It is now safe to state the digital age is well and truly established. Everyone seems to offer online shopping. Many banks offer online banking and many governments are joining the digital revolution. Never before has it been so easy to conduct our lives from our larger electronic devices (e.g. PCs, laptops and tablets). In fact, many of us now cannot live without our smart phones and the plethora of apps we download to enable us to perform all the internet activities we want, when we want, wherever we are.
In our frenzy to Facebook our friends and figure out our financials, probably on free Wi-Fi while consuming our favourite flavour of coffee, how many of us stop to consider how safe and secure is the combination of the internet and our smart phones?
This short essay collects together information from a number of different online, mobile usage and security reports to help highlight the growing trend for smart phone and app usage. It also reveals many security weaknesses of the technology and possibly the lack of concern we take as a whole towards protecting our (and others’) sensitive data.
First I want to highlight the scale of world-wide smart phone usage.
In December 2014 eMarketer [1] predicted there would be more than 2 billion smart phone users in 2016. That figure proved to be wholly conservative. By the end of 2014 Statista [2] reported the following percentage of users had purchased an online product via a mobile device
At the end of 2015 Ericsson [3] identified there were 7.3 billion mobile subscriptions in the third quarter of 2015, of which nearly 75% were smart phone subscriptions. That equates to over five billion smart phones across the globe. In the same period Ericsson also reported there were 3.4 billion mobile broadband subscriptions. That’s equivalent to almost half the world’s population browsing the internet on mobile phones, not counting Wi-Fi usage.
The Ericsson statistics show how conservative eMarketer’s 2016 prediction was and provide some indication of the speed of mobile growth. These figures, even if we allow for a large margin of error in their reported statistics, provide a staggering indication of how much we depend on these small devices.
Do we look after these devices and do we value these devices?
In the UK, crime data collected by the Metropolitan Police [4] between August 2012 and January 2014 identified that on average 2,000 mobile phones were reported stolen every day. The typical victim is a young woman aged between 14 and 24 who is pickpocketed or leaves her phone unguarded in a cafe or bar (probably while also using the unsecured local Wi-Fi).
In May 2014 Lookout [5] published a survey identifying that one in ten smartphone owners in America were victims of phone theft. One in eleven of these thefts resulted in identity theft and one in ten thefts included the loss of confidential company data (which will become more relevant with the growing trend of BYOD – Bring Your Own Device). Amazingly, 44% of these thefts were due to the owner leaving the phone unguarded in a public place. The survey went on to add that half of phone theft victims would probably be willing to pay $500 to retrieve the data, music, photos, etc. from their stolen phone.
In 2014 a third of USA smart phone users didn’t bother with any type of phone security, not even a 4-digit PIN [6].
Based on the statistics quoted above, it seems we do recognize the importance of the information on our phones and the difficulty we face if the phone is stolen, but we are still almost equally careless with these devices. Perhaps governments and media are not sufficiently raising the profile of mobile theft and the associated consequences of such thefts. But ultimately it is down to individuals to take more care of their possessions, and they need to be more aware of how difficult it is to replace what is on their phone. There are actions they can take, such as backing up the information on their phone. Perhaps there is an opportunity here for an app to calculate and show the replacement value of the physical phone and the value of all the photos, music and other paid-for downloads on the phone. If such an app could be developed, its use could be one approach to help encourage people to properly value their phone.
However, the loss of a phone is not the focus of this text. If phones were super secure, their loss would be more of an inconvenience than a major financial and identity risk. Why is it then that 9% of the American smart phone thefts resulted in identity theft for the phone’s former owner?
There must be something more fundamental involved than the phone theft itself. What about the apps we download and use?
I’m going to take you back to a study completed in 2011 by viaForensics [7] (now called NowSecure), who reported some quite worrying findings at the time. viaForensics tested 100 popular consumer apps for the iPhone and Android. The app types covered the following categories: Social Networking, Finance, Productivity and Retail.
Thirty-two financial apps were tested. Only 44% were rated as a pass for following security practices. A quarter of all the financial apps were found to store the app user’s password and/or sensitive information in clear text. The social networking apps fared far worse, with nearly three quarters of apps tested storing passwords and sensitive data in clear text. Not a single social app was deemed suitably secure. No retail apps were deemed secure, with 14% of those apps containing serious security risks.
But the above information is five years old and surely things have improved since then? At the time of writing, NowSecure have advised me they are in the process of releasing a more up-to-date report, which I’m looking forward to reading. Meanwhile, in January 2016 Arxan [8] published a report on the state of the mobile application. Of the 126 most popular health and finance apps across the US, UK, Germany, and Japan, 90% were found to contain at least two of the OWASP (The Open Web Application Security Project) mobile top ten risks. More on OWASP later. 83% had insufficient transport layer protection (risk of data mining when using unsecured Wi-Fi) and 58% still contained unintended data leakage. On the bright side, only 2% were reported to have insecure data storage, so there have been some improvements over the last five years. However, these weaknesses still provide the potential for the apps to be tampered with and/or their code to be reverse-engineered, allowing the sensitive health and financial information to be extracted by unscrupulous third parties. In fact, Arxan reports 50% of organizations developing mobile apps have zero budget allocated for mobile app security.
