Mobile Security Report 2009



  1. 1. Mobile Security Report 2009
  2. 2. Mobile Security Report 2009

     Executive Summary

     The mobile industry is going through a period of unprecedented consolidation, both at the carrier level and among hardware and software vendors. Attempts to make the mobile ecosystem more user friendly have shown early signs of success. New players in evolving markets have successfully managed to close the gap with more developed markets, both in terms of the breadth of mobile service offerings and the range of devices available to subscribers.

     Regardless of international consolidation, however, there have been few innovations anywhere able to generate significant new revenue streams. Despite ongoing efforts to grow the market with new services and functionality, voice and data access remain the main revenue generators—though often with less attractive returns than a few years ago. At the same time, barriers to entry have emerged that prevent the development of new business models.

     One of these barriers is security.

     Attacks on mobile networks and devices have grown in number and sophistication. This has had a negative impact on how market participants perceive the reliability of existing mobile security solutions. This is particularly apparent in the areas of mobile payments and mobile commerce (m-commerce). Devices, applications, and even networks are not sufficiently secured to allay users’ concerns.

     For many respondents to our survey, device manufacturers are seen as being in the frontline when it comes to providing security. They are at the forefront of balancing control with innovation, a dynamic that often determines the mobile ecosystem for as long as a complete lifecycle of a given device. This is why the McAfee Mobile Security Report 2009 is taking a closer look at manufacturers’ security experiences, their concerns and priorities, and their approach to the major security challenges that lie ahead of them in the near future.

     We hope you find the McAfee Mobile Security Report 2009 interesting and valuable.

     Victor Kouznetsov
     Senior Vice President, McAfee Mobile Security

     Methodology

     McAfee commissioned Informa Telecoms & Media (ITM) to conduct an online survey in November and December 2008. ITM canvassed mobile device manufacturers for their opinions on key aspects of mobile security.

     An email invitation, guaranteeing anonymity to the individuals participating in the survey, was sent to mobile handset manufacturers and the software and hardware component vendors that supply them. More than 30 international mobile device manufacturers responded.

     In addition to completing the survey, participants were given the opportunity to participate in follow-up interviews carried out by ITM. The purpose of the in-depth, confidential interviews was to complement, verify, and expand on the survey results.

     This summary incorporates responses from both the online questionnaire and the interviews.

     CONTENTS

     Executive Summary
     Reality Check: The Situation Today
     The Impact of Mobile Security Incidents
     Focus Areas of Mobile Security Research
     An Approach to Mobile Security
     Summary and Outlook
  3. 3. Reality Check: The Situation Today

     For mobile device manufacturers and the software and hardware vendors that supply them, malware and malicious content is only one of many mobile security issues that need to be dealt with. New threats, including those that compromise users’ data or privacy, have emerged, targeting widely supported services such as text messaging and even voice.

     Within the last 12 months, manufacturers have reported increased security issues across all threat categories.

     “The growth of multimedia applications coupled with the opening of mobile operating systems will be the tipping point for mobile security issues.”
     – Mobile Device Chipset Vendor

     At the same time, mobile hackers using traditional coding practices have developed an increased level of sophistication. Throughout 2008, McAfee® Avert® Labs noticed a dramatic upswing in complex attacks targeting lower-level device functionality. Some of these have challenged the entire platform security concept of several vendors. Early security threats from independent young hackers have turned into sophisticated, profit-oriented attacks driven by experienced criminals. There also continues to be a high level of threat of infections from existing malware variants as vulnerable device models have entered secondary life cycles. Figures 3-1 and 3-2 illustrate manufacturers’ experiences with the most common mobile security threats over a period of three years.

     [Figure 3-1. Mobile Security Issues Reported, 2006 – 2008. The increase in security issues experienced by mobile device users from 2006 to 2008; percentage of respondents. Categories: Network or service capacity issues; Virus/spyware infections; Voice or text spam attacks; Third party application/content problems; Loss of user data from devices; Phishing attacks in any form; Privacy and regulatory issues; Denial of service attacks. Source: Informa Telecoms & Media, ©2009 Informa UK Ltd.]

     Development of Incidents

     Within the last 12 months, vendors have reported increased security issues with third-party applications and content. During this time, McAfee Avert Labs has seen a strong increase in the sharing and downloading of user-generated content and mobile applications in the developing markets of the Middle East and Asia. The vulnerabilities on devices or networks created by applications with unintentional malicious code can be as severe as those deliberately created by mobile malware hackers. Interviewees have repeatedly reported cases of prematurely released applications causing severe network capacity issues, as well as crashed or locked devices. In some cases, hackers have been able to get unauthorized network access at the users’ expense.

