
the second half of mobile security

fields12

Newbie
Feb 20, 2016
in my limited experience with mobile phones ("m.p."), it appears that m.p. security generally consists of two parts:

a. the front end or physical access to the device; and


b. the back end or electronic, remote access to the device.


* * * *

"a" appears reasonably protected at present by encryption software.

"b" however, appears subject to a variety of vulnerabilities not the least of which includes something now called "data leakage" or "privacy invasiveness."

a recent report, link below, by the m.p., enterprise security firm, Appthority reports this current problem as extensive across the m.p., environment.

https://www.appthority.com/enterpri...ws-high-risk-to-enterprises-from-mobile-apps/

apparently, data leakage (contact lists, etc.) are harvested by mainstream legitimate applications; and then the information is used against the m.p. owners.

appthority is not a disinterested party since it engages in the business of protecting enterprise organizations against such risks.

i would hence appreciate comments here from disinterested m.p., users as to whether they consider this risk significantly greater in quality and quantity than the risk of data leakage and privacy invasiveness currently affecting personal computers? thanks.
 
  • Like
Reactions: CoNGo7
a recent report, link below, by the m.p., enterprise security firm, Appthority reports this current problem as extensive across the m.p., environment.

Actually it refers to "the enterprise environment" specifically, which is significant.


i would hence appreciate comments here from disinterested m.p., users as to whether they consider this risk significantly greater in quality and quantity than the risk of data leakage and privacy invasiveness currently affecting personal computers? thanks.

The risk is always greater in devices that connect to public networks, whether they be mobile phones or laptop computers.

The greatest risk, however, is from users themselves, whether it is installing apps from dubious sites, not doing due diligence with requested permissions, or simply not bothering to look in an app's Settings for available privacy options.

I'd also like to see the list referred to by

Of the 150 most common apps on enterprise devices, 100% of the Android apps were found to have data leakage and privacy invasive behaviors

as well as their definition of "data leakage" and "privacy invasive features". I'd also be interested in how critical the author is of enterprises who deployed such apparently-dangerous devices in the first place.

Unfortunately I can't because to do so you have to provide name, work email and company name to "download" it. That I find almost too ironic for words. ;)
 
Upvote 0
It worries me that so many seemingly legitimate apps demand a broad range of permissions, including the ability to access my contacts. For example, my Sprint Samsung Galaxy S5 came pre-installed with the Peel Smart Remote (IR remote control) app, which requires permission to access my contacts. That app legitimately would need to access my contacts if I chose to use its feature enabling me to send a TV-show-link to a friend. But if the makers of Peel were evil, I guess they could just upload all of my contacts. No? Maybe they already have. It's scary.

I'm looking forward to Android 6.0, where (if I understand correctly) we'll have the option to deny specific permissions that apps may request. Denying specific permissions may cause the app not to work correctly. But in the Peel example, I would definitely deny permission to access my contacts because I would never want to send a TV-show-link to a friend.

Appthority sells security software & services so they have a conflict-of-interest in exaggerating the pervasiveness of the threat, but there is a real threat. There are several enterprise security software vendors (like Skyhigh Networks) that sell network monitoring software to help enterprises eliminate vulnerabilities from employee-smartphone-apps, laptop PC programs, etc.
 
Upvote 0
thanks for your informative comments.

i agree.

here is a specific example of what i am talking about.

http://www.securityweek.com/super-bowl-fans-warned-about-vulnerable-nfl-mobile-app

it would be nice, and even worth paying a price, to have a reputable security company examine, identify and recommend, on an ongoing and updated basis, the top 50? the top 10 apps? by u.s.a., or world wide downloads? that contain no; or little and specific; data leakage.

many mobile phone users would ignore such list because their preferred apps., are excluded; but likewise many mobile phone users prefer security over convenience and entertainment; and would follow and adopt such list.


one other point; i am a little bit surprised (and perhaps just ignorant) that large organizations who issue mobile phones to their employees, do not have those devices programmed to disallow all user downloads and installation of mobile apps., other than the apps., pre-installed and vetted by the information security branch of the enterprise itself (and before delivery to the employee).
 
