As technology advances, it has become increasingly clear that desktop and laptop computers are becoming a thing of the past for the everyday user. Average consumer needs generally include online shopping, access to social media websites, the use of office programs and email accessibility. All those needs are now covered by smart phones and tablets, making the use of the traditional laptop and desktop almost obsolete – primarily due to the flexibility, power and autonomy of mobile devices.
More and more corporate environments are moving towards mobile devices because of the advantages they offer and the decreasing costs of mobile data usage. Smart phones mean that all employees are always easily accessible, no matter where they are. People can also be productive during times that used to be considered a nuisance, such as commuting on public transport. Of course, an alternative view is that many people consider those times to be a welcome relief from the constant intrusions of email!
When it comes to increased productivity, the reduction in costs sounds great but there is, as always, a catch. Working on the move has increased the risk of confidential data being exposed in a variety of ways, such as being overlooked and devices left on trains or in taxis. Information gleaned in this way, such as user-credentials, sensitive and confidential files and emails, can be used to compromise a user's personal information online and even lead to the compromise of an organisation itself.
In the battle to keep credentials secure on mobile devices, several applications have emerged in app stores that advertise the secure storage of passwords and/or sensitive files of a user. These apps seek to ensure that information will remain secure in a case of loss or theft of the mobile device. Password managers and folder-locking applications are everywhere, claiming that user-data stored within them is completely secure and their passwords cannot be retrieved. Many of the apps reach millions of downloads and are being used by a massive audience to store their information.
But is this actually the case? Is our data really secure? There are quite a few big names in the application market for password managers that have developed a good level of security after years of focusing on the protection of passwords. They usually involve an annual membership or fee to acquire the full functionality of the application. However, the majority of everyday users prefer to use an app that is free if it offers the "same" functionality and level of security.
So how is the security of these mobile apps delivered? The majority of the apps are made by a small team of developers or even a single person, which typically means that the security of the application falls into the "security by obscurity" camp. In summary, if a user can't see it, then it is secure. The majority of free and some paid applications save your confidential data inside the app's preference file or database files as clear text. This means an attacker who manages to steal and unlock a mobile device can just plug it into a computer, browse the files and retrieve its digital secrets at the click of a button.
But what about those apps that are advertised as providing "military grade" encryption? Considering the small amount of apps that actually do encrypt the user's data, a high percentage of them implement insecure key management – storing the encryption key in a plain text file, along with the encrypted data or transmitting it to the application in plaintext over HTTP.
According to OWASP, insecure data storage is the number one plague in mobile applications, strong evidence of the need for us to increase our awareness of the security risks involved when storing personal data on mobile devices.
With the ever-increasing advantages that technology brings and the resulting increase in mobile devices being used in and outside of the work place, the need to have resilient measures in place is gaining ever greater importance. If you have any concerns about your mobile device security, we can help – contact us on HACKsight@paconsulting.com or call 0870 600 1667.