     More than 40 percent of vendors have experienced all the types of security incidents listed in Figure 3-1 except domain name system (DNS) attacks. In addition to general security issues causing network or service capacity problems on the carrier side, viruses and spyware as well as voice or text spam attacks have grown to considerable levels throughout 2008.

     Number of Devices Affected

     As voice and text services are supported by almost all mobile devices, voice or text spam attacks have hit the greatest number of devices. Supporting findings from Figure 3-1, security issues arising from third-party applications and content have impacted a considerable number of devices. Phishing attacks and traditional problems with malware have also affected a surprisingly high number of mobile devices in the past 12 months.

     [Figure 3-2. Number of Devices Impacted by Security Incident Category. The number of devices affected in each incident category over the last 12 months; percentage of respondents. Legend: < 10,000; 10,000–1,000,000; > 1,000,000. Categories: Voice or text spam attacks; Network or service capacity issues; Phishing attacks in any form; Virus/spyware infections; Third party application/content problems; Privacy and regulatory issues; Loss of user data from devices; Denial of service attacks. Source: Informa Telecoms & Media, ©2009 Informa UK Ltd.]
  4. 4. The Impact of Mobile Security Incidents

     If security is not an integral part of mobile device and platform development, security incidents can have dire consequences for vendors’ businesses. Figure 4-1 shows participants’ experiences with mobile security issues and how these issues impacted internal functions and third-party developer relations.

     Impact on Manufacturers’ Businesses

     While mobile devices and services are still relatively safe, individual incidents have already had a significant impact on manufacturers’ businesses. Almost half of participating vendors mentioned increased costs for patching and fixing devices. More than a third suffered from negative public relations or other brand damage followed by loss of credibility and user satisfaction. Recent experiences with releasing new mobile handset platforms, such as Android, have demonstrated how costly, complex, and annoying it can be for manufacturers, carriers, and users to distribute security solutions and patches for devices out in the field.

     Surprisingly, participants reported a very weak connection between increase of incidents and third-party developer activity. In fact, most previous security incidents have prompted device manufacturers to introduce platform security and limit third-party applications to those vendors fulfilling stringent technical and liability conditions. This initiated a considerable decline in developer activity and innovation output, for example, for the Symbian operating systems and other platforms—a trend not reflected in Figure 4-1.

     “Testing applications is not really our concern and it’s not our business to deal with those issues.”
     – Mobile Network Operator

     [Figure 4-1. Manufacturer’s Business Areas Impacted Most Significantly by Mobile Security Incidents. Significance of the perceived impact of previous security incidents on manufacturers’ businesses; percentage of respondents. Increased costs for patching/fixing devices 48%; Negativity in public relations or for brand 36%; Loss of revenues from services or device sales 32%; Loss of credibility or user satisfaction 32%; Increased customer care calls and enquiries 32%; Customer switching to competing manufacturer 28%; Reduced developers activity or content availability 24%. Source: Informa Telecoms & Media, ©2009 Informa UK Ltd.]

     Focus Areas of Mobile Security Research

     Results from interviews with manufacturers and component vendors enquiring about their top mobile security concerns showed close alignment with findings from McAfee research conducted among mobile operators at the beginning of 2007¹ and mobile consumers in early 2008². Problems in PC environments, which are now accessible by mobile devices, are now top-of-mind concerns among mobile device manufacturers, operators, and mobile users.

     Areas of Highest Mobile Security Concern

     Concern about mobile banking and payments security was mentioned most often by mobile device manufacturing companies. Initially introduced for the fixed line world, financial transactions have traditionally been a high attack and concern area. Today, service providers, banks, and PC manufacturers recommend the installation of personal protection products (often at no cost for the user). But the situation is different in the mobile space. While mobile banking services are growing rapidly in developing countries, where other payment methods are rare, mobile devices continue to lack sufficient protection features.

     “Wireless devices make use of precious resources as far as the communication infrastructure is concerned.”
     – Mobile Device Chipset Vendor

     [Figure 5-1. Mobile Usage Areas with Highest Security Concern for Manufacturers. The security concern level for various mobile device functions. Payments and banking 81%; Installing applications 69%; External memory cards 69%; WiFi/Bluetooth connections 66%; Download of multimedia content 59%; Internet browsing 59%; Email messaging 53%; PC synchronization 44%; Geo-localization function 44%; Text messaging 41%; Voice-over-IP chat 41%; Voice and voicemail 28%. Source: Informa Telecoms & Media, ©2009 Informa UK Ltd.]

     ¹ McAfee Mobile Security Report 2007, Research among 200 mobile operators about their experiences with mobile security incidents.
     ² McAfee Mobile Security Report 2008, Research among 2000 consumers in Japan, United Kingdom and United States about their mobile security concerns on mobile devices and mobile services.