When it comes to mobile security, we’ve been fortunate—tightly controlled ecosystems mean that most of us have never had a serious incident in a decade of using iOS and Android.
But one threat that is becoming troubling on mobile devices is phishing. The mobile threat defense (MTD) industry has responded, though there are still some challenges with BYOD devices.
Phishing on mobile
We can throw all sorts of anti-spam, URL filtering, and phishing prevention tools at our corporate PCs and email accounts. But as Melanie Seekins mentioned a few weeks back, there are reasons why we should be worried about mobile devices.
They’re chock full of social media and messaging apps, which our email filters can’t touch. Any of these could be used to social engineer a user into clicking on a malicious link, leading to a phishing page or malware installation.
Mobile browsers, and the web views embedded inside apps (if you think about it, users have dozens of browsers on a phone), often don't show the full web page address, so you can't inspect the URL for signs of phishing. And you can't hover over a link to reveal its destination without tapping it.
How to approach mobile phishing
One approach to mobile phishing is to route all traffic from a device through a proxy or VPN, perform URL filtering there, and allow or block URLs based on data from a threat intelligence feed. But this is challenging for a few reasons.
First, it's hard to deploy proxies or VPNs smoothly on BYOD devices, because mobile OSes are generally designed to either require explicit user interaction (e.g., the user turns on a VPN and sees a persistent notification that it's running) or require that devices be enrolled in restrictive management modes (e.g., supervised mode for iOS or device owner mode for Android).
Second, it’s cumbersome to backhaul all the traffic from a mobile device to a service (even if it’s a distributed cloud service).
Third, you need to have up-to-date threat data, so you know what to filter.
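To make the filtering step concrete, here is an added example (not code from the article or from any MTD vendor) of the decision an on-device or proxy-based URL filter has to make. The threat data, allowlist, protected brand names and sample URLs are all constructed for the example; a real agent would refresh them from a threat intelligence feed. It canonicalizes the URL the way a filter must see it (userinfo tricks, punycode, repeated percent-encoding), then checks an allowlist, a deny list stored as SHA-256 hash prefixes with a full-hash confirmation step (the structure Google Safe Browsing uses), and finally a simple brand-lookalike check for the digit and Cyrillic homoglyphs that are indistinguishable in a phone's address bar.

```python
"""On-device URL filter sketch: canonicalize the URL the user can't see,
then check it against allow/deny data from a (constructed) threat feed."""
import hashlib
from urllib.parse import urlsplit, unquote

# --- Constructed sample threat data; a real MTD agent refreshes this from a feed ---
ALLOWLIST = {"paypal.com", "accounts.google.com", "login.microsoftonline.com"}
PROTECTED_BRANDS = {"paypal", "google", "microsoft"}
_DENY_EXPRESSIONS = ["evil.example/login", "c2.bad.example/"]   # host/path expressions

# Keep only hash prefixes on the device (Safe Browsing style). The full hashes stand
# in for the "confirm a prefix hit with the service" lookup a real client performs.
PREFIX_LEN = 4
DENY_FULL_HASHES = {hashlib.sha256(e.encode()).digest() for e in _DENY_EXPRESSIONS}
DENY_PREFIXES = {h[:PREFIX_LEN] for h in DENY_FULL_HASHES}

# Digits and Cyrillic letters that render like Latin letters on a phone screen.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})


def canonicalize(url):
    """Return (host, path) as a filter must see them, not as the address bar shows them."""
    url = "".join(url.split())                  # drop embedded whitespace/newlines
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # lowercased; strips "user@" and ":port"
    if "xn--" in host:                          # reveal IDN homoglyphs hidden behind punycode
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    path = parts.path or "/"
    while True:                                 # undo repeated percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return host, path


def expressions(host, path):
    """Host-suffix / path-prefix combinations to look up, as list-based filters do."""
    labels = host.split(".")
    hosts = {host}
    if len(labels) > 2:
        hosts.add(".".join(labels[-2:]))        # crude registrable-domain approximation
    return {h + p for h in hosts for p in {"/", path}}


def allowlisted(host):
    return any(host == a or host.endswith("." + a) for a in ALLOWLIST)


def denylist_hit(host, path):
    for expr in sorted(expressions(host, path)):
        digest = hashlib.sha256(expr.encode()).digest()
        if digest[:PREFIX_LEN] in DENY_PREFIXES and digest in DENY_FULL_HASHES:
            return expr                         # prefix matched and full hash confirmed
    return None


def lookalike(host):
    """Flag a label that turns into a protected brand once confusables are normalized."""
    for label in host.split("."):
        for token in label.split("-"):
            if token.translate(CONFUSABLES) in PROTECTED_BRANDS:
                return token
    return None


def classify(url):
    """Return (verdict, reason); allowlist wins, then threat feed, then lookalike check."""
    host, path = canonicalize(url)
    if allowlisted(host):
        return "allow", "allowlisted host " + host
    hit = denylist_hit(host, path)
    if hit:
        return "block", "threat-feed match on " + hit
    token = lookalike(host)
    if token:
        return "block", "brand lookalike %r in host %s" % (token, host)
    return "allow", "no match for " + host


if __name__ == "__main__":
    samples = [                                 # constructed inputs
        "https://www.paypal.com/signin",
        "https://paypal.com@evil.example/login",    # userinfo trick; real host is evil.example
        "http://c2.bad.example/beacon?id=1",
        "https://paypa1-secure.example/",
        "https://" + "p\u0430ypal.com".encode("idna").decode() + "/",  # Cyrillic a, as punycode
        "https://news.example/story",
    ]
    for s in samples:
        print(classify(s), s)
```

The ordering matters: an allowlist hit short-circuits the lookalike check so that the real brand domains are never flagged, and a deny-list prefix hit is only acted on once the full hash confirms it, which is what keeps a prefix table small enough to ship to a phone without turning every collision into a false block.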
Developments in mobile OSes and mobile threat defense
Recently, there have been a few developments. (Also, this is the point where I’ll make the obligatory mention of defense-in-depth concepts, and how we should also be using better authentication, keeping our devices patched, staying away from apps from unknown sources, and so on.)
As I mentioned, there are still inherent limitations to proxies and VPNs. (In BYOD scenarios, you could use policies to encourage (read: nag) the user into turning on a VPN.) However, some of the APIs have evolved:
iOS has long had HTTP proxy and VPN capabilities, but iOS 9 introduced an on-device URL filtering API. (Vendors told me that it didn't really work until some improvements came along with iOS 11, hence the rush to use it now.) This API requires devices to be supervised.
Android filtering used to rely on accessibility APIs, though Google has been moving away from allowing that. Now Android Enterprise has some always-on VPN functionality, but again, there are limitations around BYOD use cases.
More recently, mobile threat defense vendors have also moved towards doing the filtering directly on the device (without backhauling to another point).
When it comes to the threat intelligence itself, there has been a lot of work in this space. In particular, Ars Technica recently profiled the efforts of Lookout Security, one of the top mobile threat defense vendors. (Seriously, go read it.) Also note that they’re not just looking for phishing sites, but also malware command and control servers. SwiftOnSecurity also has a bunch of resources at GotPhish.com.
Mobile threat defense vendors address phishing
The first mobile phishing-specific features that came to my attention were from Lookout, who launched their product in April.
The details vary from vendor to vendor, but the offerings are all mostly using some type of on-device URL filtering. (Anybody up for an MTD product comparison matrix?)
Future improvements and threats
With the limitations around BYOD, clearly there’s space for a bit of improvement. Given the privacy and permissions model in mobile, I think further changes will likely have to come from the OSes themselves.
Today, both Chrome on Android and Safari on iOS use the Google Safe Browsing API, which blocks known bad URLs. What if this were expanded to all traffic on the device? Well, one issue is that Google Safe Browsing has to be very conservative, so that it doesn't accidentally break legitimate sites.
And today we're talking about iOS and Android, but that Ars Technica article also brought up the prospect of phishing via digital assistants like Amazon Alexa, so, yeah, that'll be fun to deal with...
Will this drive the mobile threat defense market?
One interesting thing about mobile phishing is that it seems more urgent than other issues traditionally addressed by MTD technology.
For example, malware is a practically negligible issue if you stay in official app stores, but anyone can get socially engineered into clicking on a bad link. (This is how the high-profile Pegasus attacks worked.) Or, compare phishing to Wi-Fi-based attacks, which require close physical range and are being limited by HTTPS and certificate pinning.
By the way, I guess it’s mobile security week here at BrianMadden.com, since my last article was about the potential ramifications if Fortnite normalizes installing apps from unknown sources on Android. The timing was just a coincidence, but either way, both phishing and Fortnite are good reasons to think about mobile security.
The mobile threat defense market has been maturing and expanding, but it’s still generally limited to fairly advanced and security-conscious organizations. I could see the more widespread threat of phishing raising its profile.