Threats to mobile security were highlighted in a report recently published by McAfee, the provider of digital and online security services and software (see the full report here). In particular, it stressed the growing threat posed by malware targeting mobile platforms, increasingly through apps and services downloaded by the device’s user, in order to gain unauthorised access to personal and sensitive commercial data.
Shocking statistics claim that mobile malware has increased by 167% in one year. The rise of the smartphone and the personal digital assistant (PDA) has meant that users perform an increasing variety of tasks from their mobile device. These common gadgets have become hubs of personal and sensitive commercial data, the protection of which is a pressing concern for businesses as well as individual users. As employees are expected to be ever more accessible outside the office, the risk of a breach of company or customer security via staff mobile devices also continues to rise.
Personal data is defined in section 1(1) of the Data Protection Act 1998 as “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. The Courts have treated this definition widely with a recent Court of Appeal judgment holding that even a person’s name on its own is likely to be considered personal data (see our previous blog).
One of the data protection principles under the Act is that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (Sch 1, Part I, para 7). Any person classified as a “data controller”, which could potentially include the individual user, their employer and the app developer, in relation to the relevant data, has a duty to comply with this principle. Failure to comply could result in criminal prosecution and payment of compensation to any individual who suffered damage as a result.
Historically, mobile malware’s attempts to steal sensitive information have focused on the vulnerabilities of mobile operating system software, i.e. the mobile platform itself. However, McAfee reports that malware developers have recently expanded this approach to take advantage of weaknesses in apps and other mobile services. For example, malware disguised as an update for Adobe Flash Player (and as other such legitimate apps) sought permission to install itself and gain access to text messages, contacts, information stored on the device’s SD memory card and so on. After installation, the app did not appear on the home screen but was busy in the background searching the device for funds in a digital account to transfer to the malware developer’s server.
Particularly worrying was a study of third party copies of the hugely popular gaming application Flappy Bird. McAfee tested 300 “Flappy Bird clones” and found that 238 contained malware capable of making calls; installing additional apps; monitoring, recording, sending and extracting SMS messages; reading contacts; and extracting GPS information, all without any further permission from the user. In the worst cases identified, the malware was able to gain root access, which gave it uninhibited control of anything on the mobile device, including confidential business information.
Given that this represents such a crucial risk to users, their employers and their customers, it is important to consider what measures can be taken to protect mobile data. Some responsibility lies with developers of legitimate apps who need to be more diligent in protecting their apps and services from malware attacks. Sellers also need to ensure that they are taking all necessary steps to vet applications released into their marketplace. However, a responsible approach by businesses and individuals is also required to reduce the effects of mobile malware at all levels.
Users must be cautious when downloading mobile apps and granting app permission requests: carefully read requests to ensure you are not inadvertently giving away access to or control of personal, sensitive or private data; steer clear of third party apps that have not been subject to the vetting processes of trusted app stores; consider downloading a (reputable!) security app; and delete any apps you do not use.
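Reading permission requests by hand is the advice above; the same check can be automated before an app is allowed onto a corporate device. The following script is an added example and is not part of the original post or of McAfee’s report. It assumes an Android app, parses the permissions declared in its AndroidManifest.xml, and flags those that grant the kinds of access the post describes (SMS, contacts, location, calls, SD card storage, installing other apps). The risk map and the sample manifest for a fictional “Flappy Clone” game are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used for the android:name attribute in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Hypothetical risk map (an assumption of this example): real Android permission
# names, paired with the capability the post warns about for each one.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS messages",
    "android.permission.SEND_SMS": "send SMS messages (possible premium-rate fraud)",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.ACCESS_FINE_LOCATION": "extract GPS location",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.READ_EXTERNAL_STORAGE": "read files on the SD card",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write files to the SD card",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional apps",
}

# Constructed sample: a game that asks for far more than a game needs.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flappyclone">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Flappy Clone"/>
</manifest>
"""

# Constructed sample: a game that only needs network access (for leaderboards, say).
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.simplegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Simple Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the list of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> elements are direct children of <manifest>.
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission") if el.get(NAME_ATTR)]


def flag_sensitive(permissions):
    """Map each requested permission that is in the risk map to its description."""
    return {p: SENSITIVE_PERMISSIONS[p] for p in permissions if p in SENSITIVE_PERMISSIONS}


def permission_report(manifest_xml):
    """Summarise what an app asks for and whether a human should review it before install."""
    requested = requested_permissions(manifest_xml)
    flagged = flag_sensitive(requested)
    return {
        "requested": requested,
        "flagged": flagged,
        "verdict": "review before install" if flagged else "no sensitive permissions requested",
    }


if __name__ == "__main__":
    for label, manifest in (("Flappy Clone", SUSPICIOUS_MANIFEST), ("Simple Game", BENIGN_MANIFEST)):
        report = permission_report(manifest)
        print(f"{label}: {report['verdict']}")
        for perm, why in report["flagged"].items():
            print(f"  {perm}: {why}")
```

The verdict is deliberately “review”, not “block”: a messaging app legitimately needs SMS permissions, so the list is a prompt for the user or administrator to ask whether each permission makes sense for what the app claims to do, which is exactly the judgement the post asks users to make.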
Employers need to be aware of the risks of mobile malware and the potential for data leaks as a result, which can cause significant harm to their business and reputation. Although the onus is on consumer caution, businesses should ensure that their employees are aware of best practices in mobile security, by reviewing PDA policies and taking active steps to properly train staff and raise awareness.