According to a new report from the Office of National Statistics, 26 percent of smartphone users do not use smartphone security. In response to the news, security experts at Imperva, Synopsys, Outpost24, Cybereason and ESET offered the following comments:
Terry Ray, CTO at Imperva:
“Technically, just having a password on your phone could be construed as smartphone security. There are smartphone users that consider a password, thumbprint or facial recognition security enough, and then there are those who would look for additional software controls that monitor the phone’s internal activity as evidence of smartphone security.
The threat to a phone is similar to that of your computer, in that you may enter banking details, social media credentials, or anything else useful or fun for attackers to use or sell.
The percentage of users that fail to have preventative software installed would be significantly higher than 24%. This isn’t overly critical yet, as there are only a small number of attack tools at the moment, and Application Stores are currently taking ownership of preventing user threats to these. For example, Apple has been very selective on what they will allow iPhone users to download and install from their App Store and they have had very few incidents. Some of the other phone vendors open their stores up such that users have more freedom to download and install far more software with arguably less oversight. That open policy provides more flexibility to install whatever a user wants, but also introduces an opportunity for attackers and greater need for individual security controls on your phone.”
John Kozyrakis, Staff Research Engineer at Synopsys:
“The ONS report is a bit misleading as it confuses ‘smartphone security’ with ‘security apps’. These are not the same.
The ONS question was “Do you have smartphone security software (e.g. Firewall, antispam)”.
The possible answers were:
- Automatically installed/provided with operating system
- Installed/subscribed
- Do not have smartphone security
- Don’t know
Of these, “Do not have smartphone security” was 26%.
My intuition says this is because people are generally unaware of the state of security in mobile operating systems. These systems are inherently different to, for example, Microsoft Windows. Both Android and Apple iOS automatically install several security software components on user devices to combat malware and viruses. Users are typically unaware of these actions, as the relevant security components are ‘under the hood’ of the operating systems.
Users on recent versions of Android and iOS that install applications via the official marketplaces do not need to install additional security software on their devices. Security software on mobile devices, especially in the UK market, is almost universally unnecessary as the operating systems typically do a much better job in tackling malware themselves. Due to the way these operating systems are designed, third party security software can never be as effective as the operating system.
In summary I attribute the 26% figure to the public being unaware of how much effort goes into securing and protecting against malware by Google and Apple. On an up-to-date, recent device released within the last 3 years, which has not been “jailbroken” intentionally, and does not get applications from places other than the official marketplaces (Google Play and Apple Store), there is absolutely no need to install any third party security software.”
Martin Jartelius, CSO at Outpost24:
“These are not surprising statistics – mobile devices are not easily defended by anti-malware solutions, and the use of automated and frequent updates is generally a much more adopted and functional resolution.
Anti-malware for mobile devices is a nice-to-have, but patching out the vulnerabilities and maintaining healthy devices is a way cheaper, more efficient and foundational defense. This is a universal truth, both for mobile and traditional devices.”
Ross Rustici, Senior Director of intelligence at Cybereason:
“Smartphone security, as an industry, still lags behind other IT security sectors. Part of the reason is there is a general expectation that the phone manufacturers themselves are baking in security into the OS. The larger problem for vendors selling security products in this space is the wide variety of hardware and software configurations. No two smartphones are alike when it comes to these configurations, and apps in general are poorly coded and interact with the handset in odd but not necessarily malicious ways.
Overall the industry is improving, and the major phone/OS manufacturers are implementing positive changes, but the smartphone industry is roughly where the PC industry was in the mid to late 90s. Widescale adoption of defensive technology just hasn’t hit the saturation point yet.”
Dima Bekerman, Application Security Research Manager at Imperva:
“These stats do not surprise me. Most smartphone users like the “smart” functionality that the device provides; they are not aware of the security issues or how their privacy is protected.
Additionally, a lot of users “jailbreak” their smartphone using 3rd party tools to unlock them, so they can remove mobile operator limits or install unsupported applications.
However, these tools not only remove security protection layers, they also provide root access to the operating system of the phone, which could provide attackers with full control of the device.”
Jake Moore, Security Specialist at ESET:
“Sadly, this latest statistic doesn’t surprise me. Education is at the heart of cyber security prevention but unless people have actually lost their data via hacking or having their phone stolen, then I find that most people tend not to think about it or at the most have it on their ‘to do list’. Installing software that will reduce that gut-wrenching feeling of losing your data could be the saving grace if the worst ever happened. Simply backing up your data regularly can give you peace of mind yet further levels of security such as installing mobile antivirus software are suggested to increase personal mobile security. I have dealt with countless people who have lost personal data such as their holiday photos or their contacts or worse still, had their private photos extorted because of a lack of awareness around the current threats out there today. There is a sense of “it won’t happen to me” attitude with some people these days which could have extremely damaging effects should the worst happen.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.