Underlying vulnerabilities in mobile device software have also opened the door to potential security breaches. In an article describing mobile application security flaws, Westervelt (2010) wrote that many of the vulnerabilities discovered in mobile applications were similar to those found in early web applications. The Homeland Security Newswire published an article on the 'new' cybersecurity threat of smartphone apps that do more than they say they do. The article discussed the mobile security firm Lookout, which started the "App Genome Project" and scanned hundreds of thousands of apps for malicious code. They did this to gain insight into what apps are doing and to understand whether "bad things are happening in the wild" (HSNW, 2010). Many apps contained hidden code used mainly for analytics and advertising; nevertheless, the project demonstrated how easily code, malicious or otherwise, could be hidden or embedded in a mobile application.
Both vulnerability assessments and penetration testing will need to be adjusted to accommodate mobile devices, both company-issued and personal devices, whether authorized or not. Stricter security policies will be required, and the connection of non-company-issued devices to an organization's infrastructure will need to be examined more closely. This means that the network scanning activities typically carried out during vulnerability testing must be refined to include mobile connected devices. The scope of penetration testing can include physical and communications exploits as well as system exploits (Bosworth, 2009). Mobile device technology forces that scope to change dramatically, as the nature of possible exploits and the methods by which they are introduced can differ greatly from those of traditional technology devices. In addition to changes in vulnerability assessments and penetration testing, other changes within the organization can reduce the risk of exploits: employee education, stricter security policies regarding the usage of mobile devices, separate rules governing company-issued and personal hardware, and technical restrictions that allow only certain individuals or groups to connect such devices to the network.
- Bosworth, S., Kabay, M. E., & Whyne, E. (2009). Computer Security Handbook, Volume 2. Hoboken, NJ: John Wiley & Sons, Inc.
- Homeland Security Newswire. (2010, July 29). New cybersecurity threat: smartphone apps that do more than what they say they do. Retrieved from http://www.homelandsecuritynewswire.com/new-cybersecurity-threat-smartphone-apps-do-more-what-they-say-they-do
- Westervelt, R. (2010). Mobile application security flaws a repeat of past mistakes. SecTor 2010. Retrieved from http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1522769,00.html