Mobile Devices and IT Security

With the first examples of in-the-wild phone malware beginning to circulate through compromised mobile applications, it is important that we begin to consider what information we can share with our user community to help protect not just themselves, but also the data they create and share through these devices.

Recently, the Android app store removed 50 or more applications found to have been infected by the DroidDream trojan. This malicious code was embedded in innocuous applications, mined data about users, and reported that information back to command and control nodes through the phone's wireless network. It was not a single incident: other malicious software such as "SpyEye" and "GoldDream.A" preys upon users' text and SMS messages.

Even when our user community is not performing business functions on these devices, the IT community here at OSU needs to begin investigating tools and techniques for safeguarding the organization. Device vendors and service providers are beginning to recognize the need to protect smartphones and other devices. AT&T and Sprint both recently began working with anti-malware vendors like McAfee and Juniper Systems to address these emerging threats.

The university does not at this time have a standard tool or technique for protecting our users and their mobile devices. However, here are some suggestions you can make to your faculty and staff while our organization evaluates its approach to these issues and renders direction.

Tools:
Lookout Mobile Security - this free tool for Android phones has limited capabilities but is known to protect against common forms of Android malware.

Security Approaches:
Most users fail to recognize that smartphones and mobile devices carry many of the same risks as laptops or desktops. They understand the need for security software on their computers because we've done a pretty good job of instilling that expectation into their business practices over the last few years. It's time to do the same thing for smartphones. Users of these devices should be encouraged to adopt security settings and to be just as cautious about installing "unknown" or "unverified" applications on their phones as they would be about installing software on their PCs.

Many of the same concerns about how to detect legitimate applications exist in the mobile world as on the PC, but in general we need to begin talking about how we discourage users from exposing themselves to undue risk by grabbing every free application available. Free is seldom really free; there are often hidden strings.

Using new devices is always a struggle between convenience and expertise. We don't expect users to become security professionals just to install the latest Angry Birds clone, but in this new frontier of mobile devices we need to help them understand the risks inherent in early adoption. We need to help users understand that applications that run games don't need the same privileges as system software, and that blindly agreeing to permissions just so they can jump into that game or cool application is the kind of naïveté that the bad guys rely upon.

When downloading an app, users should pay attention to the permissions it requests. For instance, most games don't need access to your email app or your contact manager.
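For IT staff asked to look over an app on a user's behalf, the permission check described above can be done against the app's manifest. The following is an added example, not part of the original article: it assumes the manifest has already been decoded to plain XML, and the game baseline, the list of sensitive permissions and the sample manifest are illustrative assumptions rather than university policy.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline of permissions a typical game can justify (illustrative only).
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Permissions that reach contacts, messages or accounts, with the question to raise.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "reads the contact manager",
    "android.permission.READ_SMS": "reads stored text messages",
    "android.permission.RECEIVE_SMS": "intercepts incoming text messages",
    "android.permission.SEND_SMS": "sends text messages",
    "android.permission.GET_ACCOUNTS": "lists accounts on the device",
}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return sorted({n for n in names if n})

def review(manifest_xml, baseline=GAME_BASELINE):
    """List (permission, reason) pairs a reviewer should question."""
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE:
            findings.append((perm, "sensitive: " + SENSITIVE[perm]))
        elif perm not in baseline:
            findings.append((perm, "outside baseline: ask why the app needs it"))
    return findings

# Constructed sample: manifest of a hypothetical game, not a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.birdgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in review(SAMPLE_MANIFEST):
        print(perm, "->", reason)
```

A flagged permission is a prompt to ask why the app needs it, not proof that the app is malicious.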

Also important is considering the source of the application - while the Android Marketplace is host to some poisoned applications, it's far more likely to be safe than some random website hosted out on the Internet. We should encourage our users to do research before installing, and research from more legitimate websites, not just a random Google hit.

iPad/iPhone users may be looking at the more open Android market and laughing thanks to Apple's more controlling approach, but remember that iOS marketplace items have slipped by with malicious code in them already, despite Apple's filtering. No platform is completely safe from these threats, since security is often a catch-up exercise on these rapidly evolving platforms.

Our users want to use these devices to perform personal and professional business, and we should not be standing in the way of this trend. Instead, as IT professionals, it is important that we work with our users to find safe and secure methods of applying these tools.

If you have suggestions on ways the university community can work to enable a secure approach to mobile devices, please share them on the various mailing lists, such as distcons, or e-mail them to sines.22@osu.edu.