The latter half of December is (unofficially) “predictions season,” when luminaries of various ilk get out their crystal balls and take a stab at predicting what sweeping changes will transform our world. I suppose that’s as it should be. The advent of Christmas and the New Year put everyone in a reflective mood, and make us curious about what lies on the other side of the holidays.
In the security world, things are no different. There’s a cornucopia of “security predictions” at this time of the year. So many, in fact, that Gartner Inc. Research Director Anton Chuvakin has taken to collecting them on a Delicious thread - so far he has 17. If you take the time to read through them all, one clear trend emerges: the accelerating shift from personal computers to mobile devices is upending everyone’s plans. But the specifics of that transformation - and its impact on security - may surprise us yet in the coming year.
Of course, you don’t have to be Nostradamus to predict that mobility will be the dominant trend in 2013, as it was in 2012...and 2011. Smartphone ownership among adults in the US increased by 10% in the last year alone, according to data from the Pew Research Center’s Internet & American Life Project, and 45% of adults now carry one. Tablets like the iPad and Samsung Galaxy - products that didn’t even exist three years ago - are now in the hands of one in four adults in the US. In the workplace, BYOD - or Bring Your Own Device - policies that welcome employee-owned consumer devices like smartphones and tablets onto enterprise networks are the official or unofficial policy at most workplaces. Naturally, more mobile device users means more targets of opportunity for cyber criminals, and that means lots of innovation around mobile threats and attacks - with weak application security infrastructure being a common theme.
Lookout Mobile Security’s 2013 mobile threat predictions call out SMS toll fraud as the number one attack vector in the coming year. Premium SMS messages are still one of the only easy ways for cybercriminals to turn infected mobile phones into cash in the bank. Although the latest release of Google’s Android OS (“Jelly Bean”) includes an update on this front, that company’s flawed distribution model, which punts the distribution of updates to carriers and handset makers, means that most Android users worldwide will continue to be vulnerable long after Jelly Bean became available, Lookout says.
With most mobile threats coming in the form of malicious mobile applications that mobile device owners willingly (if unwittingly) install, porous and features-first mobile application platforms on popular devices offer would-be hackers and cyber criminals avenues for attack. In just the latest example, Trend Micro researcher Yinfeng Qiu wrote about a new attack technique on Android systems: “tapjacking,” in which a malicious application developer can use social engineering and an Android user interface feature called “toast view” to trick users into unknowingly interacting with a hidden function that downloads malicious content, makes an online purchase and so on. Think of this as the mobile equivalent of “clickjacking” in the world of web applications, in which attackers use small bits of code and decoy UI elements to trick web site visitors into interacting with hidden web content. And, because the application wouldn’t be carrying out any malicious actions itself, tapjacking application authors could be confident that their creations wouldn’t raise red flags during an application code review. Symantec predicts that meddlesome mobile adware will become prevalent in 2013, citing a 210 percent increase in aggressive mobile adware in the last nine months of 2012.
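From the defender’s side, Android does give app developers a platform-level counter to the overlay trick described above: a view can be told to discard touches that arrive while another window (a toast included) is drawn over it. The following is an added example, not code from this post or from Trend Micro’s write-up, showing a Button subclass that applies that setting and logs the touches it rejects. The class name, tag and any layout resources that reference it are hypothetical.

```java
// Added example (not from the original post): a Button that refuses touch events
// delivered while another window covers it, which is the platform defence
// against toast-overlay "tapjacking". Class and tag names are hypothetical.
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredTouchAwareButton extends Button {
    private static final String TAG = "ObscuredTouchAwareButton";

    public ObscuredTouchAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML:
        // the framework drops touches that arrive while this view is partly or
        // wholly covered by another visible window, so the click listener never
        // fires for them and a decoy overlay cannot drive this button.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // FLAG_WINDOW_IS_OBSCURED is set by the system on events that reached this
        // window through another window drawn above it.
        boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured && event.getAction() == MotionEvent.ACTION_DOWN) {
            // Surface the rejection rather than failing silently; a steady stream
            // of these on a purchase or download button is worth investigating.
            Log.w(TAG, "Dropped touch on view " + getId() + " while obscured by another window");
        }
        // The superclass enforces the filterTouchesWhenObscured policy and returns
        // false when the event should be discarded.
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use this class in place of `Button` for the views that trigger sensitive actions (purchases, downloads, permission grants); if the logging is not wanted, the single XML attribute `android:filterTouchesWhenObscured="true"` on the stock `Button` gives the same protection. The caveat is that this guards only views the developer remembers to mark; it does nothing for an app that never opts in, which is why the post’s point about platform defaults still stands.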
Still, the most contentious issues facing mobile device owners in the coming year will center on data privacy. On the one hand, mobile applications are a data goldmine for companies and advertisers. Mobile apps “will remain the central collection point for our personal data – from location information, messaging, calendars to social circles,” Lookout said. But the ease with which mobile applications collect data engenders new dangers and has prompted a response from regulators. Notably, the FTC this month issued updated rules for the Children’s Online Privacy Protection Act (COPPA) that ban online advertisers from tracking the online behavior of children, including photos, video and geolocation information, without explicit consent from their parents. States, including California, have also started to crack down on mobile application makers that don’t provide users with adequate information about what personal data about them will be collected and how it will be used.
But the efforts on behalf of personal privacy and civil liberties are halting at best. Google and Apple lobbied heavily within the Washington D.C. beltway to have their burgeoning mobile app stores exempted from the COPPA rule changes. No surprise: they got what they wanted, opening an enormous loophole in COPPA’s efforts to protect children’s privacy at a time when children and toddlers switch en masse from centuries-old entertainment like dolls, stuffed animals and board games to tablets.
And, of course, efforts to constrain the legitimate market for mobile apps have no effect on the actions of either the cyber criminal underground or governments, which have found mobile devices to be a reliable way to monitor the movements and activities of their citizens.
As the writer and philosopher George Santayana famously observed: “those who cannot remember the past are condemned to repeat it.” That’s an uncomfortable thought as we contemplate a mobile malware and threat landscape that looks uncannily like those for the PC and the web that preceded it. It’s clear already that mobile application platform makers didn’t learn the lessons of the past, fostering a free-for-all application development culture that rewarded quantity (of apps) over quality (of code). In the case of Google, the message on security was - at least initially - caveat emptor (“buyer beware”).
What’s to be done? This blog has called for a “Nate Silver” for application security: a person (or persons) who can shine a light on the hocus-pocus that often holds sway in conversations about application security. Security experts like Joshua Corman of Akamai have argued that we need an empirical basis for understanding the challenge of security, rather than merely exploiting public fears to sell more security “widgets.” All that is true. But individual personalities and market-based correctives will only go so far. As in so many other contexts these days, the security space screams for strong leadership from policymakers. Complicated issues like mobile device security and data privacy require a strong, guiding hand from governments, standards bodies and industry groups. Only when there are strong, flexible and comprehensive laws protecting user privacy, and intelligible guidelines for adhering to those laws, will we see the kinds of systemic changes that might spare mobile device owners the security headaches that have become all too common in the last decade.