Thirty years into the personal computer revolution, most consumers are savvy enough about Internet security to know that they shouldn’t be surfing the Internet without some sort of protection. But those same consumers, not to mention the corporations for which many of them work, think nothing of using their smartphones to conduct all manner of potentially sensitive communication. Not surprisingly, developers of malware are paying attention.
According to Beth Jordan, vp of communications for security software developer AVG, recent research that the company conducted in conjunction with the Ponemon Institute revealed a disturbing lack of consumer awareness regarding the vulnerability of information on a smartphone.
For the research, 734 U.S. smartphone users aged 18 or older were polled. Among the findings: Thirteen percent of surveyed smartphone users said location data had been unknowingly embedded on their handset, enabling others to track their location. Only 21 percent of respondents were aware this could happen. Six percent of respondents said that mobile applications had transmitted confidential payment information such as credit card details without the users’ knowledge or consent. Only 11 percent of respondents were aware this was possible. And 8 percent said their handsets had been infected by a sort of malware called dialerware that enables criminals to make use of premium services that are then charged to the cell phone owner. Only 10 percent of respondents were aware of this risk.
Jordan says that the researchers asked about 11 of the most common ways in which consumers are taken advantage of in the mobile space. Of the 11, only two had a consumer awareness of more than 50 percent. Additionally, she points out, the “awareness” numbers and the “impacted by” numbers are, in most cases, very close, meaning that, very often, consumers are aware of a potential security problem involving their cell phones because they have already experienced the problem.
According to Chris Wysopal, chief technical officer for Veracode, which has developed a cloud-based mobile app security verification service aimed at big enterprise customers in the healthcare and financial industries, malware embedded in mobile apps and particularly in information downloaded from the mobile web is becoming more and more pervasive. “The same type of phishing attacks that happened to PC users are now happening to mobile users,” he says. “The browser is smaller; there is less information in the URL. You have to be more careful.”
The problem is especially acute for large companies because of the way in which people use their mobile devices to interact with their workplaces. By attacking a smartphone, malware developers can, conceivably, gain access to sensitive information stored on the phone itself or, using the smartphone to connect to a company’s central databases, do even more damage.
Wysopal thinks that most consumers don’t understand how little security checking is done before an app is uploaded to an app store. “Google doesn’t really do any validation of apps that are uploaded,” he says. “The iTunes store has a policy where they review the app, but it’s unclear what level of security screening they do. I would suspect very little, if any.”
“I think we’re just at the beginning of understanding the risks of the mobile platform,” says Wysopal.
More in Media
AI Briefing: How political startups are helping small political campaigns scale content and ads with AI
With about 100 days until Election Day, politically focused startups see AI as a way to help national and local candidates quickly react to unexpected change.
Media Briefing: Publishers reassess Privacy Sandbox plans following Google’s cookie deprecation reversal
Google’s announcement on Monday to reverse its plans to fully deprecate third-party cookies from its Chrome browser seems to have, in turn, reversed some publishers’ stances on the Privacy Sandbox.
Why Google’s cookie deprecation reversal isn’t actually a reprieve for publishers
Publishers are keeping a “business as usual” approach to testing cookieless alternatives despite Google’s announcement that it won’t be fully deprecating third-party cookies after all.