Upvote 0
Report Highlights
iOS Malware is now mainstream
• 4 major breaches in as many months showed the App Store is not immune to mobile malware
• Every iOS device running OS older than 8.4.1 has a critical sandbox vulnerability that makes enterprise managed apps' credentials easily accessible to bad actors
Across the board, Android apps are more risky
• A higher percentage of Android than iOS apps showed risky behaviors across three critical risk categories - High Risk, Data Leakage, and Privacy Invasive
• Of the 150 most common apps on enterprise devices, 100% of the Android apps were found to have data leakage and privacy invasive behaviors
Mobile malware is not the only concern to enterprise mobility
• A far larger percentage of apps on both iOS and Android exhibit risky behaviors related to data leakage and privacy invasiveness
• Mobile app behaviors that send private user information are a gateway to private enterprise breaches through spear phishing or other attacks
• The most common apps in the enterprise pose a high and very direct risk to enterprise security and data privacy
• Dead apps that are not updated to address known malware and vulnerabilities continue to pose a cumulative and ongoing threat to enterprises

Android Agent com.airwatch.androidagent
Android Air NZ mobile app nz.co.airnz.mpass
Android Amazon Kindle com.amazon.kindle
Android Amazon Music with Prime Music com.amazon.mp3
Android Chrome Browser - Google com.android.chrome
Android Citrix ShareFile for Tablets com.sharefile.mobile.tablet
Android Dropbox com.dropbox.android
Android EAPworks au.com.entegy.eapworks
Android Evernote com.evernote
Android Facebook com.facebook.katana
Android Fitbit com.fitbit.FitbitMobile
Android Flipboard: Your News Magazine flipboard.app
Android Gmail com.google.android.gm
Android Google com.google.android.googlequicksearchbox
Android Google Play Books com.google.android.apps.books
Android Google Play Movies & TV com.google.android.videos
Android Google Play Music com.google.android.music
Android Google Play Newsstand com.google.android.apps.magazines
Android Google+ com.google.android.apps.plus
Android GoToMeeting com.citrixonline.android.gotomeeting
Android Hangouts com.google.android.talk
Android HP Print Service Plugin com.hp.android.printservice
Android IMDb Movies & TV com.imdb.mobile
Android My Verizon Mobile com.vzw.hss.myverizon
Android OneNote com.microsoft.office.onenote
Android S Health com.sec.android.app.shealth
Android Salesforce1 com.salesforce.chatter
Android Samsung Push Service com.sec.spp.push
Android Support & Protection com.asurion.android.verizon.vms
Android Verizon Messages com.verizon.messaging.vzmsgs
Android VZ Navigator com.vznavigator.Generic
Android WhatsApp com.whatsapp
Android YouTube com.google.android.youtube
iOS Adobe Acrobat Reader com.adobe.Adobe-Reader
iOS Adobe Connect Mobile com.adobe.connect.mobile
iOS Airbnb com.airbnb.app
iOS Amazon App com.amazon.Amazon
iOS Amazon Music with Prime Music com.amazon.mp3.AmazonCloudPlayer
iOS Amazon Video com.amazon.aiv.AIVApp
iOS American Airlines com.aa.AmericanAirlines
iOS AroundMe com.tweakersoft.AroundMe
iOS Audiobooks from Audible com.audible.iphone
iOS Bank of America - Mobile Banking com.bankofamerica.BofA
iOS BBC News uk.co.bbc.news
iOS Bible tv.lifechurch.bible
iOS Calculator for iPad Free com.itwcalculator.calculatorforipadfree
iOS Candy Crush Saga com.midasplayer.apps.candycrushsaga
iOS Capital One Mobile com.capitalone.enterprisemobilebanking
iOS Chase Mobile com.chase
iOS Chrome - web browser by Google com.google.chrome.ios
iOS Chromecast com.google.Chromecast
iOS Cisco AnyConnect com.cisco.anyconnect.gui
iOS Cisco WebEx Meetings com.webex.meeting
iOS Citrix Receiver com.citrix.ReceiveriPad
iOS Citrix ShareFile Mobile: Send Files com.sharefile.mobile
iOS Clash of Clans com.supercell.magic
iOS CNN App for iPhone com.cnn.iphone
iOS Concur com.concur.concurmobile
