Promiscuous wireless

Although not addressed by Symantec's holiday survey, many smartphones will no doubt be accessing email, websites, calendars, etc., using a multitude of wireless networks, from mobile broadband to public hotspots to family-owned Wi-Fi. Holiday usage tends to throw a kink into established best practices, as users struggle to get online wherever they might be, using the most convenient (and often unknown) form of Internet access. Here, the best defense is a good offense – such as using a VPN to protect all wireless activity. However, users still need to exercise common sense and a modicum of caution to avoid Evil Twin APs that can prey upon careless wireless devices. For more advice on avoiding Evil Twins, see our October top ten column.

Texting strangers

SMS has grown increasingly popular on phones of all kinds, including smartphones with easier-to-use virtual keyboards. In Symantec's survey, 48 percent and 74 percent of users expected to text for work and play, respectively, over the holidays. The bad news? 68 percent said they were at least somewhat likely to open a text message sent by a stranger. 29 percent even said very likely – double the number very likely to open email from strangers. Ironically, 41 percent also identified SMS text phishing ("SMSshing") as one of their top two most worrisome smartphone attacks. According to Nguyen, "People are relatively new to smartphone threats – until recently, most only used them for email and calendaring. They aren't yet educated about the risks related to SMS and phishing URLs that might be presented to them, both in texts and when browsing." In addition to user education, SMS spam and sender filtering can help. These measures can be device-resident or cloud-based, and they prevent relay or display of SMS messages from unknown (or known-offensive) senders.

Downloading apps

Forty-four percent of respondents said they were likely to download mobile apps while taking time off over the holiday. Unfortunately, just 18 percent said they paid close attention to license agreements to understand what data and services those apps would be permitted to access on their smartphone. Another 35 percent admitted they did not read license agreements at all. This trend should raise loud alarm bells for employers – particularly for mixed-use phones running apps downloaded from the free-wheeling Android Market. According to the App Genome Project, 29-33 percent of iPhone and Android apps can access a user's location; 8-14 percent can access contacts. But why do so few users care? "Based on their experience with PC downloads, many people have learned to tune out license legalese," said Nguyen. "But with smartphones, licenses are different – apps must publish the capabilities and privileges to inform the user before installation. We're seeing a high percentage of apps that require access to information they don't really need." Reviewing and understanding licenses during app download should become a smartphone best practice. Companies that deploy security software can also use whitelists to control app installation. Someday soon, smartphones may be virtualized to better segregate personal and business apps and their environments.

Social networking

Finally, 68 percent of respondents expected to use social networks (e.g., Twitter, Facebook, LinkedIn) during the holiday. This comes as no surprise, since social network usage is rising fast and all smartphones now run a plethora of apps designed to make these sites more usable on small screens.

According to Nguyen, social networking threats on smartphones are expected to parallel those now being experienced on PCs. "Threats are moving from the OS level to the application level, with social engineering attacks being used to trick users into clicking on links that cause malicious behavior," he said. "Social networking apps on smartphones will encourage hackers to customize attacks for mobile devices."

Mobile malware has ramped up rather slowly on smartphones. But in Symantec's survey, a surprisingly high percentage of users cited malware as a top three concern. Enterprises may not be nearly as concerned – yet. But when mobile malware emerges in full force, it's likely to penetrate the enterprise through an unprotected back door like social networking. Here, forewarned is forearmed.

Symantec's survey focused on holiday season smartphone use, but it provides useful insight into habits, end user attitudes, and emerging trends that could apply all year long. Clearly, employers need to start taking smartphone security threats seriously – and that includes employee-liable consumer smartphones. So don't let the Grinch steal Christmas (or Hanukkah or Kwanzaa or your own December holiday). Safeguard those iPhones and Androids and tablets to mitigate these mobile risks.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
