How to Better Secure Your Mobile Device: Highlights from My Conversation with Kevin McNamee of Nokia
For the past several years, Nokia’s annual Threat Intelligence Reports have highlighted the most pressing cybersecurity risks to internet-enabled devices. According to the 2020 and 2021 reports, malware infections on both computers and mobile devices are on the rise—specifically through downloadable software that poses as something helpful or fun for users. Yet antitrust proposals in Congress would weaken mobile device protections at this critical time by forcing all hardware manufacturers to accept unvetted software applications (apps) in their digital marketplaces—a practice known as “sideloading” that has been called out by the Department of Homeland Security.
On the latest episode of “Explain to Shane,” I sat down with Kevin McNamee, head of Nokia’s Threat Intelligence Lab, to address the technical challenges sideloading brings into the process of keeping a secure mobile ecosystem, along with how users of internet-enabled devices can better protect their financial and other personal data.
Below is an edited and abridged transcript of our talk. You can listen to this and other episodes of “Explain to Shane” on AEI.org and subscribe via your preferred listening platform. You can also read the full transcript of our discussion here. If you enjoyed this episode, leave us a review, and tell your friends and colleagues to tune in.
Shane Tews: Kevin, talk to us about Nokia’s latest Threat Intelligence Report.
Kevin McNamee: Nokia has a product that we deploy in carrier networks around the world that's designed to monitor network traffic and look for evidence of malware infections. That's where the data for these reports come from. Certain customers will share aggregated anonymized data and feed it back in. We cover mobile networks along with some fixed broadband networks, so that gives us a good scope for figuring out what's going on. We've been producing the reports for the past couple of years and they're usually quite well received. The key thing is: It's real data from live networks.
Over the past few years, we’ve seen malware infections shifting from traditional laptops and personal computers to smartphones, because that's now the primary device most people use to access the network for communications, email, banking, etc. Typically, malware will follow the money and the platform people are using for their network connectivity.
We've also noticed Internet of Things (IoT) is a big area that's starting to expand. Particularly with 5G networks coming along, there's an anticipated great expansion of the number of IoT devices deployed out there. So that's an area we've been looking at fairly closely and expect to see more malicious activity going forward.
Is there anything you recommend consumers think about when buying these IoT devices? I realize a lot of them are probably used by enterprises, but our focus is more on people buying things for their houses and daily lives.
There's a great variety of IoT devices. I think ones consumers would be concerned about are mostly devices they would deploy inside their homes. Things like your smart fridge, thermostat, and door-opening stuff are relatively well-protected from what we've been looking at lately, which is IoT botnets. These tend to attack devices that are visible from the internet. And there's a lot of activity going on there because as soon as these botnets infect a device with malware, it starts scanning and looking for other devices. When it finds one, it compromises and adds them. So the botnet sort of grows with time, which has been an issue.
But as I said, for the general consumer, it's not so much a problem because the attackers aren't really trying to break into residential homes and infect smart fridges. They're mostly interested in internet-enabled, internet-visible devices. Still, some people have discovered that their video surveillance cameras they've deployed outside their homes have been hacked and now anyone on the internet can view what's going on in their driveway. So, I'm not saying it doesn't happen, but it's not as big as the IoT botnets that are used in these massive distributed denial of service attacks and things you’re more likely to see from professional cybercriminals.
Pivoting to mobile, why does Apple have a better reputation than Google’s Android when it comes to device security?
It's due to a couple of factors. I think first of all, both companies have actually done a pretty good job of securing the device itself. If you compare it, for example, to some legacy personal computer platforms, those were completely wide open with very little control over who was allowed to write apps for them. You could get apps from anywhere. You could do whatever you wanted, and they had a fairly substantial malware issue.
Apple and Google have secured these devices by making the apps that run on them part of a sandbox environment in which they only basically impact themselves. They can't see other apps on the device. They can't get access to the disc storage devices or the memory that's used by other apps. So they're fairly isolated. And even if they go rogue, the damage they can do is fairly limited.
I think Apple has had more success in creating a secure environment because they've basically secured the app supply chain. If you want to get an app for an iPhone, the App Store is the only source. Anyone can write an app for the iPhone; you just have to meet the criteria that Apple sets. You have to go out and get a developer's license. They give you a certificate that you can use to sign your app. You submit your app to Apple, they check it out, make sure it matches their policy, make sure there's no malware in it, then they make it available in the store.
Google has also taken steps in recent years to do that, but they've taken a slightly different approach. They've come out with Google Play Protect, which is built into the Android. When you install an app, whether it comes from a third party or from Google Play, it will verify that the app is suitable for installation and that it does not contain malware. That's a slightly different approach, but those are the two main things: a secure environment and a secure app supply chain.
What are the security challenges posed by sideloading? Currently, that’s something you can do on an Android device, but not on an Apple one (unless this legislation in Congress passes).
The reason we are even talking about apps in a security context is because the phones themselves are pretty much secure. Phones have been hacked using network-based attacks and a bunch of different vulnerabilities, but that's not the common way. The most common way to get malware onto a smartphone is by sticking it on an app and getting someone to download it. That means it's the supply chain for the apps that people are trying to attack.
Apple is completely locked down. By default, most Androids will have smart sideloading turned off when you buy them, so you have to go to Google Play to get the apps. But I think it's valid that the user can choose what they want to put on their device. It’s their device after all. So they can turn on sideloading if they so choose in Google’s ecosystem.
A lot of app stores are very good and safe and that's fine, but some are not. There's also the possibility that I could send you, for example, a web link that you click on and it’ll install an app on your phone. That leads to this type of activity where people are sending phishing attacks, emails, and text messages with links saying “click here to get the app.” People do that, then they get into trouble with malware on their devices.
You recently had a news release about banking and malware threats being on the rise. What’s going on there?
There are different types of malware. I think the malware that goes in and steals your money or your identity is certainly the highest threat level, so you have to take extra care. A banking Trojan can literally empty your bank account in a matter of minutes if it manages to compromise you. There's other types of identity theft too. If people get in and take things like your Social Security number and other personal information, they can use that to open up accounts and do other things. So there's more than just the banking Trojan. Anything that gets at your identity can be a major problem for you.
There's also ransomware. For a smartphone or laptop owner, ransomware is not such a big issue because all you really have to do is make sure you've got a backup. If your phone just falls out of your pocket and gets run over by a bus, it's gone. If you get ransomware in your phone, and it encrypts all your data, it's equally gone. If you have a backup, it's pretty straightforward to fix that. But with the banking Trojan, once the money is gone, it’s going to be difficult to replace.
If I were to accidentally download malware or a Trojan app, how could I remove it once I realized I made a mistake?
For the most part, it’s actually quite simple because most phones have an “uninstall” feature for apps. Just doing that will get rid of, like, 90 percent of the malware you'd potentially get on your phone. But apps can also disguise and protect themselves from being uninstalled. They can sort of bury themselves deep within the operating system and out of sight. With those, you can always do a simple factory reset on the device, which sets it back to the way it was when you bought it. That will clean off any additional apps that were installed after you purchased the device. Then—and here's the dangerous part—if you want to restore an app from whatever cloud you store your stuff in, you don't want to go back and reinstall the malware. You want to think carefully about the things you put back on your device.
If all else fails, you can also do a hard reset on the device. You can take it in and have it reflashed, which is where you take it back to where you purchased it and they do a hard reset. That's another option when all else fails.