iOS Dropbox com.getdropbox.Dropbox
iOS Duolingo - Learn Languages for Free com.duolingo.DuolingoMobile
iOS eBay com.ebay.iphone
iOS Egencia TripNavigator com.egencia.app
iOS Epocrates com.Epocrates.Rx
iOS ESPN com.espn.ScoreCenter
iOS ESPN Fantasy Football com.espn.fantasyFootball
iOS ESPN Radio com.espn.espnradio
iOS Evernote com.evernote.iPhone.Evernote
iOS Expedia com.expedia.booking
iOS Facebook com.facebook.Facebook
iOS Fandango Movies – Times & Tickets com.fandango.fandango
iOS Fly Delta com.delta.iphone.ver1
iOS GarageBand com.apple.mobilegarageband
iOS GasBuddy - Find Cheap Gas Prices com.gasbuddymobile.gasbuddy
iOS Gmail - email from Google com.google.Gmail
iOS Google com.google.GoogleMobile
iOS Google Docs com.google.Docs
iOS Google Drive - free online storage from Google com.google.Drive
iOS Google Maps com.google.Maps
iOS Google Sheets com.google.Sheets
iOS Groupon com.groupon.grouponapp
iOS Hangouts com.google.hangouts
iOS HBO GO com.hbo.hbogo
iOS Hulu com.hulu.plus
iOS iHeartRadio - Free Music & Radio com.clearchannel.iheartradio
iOS IMDb Movies & TV com.imdb.imdb
iOS Instagram com.burbn.instagram
iOS iTunes U com.apple.itunesu
iOS KAYAK Flights com.kayak.travel
iOS Keynote com.apple.Keynote
iOS Kindle com.amazon.Lassen
iOS LinkedIn com.linkedin.LinkedIn
iOS Marriott International com.marriott.iphoneprod
iOS Medscape com.medscape.mobile
iOS Messenger com.facebook.Messenger
iOS Microsoft Excel com.microsoft.Office.Excel
iOS Microsoft PowerPoint com.microsoft.Office.Powerpoint
iOS Microsoft Word com.microsoft.Office.Word
iOS MLB.com At Bat com.mlb.AtBatUniversal
iOS Movies by Flixster - with Rotten Tomatoes com.jeffreygrossman.moviesapp
iOS myAT&T com.att.osd.myWireless
iOS MyRadar Weather Radar com.fboweb.MyRadar
iOS NBC Sports Live Extra com.nbcuni.com.nbcsports.liveextra
iOS Numbers com.apple.Numbers
iOS NYTimes – Breaking Local com.nytimes.NYTimes
iOS OneDrive - Cloud storage for files & photos com.microsoft.skydrive
iOS OpenTable com.contextoptional.OpenTable
iOS Pages com.apple.Pages
iOS Pandora Radio com.pandora
iOS PayPal com.yourcompany.PPClient
iOS Pinterest pinterest
iOS QR Reader for iPhone com.TapMediaLtd.QRReader
iOS Real Estate by Zillow – Search Homes & Apartments for Sale or Rent com.zillow.ZillowMap
iOS Realtor.com Real Estate - Homes for Sale and Apartments for Rent com.move.Realtor
iOS SafeNet MobilePASS com.safenetinc.mpbasic
iOS Scotiabank com.scotiabank.locator
iOS Scotiabank for iPad® com.scotiabank.mobilebanking.tablet
iOS Shazam com.shazam.Shazam
iOS SiriusXM com.siriusxm.siriusxmonline
iOS Skype for Business (formerly Lync 2013) com.microsoft.lync2013.iphone
iOS Skype for iPhone com.skype.skype
iOS SmartDriver com.tower.smartdriver
iOS Snapchat com.toyopagroup.picaboo
iOS Solitaire com.mobilityware.SolitaireFree
iOS Sonos Controller com.sonos.SonosController
iOS Southwest Airlines com.southwest.iphoneprod
iOS Speedtest.net Mobile Speed Test com.ookla.speedtest
iOS Spotify Music com.spotify.client
iOS Starbucks com.starbucks.mystarbucks
iOS StubHub com.stubhub.stubhub
iOS The Weather Channel com.weather.TWC
iOS TripAdvisor Hotels Flights Restaurants com.tripadvisor.LocalPicks
iOS TripCase com.sabre.tripcase.prod
iOS TuneIn Radio - Stream Live Radio com.tunein.TuneInRadio
iOS Twitter com.atebits.Tweetie2
iOS Uber com.ubercab.UberClient
iOS United Airlines com.united.UnitedCustomerFacingIPhone
iOS Viber com.viber
iOS WATCH ABC com.abcdigital.abc.videoplayer
iOS WatchESPN com.espn.WatchESPN
iOS Waze - GPS com.waze.iphone
iOS WeChat com.tencent.xin
iOS WhatsApp Messenger net.whatsapp.WhatsApp
iOS Words With Friends com.newtoyinc.NewWordsWithFriendsFree
iOS Workday com.workday.workdayapp
iOS XFINITY TV Go com.comcast.cim.xplay
iOS Yahoo Fantasy Sports com.yahoo.ffootball2009
iOS Yahoo Mail – Free Email App com.yahoo.Aerogram
iOS Yahoo Weather com.yahoo.weather
iOS Yelp com.yelp.yelpiphone
iOS YouTube com.google.ios.youtube
 
