Warning: The Mobile Endpoint In Your Pocket May Be Just As Vulnerable As Your Desktop
Microsoft Windows is the dominant desktop operating system globally, which is a primary reason why hackers target Windows continually, because even with a very low success rate due to Windows’ extensive protections, hackers know that their chances of conquest are better than on MacOS or other operating systems. This isn’t to knock Windows or praise Mac but to set the stage for a larger issue.
Less common is the knowledge that Android is the markedly dominant mobile operating system, and partly because of that “honor,” malicious actors attack Android more frequently, leading to attacks like this, where malware gets loaded into the Google Play store and is installed on over 8 million devices.
The problem that Windows and Android share, besides their global pervasiveness, is that both are designed with an ability for extensive customization. While each OS has core common functions, both are installed on a vast array of physical devices that neither Microsoft nor Google build, though both sell their own devices, too. This enormous flexibility can allow minor code changes to come through from the device platforms, such as device-specific drivers, that can then become new avenues for attack. MacOS and Linux have their own extensive list of vulnerabilities as well, but with around a 15% and 4% market share, respectively, hackers still prefer to target the larger-installed-base OSes.
Android’s other issue, and one it shares with iOS, is that users work on mobile devices differently than Windows PCs. Smartphones have become very personal to the user, and the way applications are delivered, predominantly through the public app stores, is very different from how apps are delivered to business and even personal desktops. While Microsoft and Apple have app stores for Windows and Mac, usage of these within enterprises remains low. Even for fully managed business mobile devices, applications are usually delivered to Android devices through the Google Play store, just as iOS devices use the Apple App Store. This means you’re relying on the security operations of that third party to ensure that everything delivered to your smartphone (or tablet) meets high security standards.
When enterprises introduce bring-your-own-device (BYOD) policies, new cyber risks emerge as users install and remove different apps to find the apps best suited to their personal tastes while the IT or security operations analyst is simultaneously trying to deliver the correct set of productivity apps approved for use by your employees. How do you ensure that those apps are safe and not compromised? And this is not an Android-only issue; iOS has its own headaches in the realm of apps and vulnerabilities. Bear in mind that while this latest issue for Android relates to apps delivered through the Google Play Store, both Android and iOS allow for the sideloading of applications (with iOS sideloading being limited to the EU and with some restrictions), so security and risk professionals need to understand the complete scope of the challenge before allowing BYO devices into the enterprise.
What can you do about it? First, you should come see me at the Forrester Security & Risk Summit in Baltimore next week for my session, “Enhance Mobile Security With AI And Zero Trust.” The most important point, however, is to stop treating smartphones like they’re powerful phones and treat them like enterprise endpoints. Even in the world of BYOD, if a mobile device is accessing corporate information, you must apply Zero Trust principles and protect your business resources appropriately. If you wouldn’t let a random Windows laptop access your primary business apps without checking its security posture, then you should do the same with any Android or iOS device. If you can’t join me in Baltimore, please read The Forrester Wave™: Mobile Threat Defense Solutions, Q3 2024, to understand how mobile endpoint security vendors are providing solutions that help protect this valuable enterprise endpoint.