By: Jeremy Klinzak, Security Engineer, MAD Security | February 7, 2019
 
Mobile device security is an important part of securing IT assets for companies today. These devices are some of the most exposed parts of IT infrastructure, as they go everywhere the employee goes. Common threats to mobile devices include malicious applications, malicious advertisements, sideloading, and rogue access points. Fortunately, Mobile Device Management (MDM) solutions exist and serve as a means to simplify the process of securing and managing employee mobile devices. MDM solutions can assist in preventing mobile device compromise and empowers organizations with the ability to respond to security incidents such as a stolen or infected mobile device. In the sections below I will explain some of the common features of MDMs and the threats they can help mitigate. Before reviewing MDM solutions, let’s first analyze the most common threats to mobile devices and discuss developing a Mobile Device Policy.
 

Common Methods of Infection

 
There are three common methods that malware infects mobile devices. The three common methods are malicious or infected applications, malicious advertisements or phishing, and sideloading. MDMs can assist in preventing all three methods. Let’s explore these to detail how the devices can become infected and how MDMs can assist in protecting them.
 
Malicious or Infected Applications
 
Sometimes attackers manage to upload malicious applications to iOS and Google Play stores posing as harmless software. Attackers can also infect previously safe applications. In 2017 attackers hacked the popular application CCleaner’s distribution servers[i]. This allowed attackers to inject malicious code into the application and infect any device that installed CCleaner after the compromise. Attackers will do this sometimes simply to utilize infected devices as bots. As many as 5.8% of mobile devices worldwide are infected with malware[ii]. The risk from this type of attack can be reduced by restricting the applications users will have access to through the MDM whitelist/blacklist feature. The threat still remains that an approved application could become compromised and in turn infect the device, however the attack surface is considerably reduced when you restrict the available applications.
 
Phishing or Malicious Advertisements
 
The second method, phishing and malicious advertisements, involves an attacker either specifically targeting a user or posting advertisements that will be seen by a large audience. Both mobile application and web content creators generally outsource advertising on their applications and leave it up to the advertising companies to review the content of these advertisements. This can result in developers hosting malicious advertising used to trick users into interacting with malicious content or contain valid code that redirects users to malicious web pages. MDMs can be configured to force a web proxy and block servers that host advertisements and malicious content. This can also help prevent phishing attacks from being successful by blocking known malicious websites even if users click on links, they won’t be able to access the malicious websites. These servers are constantly changing so blocking them all will be impossible, but this can still be implemented to greatly reduce the risk of infection and compromise.
 
Sideloading
 
The third method of infection, sideloading, is the action of installing an application that isn’t available on the mobile application store. This can be done through Bluetooth, WiFi, USB, and the SD card. While sideloading applications isn’t malicious in nature, an attacker can use this method to install malware on the mobile device. This method would require the attacker to trick a user into performing this action or physically stealing the device and installing the malware on the device. MDMs can assist in preventing this method by blocking applications from unknown sources and disabling installing applications through USB.
 

Developing a Mobile Device Policy

 
Before reviewing MDM solutions, an organization must first define their mobile device policy.  This policy should encompass the general rules employees should follow when exercising a bring your own device (BYOD) rule. Best practices implemented in this policy should include keeping the OS and applications updated, requiring users to set a secure pin or password on the device, device backup procedures, device encryption, and a procedure to follow if the device is stolen or lost. While setting these rules for employees is a good start, it relies on employees themselves to enforce the standards set by the company. Choosing and implementing an MDM that enforces the rules set by the company is the next step.
 

Selecting an MDM Solution

 
MDM Features
 
When choosing an MDM, organizations should consider its features as well as its reputation. While the feature set for MDMs can vary, we will cover some of the common features here. The restrictions set by MDMs can range from very restrictive (only allowing the phone to be used for specific business purposes and only allowing installation of specific approved applications) or loose restrictions, to simply allow tracking and remote wiping of a device if it is lost.
 
Device Lock Screen
 
If users aren’t mandated to use a device lock screen by an MDM, they may not even bother using a passcode. If an attacker manages to gain access to a device, they could leverage it to gain access to the internal network. MDM solutions allow the company to set requirements on the type and length of passcode required to use the device. This should give the company time to remotely wipe, lock, or track the device down before it is used for malicious purposes.
 
Jailbreak Detection/Prevention
 
Some MDMs feature detection and prevention of users attempting to “jailbreak” or “root” their device, which can pose a significant security risk to the device. Jailbreaking or rooting a device basically removes security features that run applications in a sandbox with restricted permissions to prevent them from accessing other information on the device. This can lead to the user downloading and installing malware with superuser privileges that can access all the data on the device.
 
Baseline Mass Configuration
 
Most MDMs can be used for mass configuration to set a baseline as devices are distributed. This allows for quick deployment of new devices to be configured with identical settings and installed applications. This also allows the quick reset of devices that were compromised or have become unstable over time. This can be very useful for large companies that have high turnover for devices that are dispatched and returned.
 
Remote Wipe/Tracking
 
One attack vector that must be considered is the user of the device. Employees can have their devices stolen or they may simply lose their device. The most common feature is the ability to track and either lock or remotely wipe a device that has been stolen or lost by an employee. Android and iOS typically have this feature built in through Google and iTunes.
 
App Store Restrictions
 
The ability for MDMs to restrict apps installed on devices is particularly useful. Apps downloaded from “Google Play” or the “App Store” are generally trusted by users, but malware can slip through sometimes. With an MDM, businesses can set a whitelist and blacklist for applications. This allows full control of what applications can be installed on the mobile device. Restricting the installed software to the bare minimum required to meet business requirements significantly reduces the attack surface for the devices.
 
HTTP Proxy
 
Some MDMs support DNS and HTTP proxies which will allow you to monitor or restrict access to any websites the device tries to access. This can be particularly useful for companies that want to restrict their devices to websites only used for business purposes. This can help protect users from malicious websites and phishing attacks.
 

In conclusion…

 
Mobile devices have multiple points of attack just like any other environment. However, due to the fluid nature of mobile devices going everywhere an employee goes, they are possibly the most exposed part of IT infrastructure. Extra care should be taken to secure mobile devices as much as possible. Setting a mobile device policy and enforcing security best practices with a mobile device manager can assist in reducing the overall attack surface for your business. Choosing an MDM with features that best fit a company’s needs is a great step in securing the mobile environment for their business. This could be as simple as enabling the find my phone and remote wipe features built into Android and iOS, or as restrictive as locking down the device so only business specific applications and functions can be accessed. Implementing these technologies can help mitigate risk stemming from the threat of using mobile devices in an enterprise environment.
 
 
[i] https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security

[ii] https://resources.distilnetworks.com/all-blog-posts/mobile-bots-the-next-evolution-of-bad-bots

 
 

Jeremy Klinzak
Jeremy Klinzak is a Security Engineer with MAD Security. He has performed many technical testing assessments on internal and external infrastructure as well as mobile application environments during his time in the cybersecurity industry. Additionally, he has worked on developing red team versus blue team simulated attack scenarios for DHS and NSA analysts.