Upvote 0
that is a very extensive list.... and I have a major problem with one of those on the list:

Android Evernote com.evernote

I use this app a lot, and the version that I am using is 'Free' on my phone and my PC...
on the PC, it is a good thing that I always store everything in c:\INSTALLS\EVERNOTE in this particular case.

I had been blissfully accepting all Evernote updates thru the years w/o even reading what they do.... they are security people, right? and they are looking out for my Best Interest, right???

well, one day, the upgrade ended my FREE license, and "without telling me".... ah ha, ole son, you just got bit because you did NOT read all of the EULA.....

All of a sudden, I am hit with a very expensive Yearly License Fee.... and being retired on a very limited budget, that just can't be allowed to happen. when I questioned them, they refused to allow me to back up to the old version:

So, I uninstalled the new update, went back to my old version, reinstalled it, and all is good again.

Now, on my Android phone? I can't allow that to update either, for the same exact reason.

So, I have to keep my phone, in my hands only.... and I have to restrict where on the internet I choose to go.
 
Upvote 0
thanks for your comments.

i am not conversant with the particulars of evernote.

i would however, offer the following two comments.

1. reverting back to and using old software may create a new set of problems, i.e., security vulnerabilities that updated software patches; and

2. the new annual fee imposed on your upgraded version of the app., may represent the "tip of the iceberg," in terms of cost to you. in other words, evernote as well as the other 149 apps., listed above, appear to have much access to, and hence, to a not insignificant extent "own" and "use" your personal data that you insert in the application.
 
Upvote 0
thanks for your instructive comments.

android is a wonderful platform .... seriously.

i am impressed by something new and beneficial every day ....

android devices are wonderful ...

android satellite software, in its countless iterations .... is great ...; a testament to the ingenuity and cleverness of countless software programmers and coders.

* * *

but ... different strokes for different folks ....; and you have hit the nail on the head in terms of my comfort zone .... with mobile phones, i.e.,:

a. the "sand box" with the feds; or

b. the "windows (locked) phone" with the private sector.

too bad i am not a member of the fed family; or private sector enterprise that uses windows locked phones.

* * *

so, i am not sure of the future ....; but right now i am still in the "wild west" of century 21, aka the android electronic universe.

perhaps, windows phone may be available for me, but i wonder whether the windows mobile phone apps., leak or retain the same security level as windows for p.c.'s ... whatever that is.

* * *

of course much of my comments apply to android's competitor, but since this is an android forum, i will not speak to ios.
 
Upvote 0
None of the above except Adobe reader on phone (denied all permissions) - I use computer behind firewall, NoScript, MBAM, etc.

What is troubling is that it seems to be the games that are targeted. This showed up today,
http://www.welivesecurity.com/2016/...Feed:+eset/blog+(ESET+Blog:+We+Live+Security)
and Slashdot has it, too.
http://yro.slashdot.org/story/16/02...m_campaign=Feed:+Slashdot/slashdot+(Slashdot)

I know there are a lot of people looking for hacks to avoid paying for something, but the real annoyance is for those who just want a trial and would buy after looking at the game. This hurts everyone.
 
