Can We Really Secure Mobile Devices?
Security: a Key Value for Business Software
Cyberattacks on mobile devices is a persistent problem across the globe, since the very early days of smartphones in 2013 with Very Angry Birds, a malware that cloned the popular game just to take full control of our devices. Mobile devices play an integral role in people’s day-to-day lives so it is of paramount importance that proper security measures are in place to protect them. At SAP, we are mindful of the security needs for all of our products and services, and mobile devices are no exception.
What kinds of attacks are being implemented on mobile devices and can we do anything to stop them? What are best-in-breed companies like SAP doing to bring security to mobile devices?
Pegasus, the Latest Mobile Threat
“Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones” (from the Guardian). During the summer of 2021, a team of journalists, together with Amnesty International, announced that a cyber-surveillance tool, Pegasus, was used to “target human rights activists, journalists and lawyers across the world by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group” (again from the Guardian). Just what is this cyber-surveillance software?
If you have an interest in security, you may have discovered that Pegasus infects mobile phones by crafting attacks that exploit vulnerabilities in commonly used apps (as reported by Amnesty International), with the objective of taking control of the device itself, all its data and sensors like GPS and microphone. Sometimes, this could have been achieved with “zero-click” attacks, that is, attacks that did not even require the target to click on a link or to perform any specific actions.
How is this possible? Aren’t our mobile devices meant to be secure?, Didn’t we hear something along the same lines when ransomware started to be an issue? Ransomware works by encrypting pictures, videos but also professional data, on our own devices or cloud accounts, with an encryption key unknown to us, so that data can be recovered after paying the attacker (if you are lucky!). These attacks cause losses of data to uncountable users and organizations, as well as data leaks. How can malware like Pegasus or any ransomware just take control of our devices, and our lives, so easily?
So, let’s see how these attacks can exist, and what we can do to counter them.
A Complex System and Many Hidden Vulnerabilities
Our mobile devices are complex systems: hardware, operating systems (Android and iOS), apps that are all in constant evolution to deliver new functionalities and an appealing user experience. Securing such systems is therefore a moving target.
If we think about our pictures, they are saved on the device storage and used by the authorized apps, although managed by the operating system (OS). An attacker can try to get physical access to a device, or exploit vulnerabilities in apps or even worse, in the OS.
So, we can identify multiple attack paths to reach our pictures. Security components (“controls”) are deployed at each stage (device, OS, apps) but then, how can spyware, ransomware and malware still be such a scary menace?
There are vulnerabilities at all levels of the stack. Some of them are critical and mostly unknown, kept as far as possible especially from the providers of our devices/OSs/apps, so that they cannot fix them. These are called “zero-day” vulnerabilities: who discovers them can create attacks that exploit these weaknesses to bypass one or more security controls. Why are they called “zero-day”? The security professionals who can fix them has zero days to do so, as attacks are already in the wild and damages are already being caused.
The problem is so serious that, for example, Google created a dedicated team to hunt for zero-days and Apple fixed 15+ zero-days in iOS only in 2021, some of them so critical that they could be used to create attacks that don’t require any user intervention to be successful (the mentioned “zero-clicks”). Once the OS is compromised, attackers can bypass OS security controls and apps relying only on the OS are completely vulnerable.
Although the situation looks dire, there is hope.
Securing Mobile Devices
Both as mobile app developers and users, we can do our part to make our devices significantly more secure. Although protecting against zero-days is hard, there are specific actions we can do. We need to adopt a security posture that reduces the attack surface and considers even unknown threats. This comes with an effort that is justifiable for critical data, such as those processed by SAP systems.
App developers can reduce their attack surface by adding security controls to their architecture and by adopting techniques such as architecture security reviews and threat modeling. What this means is that one can include additional components, deployed locally on a device or on the cloud, to perform critical operations or to store confidential data. SAP is committed to improving security in mobile apps. It does so with its Mobile Services, on top of simplifying and easing mobile app development and integration with SAP products. For example, a library for Android (the BTP SDK) is provided as part of Mobile Services. It offers an encrypted datastore that can be used to save confidential data on a device. App developers can use an encryption key that is secret so only the user knows and it is never on the device. So, even if the OS is compromised, the attacker will only get encrypted information, almost impossible to decrypt. How can developers decide the needed additional controls? With methodologies like S.T.R.I.D.E., that allow app developers to analyze an architecture and derive the applicable threats for each asset, it is possible to secure apps using the most effective security controls. Considering zero-days here means to include additional controls that will make up for those that could more easily fail, like for example, those brought per default by the OSs. The SAP Secure Development Lifecycle adopts and extends threat modeling principles as part of a holistic approach covering all phases of software development,
As mobile device users, we need to become our own and most effective security control.Only installing apps from official stores, updating OS and apps to latest versions protect us from known vulnerabilities. Making good backups for our information, be it personal or professional, almost nullifies the effects of ransomware, as data can be easily recovered from backups. But, to avoid becoming easy prey, never disclose personal information in emails, unsolicited phone call or any other possible social phishing channel, and never click on suspicious links or attachments.
Doing so will make us so unattractive to attackers that they will need to look for another target!
For more information on SAP security please visit the SAP Trust Center.