married with the advancements in mobile technologies means that greater usage and reliance across platforms and touching just about every industry.

When combining the above with continued business migrations toward distributed work forces and the increased targeting of mobile devices by threat actors, organizations shouldn’t want to protect their entire fleet of devices — company- and personally-owned alike — from threats…they need to protect their infrastructure to remain compliant and keep resources safeguarded.

And one of the keys to protecting your environment lies in the integration of mobile security alongside your existing security strategy to ensure there are no gaps in protection — just seamless security that protects all your endpoints without compromising the efficacy of solutions or impacts to user privacy while upholding the user experience.