Sunday, 2 February 2014

Mobile Phone Security Malware Statistics - Mobile Application Security

Which of the following statements do you believe? 
  1. "Given that there are around 1.5 billion smartphones and tablets in the world, that means probably fewer than 15,000 of them are harbouring mischievous software." -  The Economist -  November 2013
  2. "32.8 Million Android Phones Infected with Malware" - - April 2013 based on information from NQ Mobile
(As a long time "Economist" reader, I probably tend to go with number 1.)

Does it matter?

If you are trying to make informed decisions around mobile phone security for yourself or your organisation, then it does matter. Go with statement number 1, and you will focus on controls that address the risk of the device being lost or stolen (encryption, backups etc.).

Favour statement number 2, and you will be thinking more about security controls like anti-virus applications etc.

The Economist article goes on to say:
"Gartner, an information-technology consultancy based in Stamford, Connecticut, advises clients not to worry too much about malware penetrating their networks through the devices employees bring to work. It is the users themselves who are the problem. How, for instance, do companies prevent employees from innocently responding to “spear-phishing attacks” in the form of individually targeted, and very official-looking, e-mail or text messages, apparently from trusted colleagues, that request sensitive information? Security measures need to focus more on educating users, says Gartner, rather than on the relatively minor problem of mobile malware."

Mobile Application Security

What about mobile application security? The OWASP Top 10 Mobile 2014 risk "M2 - Insecure Data Storage" says about the threat agent:
"Threat agents include lost/stolen phones and the possibility of in-the-wild exploit/malware gaining access to the device."
If you believe The Economist, you will give less weight to the malware risk in your application design and more prominence to the lost/stolen phone risk.

If the device itself is properly encrypted, then you will be less concerned about storing sensitive data on the device. And since the risk of malware is low, it is unlikely that malware will steal that sensitive data.

(Ok - you should still be careful about what data your application stores on the device.)

Useful Links

  1. In the mobile threat scene, malware creators continue to concentrate on the Android platform. This should not come as a surprise, given that Android holds 79.3% of the total market share in mobile phones and tablet devices. Of the 259 new threat families and new variants of existing families uncovered in Q3 2013, 252 were Android threats while the other 7 were Symbian (Figure 1, page 5). No malware had yet been recorded in 2013 on the other platforms (BlackBerry, iOS, Windows Phone).