Can mobile devices be more secure than PCs?

Mobile devices continue to fight an inaccurate perception that they’re not as secure as traditional PCs. Entrust believes that mobile devices, when properly managed and protected, can be a highly secure platform for digital identities and online transactions.

“Users who live, work and play with multiple devices are demanding that banks, governments, retailers and other organizations embrace mobility,” said Entrust President and CEO Bill Conner. “Particularly in the enterprise, employees, managers and staff are adamant that mobile devices are essential work resources and urge their companies to realize the full potential of mobile computing.”

Supporting this stance, a recent Forrester report, “Mobile Authentication: Is This My App? Is This My User?” suggests more than half of users (52 percent) now rely on three or more devices. In fact, 60 percent of the devices are used for both personal and business use.

To gain an even better understanding of how mobile perception is changing for IT decision-makers in the enterprise, Entrust commissioned Forrester Consulting to publish a new report, “Mobility Helps Enterprises Enter a New Age.”

“While the security of mobile devices continues to fight an inaccurate perception, the reality is quite clear: mobile is more secure than PCs,” said Conner.

Despite the growing reliance on mobility, IT decision-makers still incorrectly believe traditional PCs are more secure than mobile devices. Of those who responded, some 71 percent either somewhat or strongly agreed that desktops/laptops are secure, as opposed to 43 percent that said mobile devices are secure.

“While mobile devices are technologically more secure than traditional PCs, decision-makers view mobile devices as insecure because of media reports and the small size and personal nature of the devices,” stated the January 2013 study.

Understanding media reports

Consumers and enterprises alike can be swayed by misguided media reports. Some educated concern about mobile security is rational, but mobile-based attacks to date are only gaining access to photographs, contacts, calendar items and SMS capabilities, the latter being the most concerning.

For example, SMS-based malware Zitmo, and its variants, demonstrates how SMS redirection can exploit Android-based mobile devices for illegal financial gain. Another example, known as premium-rate fraud, leverages SMS-based malware to actively make money for the attacker by having the target Android device automatically text a SMS pay service.

Because of end-user comfort and trust in text messages, SMS-based malware should not be underestimated. It’s strongly advised that organizations only deploy mobile security solutions that do not rely on SMS-based security controls, including SMS OTPs, for sensitive or high-risk transactions.

Despite media reports on mobile devices being unsecure, mobile OS architectures offer a level of security that is above desktop operating systems. Desktop malware — performing malicious app-to-app process migration, native keyboard key-logging and Zeus-style memory-hooking — is not being found in mobile malware samples. Plus, specific mobile vulnerabilities usually have a short lifespan.

As for Android, malware usually only targets specific hardware, firmware and OS versions, which greatly reduces the viability and lucrativeness of large-scale infections.

Why are mobile devices more secure?

It’s based on a multilayered approach that’s core to development of mobile operating systems. Applications installed on mobile devices are digitally signed or thoroughly vetted. Legitimate applications also are sandboxed, meaning they can’t share or gain access to each other’s information — an important trait that helps defend against advanced mobile malware.

The strength of mobile platforms is further augmented by third-party security capabilities. Solutions that offer digital certificates, embed seamless OTPs, or provide application-specific PIN unlock options further bolster device security.

Mobile perception changing in the enterprise

The innovation in mobile security solutions could be the catalyst for the changing perception in the enterprise. According to the Forrester study, enterprises are investing more in mobile, and are making mobile security a high or critical priority in 2013.

This is an important shift as the true power of mobility isn’t yet being realized. The use of mobile capabilities that actually increase security or streamline business — mobile commerce (10 percent), partner/supplier applications (12 percent) and customer-specific applications (14 percent), for example — is decidedly lower amongst responders. Once mobile devices are properly secured, leveraged and managed, more and more enterprises will embrace mobility as a standard business component.

“It’s promising to see enterprises beginning to appreciate how mobile devices, and related applications, streamline business, increase security and defend against targeted attacks,” said Conner. “This shift is made possible by an important convergence of consumer technology, business enablement and identity-based security.”

The commissioned study found that 60 percent of firms, in 2012, indicated that creating a comprehensive mobile and tablet strategy for their employees was at least a moderate priority. Even better, 54 percent of enterprise IT decision-makers are increasing their mobile investment in 2013. Responders cited improved flexibility over tradition authentication (68 percent) and the ability to adapt to threats (64 percent) as primary reasons behind their new mobile policies.

In contrast, the study found that 50 percent of enterprises have implemented, but are not expanding, very basic access to email and calendars from mobile devices. Of those same responders, access to network systems (42 percent) and supporting collaboration (36 percent) marked other accepted use cases. Those findings dip when enterprises that haven’t implemented those capabilities were asked if they planned to do so in the next 12 months.