Upvote 0
Seeing as the focus of this "report" is 'enterprise environments', I'm surprised to see Airwatch listed as it's specifically designed to enable enterprise-wide deployment and control of Android devices. I know from experience just how restrictive (from an end-user's pov) such devices are... even correcting the local time is impossible as everything is synchronised via central servers.

Imho there's no excuse for "enterprises" to complain about 'data leakage'; the resources should be in place to control each and every device connected to their internal networks, proper UACs should be implemented to restrict access to sensitive data, effective firewalls should be in place to segregate traffic between WAN and LAN, and they most certainly shouldn't be allowing World + Dog to access their systems.
 
Upvote 0
google docs and google drive appear as two of the applications on the above list of the top 150 third party apps., used by enterprise organization employees.

i created a list with google docs on my mobile phone. ... google docs automatically (without any control or oversight by me) saved/uploaded the list to the cloud, i.e., google drive. ... the process is professional, smooth, efficient, crisp, etc., from beginning to end.

and perhaps the cloud is secure ... including but not limited to, unencrypted movement of data from the cloud to mobile devices.

i find it a little hard to believe however, that countless employees of enterprise level organizations are currently doing the same thing with sensitive data 365/24/7?

if you type "data breach" into the google search engine for "news" ... the current results are as i expect, but disturbing nonetheless. ... and those results apply primarily to personal computers or servers versus mobile phone data breaches? i assume the latter are more insecure than the former? and while these data breaches appear not to involve the android suite of google applications, i am not sure a distinction on that basis arises.

 
Upvote 0
Which is why I don't use it. Someone would have to convert since I run 7Pro and can install the old WordPerfect 9 and save in wpd. I don't use Google anything except Play. I use clones. SRWIron is a clone based on privacy and I see the Vivaldi browser does the same. I prefer Pale Moon over FX. I happen to want my toolbars - all of them.

I also have nothing personal on the phone. I use color notes and the calendar only marks the day the cat needs meds.
Pictures (all exif and info deleted) texts and contacts are the only personal. That's another go-round in Marshmallow. I have no social apps at all. All disabled and all permissions blocked. NFC is disabled, so is Bluetooth. Until my sponsored CC puts out an app, NFC is useless to me. I forget to charge earpieces, and the stupid Lexus prefers my phone to the Vulcan's if my bluetooth is on. It's HIS car - HIS phone and preferences should prevail. (He's got an Alcatel TMO flip.)

Anything else is pure database. They'd get pix of western birds, flowers, weeds, the Messier objects and planets, etc.

Now there's this:
http://betanews.com/2016/02/27/tor-...n=Feed+-+bn+-+Betanews+Full+Content+Feed+-+BN
 
Upvote 0
the internet was originally created by the u.s.a., department of defense, defense advanced research projects agency. .... the original purpose of the internet: a communal vehicle for the free exchange of scientific research by geographically remote, government contractor, scientists.

because:

a. such information could not be readily and generally monetized; and


b. the relatively small nature of the internet at that time,

the internet did not create risks of harm to the users then.

* * * *

today, the internet has become a world wide vehicle for the exchange of all information by billions of people; ... the good, the bad and the ugly ... in one big commune.

the internet continues today to carry relatively few risks for the exchange of scientific research or frivolous social communications ... because such data cannot be generally and readily monetized.

a problem arises today because the internet has become a place for the exchange of information that can be and is readily monetized, and whether it involves personally identifying information or otherwise.

i suspect that some retrenchment from the type of information carried over the internet will occur ... because of chronic, confidential, and mass data breaches.

the mobile phone in particular underscores this vulnerability.

as i see it, opposite reality cannot co-exist at the same time and place, i.e., light and darkness; .... and so for the internet as simultaneously both communal (sharing) and individual (isolation), source of information, at the same time. .... ....

we shall see.

your physical, banker, doctor, employer etc., .... routinely deliver your sensitive personal information to third parties in response to court orders and/or subpoenas .... and likewise for the electronic counterparts;

http://qz.com/620423/heres-how-ofte...ver-data-when-the-us-government-asked-for-it/

but the $46.00 question is ....; how often is such information released electronically for reasons other than court orders and/or subpoenas?
 
Upvote 0
