the second half of mobile security

Discussion in 'Android Apps & Games' started by fields12, Feb 23, 2016.

  1. fields12 (Newbie, Thread Starter)

    in my limited experience with mobile phones ("m.p."), it appears that m.p. security generally consists of two parts:

    a. the front end or physical access to the device; and


    b. the back end or electronic, remote access to the device.


    * * * *

    "a" appears reasonably protected at present by encryption software.

    "b" however, appears subject to a variety of vulnerabilities not the least of which includes something now called "data leakage" or "privacy invasiveness."

    a recent report, link below, by the m.p. enterprise security firm Appthority reports this current problem as extensive across the m.p. environment.

    https://www.appthority.com/enterpri...ws-high-risk-to-enterprises-from-mobile-apps/

    apparently, data leakage (contact lists, etc.) is harvested by mainstream legitimate applications; and then the information is used against the m.p. owners.

    appthority is not a disinterested party since it engages in the business of protecting enterprise organizations against such risks.

    i would hence appreciate comments here from disinterested m.p. users as to whether they consider this risk significantly greater in quality and quantity than the risk of data leakage and privacy invasiveness currently affecting personal computers? thanks.
     

  2. Slug (VIP Member)


    Actually it refers to "the enterprise environment" specifically, which is significant.


    The risk is always greater in devices that connect to public networks, whether they be mobile phones or laptop computers.

    The greatest risk however is from users themselves, whether it is installing apps from dubious sites, not doing due diligence with requested permissions, or simply not bothering to look in an app's Settings for available privacy options.

    I'd also like to see the list referred to by

    as well as their definition of "data leakage" and "privacy invasive features". I'd also be interested in how critical the author is of enterprises who deployed such apparently-dangerous devices in the first place.

    Unfortunately I can't because to do so you have to provide name, work email and company name to "download" it. That I find almost too ironic for words. ;)
     
  3. fields12 (Newbie, Thread Starter)

    your points are well taken ....
     
  4. RazzMaTazz (Android Expert)

    It worries me that so many seemingly legitimate apps demand a broad range of permissions, including the ability to access my contacts. For example, my Sprint Samsung Galaxy S5 came pre-installed with the Peel Smart Remote (IR remote control) app, which requires permission to access my contacts. That app legitimately would need to access my contacts if I chose to use its feature enabling me to send a TV-show-link to a friend. But if the makers of Peel were evil, I guess they could just upload all of my contacts. No? Maybe they already have. It's scary.

    I'm looking forward to Android 6.0, where (if I understand correctly) we'll have the option to deny specific permissions that apps may request. Denying specific permissions may cause the app not to work correctly. But in the Peel example, I would definitely deny permission to access my contacts because I would never want to send a TV-show-link to a friend.

    Appthority sells security software & services so they have a conflict-of-interest in exaggerating the pervasiveness of the threat, but there is a real threat. There are several enterprise security software vendors (like Skyhigh Networks) that sell network monitoring software to help enterprises eliminate vulnerabilities from employee-smartphone-apps, laptop PC programs, etc.
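
    The check RazzMaTazz describes above (find out which installed apps actually hold the contacts permission on Android 6.0+ and take it away) can be scripted rather than clicked through per app. The following is an added example written for this thread, not code from the original post or from Appthority. It parses the text that `adb shell dumpsys package <pkg>` prints for the per-user `runtime permissions:` section, flags grants of a handful of sensitive permissions, and emits the matching `adb shell pm revoke` commands. The two dumpsys excerpts embedded below are constructed sample input with invented package names; the line layout they imitate is the real dumpsys format, abridged to the fields the parser needs.

```python
"""Audit Android runtime-permission grants from `dumpsys package` output.

Added example for this thread (not from the original post or from
Appthority).  It parses the `runtime permissions:` section that
`adb shell dumpsys package <pkg>` prints on Android 6.0+, lists which
apps hold the permissions the thread worries about (contacts, location,
microphone, SMS, call log) and prints the `adb shell pm revoke` commands
that take them back.  SAMPLE_DUMPSYS is constructed sample input; the
package names and grant states are invented.
"""
import re
from typing import Dict, List

# Runtime ("dangerous") permissions a privacy audit cares about.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample: two abridged `dumpsys package` outputs joined together.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.remote] (a1b2c3):
    userId=10123
    ...
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (d4e5f6):
    userId=10124
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET|USER_FIXED ]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_runtime_grants(dumpsys_text: str) -> Dict[str, Dict[str, bool]]:
    """Return {package: {permission: granted}} from each package's
    `runtime permissions:` section.  Install-time permissions (INTERNET
    etc.) are deliberately skipped: they are not per-user and `pm revoke`
    cannot take them away."""
    grants: Dict[str, Dict[str, bool]] = {}
    pkg = None
    in_runtime = False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:                       # new package block starts
            pkg = m.group(1)
            grants[pkg] = {}
            in_runtime = False
            continue
        if pkg is None:
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if stripped.endswith("permissions:"):   # any other section ends it
            in_runtime = False
            continue
        if in_runtime:
            m = PERM_RE.match(line)
            if m:
                grants[pkg][m.group(1)] = (m.group(2) == "true")
    return grants


def sensitive_grants(grants: Dict[str, Dict[str, bool]]) -> Dict[str, List[str]]:
    """{package: sorted granted SENSITIVE permissions}, omitting clean packages."""
    out: Dict[str, List[str]] = {}
    for pkg, perms in grants.items():
        hits = sorted(p for p, ok in perms.items() if ok and p in SENSITIVE)
        if hits:
            out[pkg] = hits
    return out


def revoke_commands(findings: Dict[str, List[str]]) -> List[str]:
    """adb commands that revoke each flagged grant for user 0 (primary user)."""
    return [f"adb shell pm revoke --user 0 {pkg} {perm}"
            for pkg, perms in sorted(findings.items()) for perm in perms]


if __name__ == "__main__":
    findings = sensitive_grants(parse_runtime_grants(SAMPLE_DUMPSYS))
    for pkg, perms in sorted(findings.items()):
        print(f"{pkg}: {', '.join(perms)}")
    print("\n".join(revoke_commands(findings)))
```

    On a real device, feed it `adb shell dumpsys package` for each package from `adb shell pm list packages -3` (third-party apps only). The caveat RazzMaTazz raises still applies: revoking a permission an app was built to expect can make the app misbehave, and only apps targeting API 23 or later get the per-permission prompt, so older apps may simply crash when a revoked permission is denied at runtime.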
     
  5. fields12 (Newbie, Thread Starter)

    thanks for your informative comments.

    i agree.

    here is a specific example of what i am talking about.

    http://www.securityweek.com/super-bowl-fans-warned-about-vulnerable-nfl-mobile-app

    it would be nice, and even worth paying a price, to have a reputable security company examine, identify and recommend, on an ongoing and updated basis, the top 50? the top 10 apps? by u.s.a. or worldwide downloads? that contain no; or little and specific; data leakage.

    many mobile phone users would ignore such a list because their preferred apps are excluded; but likewise many mobile phone users prefer security over convenience and entertainment; and would follow and adopt such a list.


    one other point; i am a little bit surprised (and perhaps just ignorant) that large organizations who issue mobile phones to their employees do not have those devices programmed to disallow all user downloads and installation of mobile apps other than the apps pre-installed and vetted by the information security branch of the enterprise itself (and before delivery to the employee).
     
    #5 fields12, Feb 26, 2016
    Last edited: Feb 26, 2016
  6. fields12 (Newbie, Thread Starter)

    Report Highlights
    iOS Malware is now mainstream
    • 4 major breaches in as many months showed the App Store is not
    immune to mobile malware
    • Every iOS device running OS older than 8.4.1 has a critical sandbox
    vulnerability that makes enterprise managed apps’ credentials easily
    accessible to bad actors
    Across the board, Android apps are more risky
    • A higher percentage of Android than iOS apps showed risky behaviors
    across three critical risk categories - High Risk, Data Leakage, and
    Privacy Invasive
    • Of the 150 most common apps on enterprise devices, 100% of the Android
    apps were found to have data leakage and privacy invasive behaviors
    Mobile malware is not the only concern to enterprise mobility
    • A far larger percentage of apps on both iOS and Android exhibit risky
    behaviors related to data leakage and privacy invasiveness
    • Mobile app behaviors that send private user information are a gateway
    to private enterprise breaches through spear phishing or other attacks
    • The most common apps in the enterprise pose a high and very direct risk
    to enterprise security and data privacy
    • Dead apps that are not updated to address known malware and
    vulnerabilities continue to pose a cumulative and ongoing threat
    to enterprises

    Platform / App name / Package or bundle ID
    Android Agent com.airwatch.androidagent
    Android Air NZ mobile app nz.co.airnz.mpass
    Android Amazon Kindle com.amazon.kindle
    Android Amazon Music with Prime Music com.amazon.mp3
    Android Chrome Browser - Google com.android.chrome
    Android Citrix ShareFile for Tablets com.sharefile.mobile.tablet
    Android Dropbox com.dropbox.android
    Android EAPworks au.com.entegy.eapworks
    Android Evernote com.evernote
    Android Facebook com.facebook.katana
    Android Fitbit com.fitbit.FitbitMobile
    Android Flipboard: Your News Magazine flipboard.app
    Android Gmail com.google.android.gm
    Android Google com.google.android.googlequicksearchbox
    Android Google Play Books com.google.android.apps.books
    Android Google Play Movies & TV com.google.android.videos
    Android Google Play Music com.google.android.music
    Android Google Play Newsstand com.google.android.apps.magazines
    Android Google+ com.google.android.apps.plus
    Android GoToMeeting com.citrixonline.android.gotomeeting
    Android Hangouts com.google.android.talk
    Android HP Print Service Plugin com.hp.android.printservice
    Android IMDb Movies & TV com.imdb.mobile
    Android My Verizon Mobile com.vzw.hss.myverizon
    Android OneNote com.microsoft.office.onenote
    Android S Health com.sec.android.app.shealth
    Android Salesforce1 com.salesforce.chatter
    Android Samsung Push Service com.sec.spp.push
    Android Support & Protection com.asurion.android.verizon.vms
    Android Verizon Messages com.verizon.messaging.vzmsgs
    Android VZ Navigator com.vznavigator.Generic
    Android WhatsApp com.whatsapp
    Android YouTube com.google.android.youtube
    iOS Adobe Acrobat Reader com.adobe.Adobe-Reader
    iOS Adobe Connect Mobile com.adobe.connect.mobile
    iOS Airbnb com.airbnb.app
    iOS Amazon App com.amazon.Amazon
    iOS Amazon Music with Prime Music com.amazon.mp3.AmazonCloudPlayer
    iOS Amazon Video com.amazon.aiv.AIVApp
    iOS American Airlines com.aa.AmericanAirlines
    iOS AroundMe com.tweakersoft.AroundMe
    iOS Audiobooks from Audible com.audible.iphone
    iOS Bank of America - Mobile Banking com.bankofamerica.BofA
    iOS BBC News uk.co.bbc.news
    iOS Bible tv.lifechurch.bible
    iOS Calculator for iPad Free com.itwcalculator.calculatorforipadfree
    iOS Candy Crush Saga com.midasplayer.apps.candycrushsaga
    iOS Capital One Mobile com.capitalone.enterprisemobilebanking
    iOS Chase Mobile com.chase
    iOS Chrome - web browser by Google com.google.chrome.ios
    iOS Chromecast com.google.Chromecast
    iOS Cisco AnyConnect com.cisco.anyconnect.gui
    iOS Cisco WebEx Meetings com.webex.meeting
    iOS Citrix Receiver com.citrix.ReceiveriPad
    iOS Citrix ShareFile Mobile: Send Files com.sharefile.mobile
    iOS Clash of Clans com.supercell.magic
    iOS CNN App for iPhone com.cnn.iphone
    iOS Concur com.concur.concurmobile
    iOS Dropbox com.getdropbox.Dropbox
    iOS Duolingo - Learn Languages for Free com.duolingo.DuolingoMobile
    iOS eBay com.ebay.iphone
    iOS Egencia TripNavigator com.egencia.app
    iOS Epocrates com.Epocrates.Rx
    iOS ESPN com.espn.ScoreCenter
    iOS ESPN Fantasy Football com.espn.fantasyFootball
    iOS ESPN Radio com.espn.espnradio
    iOS Evernote com.evernote.iPhone.Evernote
    iOS Expedia com.expedia.booking
    iOS Facebook com.facebook.Facebook
    iOS Fandango Movies – Times & Tickets com.fandango.fandango
    iOS Fly Delta com.delta.iphone.ver1
    iOS GarageBand com.apple.mobilegarageband
    iOS GasBuddy - Find Cheap Gas Prices com.gasbuddymobile.gasbuddy
    iOS Gmail - email from Google com.google.Gmail
    iOS Google com.google.GoogleMobile
    iOS Google Docs com.google.Docs
    iOS Google Drive - free online storage from Google com.google.Drive
    iOS Google Maps com.google.Maps
    iOS Google Sheets com.google.Sheets
    iOS Groupon com.groupon.grouponapp
    iOS Hangouts com.google.hangouts
    iOS HBO GO com.hbo.hbogo
    iOS Hulu com.hulu.plus
    iOS iHeartRadio - Free Music & Radio com.clearchannel.iheartradio
    iOS IMDb Movies & TV com.imdb.imdb
    iOS Instagram com.burbn.instagram
    iOS iTunes U com.apple.itunesu
    iOS KAYAK Flights com.kayak.travel
    iOS Keynote com.apple.Keynote
    iOS Kindle com.amazon.Lassen
    iOS LinkedIn com.linkedin.LinkedIn
    iOS Marriott International com.marriott.iphoneprod
    iOS Medscape com.medscape.mobile
    iOS Messenger com.facebook.Messenger
    iOS Microsoft Excel com.microsoft.Office.Excel
    iOS Microsoft PowerPoint com.microsoft.Office.Powerpoint
    iOS Microsoft Word com.microsoft.Office.Word
    iOS MLB.com At Bat com.mlb.AtBatUniversal
    iOS Movies by Flixster - with Rotten Tomatoes com.jeffreygrossman.moviesapp
    iOS myAT&T com.att.osd.myWireless
    iOS MyRadar Weather Radar com.fboweb.MyRadar
    iOS NBC Sports Live Extra com.nbcuni.com.nbcsports.liveextra
    iOS Numbers com.apple.Numbers
    iOS NYTimes – Breaking Local com.nytimes.NYTimes
    iOS OneDrive - Cloud storage for files & photos com.microsoft.skydrive
    iOS OpenTable com.contextoptional.OpenTable
    iOS Pages com.apple.Pages
    iOS Pandora Radio com.pandora
    iOS PayPal com.yourcompany.PPClient
    iOS Pinterest pinterest
    iOS QR Reader for iPhone com.TapMediaLtd.QRReader
    iOS Real Estate by Zillow – Search Homes & Apartments for Sale or Rent com.zillow.ZillowMap
    iOS Realtor.com Real Estate - Homes for Sale and Apartments for Rent com.move.Realtor
    iOS SafeNet MobilePASS com.safenetinc.mpbasic
    iOS Scotiabank com.scotiabank.locator
    iOS Scotiabank for iPad® com.scotiabank.mobilebanking.tablet
    iOS Shazam com.shazam.Shazam
    iOS SiriusXM com.siriusxm.siriusxmonline
    iOS Skype for Business (formerly Lync 2013) com.microsoft.lync2013.iphone
    iOS Skype for iPhone com.skype.skype
    iOS SmartDriver com.tower.smartdriver
    iOS Snapchat com.toyopagroup.picaboo
    iOS Solitaire com.mobilityware.SolitaireFree
    iOS Sonos Controller com.sonos.SonosController
    iOS Southwest Airlines com.southwest.iphoneprod
    iOS Speedtest.net Mobile Speed Test com.ookla.speedtest
    iOS Spotify Music com.spotify.client
    iOS Starbucks com.starbucks.mystarbucks
    iOS StubHub com.stubhub.stubhub
    iOS The Weather Channel com.weather.TWC
    iOS TripAdvisor Hotels Flights Restaurants com.tripadvisor.LocalPicks
    iOS TripCase com.sabre.tripcase.prod
    iOS TuneIn Radio - Stream Live Radio com.tunein.TuneInRadio
    iOS Twitter com.atebits.Tweetie2
    iOS Uber com.ubercab.UberClient
    iOS United Airlines com.united.UnitedCustomerFacingIPhone
    iOS Viber com.viber
    iOS WATCH ABC com.abcdigital.abc.videoplayer
    iOS WatchESPN com.espn.WatchESPN
    iOS Waze - GPS com.waze.iphone
    iOS WeChat com.tencent.xin
    iOS WhatsApp Messenger net.whatsapp.WhatsApp
    iOS Words With Friends com.newtoyinc.NewWordsWithFriendsFree
    iOS Workday com.workday.workdayapp
    iOS XFINITY TV Go com.comcast.cim.xplay
    iOS Yahoo Fantasy Sports com.yahoo.ffootball2009
    iOS Yahoo Mail – Free Email App com.yahoo.Aerogram
    iOS Yahoo Weather com.yahoo.weather
    iOS Yelp com.yelp.yelpiphone
    iOS YouTube com.google.ios.youtube
     
  7. AZgl1500 (Extreme Android User)

    that is a very extensive list.... and I have a major problem with one of those on the list:

    Android Evernote com.evernote

    I use this app a lot, and the version that I am using is 'Free' on my phone and my PC...
    on the PC, it is a good thing that I always store everything in c:\INSTALLS\EVERNOTE in this particular case.

    I had been blissfully accepting all Evernote updates thru the years w/o even reading what they do.... they are security people, right? and they are looking out for my Best Interest, right???

    well, one day, the upgrade ended my FREE license, and "without telling me".... ah ha, ole son, you just got bit because you did NOT read all of the EULA.....

    All of a sudden, I am hit with a very expensive Yearly License Fee.... and being retired on a very limited budget, that just can't be allowed to happen. when I questioned them, they refused to allow me to back up to the old version:

    So, I uninstalled the new update, went back to my old version, reinstalled it, and all is good again.

    Now, on my Android phone? I can't allow that to update either, for the same exact reason.

    So, I have to keep my phone, in my hands only.... and I have to restrict where on the internet I choose to go.
     
  8. fields12 (Newbie, Thread Starter)

    thanks for your comments.

    i am not conversant with the particulars of evernote.

    i would however, offer the following two comments.

    1. reverting back to and using old software may create a new set of problems, i.e., security vulnerabilities that updated software patches; and

    2. the new annual fee imposed on your upgraded version of the app may represent the "tip of the iceberg," in terms of cost to you. in other words, evernote as well as the other 149 apps listed above appear to have much access to, and hence, to a not insignificant extent "own" and "use" your personal data that you insert in the application.
     
  9. RazzMaTazz (Android Expert)

    I think the federal government pretty much puts its employees' Blackberries in a sandbox where they can't install apps or can only install approved apps.

    Other security-minded companies simply give their employees Windows Phones, because there are no apps available to download. ;)
     
  10. fields12 (Newbie, Thread Starter)

    thanks for your instructive comments.

    android is a wonderful platform .... seriously.

    i am impressed by something new and beneficial every day ....

    android devices are wonderful ...

    android satellite software, in its countless iterations .... is great ...; a testament to the ingenuity and cleverness of countless software programmers and coders.

    * * *

    but ... different strokes for different folks ....; and you have hit the nail on the head in terms of my comfort zone .... with mobile phones, i.e.,:

    a. the "sand box" with the feds; or

    b. the "windows (locked) phone" with the private sector.

    too bad i am not a member of the fed family; or private sector enterprise that uses windows locked phones.

    * * *

    so, i am not sure of the future ....; but right now i am still in the "wild west" of century 21, aka the android electronic universe.

    perhaps, windows phone may be available for me, but i wonder whether the windows mobile phone apps leak or retain the same security level as windows for p.c.'s ... whatever that is.

    * * *

    of course much of my comments apply to android's competitor, but since this is an android forum, i will not speak to ios.
     
  11. zuben el genub (Extreme Android User)

    None of the above except Adobe Reader on the phone (denied all permissions) - I use a computer behind a firewall, NoScript, MBAM, etc.

    What is troubling is that it seems to be the games that are targeted. This showed up today,
    http://www.welivesecurity.com/2016/...Feed:+eset/blog+(ESET+Blog:+We+Live+Security)
    and Slashdot has it, too.
    http://yro.slashdot.org/story/16/02...m_campaign=Feed:+Slashdot/slashdot+(Slashdot)

    I know there are a lot of people looking for hacks to avoid paying for something, but the real annoyance is for those who just want a trial and would buy after looking at the game. This hurts everyone.
     
  12. Slug (VIP Member)

    Seeing as the focus of this "report" is 'enterprise environments', I'm surprised to see Airwatch listed as it's specifically designed to enable enterprise-wide deployment and control of Android devices. I know from experience just how restrictive (from an end-user's pov) such devices are... even correcting the local time is impossible as everything is synchronised via central servers.

    Imho there's no excuse for "enterprises" to complain about 'data leakage'; the resources should be in place to control each and every device connected to their internal networks, proper UACs should be implemented to restrict access to sensitive data, effective firewalls should be in place to segregate traffic between WAN and LAN, and they most certainly shouldn't be allowing World + Dog to access their systems.
     
  13. fields12 (Newbie, Thread Starter)

    google docs and google drive appear as two of the applications on the above list of the top 150 third-party apps used by enterprise organization employees.

    i created a list with google docs on my mobile phone. ... google docs automatically (without any control or oversight by me) saved/uploaded the list to the cloud, i.e., google drive. ... the process is professional, smooth, efficient, crisp, etc., from beginning to end.

    and perhaps the cloud is secure ... including but not limited to, unencrypted movement of data from the cloud to mobile devices.

    i find it a little hard to believe however, that countless employees of enterprise level organizations are currently doing the same thing with sensitive data 365/24/7?

    if you type "data breach" into the google search engine for "news" ... the current results are as i expect, but disturbing nonetheless. ... and those results apply primarily to personal computers or servers versus mobile phone data breaches? i assume the latter are more insecure than the former? and while these data breaches appear not to involve the android suite of google applications, i am not sure a distinction on that basis arises.

     
  14. zuben el genub (Extreme Android User)

    Which is why I don't use it. Someone would have to convert since I run 7Pro and can install the old WordPerfect 9 and save in wpd. I don't use Google anything except Play. I use clones. SRWIron is a clone based on privacy and I see the Vivaldi browser does the same. I prefer Pale Moon over FX. I happen to want my toolbars - all of them.

    I also have nothing personal on the phone. I use color notes and the calendar only marks the day the cat needs meds.
    Pictures (all exif and info deleted) texts and contacts are the only personal. That's another go-round in Marshmallow. I have no social apps at all. All disabled and all permissions blocked. NFC is disabled, so is Bluetooth. Until my sponsored CC puts out an app, NFC is useless to me. I forget to charge earpieces, and the stupid Lexus prefers my phone to the Vulcan's if my bluetooth is on. It's HIS car - HIS phone and preferences should prevail. (He's got an Alcatel TMO flip.)

    Anything else is pure database. They'd get pix of western birds, flowers, weeds, the Messier objects and planets, etc.

    Now there's this:
    http://betanews.com/2016/02/27/tor-...n=Feed+-+bn+-+Betanews+Full+Content+Feed+-+BN
     
  15. fields12 (Newbie, Thread Starter)

    the internet was originally created by the u.s.a. department of defense, defense advanced research projects agency. .... the original purpose of the internet: a communal vehicle for the free exchange of scientific research by geographically remote, government contractor, scientists.

    because:

    a. such information could not be readily and generally monetized; and


    b. the relatively small nature of the internet at that time,

    the internet did not create risks of harm to the users then.

    * * * *

    today, the internet has become a world wide vehicle for the exchange of all information by billions of people; ... the good, the bad and the ugly ... in one big commune.

    the internet continues today to carry relatively few risks for the exchange of scientific research or frivolous social communications ... because such data cannot be generally and readily monetized.

    a problem arises today because the internet has become a place for the exchange of information that can be and is readily monetized, and whether it involves personally identifying information or otherwise.

    i suspect that some retrenchment from the type of information carried over the internet will occur ... because of chronic, confidential, and mass data breaches.

    the mobile phone in particular underscores this vulnerability.

    as i see it, opposite reality cannot co-exist at the same time and place, i.e., light and darkness; .... and so for the internet as simultaneously both communal (sharing) and individual (isolation), source of information, at the same time. .... ....

    we shall see.

    your physician, banker, doctor, employer etc., .... routinely deliver your sensitive personal information to third parties in response to court orders and/or subpoenas .... and likewise for the electronic counterparts;

    http://qz.com/620423/heres-how-ofte...ver-data-when-the-us-government-asked-for-it/

    but the $46.00 question is ....; how often is such information released electronically for reasons other than court orders and/or subpoenas?
     
    #15 fields12, Feb 28, 2016
    Last edited: Feb 28, 2016
