87 percent of companies rely on smartphones and business apps – the overwhelming majority of which are BYOD. Maybe because they’ve been gaining an extra 240 hours of work per year from employees? Or maybe because it’s a seemingly simple way to save on budget (an average of $350 per employee, per year).
Just like they’ve changed our personal lives, smartphones and tablets are also transforming the workplace. They’ve got tremendous benefits in terms of flexibility, mobility, and connectivity.
But like everything, they don’t come without risks.
Mobile devices are a favorite target for hackers for many reasons. Read on to discover the special security challenges created by mobile devices, what mobile pentesting accomplishes, and why mobile device management (MDM) solutions often fall short.
Threats to mobile apps have been increasing in the past several years and they experienced a spike during the pandemic. Research in the last months of 2019 showed that 72 percent of fraudulent activity and breach attempts involved apps. In the first quarter of 2020, app incidents climbed to 26 percent from 13 percent, making apps the number one means through which hackers attempted to access data.
It’s easier to phish on small screens as users may not be able to see details that would otherwise signal an email as fraudulent. While errors like spelling mistakes or grammatical errors are easier to identify, some indicators like fake domains and fake email signatures are harder to detect on mobile devices. Typically, mobile devices don’t display the sender’s address in the view window, so the user would have to know to actively check the address rather than rely on the sender making a mistake in the body of the email.
Mobile devices (and their applications) are typically designed for entertainment rather than security. Users purchase and engage with their phones and tablets for social media apps, video streaming and reading. The average user is not aware of where potential threats could lie in their applications, or even of what data they are providing (such as their name, email addresses, IP addresses, in-app behaviors, etc.). Research shows that 28 percent of smartphone users don’t even use a screen lock.
The general public mistakenly assumes that manufacturers handle security. And while these companies often tout a commitment to data privacy, there’s actually no convincing evidence that mobile devices from one company are more secure than others.
Quantity Over Quality
App stores hold such a high volume of apps, with potentially thousands of new apps coming into the online store every day. Google Play alone has 2.7 million available apps. As such, these stores can’t vet each app that comes through, and they have to rely on some level of trust.
Malicious hackers have no qualms uploading their malware packaged as a legitimate app. A study late in 2020 found that 67 percent of all malicious apps on Androids came from the Google Play Store.
Public Wi-Fi is everywhere these days, and most people don’t think twice about connecting to it. Hackers know this and often exploit data sent through unsecured and unencrypted public Wi-Fi. In some cases, rogue hotspots are also used by hackers. These are fake hotspots set up in public areas to appear as real connections. In reality, they are just lures that let cybercriminals intercept data and inject malware into connected devices.
To address these issues in the workplace, many companies turn to MDMs. While they’re generally a good idea, they aren’t the silver bullet that many companies think they are. Here’s why.
MDM stands for mobile device management. It’s a platform or software that allows network administrators to monitor and manage devices. Businesses deploy them when employees rely on company-issued mobile devices to work.
While these advantages certainly are appealing for employers, especially in the work-from-home era, MDM solutions also present a few critical shortcomings.
MDM seeks to bolster security by making it difficult for malware to get onto the device in the first place. These solutions provide network administrators with visibility into each device, allowing them to feel like nothing is going unnoticed. In reality, this is creating a false sense of security as the device can still be susceptible to attack, even while under supervision.
An MDM is useless if:
MDMs are notoriously easy for hackers to compromise. Consider this 2019 attack, where a single compromised device allowed malware to spread unfettered. It successfully infiltrated around 75 percent of a multinational conglomerate’s mobile devices before discovery.
MDMs are easy to attack because they tend to be higher maintenance than other security solutions.
What makes an MDM high maintenance?
One key shortcoming of using an MDM is that your employees might resent the feeling of being watched. For many employees, it mimics the feeling of having a manager looking over their shoulder at any given moment. In fact, it’s the use of tools like MDMs that often leads employees to abandon company devices altogether, opting to use their personal devices instead (which host their own array of security risks).
Another major problem with MDMs occurs with Bring Your Own Device (BYOD) policies. Apple’s struggle with BYOD and its device enrollment plan illustrates the increasing incompatibilities between privacy, data ownership, and the need to protect corporate data.
Mobile pentesting is a specialized penetration testing service meant for mobile applications and devices. In this pentest, security professionals try to compromise your mobile apps to gain access to:
Unlike pentesting or penetration testing as a service (PTaaS) that targets your entire cybersecurity strategy or computer network, mobile pentesting only looks at potential vulnerabilities in your apps and mobile devices. This more targeted service means it’s a much deeper probe to discover anything criminals might exploit.
MDMs have their place in a security strategy, but they should be kept as just that – as a component of a complete, overarching strategy that secures your hardware and software from every angle.
As the better alternative to MDM, a mobile pentest delivers a few critical advantages:
An MDM solution combined with mobile pentesting can significantly bolster your mobile security posture. However, there are a few more things that you should do to ensure that sensitive data stays safe.
Whether you’re relying on company-issued devices or using a BYOD policy, do:
Mobile devices like smartphones and tablets are commonplace in many companies. They can deliver an extra degree of flexibility and connectivity for employees, empowering them to get more done on their own terms. However, companies still have very real concerns about the protection of sensitive data. As a result, they turn to mobile device management solutions.
We’ve revealed how MDMs aren’t necessarily the overarching solutions they’re often perceived to be. At best, they provide only a degree of protection while allowing for remote monitoring of employees. At worst, they create a false sense of security that hackers can exploit.
In contrast, mobile pentesting secures your device at the app level. Mobile pentesting finds flaws from an outside perspective and helps you build confidence in your application security.
Book a 30-minute meeting with our experts to discover what mobile pentesting can do for you.