Black Friday and Cyber Monday are less than a week away. With holiday shopping revving up, I expect I'll join the 54 percent of shoppers Google says will use smartphones for online purchases. Who wouldn't want to save time by getting some shopping done during their commute and avoid a long line or two? I've always felt a little uneasy using my iPhone to order and pay for pizza delivery (or books or gifts or anything). But fantasizing about cradling a hot pizza in my arms at the end of my evening commute quickly alleviates my discomfort. Lately, mobile convenience usurps my security misgivings. I don't expect that to change as I work to make my holiday shopping as hassle-free as possible.
Shopping Season: Primetime for Cybercrime
While I've only just begun to think about my holiday shopping, criminals have likely spent months planning for the payments surge. You might remember that two years ago, thieves stole approximately 40 million credit and debit card numbers from Target between November 27 and December 15, a good chunk of the 2013 holiday shopping season. And just this week, cyberthreat intelligence company iSight Partners released details about "the most sophisticated point-of-sale (POS) malware we have seen to date."

Cybercriminals know they can profit from more people using mobile devices for shopping. In May, Starbucks acknowledged a scheme whereby thieves broke into users' Starbucks mobile app accounts and siphoned funds from linked bank, payment card and PayPal accounts. More recently, NowSecure CEO Andrew Hoog told ABC 7 Chicago News, "Shopping apps tend to be the leakiest apps, or most insecure apps that we see." He went on to explain that the rush to release mobile apps can leave security in the dust.

One reason I love working at NowSecure is because part of what we do is make mobile app security testing easier. I'm convinced that more companies will test more apps if security testing is more efficient. More testing will eliminate more mobile app weaknesses and make mobile commerce more secure for consumers like me. However, secure apps alone do not make mobile more secure. As we explain in our Secure Mobile App Development Best Practices, mobile security considerations must include a device's operating system, configurations, installed apps and network communications (as well as any connected back-end systems).
Security Steps I Can Take
That's a lot of attack surface to defend, but we can take some steps to protect ourselves (including but not limited to the following):
- Update to the most recent operating system available (more on that in a second)
- Make good configuration decisions (e.g., enable a passcode)
- Choose your apps wisely (e.g., only download apps from official marketplaces)
- Connect to the Internet securely (e.g., avoid untrusted Wi-Fi)
Unfortunately most of us are beholden to the manufacturer of our device, and some of us even to our wireless carriers, for operating system updates. As an iPhone user, I sometimes feel warm and safe swaddled in what NowSecure Security Researcher Ryan Welton tells me is a false sense of security. Ryan doesn't think Apple has proven to be any better or worse at patching vulnerabilities than Google has with their Nexus line. I just take it for granted that a security flaw identified in iOS will soon be followed by an update I can install to protect myself. Android users who don't use a Google Nexus device, though, aren't so lucky.

The open-source nature of Android can be beneficial. For one, open-source software (OSS) lets people see the source code so they can identify flaws and notify the developer, which will ideally lead to a patch. A closed system such as iOS could include as many or more flaws, but fewer people can examine the code and make Apple aware of vulnerabilities.

The following chart, which aggregates user data from our NowSecure Protect app during November 2015, shows that people use a lot of different versions of Android. People using outdated versions of Android have limited choices available to them. They could purchase a new device with a longer support period (e.g., Google Nexus devices), but that's not always viable. Another option is swapping out their official vendor-distributed operating system, but that may require some technical skill that not everyone possesses. If you're interested in a swap, reference Ryan's "My Device Is Vulnerable… Now What?" post on the NowSecure blog. Regardless, it's not exactly easy for the majority of Android users to update their operating system because the manufacturer hasn't released a patched version for their particular device. That gives me the willies.
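Before deciding whether a device falls into the "outdated and stuck" group described above, it helps to know exactly which build it runs and how old its last security patch is. The script below is an added example written for this post; it is not code from the original article or from NowSecure's apps. It reads the output of `adb shell getprop` from a device connected with USB debugging enabled (falling back to a constructed sample when adb is not installed) and flags a build whose monthly security patch level is older than a chosen cutoff. The property names `ro.build.version.release`, `ro.build.version.sdk` and `ro.build.version.security_patch` are real Android system properties; the 90-day cutoff and the sample device values are arbitrary assumptions for illustration.

```python
"""Report an Android device's OS release and security patch freshness from getprop output.

Added example (not from the original post). Requires the Android SDK's adb for
live use; otherwise it runs against the constructed sample below.
"""
from __future__ import annotations

import re
import subprocess
from datetime import date

# Constructed sample of `adb shell getprop` output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.build.version.security_patch]: [2015-08-01]
[ro.product.manufacturer]: [ExampleCorp]
[ro.product.model]: [Example Phone]
"""

# getprop prints one `[key]: [value]` pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict[str, str]:
    """Turn `[key]: [value]` lines into a dict; lines that do not match are ignored."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess(props: dict[str, str], as_of: str | None = None, max_age_days: int = 90) -> dict:
    """Summarise release, SDK level and patch-level freshness.

    ``as_of`` is an ISO date (YYYY-MM-DD) to compare against; defaults to today.
    ``status`` is 'current', 'stale' or 'unknown'. 'unknown' covers devices that
    do not report ro.build.version.security_patch at all (the property only
    appears in builds from roughly Android 6.0 onward and some late 5.1.1 builds),
    which in practice means the build predates monthly patch levels entirely.
    The 90-day default is an arbitrary cutoff chosen for this example.
    """
    today = date.fromisoformat(as_of) if as_of else date.today()
    result = {
        "release": props.get("ro.build.version.release", "?"),
        "sdk": props.get("ro.build.version.sdk", "?"),
        "patch_level": props.get("ro.build.version.security_patch"),
        "patch_age_days": None,
        "status": "unknown",
    }
    raw = result["patch_level"]
    if raw:
        try:
            patch = date.fromisoformat(raw)
        except ValueError:
            return result  # malformed value: report unknown rather than guess
        result["patch_age_days"] = (today - patch).days
        result["status"] = "stale" if result["patch_age_days"] > max_age_days else "current"
    return result


def fetch_getprop() -> str:
    """Read system properties from the connected device via adb."""
    return subprocess.run(
        ["adb", "shell", "getprop"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    try:
        text = fetch_getprop()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("adb unavailable; using constructed sample output")
        text = SAMPLE_GETPROP
    for key, value in assess(parse_getprop(text)).items():
        print(f"{key}: {value}")
```

A device that reports `unknown` is not necessarily vulnerable to anything specific, but it is running a build old enough that the vendor never shipped it a dated patch level, which is exactly the situation the chart above illustrates.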
Security Action Items for Android Users
I am by no means making an argument that iOS is more secure than Android or vice versa. I do, though, want to make Android users aware of a free NowSecure resource that lets them assess the security of their device for themselves. A few weeks ago, the NowSecure research team released an app on the Google Play Store called VTS for Android. VTS stands for Vulnerability Testing Suite and allows people to check their device for a number of Android vulnerabilities, including Stagefright. If you use Android and are thinking about your holiday shopping this week, I encourage you to download NowSecure VTS for Android. Then use it to assess your device's vulnerability and plan accordingly. In the meantime, I'll be thankful for the relative ease with which I can update my iPhone. But I'll also remain cautious as I shop knowing that even a fully up-to-date Apple device is still susceptible to attack.