Anyone who develops websites should recognize OWASP, which publishes the top ten website threats. These threats form part of regular security testing many companies perform on their websites. OWASP also provides a comprehensive mobile app checklist that focuses on security checks of mobile apps, which is essential guidance for any app developer (or app pen tester) covering 75 client side checks and 16 server side checks. A download of the latest set of checks can be found within the OWASP mobile security project page https://www.owasp.org/index.php/Mobile.
OWASP mainly focuses on the application layer and expects that even the average developer can follow these checks and make a real difference to the app they create. There is also a focus on the integration between the app, the authentication services and the cloud platform-specific features. The list, recently extended from 64 to 91 checks, seems lengthy and helps demonstrate the level of effort required to ensure a mobile app stands a chance of meeting one of its required objectives, which is to protect the user’s data.
If there is guidance available for app developers, then why has there been an apparently minimal improvement in app security? To help shed light on this question we move to a report published in February 2015 by Ponemon [9], which identifies that the huge customer demand for mobile apps effectively forces developers to prematurely release apps to the marketplace. Ponemon say 65% of respondents reported the security of their mobile apps is sometimes put at risk due to the customer demand for the app to be made available. Only 40% of 640 respondents in the study actually checked the OWASP top 10 mobile app security risks.
Additionally, a reported 55% of respondents say the apps are only tested in development or post-development and never actually in production.
The above statement may seem counter-intuitive. Why would you test something after it has been released into production? The sentence first touches on the accepted approach of developing and testing prior to release, which is logical. To understand the concept of testing in production we need to explore our understanding of testing prior to release to production.
Testing, whether test-driven development or waterfall, tends to be performed in a well-defined environment with known input data and expected output data. The environments are sterile, with test data frequently refreshed. It’s extremely rare for free testing to occur where testers can attempt crazy what-if scenarios and see what happens. When I’ve performed testing roles I could regularly break an application by doing completely unexpected things to the user interface. It’s also not uncommon for the business representatives to not understand their customer demographic and/or behaviour. I’ve witnessed first-hand projects where the business experts have categorically stated something will never happen in a live environment, only for it to occur on day one of the release to the public.
With the modern approach of APIs (Application Programming Interfaces) being part of the new Cloud culture (e.g. Facebook and Twitter APIs), the chances of unexpected behaviour are amplified significantly. As a simple start, how many people actually bother to read instructions when using something for the first time? This is further compounded by potentially unusual combinations of data, multiple platform types and multiple events occurring in the wrong order. The potential combinations are endless.
There are testing-in-production terms most of us are probably familiar with: alpha and beta testing. It’s quite common now for an online game to be in beta testing before being fully launched. Minecraft was one worldwide phenomenon that sold many copies while still in a beta phase. The developers can react to feedback and fix reported bugs and/or modify the user interface. People are getting used to using beta releases and immediately have an idea that things could go wrong, so their expectations are set early on to be careful. So long as the released beta product is fairly robust, the supplier can obtain an effective type of crowd-sourcing test feedback to help improve the product. This may not apply to all applications, e.g. financial apps, but a shift in thinking by app developers to use Production Testing will help put quality back into the released products.
When a mobile phone is stolen and falls into the hands of professional criminals, the unencrypted information is extracted from the phone and sold on to fraudsters, and the phone is shipped to other countries where phone blocking can be bypassed. If your phone is stolen, at the very least you have probably lost the cost of its replacement and the cost of calls before you are able to block the account. At the worst extreme, the victim’s identity is stolen, which can take many stressful months to recover.
We enjoy using our smart phones because they seemingly make our lives easier. Adding security controls to anything makes systems, processes, devices (our smart phones?), etc. more difficult to use, but makes them safer. The question for us is how much ease-of-use are we willing to compromise on for additional security?
We also enjoy the ease with which we can download new apps. The smart phone industry is still in its infancy, and civilization as a whole is still getting to grips with the impact of the smart phone and how to handle the changes it brings. Hundreds of apps are added to the app stores on a weekly basis. The app stores do implement a voting/rating system to help promote the better apps (however they define better), but as the quality statistics reveal, the top apps are not necessarily secure. The demand for the newest and latest app fuels the need for developers to deliver apps to market in short time scales.
Perhaps a more transparent, quality assurance body is required for apps to sign up to, in order to provide an incentive to app developers to spend more time and money on the required security testing to make apps safer, which in turn would deter phone theft. More developers need to treat the security aspects of any app more seriously and take advantage of the available guidance material.
It is not uncommon in local industries for government intervention to occur in order to increase quality measures. This is already starting in some countries where changes are being enforced to help reduce phone theft.
Finally, the smart phone is a valuable asset and should be treated as such by each phone’s owner. Merely adding secure password/phrase/diagram protection, being careful about what we download and not leaving the phone where others can casually walk off with it will reduce the opportunity for loss.
References
1: http://www.emarketer.com/Article/2-Billion-Consumers-Worldwide-Smartphones-by-2016/1011694
2: http://www.statista.com/statistics/418393/mcommerce-penetration-worldwide-region/
3: http://www.ericsson.com/res/docs/2015/mobility-report/ericsson-mobility-report-nov-2015.pdf
5: https://www.lookout.com/resources/reports/phone-theft-in-america
8: https://www.arxan.com/2016-state-of-application-security-infographic-consolidated-edition/