Kelaghn Noy is the CEO and founder of secure mobile device provider Armadillo Phone. In an age where cyber attacks are steadily growing in complexity and sophistication, protecting your mobile devices is a necessity. With over four years of experience in his role at Armadillo Phone, Noy was able to provide insight into trends in mobile security, best practices, and where he believes the space will go in the future.
What are the biggest threats to mobile security?
This depends on the user. For consumers, probably attacks against the developers of the apps they use. For businesses, it’s probably the cross-contamination of personal and business data. International Mobile Subscriber Identity (IMSI) catchers have no real current defense right now so their abuse is also very popular.
Are there any growing trends in the field of mobile security?
Yes, almost all of them worrying. The most important would probably be the complete disconnect between experts and politicians on mobile security. Traditional power structures feel threatened after seeing events like the Arab Spring and are using creative legislative solutions to try and crack down on mobile security. For example, mandating that users give up their passwords or that companies build backdoors into their products. This will lead to tension between governments and their people as smartphones become a symbol of repression.
I think it’s also important to note what’s becoming increasingly irrelevant… mobile forensics. Now that all new smartphones have storage encryption enabled by default, mobile forensics is increasingly relying on weak alternatives like attacking backups or trying to guess the user’s passwords.
How can enterprises combat the increasing complexity of cyber attacks, proactively or otherwise?
Do not allow BYOD under any circumstances. This invites malware and vulnerable devices into your LAN.
Assume your servers will be breached. Store as little user data as possible. Keep phones updated and accounted for.
Physical security is the most overlooked area of mobile security and can play a role in many other types of attacks. Enterprises should look into geofencing their fleet or using secure environments where wireless signals can’t pass through for meetings or high-security work.
What are some best practices users can implement in order to protect their mobile data?
The best way to protect your data is to use “zero-trust” end-to-end encryption. Basically, this means the server cannot read your data, so even if it gets compromised you’re still safe. Armadillo Phone offers zero-trust email, instant messaging, video calling and file transfer. However, zero-trust encryption alone doesn’t protect your metadata. Another good practice is to use decentralized, self-hosted solutions whenever possible. With increasingly draconian data privacy regulations being passed, more businesses (especially non-American) will need to store their own data instead of handing it off to a third party. There is a fine line to balance here because if you start hosting your own server but are unable to secure it, you end up making yourself a much easier target for hackers.
For IT managers: keep phones updated and don’t allow vulnerable devices on your network. BYOD is a four-letter word.
Where do you see mobile security going in the future?
The complexity required to make exploits for iOS and Android will continue to rise, as new anti-hacking protection is being added to both at an accelerating rate. This is going to make the availability and cost of mobile zero-days much more restrictive. This isn’t to say mobile exploits won’t exist in the wild; they’ll just be less devastating. This will lead to an increase in social engineering and side channel attacks against users, as well as attacks against applications. The backend servers these applications store their data on will become the easiest targets for hackers. Physical attacks that target an area, such as rogue WiFi or cellular networks, will be increasingly lucrative for attackers. Side channel attacks based on electromagnetic radiation and other techniques will grow in sophistication, allowing attackers to more reliably steal your encryption keys from across the room. I covered some examples of physical attacks like this here.
Attacks that defeat virtualization (such as Meltdown, Spectre, various sandbox escapes for VMware Player and VirtualBox) or leak data across containers will demonstrate the futility of “security by virtualization”. Competent IT managers will realize that MDM solutions in the form of apps on BYOD phones can’t be trusted. Dedicated work phones and company-issued devices will become more common, especially for any business that needs a high degree of security.