While listing the top issues plaguing smartphones, reports from Zimperium and Cyble both indicate that no amount of built-in security is enough to prevent attackers from compromising a device if the owner doesn’t take steps to secure it. “The main challenge, I find, is that users fail to make a personal connection of these security best practices to their own personal lives,” Avishai Avivi, CISO at SafeBreach, told Lifewire over email. “Without understanding that they have a personal stake in making their devices secure, this will continue to be an issue.”

Mobile Threats

Nasser Fattah, North America Steering Committee Chair at Shared Assessments, told Lifewire over email that attackers go after smartphones because they provide a very big attack surface and offer unique attack vectors, including SMS phishing, or smishing. Furthermore, regular device owners are targeted because they are easy to manipulate. To compromise software, there needs to be an unidentified or unresolved flaw in code, but click-and-bait social engineering tactics are evergreen, Chris Goettl, VP of Product Management at Ivanti, told Lifewire via email. The Zimperium report notes that less than half (42%) of the people applied high-priority fixes within two days from their release, 28% required up to a week, while 20% take as much as two weeks to patch their smartphones.  “End users, in general, do not like updates. They often disrupt their work (or play) activities, can change behavior on their device, and could even cause issues that can be a longer inconvenience,” opined Goettl. The Cyble report mentioned a new mobile trojan that steals two-factor authentication (2FA) codes and is spread through a fake McAfee app. The researchers fathom the malicious app is distributed via sources other than the Google Play Store, which is something people should never use, and asks for too many permissions, which should never be granted.  Pete Chestna, CISO of North America at Checkmarx, believes that it’s us who will always be the weakest link in security. He believes that devices and apps need to protect and heal themselves or be otherwise resilient to harm since most people can’t be bothered. In his experience, people are aware of the security best practices for things like passwords but choose to ignore them. “Users don’t buy based on security. They don’t use [it] based on security. They certainly don’t ever think about security until bad things have happened to them personally. Even after a negative event, their memories are short,” observed Chestna.

Device Owners Can Be Allies

Atul Payapilly, Founder of Verifiably, looks at it from a different point of view. Reading the reports reminds him of the often reported AWS security incidents, he told Lifewire over email. In these instances, AWS was working as designed, and the breaches were actually the result of bad permissions set by the folks using the platform. Eventually, AWS changed the experience of the configuration to help people define the correct permissions. This resonates with Rajiv Pimplaskar, CEO of Dispersive Networks. “Users are focused on choice, convenience, and productivity, and it is the cybersecurity industry’s responsibility to educate, as well as create an environment of absolute security, without compromising user experience.” The industry should understand that most of us aren’t security people, and we can’t be expected to understand the theoretical risks and implications of failing to install an update, believes Erez Yalon, VP of Security Research at Checkmarx. “If users can submit a very simple password, they will do that. If software can be used although it was not updated, it will be used,” Yalon shared with Lifewire over email. Goettl builds on this and believes that an effective strategy could be to restrict access from non-compliant devices. For instance, a jailbroken device, or one that has a known bad application, or is running a version of the OS that is known to be exposed, can all be used as triggers to restrict access until the owner corrects the security faux pas. Avivi believes that while device vendors and software developers can do a lot to help minimize what the user will ultimately be exposed to, there would never be a silver bullet or a technology that can truly replace wetware. “The person that may click on the malicious link that made it past all the automated security controls is the same one that can report it and avoid getting impacted by a zero-day or a technology blind spot,” said Avivi.