Showing posts with label MTD. Show all posts

Monday, February 12, 2018

Is It Your Smartphone That's Addictive — Or Your Apps?


The recent spate of articles on the topic of smartphone addiction reflects growing concerns about our reduced cognitive capacity, increasing loneliness and depression, and our diminishing ability to control where our attention is focused—all attributed to the increasing amount of smartphone screen time in our daily lives.

Our daily smartphone use in the U.S. has grown to over 4 hours per day, according to eMarketer. And in the details we see that the vast majority of that time is due to our use of mobile apps. It's not the smartphone that's addictive, but the apps—which are specifically designed to keep us engaged, and by that they mean using their apps for longer so that the stalker economy can profit from our attention.

Make no mistake: Apps such as Facebook, Snapchat, Instagram, WhatsApp, and Twitter employ an economic model that's tied to keeping your attention on their app (despite what their marketing departments say about connecting people). That's for two reasons: first, to serve us more ads; second, to surveil us for longer so that companies such as Acxiom, Epsilon, Datalogix, RapLeaf, Reed Elsevier, BlueKai, Spokeo, and Flurry can collect more data about us. These companies are players in the $156 billion per year data surveillance industry—an industry that exists so that marketing companies can serve us the best ads, depending on dozens of factors including where we are at any given time. Usage patterns, what other apps we use, and how we use them allow marketers to determine our gender, profession, marital status, sexual orientation, income level, age, health conditions, and other personal characteristics. Flurry, for example, identifies app users based on their persona such as Business Travelers, Pet Owners, and New Moms, among many others.

Enterprises in the U.S. don't worry all that much about protecting employees' privacy. But they are concerned about employee productivity, and ensuring that—unlike Homer Simpson in the cartoon above—their employees focus their attention on the job at hand. That's why Facebook is one of the most common apps for enterprises to blacklist. Other approaches to eliminate employee loss of attention include adoption of container strategies such as Android Enterprise and Samsung Knox so that employees can only use work-related apps while they're at work.

But employees resist corporate attempts to control what apps are on their devices, and containers' adoption is slowed by ease of use and other concerns. What other options exist for enterprise mobile security?

As we outlined in a prior post, any mobile security approach for enterprises that requires users to delete apps from their devices will be subject to resistance from app-addicted employees. That's one reason why Mobile Threat Defense (MTD) solutions face deployment headwinds. And unless app policies are developed in a strong partnership with the HR department, and employees agree to such measures as a condition of employment, enterprises will find it very challenging to enforce any but the most egregious security concerns regarding employee-owned devices.

Instead, enterprises should investigate a lightweight approach to mobile security that's transparent to employees but which has the ability to prevent operation of enterprise-selected personal apps while the employee is at work. But every day when they leave the workplace, their apps are re-enabled and will work normally while the employee is on personal time and away from the office. That's the security model that has served enterprise laptops for the past decade, and it's a logical separation between work and personal use of mobile devices.

______________________________________________________________________

Note: Many of the ideas explored in this post were stimulated by two books: Future Crimes: Inside the Digital Underground and the Battle for Our Connected World, by Marc Goodman, and The Attention Merchants: The Epic Scramble to Get Inside Our Heads, by Tim Wu. I am indebted to them both.

Thursday, January 18, 2018

Mobile Cyber-Espionage at a Global Scale


One of the key issues that has stymied the growth of the Mobile Threat Defense (MTD) market is that the mobile threat landscape that MTD protects against doesn't really scare enterprises.

That might be about to change. Enter Dark Caracal, characterized by Lookout and the Electronic Frontier Foundation as "cyber-espionage at a global scale."

Again, like other serious threats, this is attributed to a state actor: the Lebanese General Security Directorate in Beirut. To quote further from the report:
Dark Caracal has been conducting a multi-platform, APT-level surveillance operation targeting individuals and institutions globally.
Although Dark Caracal uses tools across mobile and desktop platforms, including Windows, OSX and Linux, it uses mobile (Android) as its primary attack platform. Of the 81 GB of data exfiltrated, 59% is from Android campaigns. The report outlines the devastating surveillance functionality of a compromised device:

The breadth and quantity of exfiltrated data is significant, and includes:

Compromised devices have been discovered worldwide.

The problem with MTD is that it competes for security budget funds with advanced persistent threat (APT) solutions, largely regarded as the top enterprise threat and the type of attack that breached Sony, OPM, Target, Home Depot and others. It's easy to imagine that enterprises will re-evaluate the priority of an MTD solution as they digest the new threat landscape that includes Dark Caracal.

Tuesday, January 16, 2018

Self-protecting software, application shielding, and RASP

Many of my recent posts have provided insights regarding the Mobile Threat Defense (MTD) space; in this post I wanted to explore other mobile security segments as they relate to enterprises.

Mobile Threat Defense (MTD)
First, for background, here's how MTD is defined by Gartner:
The MTD solutions market is made up of products that protect organizations from threats on mobile platforms, including iOS, Android and Windows 10 Mobile. MTD solutions provide security at one or more of these four levels: Device behavioral anomalies, Vulnerability assessments, Network security, or App scans.
MTD solutions are designed to protect enterprises from mobile threats. The primary threat landscape that MTD addresses is mobile malware and leakage of enterprise data. Skycure/Symantec, Lookout, Zimperium and Appthority are vendors in this space.

Application Security Testing (AST)
As mentioned above, other mobile solutions exist besides those that fall into the MTD category. The most mature mobile security segment is part of the Application Security Testing (AST) market, which broadly applies to both web-based and mobile applications. Sometimes referred to as SAST (static application security testing) and DAST (dynamic application security testing), these solutions are applied against internally developed apps deployed for internal use by employees and contractors. These are often called private apps or custom apps. Veracode, HPE and IBM are leaders in this segment.

Application Shielding 
Another mobile security market segment, and the focus of this post, is emerging as of early 2018 and doesn't have a consensus segment name. It's referred to by participating vendors as "Protecting Apps in Untrusted Environments," "Autonomous Application Protection," and "Self Protecting Software." Gartner refers to it as Application Shielding, and names over 20 vendors with relevant solutions. The underlying technology is called Runtime Application Self-Protection (RASP). What's this all about?

Enterprises often must deploy mobile apps in support of their core business. Think of public apps from banks, retailers, gaming companies, and any app-based business. These are generally B2C apps, or consumer mobile apps, and are deployed in environments outside of the developers' control. The app could be reverse engineered for intellectual property theft or to determine and exploit whatever vulnerabilities might exist. The app could be installed on rooted or jailbroken devices, which opens it up to a wide array of attacks. The app could be re-packaged with keyloggers, spyware or other forms of malware, which could result in brand damage. Other exploits and misuse of the app are possible. How can app developers protect their app when it's in the wild?

Runtime Application Self-Protection (RASP)
Enter RASP. Gartner defines RASP as a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks. Secure app development practices (often based on OWASP) and security testing remain best practices and are not replaced by RASP. In fact, RASP solutions are applied not to the source code but to the binary (executable) app. RASP can usually be integrated into the build process but does not require SDLC changes or app developers' participation.

RASP technology is not unique to application shielding, as it is also utilized by some AST vendors. But it has experienced considerable growth of late because of the application shielding requirements of mobile apps. Furthermore, RASP usage is expected to mushroom as it gets applied to IoT-based apps.

What Mobile Security Solution Should An Enterprise Adopt?
So what does all this mean to an enterprise that is developing its mobile security strategy? In short, one size does not fit all. MTD is required to protect the enterprise from attacks against its employees and its data. SAST and DAST are required to secure mobile apps developed for internal use as productivity tools. RASP is required for consumer mobile apps. The rapid adoption of mobile in the workplace and as the primary means of reaching customers requires a broad mobile security strategy with multiple components.

Enterprises seek best of breed solutions for all of their security requirements. But enterprises are not always willing to be their own system integrators, where they must glue various platforms together from a management and operations perspective. It seems likely that at the end of the day enterprises will gravitate towards single-vendor solutions, to the extent they emerge. I believe that the window of opportunity for mobile security startups is still wide open to those with innovative solutions who can execute, but history suggests the ultimate winners will be the established, mega security vendors.

Monday, December 11, 2017

A Lightweight Approach to Mobile Security


In a post last week, I summarized some of the reasons that mobile security is hard for enterprises. The Gartner-defined approach known as Mobile Threat Defense, or MTD, has been widely agreed to as the best practice for mobile security. This approach, while comprehensive, represents heavy lifting for most enterprises. Let's unpack that before exploring what might represent a more reasonable, lightweight approach for getting started with enterprise mobile security.

MTD, as defined, has the following four general requirements:
  1. Device behavioral anomalies — MTD tools provide behavioral anomaly detection by tracking expected and acceptable use patterns.
  2. Vulnerability assessments — MTD tools inspect devices for configuration weaknesses that will lead to malware execution.
  3. Network security — MTD tools monitor network traffic and disable suspicious connections to and from mobile devices.
  4. App scans — MTD tools identify "leaky" apps (meaning apps that can put enterprise data at risk) and malicious apps, through reputation scanning and code analysis.
Most vendors propose to address requirements 1, 2, and 3 above with on-device apps, or agents. Item 4, app scans, is generally addressed through an Enterprise Mobility Management (EMM) integration or a proprietary MDM server, either of which must be deployed and managed by the enterprise IT staff (although many enterprises may already have an EMM deployed).

Requirements 1 and 2 are focused on malware detection. As I've outlined in prior posts, while mobile malware represents a real risk to individuals due to the threat of identity theft, financial fraud, ransomware and spyware, it is only a negligible enterprise threat. Requirement 3, network security, has been highlighted by vendors as critical to preventing WiFi-based man-in-the-middle (MiTM) attacks with real-time detections for SSL stripping and rogue access points. But, again, such attacks are far more of a threat to individuals than enterprises. Think about it this way: A MiTM attack against mobile devices is essentially the same as a MiTM attack against laptops, which have been used in coffee shops, hotels, airports and other public spaces for more than a decade prior to the wide adoption of smartphones. How many enterprises were breached due to MiTM laptop attacks against enterprises? None that have been publicly reported. And how many commercial solutions exist to protect laptops against MiTM attacks? None that I can find. The evidence suggests that the need for protection against mobile MiTM attacks is vendor-generated hype rather than a response to real risks to enterprises. And feedback from enterprises attempting to deploy network security approaches suggests that the current generation of products in this space is rife with false positives: a huge burden to IT staff, and something that leads to loss of trust from users.

Because MTD requires enterprises to deploy a mobile app on all users' mobile devices, it imposes challenges from both an operational and employee relations perspective (enterprises routinely receive push-back from employees due to concerns about corporate surveillance as well as the many questions they will have regarding the app). Furthermore, MTD solutions remediate risks by requiring employees to delete apps that violate corporate policies from their personal devices, even if those apps are not used at work. For example, an employee or contractor might be required to permanently delete a gaming, social network or messaging app that the individual might otherwise use and enjoy often. That's a tough sell, and can lead to employee resentment and dissatisfaction, and to creative attempts to circumvent controls.

In summary, MTD is a heavyweight approach to mobile security due to the fact it's orthogonal to the existing security infrastructure, requires a complex integration with EMMs, introduces a new system that requires management and operational responses, and involves convincing all employees, contractors and other users to deploy a mobile app that performs on-device security functions (hopefully with minimal battery drain) and which may require employees to delete beloved apps from their personal device. This is the reason MTD can be characterized as requiring heavy lifting for enterprise mobile security.

An App-Centric, Lightweight Approach to Mobile Security
Are there other approaches to securing mobile devices in the enterprise that don't require mobile apps deployment or EMM integrations? Unfortunately, there are no commercial products that I'm aware of. I therefore believe there's an opportunity for vendors or enterprising startups to fill the solution gap between doing nothing and adopting a heavyweight solution. I'll outline the main characteristics below.

First, I think the issue of mobile security is largely an issue of mobile app security and requires an app-centric approach. The device and network threats, while real, are less of a threat to enterprises than vendors and the trade press would have us believe.

Second, the unfamiliar terrain of mobile security concepts represents a new strain for IT security staff in having to master concepts regarding EMM capabilities and operational aspects of integrations with MTD solutions.

Third, it would be ideal if a mobile security solution leveraged current enterprise security infrastructure rather than having to introduce a new platform. Most enterprise security today is based on identifying threats that come from specific external sites as identified by IP addresses. Threat intelligence, employed by many enterprises, includes a list of IPs that should be blocked, and the ubiquitous firewall is the primary security solution for accomplishing that.

If an enterprising vendor developed a mobile threat intelligence feed, that could be used to provide a reasonable level of protection within the enterprise.

The ideal feed would include endpoints and servers associated with malware campaigns which could be blocked by a firewall or other perimeter security solutions (while as noted above this is a negligible threat to enterprises, blocking those connections would be a relatively trivial task so the cost/benefit ratio is positive).

In addition, the mobile threat intelligence feed would identify apps' network connections that leak data contrary to corporate policy. Of course, each enterprise has different criteria for developing such policies, so the feed should include enough metadata that connections could be selectively blocked based on the nature of the data leakage risk.

The vendor providing such a feed would have to analyze the connections from all apps available from Google Play, the App Store, and any other sanctioned app stores. This is simpler than doing a full behavioral analysis of the apps. A higher-level solution would classify connections based on the type of data being leaked. I believe the apps' network connections could be categorized as follows:
  • backend: the servers that the app connects to for cloud-based computation, aggregation and persistent storage
  • auxiliary: the third-party servers that provide auxiliary services to the app, such as outside temperature or a map overlay
  • marketing frameworks: the third-party servers, such as Flurry, that provide app use analysis and some forms of surveillance to precisely identify characteristics of the user, usually for input into big data algorithms for ad networks
  • ad networks: the third-party servers and related infrastructure for serving ads (and sometimes malvertising) to the mobile device
The mobile threat intelligence feed, with metadata for each IP identifying the source app and which category the connection falls into, would give enterprises enough data to provide lightweight security to their mobile devices, both COPE and BYOD.

Here are some use cases that could be addressed with such a solution:
  1. Malware protection: block all connections to/from malicious sites. Note that blocking of such connections would only be performed while the mobile device is on the corporate network; when the employees go home no further protection would be active unless a VPN is used. However, this is exactly the paradigm in place for laptop protection, when employees take their laptops home. When accessing enterprise resources remotely, a VPN is almost always required, and malicious IPs would be blocked.
  2. Data leakage: block all connections, based on policy criteria. For example, apps that send address books could be blocked. The enterprise wouldn't know which are the offending apps necessarily (although a mature solution would have the option to query that). Note that the blocking of those connections prevents data leakage without having an on-device agent and without requiring any action on the part of the user. The user experience would simply be that the app would fail to work normally. If it's not a work-based productivity app, the employee really has nothing to complain about except having to wait until they get home to play games or engage their social network. Maybe productivity will improve!
  3. Advertising: while employees using apps that receive ads isn't generally considered a threat, does an enterprise really want content from any one of hundreds of ad networks sending data into their secure environment? And while ad network malware, known as malvertising, is rare, it would be prevented by blocking all advertising connections.
Note that with such a solution most of the MTD deployment and operational challenges are not present. No EMM integration is required. No mobile apps or agents need to be deployed on all users' devices, and employees are never asked to delete apps from their device. Some personal apps that violate policy may not operate correctly while employees are at work, but that's hardly something they can complain about.
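As an added illustration (not code from the original post), here is a small Python sketch of the feed-plus-policy model described above: a constructed line format carrying the four connection categories plus malicious endpoints, a per-enterprise policy, the resulting per-IP blocklist a firewall would consume, and the optional "which app is offending" query. The feed format, app identifiers and addresses are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# The four connection categories from the post, plus "malicious" for the
# malware-campaign endpoints the feed is also meant to carry.
CATEGORIES = {"backend", "auxiliary", "marketing", "adnetwork", "malicious"}


@dataclass(frozen=True)
class FeedEntry:
    ip: str                 # destination the app talks to (what the firewall consumes)
    app: str                # hypothetical package/bundle id making the connection
    category: str           # one of CATEGORIES
    leaks: FrozenSet[str]   # kinds of personal data observed leaving the device


@dataclass
class Policy:
    block_categories: Set[str]   # e.g. {"malicious", "adnetwork"}
    block_leaks: Set[str]        # e.g. {"contacts"}: block any connection leaking these


def parse_feed(text: str) -> List[FeedEntry]:
    """Parse the constructed feed format: ip,app,category,leak1|leak2|..."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ip, app, category, leaks = parts
        if category not in CATEGORIES:
            raise ValueError(f"line {lineno}: unknown category {category!r}")
        leakset = frozenset(l for l in leaks.split("|") if l)
        entries.append(FeedEntry(ip, app, category, leakset))
    return entries


def block_reason(entry: FeedEntry, policy: Policy) -> Optional[str]:
    """Return why this connection violates policy, or None if it is allowed."""
    if entry.category in policy.block_categories:
        return f"category:{entry.category}"
    leaked = entry.leaks & policy.block_leaks
    if leaked:
        return "leaks:" + "|".join(sorted(leaked))
    return None


def build_blocklist(entries: List[FeedEntry], policy: Policy) -> Dict[str, Set[str]]:
    """Map each IP that must be blocked to the set of reasons.
    A destination shared by several apps is blocked if any one of them violates
    policy; the other apps using it simply stop working while on the corporate
    network, which is the trade-off the post accepts for a perimeter-only control."""
    blocklist: Dict[str, Set[str]] = {}
    for e in entries:
        reason = block_reason(e, policy)
        if reason:
            blocklist.setdefault(e.ip, set()).add(reason)
    return blocklist


def offending_apps(entries: List[FeedEntry], policy: Policy) -> Dict[str, Set[str]]:
    """The 'query which app' option: app -> reasons, for an analyst rather than the firewall."""
    apps: Dict[str, Set[str]] = {}
    for e in entries:
        reason = block_reason(e, policy)
        if reason:
            apps.setdefault(e.app, set()).add(reason)
    return apps


def iptables_rules(blocklist: Dict[str, Set[str]]) -> List[str]:
    """Render one DROP rule per blocked IP on the FORWARD chain (standard iptables syntax)."""
    return [f"iptables -A FORWARD -d {ip} -j DROP" for ip in sorted(blocklist)]


# Constructed sample feed: documentation-range addresses, hypothetical app ids.
SAMPLE_FEED = """
# ip,app,category,leaks
203.0.113.10,com.example.game,backend,
203.0.113.20,com.example.game,adnetwork,deviceid|location
203.0.113.30,com.example.chat,backend,contacts
198.51.100.5,com.example.weather,auxiliary,location
198.51.100.9,com.example.flashlight,marketing,deviceid|contacts
192.0.2.77,com.example.flashlight,malicious,
"""

# Example workplace policy: no ad networks, no known-malicious endpoints,
# and no connection that ships the address book, whatever its category.
WORKPLACE_POLICY = Policy(block_categories={"malicious", "adnetwork"},
                          block_leaks={"contacts"})

if __name__ == "__main__":
    for rule in iptables_rules(build_blocklist(parse_feed(SAMPLE_FEED), WORKPLACE_POLICY)):
        print(rule)
```

Note that the weather app's location reporting is left alone under this policy, while the game keeps its backend connection but loses its ad network, which is the selective blocking the post describes.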

A specialized mobile threat intelligence feed could represent an enterprise's first step into mobile security. Based on how the threat landscape evolves, and how MTD solutions mature over time, there's nothing to preclude adoption of MTD at some future date.

I haven't done an exhaustive search of the many threat intelligence feeds available today. It's possible that one or more are already covering mobile connections to some extent. And I don't know for sure that existing MTD vendors aren't exploring lightweight options similar to what has been described above. Hopefully the enterprises that have opted not to procure MTD due to its cost and operational burden may find a lightweight approach to mobile security in the near future.



Monday, November 27, 2017

Why Mobile Security Is Hard for Enterprises


Most enterprises support the “mobile first” movement, whether enthusiastically or begrudgingly. Many enterprises have developed mobile apps for internal use, and almost all allow employees to use their personal mobile devices to access corporate email, calendars, and other resources. Few companies have strict policies preventing use of BYOD (bring your own devices) for productivity purposes, nor do they prohibit use of social network or messaging apps while at work. Mobile use in companies has become entrenched, and it’s here to stay.

Meanwhile, startups and other high-tech firms have jumped to fill the void in mobile security solutions. In the past few years, a variety of innovative approaches have been introduced to the enterprise market that address threats related to mobile malware and data leakage. This has led industry analysts and other thought leaders to coalesce around common solution definitions to help enterprises navigate their way through the highly diverse solution landscape. The consensus seems to be that a general solution definition, defined by Gartner as Mobile Threat Defense, or MTD, is the universal answer to enterprise mobile security.

But MTD is hardly in response to a large and growing adoption of mobile security solutions by enterprises. In fact, the real question is why are the aggregate MTD revenues so low? Why have so few enterprises adopted an MTD solution?

Having seen this apparent contradiction up close, I have a theory as to why the MTD adoption is so low. Because MTD introduces a new paradigm based strictly on mobility threats, and because MTD does not leverage current enterprise security infrastructure, it represents a big challenge to enterprise security teams. MTD is another expense, sure, but the real reason it hasn’t been widely adopted is that it’s hard to deploy.

Consider some of the elements of an MTD enterprise deployment and consider how little alignment exists with current security solutions:
  • Mobile app/agent deployment to all employees, and all the challenges associated with the requirement that all users must deploy this security app (help desk, battery drain, “big brother” concerns by employees)
  • Remediation policies, including requiring employees to delete offending apps (including related HR policies)
  • Enterprise policies regarding rooted/jailbroken devices
  • EMM integration
  • PII management, especially regarding EMM integration and agent deployment

On top of that, there’s a whole new taxonomy for the enterprise IT staff to master and new concepts that must be operationalized: mobile malware and its many variants (spyware, trojans and fake apps, ad fraud, click fraud, ransomware); man-in-the-middle attacks; targeted attacks; secure transport enforcement; OS vulnerability assessment; and the list goes on.

Finally, BYOD devices are far more personal, and likely to have far more personal data, than legacy desktop or laptop systems. Taking some element of control over such devices in the workplace raises big concerns for employees who have their text messages, chats, pictures, and other personal data on their device. Even the apps that are installed on the device can imply much about a user. Any mobile security deployment that’s not done in conjunction with clear and transparent HR policies will almost certainly encounter personnel issues down the road.

This is the heavy lifting of MTD: A security team has to master new concepts, terms and systems to deploy and manage MTD. Furthermore, the system has to be justified even though it doesn't leverage the current security infrastructure.

So what should an enterprise do?

In upcoming posts, I will be exploring options for enterprise mobile security that leverage existing security infrastructure while providing a more lightweight but effective solution. Stay tuned!

Thursday, October 5, 2017

Mobile Security: Focusing On What's Important

Often, it's what we don't know that gets us in the most trouble.

Conventional wisdom regarding mobile security in many enterprises is that it's not an urgent requirement. Many enterprises have convinced themselves that it's sufficient to implement policies to ensure that users don't root or jailbreak their phone, and that they only download apps from an official app store. With such policies in place, the CISO's mental image of their mobile security posture might look like this:



In actuality, their mobile security policy probably looks more like this:


The good news is the gate is closed--and locked! And, per security best practice the policy is publicly posted (Keep Gate Closed). Luckily, due to the security of Android and iOS, the mobile device is probably secure, as is the data on the device--despite the incompleteness of the mobile security controls.

But what about the data that leaves the device? How well is it protected by the locked gate?

Not very well, unfortunately. Most mobile devices and their apps send considerable amounts of data into the cloud, and it's not obvious to most enterprises what data leaks from mobile devices into the wild, or how effectively the data is secured in the cloud. App developers have a financial incentive to report location and other personal data to ad networks, marketing frameworks, and apps' back ends when aggregation or persistent storage is required. Personal data might include device identifiers, phone number or email address, calendar and contact info, and app-related usage information. Ad networks are relentless in collecting as much data as possible to support the real-time bidding (RTB) process for mobile ad placements. And while most of this data leakage is privacy related, some can be used to inform an enterprise attack.

Meanwhile, we obsess over whether Face ID is better than Touch ID, and lament that the iOS 11 control center doesn't fully disconnect Bluetooth and WiFi. We breathlessly follow headline after headline making us scared over malware campaigns in Asia that truth be told represent little threat to the enterprise--in the unlikely event an employee's phone is infected (the employee, though, has plenty of reason to worry).

Multiple vendors have developed Mobile Threat Defense (MTD) solutions that address mobile security issues, each with their own unique focus. The MTD market is still in its infancy, and only a small percentage of enterprises have adopted and fully operationalized a solution. MTD solutions don't readily fall into typical enterprise security paradigms, and of course they compete for scarce dollars and security staff resources. As the world shifts to a "mobile first" focus, it will be interesting to see the degree to which MTD emerges as a major factor in enterprise security.