According to a new report from the Office of National Statistics, 26 percent of smartphone users do not use smartphone security. In response to the news, please see below comments from security experts at Imperva, Synopsys, Outpost24, Cybereason and ESET:
Terry Ray, CTO at Imperva:
The threat to a phone is similar to that of your computer, in that you may enter banking details, social media credentials, or anything else useful or fun to use, or for attackers to sell.
The percentage of users that fail to have preventative software installed would be significantly higher than 24%. This isn’t overly critical yet, as there are only a small number of attack tools at the moment, and Application Stores are currently taking ownership of preventing user threats to these. For example, Apple has been very selective on what they will allow iPhone users to download and install from their App Store and they have had very few incidents. Some of the other phone vendors open their stores up such that users have more freedom to download and install far more software with arguably less oversight. That open policy provides more flexibility to install whatever a user wants, but also introduces an opportunity for attackers and a greater need for individual security controls on your phone.
John Kozyrakis, Staff Research Engineer at Synopsys:
The ONS question was “Do you have smartphone security software (e.g. Firewall, antispam)”.
The possible answers were:
- Automatically installed/provided with operating system
- Installed/subscribed
- Do not have smartphone security
- Don’t know
Of these, “Do not have smartphone security” was 26%.
My intuition says this is because people are generally unaware of the state of security in mobile operating systems. These systems are inherently different to, for example, Microsoft Windows. Both Android and Apple iOS automatically install several security software components on user devices to combat malware and viruses. Users are typically unaware of these actions, as the relevant security components are ‘under the hood’ of the operating systems.
Users on recent versions of Android and iOS that install applications via the official marketplaces do not need to install additional security software on their devices. Security software on mobile devices, especially in the UK market, is almost universally unnecessary as the operating systems typically do a much better job in tackling malware themselves. Due to the way these operating systems are designed, third party security software can never be as effective as the operating system.
In summary, I attribute the 26% figure to the public being unaware of how much effort goes into securing and protecting against malware by Google and Apple. On an up-to-date, recent device released within the last 3 years, which has not been “jailbroken” intentionally, and does not get applications from places other than the official marketplaces (Google Play and Apple Store), there is absolutely no need to install any third party security software.
Martin Jartelius, CSO at Outpost24:
Anti-malware for mobile devices is a nice to have, but patching out the vulnerabilities and maintaining healthy devices is a way cheaper, more efficient and foundational defense. This is a universal truth, both for mobile and traditional devices.
Ross Rustici, Senior Director of Intelligence at Cybereason:
Overall the industry is improving, and the major phone/OS manufacturers are implementing positive changes, but the smartphone industry is roughly where the PC industry was in the mid to late 90s. Widescale adoption of defensive technology just hasn’t hit the saturation point yet.
Dima Bekerman, Application Security Research Manager at Imperva:
Additionally, a lot of users “jailbreak” their smartphone using 3rd party tools to unlock them, so they can remove mobile operator limits or install unsupported applications.
However, these tools not only remove security protection layers, they also provide root access to the operating system of the phone, which could provide attackers with full control of the device.
Jake Moore, Security Specialist at ESET:
The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.