From "riskware" to malicious mobile apps that circumvent app store controls by leveraging enterprise application distribution capabilities in iOS and Android, mobile security threats are on the rise. So it's no wonder mobile security is top of mind for information security professionals.
We asked several security experts for their insights on mobile security for 2016. Here are six of their most interesting insights.
Mobile Security's Impact on the Password
Password reuse attacks will begin to decline, thanks in large part to the smartphone, said Zscaler CISO Michael Sutton. "Smartphones can be many things but they make for a handy, secure, always with you, data repository. As such, people are starting to adopt password managers such as 1Password and LastPass and other user friendly smartphone apps that present a convenient option for always having sensitive data such as passwords within easy reach," he said.
Advancements in biometrics will also play a role as consumer-grade fingerprint scanners are now becoming a standard feature on smartphones, Sutton said. "This not only makes accessing that password repository quicker and more user friendly, but also finally makes it an option to do away with passwords altogether."
Android Gets Its Act Together
Android accounts for the overwhelming majority of mobile malware, and Google will become much more aggressive in its efforts to boost Android security in 2016. Among the steps Google will take, predicts Sutton:
- Crack down on third-party app stores
- Restrict the permissions available to apps not vetted through the Google Play submission process
- Eliminate side-loaded apps requesting Administrator permissions
- Mandate acceptable timeframes for patches and firmware upgrades from Android licensees
"Some developers and partners will push back, but Google will have little choice if they want to get malware under control," he said. "These steps won't eliminate Android malware, especially with Android's slow O/S upgrade cycle, but they will raise the bar for third-party app stores, just as Bouncer did for Google Play."
Mobile Security in CISA
If the Cybersecurity Information and Sharing Act (CISA) becomes law, it will contain some interesting provisions that specifically address mobile security, predicts Domingo Guerra, president and co-founder of mobile security company Appthority. "The truth is that there's a convergence of forces putting both the private and the public sector at greater risk. More and more employees are relying on mobile devices as their primary computing device and they're doing more complex tasks on them, he said. "It's no longer theoretical that mobile cyber threats will increase. CISA calls for recommendations on addressing these threats based on best practices which should include managing mobile app risk."
Mobile Security Catches up in Compliance
Industries like the financial services sector have long employed advanced compliance policies to ensure personally identifiable information (PII) and other sensitive financial data remains secure in a desktop environment, Guerra noted. "It seems that some regulators forget that mobile devices are actually computers too, and should be covered under most of the data security compliance practices of the past," he said. "In the year to come, the U.S. will catch up with what's already happening in regions like Hong Kong and Canada: applying regulatory and compliance policies to mobile devices."
Jailbroken iOS Devices a Target
Android malware authors and hackers will turn their focus to iOS in 2016, predicts Sanjay Katkar, founder and CTO of security company Quick Heal Technologies. "As the number of iPhone owners rises across the world, iOS will become a top target for cyber criminals," he said. "The discovery of the 'XcodeGhost' malware on the App Store this year was just the beginning. Quick Heal predicts that Android malware will soon be altered to affect iOS users as well, and jailbroken iOS devices will be the first wave of targets for these attacks."
Ransomware Goes Mobile
Ransomware will remain a key challenge for IT security professionals in 2016, Katkar said. "These attacks are capable of causing significant system downtime, loss of critical data, intellectual property theft, and more. In several industries, a ransomware attack is now considered on par with a significant data breach," he said. "Quick Heal foresees the growing threat of ransomware attacks on mobile devices in 2016 and beyond."
For more interesting insights on what is ahead for enterprise security in 2016, check out our 10 cloud security predictions.