Late last year, depositors from banks all over the country began downloading 99-cent apps from Google's Android Market to access accounts on their Android phones. The only problem was the banks hadn't put them there.
"One of the banks received a support call from a customer asking for help with its Android app when it didn't have an Android app," says Chris Wysopal, CTO of Veracode, a software security testing company that tests apps for vulnerabilities. "The app purported to be the bank's official app, and had the bank's logo. And it accepted customers' usernames and passwords." Come to find out, a single developer had uploaded similar Android apps for more than 50 banks, all of which Google removed this past January. The intent of the scam was either to bilk thousands of unsuspecting customers out of 99 cents each when they downloaded the app, or -- more ominously -- to obtain their username and password information.
Either way, one thing is clear: Smartphones have the potential to pose a real security threat. At the same time, their use is spreading. "Smartphones are essentially replacing laptops and even desktop PCs, and are now the primary way many people access the Web," Wysopal says. "If you think about all the risks we all understand you have on a PC when you receive email, install software, or click on a link, that's exactly how we have to start thinking about smartphones."
The problem is that most users don't. They download apps and send payments without worry for two reasons. First, because most users download smartphone apps from the "walled garden" of an app store, they assume the apps have been vetted and pose no threat. The second reason is that smartphone security breaches are not yet widespread. "Typically people take care of security issues when they've had direct experience with a problem, either their device was compromised or a friend or family member's was," Wysopal says. "Since that hasn't happened to most people yet, they don't use that much caution."
Just about every security expert agrees that it's only a matter of time until that changes, so the time to protect employees' smartphones is now. Here's how to keep smartphones safe:
Make passwords mandatory. "The most important thing to do with any smartphone is to use the password locking mechanism, so that if the phone is lost or stolen -- or even if you leave it unattended -- no one can access the data on there," Wysopal says.
Educate users to be wary of unknown links. "Don't click on everything you see. Think about it first," says Fred Touchette, senior security analyst at AppRiver, a messaging security company. He notes that a recent piece of malware showed up on smartphones as a message that appeared to come directly from the Facebook app. "If you clicked on it, it would take you directly to a site that would download malicious software."
Don't let users download "back alley" apps. "Make sure users are only downloading approved software from the regular marketplace," says Jon Harmer, director of product management for Cbeyond, which provides VoIP and mobile phone services to small businesses. "Beyond that, do a little homework on the developer so you can make sure you're not getting a banking app that doesn't come from your bank."
Know the signs of smartphone malware. "One of the common attacks is to have a smartphone send premium SMS messages that cost $5 or $10 each," Wysopal says. "So whoever is handling the mobile phone bills should scrutinize them, looking for any charges from strange premium services. The other way you can tell if something has gone wrong is if battery usage starts to change dramatically. If a malicious app is spying on you or stealing your personal information, that may cause increased battery usage." If this happens, he recommends restoring the phone to its original state.
Install security software on smartphones. This turned out to be the right solution for Active Interest Media, which publishes niche and specialty magazines. "Our creative teams all use Macs, so we had people coming in with their iPhones, asking if we could set them up with our contact and calendaring software," reports Nelson Saenz, director of IT. "People spend a lot of their time using smartphones to consume information and keep track of things, and we wanted to maintain that kind of continuity and at the same time have it be secure and give us some kind of management control over it." The solution was mobile security software from Good Technology that gives the IT team the controls it needs.
Good security software should give you the ability to not only block malware, but also remotely wipe a phone if it's lost or stolen, and use its GPS to locate the phone for recovery. In addition, Saenz appreciates management tools that will let him limit which apps users download, if he ever finds it necessary.
Experts agree that security threats to smartphones are bound to grow, and that users will routinely deploy security software on their smartphones, just as they do today on their personal computers. "Putting security on these devices now is getting ahead of the curve," Harmer says. "It's much better than waiting until after you've had a problem."