A study of smartphone users by the Internet and Mobile Association of India and Times Internet Limited states that the number of mobile internet users in India had reached 371 million by June 2016, and was on track to cross 500 million users by 2017. Mobile handset security has three prominent aspects: hardware, software and the user.
Most smartphones in India are made by foreign manufacturers. These manufacturers are often regulated by state agents, who instruct them to embed spyware, rootkits and Trojans. There have been several cases where Chinese manufacturers like Xiaomi have been blamed for spying on users’ data and sending it to their servers back in China. Even the Indian Air Force issued a general advisory, advising all its employees and their families not to use Xiaomi phones.
Over the last few years, there have been several reports of Android phones coming preloaded with spyware having a variety of capabilities, such as listening in to telephone conversations, accessing the Internet, viewing and copying contacts, installing unwanted apps, asking for location data, taking and copying images, recording conversations using the microphone, sending and reading SMS/MMS, disabling anti-virus software, listening in to chats via messaging services (Skype, Viber, WhatsApp, Facebook and Google+), and reading the browser history.
Last year, G Data, a German security firm, disclosed that the Star N9500 smartphone had the capability to spy on users, thereby compromising their personal data and conversations without any restrictions and without the users’ knowledge. Incidentally, the Star N9500 is a cheap knock-off of the popular Samsung Galaxy 4. This strategy also plays well for foreign agents: deliver a cheap alternative to a popular phone and siphon sensitive information from it. Many such users turn out to be pivotal informants for various intelligence agencies, family members of political leaders, law enforcement agencies and other critical establishments of the country.
There is an urgent need to devise standards for smartphone manufacturing and import, particularly in India. Such devices are undoubtedly a weapon in the hands of the enemy.
Application level or software threats
The next important aspect of handset security is securing the applications installed on the mobile device. Users unknowingly install a number of applications which are malicious in nature. Malicious applications are more prevalent on the Android platform than on iOS. For iOS, there is a long and complex verification process carried out before the app appears on iTunes. Any app not present on iTunes cannot be installed on iOS devices unless they are jailbroken. This is not the case with Android. Symantec’s latest Internet Security Threat Report revealed that nearly one million Android apps were actually malware in disguise. Veracode estimates that the average global enterprise has approximately 2,400 unsafe mobile applications installed in its mobile environment. Consider your organisation: if 84% of your employees are using the same phone for personal and business use, how long will it be before an infected app is installed by mistake?
Malware is downloaded to corporate networks 971 times every hour, according to Check Point’s latest Security Report, from spam, targeted spear-phishing emails, infected websites and more. This is nine times more malware downloads than the rate 12 months earlier. Given all these facts, and that more than 84% of mobile users utilize the same phone for personal and business use, one can understand how long it will take an infected mobile phone to corrupt their entire office network.
It is not just the malicious apps one needs to be wary of. According to a study by Arxan, more than 90% of healthcare and financial apps have two or more critical security vulnerabilities when measured against industry standards of cyber security. For the uninitiated, it basically means that these applications can unknowingly leak your sensitive information to dedicated hackers. Despite their best efforts, such applications fail to protect users from identity and data theft. A major reason for such lax security is the lack of vulnerability assessments conducted on such applications. Most vendors don’t conduct basic security testing of their applications, which leaves unintended security holes in them. Penetration testing services help to find major security bugs beforehand and reduce the risk of data leaks by almost 99%.
Another aspect of handset security is the unnecessary privileges sought by various legitimate applications. Permissions are the basic access rights required by apps to use various resources of the phone, such as the memory card, contacts, Wi-Fi driver and calendar. Basically, every function offered by your phone is a resource, and to access that resource, applications require permissions. For most smartphone users, permissions do not carry much weight. But when your average e-commerce app requires permission to access the microphone of your device, it raises red flags in the minds of cyber security advocates. There are certain permissions, like microphone, location, camera and read-write access to the memory card, which should be carefully managed. Various apps request privileges that they apparently do not have any need for. The best way to manage the permissions of such apps is to use the permission managers which are now available from most mobile manufacturers.
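The permission check described above can be automated when reviewing an app before it is allowed onto work phones. The following is an added example, not part of the original article: it reads the permissions an app declares in its decoded AndroidManifest.xml and flags sensitive ones that do not fit the app's category. The manifest, the package name and the per-category baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Sensitive Android permissions mapped to the phone resource they unlock.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.WRITE_EXTERNAL_STORAGE": "memory card",
    "android.permission.READ_CONTACTS": "contacts",
}

# Assumption: an illustrative baseline of resources each app category plausibly needs.
EXPECTED = {
    "ecommerce": {"location", "camera"},
    "voice_recorder": {"microphone", "memory card"},
}

# Constructed sample manifest for a hypothetical shopping app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission name declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def unexpected_permissions(manifest_xml, category):
    """Map each sensitive permission outside the category baseline to its resource."""
    allowed = EXPECTED.get(category, set())  # unknown category: flag everything sensitive
    return {perm: SENSITIVE[perm]
            for perm in sorted(requested_permissions(manifest_xml))
            if perm in SENSITIVE and SENSITIVE[perm] not in allowed}

if __name__ == "__main__":
    for perm, resource in unexpected_permissions(SAMPLE_MANIFEST, "ecommerce").items():
        print(f"REVIEW: {perm} ({resource}) is not expected for an e-commerce app")
```

For the sample shopping app, the microphone and contacts permissions are flagged for review, while location and camera pass as plausible for the category.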
Protect the users too
Lastly, we also have to address the weakest link in any security mechanism: the end users. An unaware and ignorant user renders the entire security process useless. Users should always keep their radars sharp and look out for malicious apps, signs of malware infections, spam links, drive-by downloads etc. 78% of people claim to be aware of the risks of unknown links in emails. And yet they click anyway. A survey by Friedrich Alexander University states that about one in every two users clicks on links from unknown sources.
Smartphone users have absolutely no idea of how complex and advanced cyber criminals have now become. They unwittingly disclose their bank account details, OTPs, private information etc. to cyber criminals. Recently, a diverse racket of cyber criminals was discovered in Jamtara Village of Jharkhand, where hardly literate but street-smart villagers were outsmarting highly literate but ignorant city folks. Their recorded victims include several IAS officers, executives, bank employees and working women. This simple example shows the level of cyber illiteracy within our Digital Country.
Where to go?
Given all these facts and figures, it is quite evident that there is an urgent necessity to tackle these hardware, software and user issues head-on. For hardware security, there is a need to extend and improve upon the Common Criterion Certification Scheme as devised by MeitY and other agencies. There is also a need to implement strong policy controls to regulate and punish the defaulters. We can also have an indigenous project to create an encapsulating encryption scheme to protect against data leakage to state-sponsored hacking by foreign players.
On the software part, the Cyber Swachhta Kendra is a novel initiative by the Government of India to provide free and competent antimalware solutions to all users. There is a need to continuously monitor and update the project in the light of new malware, spyware and other malicious applications. Organisations should focus on outsourced vulnerability assessment solutions rather than patting their own backs.
Everything said and done, the users still remain the weakest link in the security chain. Users should be given a comprehensive awareness of cyber security and the threats they face online. This can be done by large-scale training of users based on their requirements. We can have a basic training module for school students, non-tech employees of corporate entities and the general public. We can offer slightly advanced, practical training on cyber security and Secure SDLC to developers and entry-level IT professionals. For the management level guys, we should have a comprehensive risk assessment and vulnerability management training session. Organisations like IAMAI, FICCI and DSCI are entering into strategic partnerships with professional cyber security training bodies to provide scalable, affordable and refined cyber security training to the general public and IT professionals alike.
With all these steps, we can be sure to achieve a great degree of protection from data breaches, privacy violations and identity theft. Cyber security is an evolving field and so are the criminals. To remain a step ahead of them, we have to think ahead. We need to develop a granular and encompassing plan to safeguard the interest of the individual as well as that of the country. There is a need for an integrated national strategy with respect to cyber-attacks and cybercrime management. Once we overcome this policy paralysis, India can breathe a sigh of relief.
Authored by Prashant Pandey