Smartphone Security In The Crosshairs: The Increasing Attractiveness Of Mobile Devices As Targets For Cyberattacks

By Samim Ahmadi, umlaut, Vice Chair ETSI Technical Committee CYBER

Life without smartphones is hardly imaginable these days.

According to most recent statistics, the smartphone penetration rate in Europe is around 80%. This means that there are around eight smartphones for every ten European citizens. This is a big step toward digitalization, which also brings a few downsides.

One downside is the higher probability of cyberattacks and that their appearance increases due to the high number of smartphone users. But not only the number of smartphone users is crucial, as the number of features of smartphones results in a high attack surface. In addition, assets processed by smartphones such as sensitive personal data or even financial data result in smartphones being attractive targets for hackers.

The severity of damage after a cyberattack is serious. Latest statistics show that end user devices are at the highest risk of security threats and breaches, where smartphones are the most troublesome and therefore favorite targets of malicious actors right after laptops and desktop computers.

Best Practices For Cybersecurity Implementations In Smartphones

According to the Group Speciale Mobile Association (GSMA), nine in ten consumers are concerned over smartphone data security and privacy. But how to ensure security in smartphones if they are such an attractive target? The answer is security can never be ensured, but we can make life much harder for hackers by following best practices when it comes to securing smartphones. Some best practices are presented as follows:

1. Use suitable encryption: Cryptographic support to realize suitable encryption is essential for protecting assets such as sensitive personal data on smartphones. All sensitive data should be encrypted both at rest and in transit to avoid data exposure.
2. Enable wiping: Smartphones should provide the capability to make user data assets permanently unreadable to prevent unauthorized access.
3. Utilize strong authentication mechanisms: Strong authentication mechanisms, such as multi-factor authentication and biometric authentication, should be used to allow only authorized users to access the device.
4. Implement secure software update mechanisms: Software update mechanisms allow software updates to perform software updates and are to be implemented in a way to ensure that any vulnerabilities are patched promptly. The process of updating software should also be secured to prevent malicious updates, e.g., by chains of trust.
5. Restrict app permissions using a permission policy: Manufacturers should restrict app permissions, such as to the camera or microphone, to only the necessary functions required for the app to work properly.
6. Implement secure network connections: The use of trusted paths/channels to a trusted IT product as well as the use of secure communication protocols using appropriate cipher suites, to ensure secure data transfer and prevent eavesdropping.
7. Resistance to physical attacks: Manufacturers should implement physical security measures, such as tamper-resistant hardware and secure storage, to protect against physical attacks.
8. Implement security management functions: Security management functions include amongst others authentication management the capability to change authenticators such as the password, or the capability to grant/revoke/view permissions related to the used apps on the smartphone. Such functions allow for adaptation to changing security threats.
9. Provide secure boot mechanisms: Secure boot mechanisms ensure booting only authorized and verified firmware and operating system images, thereby preventing unauthorized access and security-related consequences due to tampering.
10. Make use of anti-malware software: It is recommended to include anti-malware software to detect and prevent malware infections.

The previously listed security best practices refer to product-centric security functionalities. The choice is inspired by common security requirements as given in the Consumer Mobile Device Protection Profile (CMD PP) specification ETSI TS 103 732 published by ETSI, which is the first comprehensive international standard for safeguarding smartphones.

Apart from product-centric best practices, there are also process-related security practices that are recommended to be implemented and fall under the secure development life cycle. Resilience against reverse engineering can be implemented to secure assets such as algorithms. It is also recommended to perform regular security assessments to identify and address any security vulnerabilities or weaknesses.

Protecting Your Connected Assets: The Development Of A Comprehensive Cybersecurity Certification Scheme For Smartphones

Security is a dynamic target, and so is the implementation of security measures. To counteract this, smartphone security certification schemes such as those under development in GSMA help to find common ground within smartphone security.

By aligning the certification scheme with current and upcoming regulatory standards, the GSMA strives to prevent fragmentation of security requirements and promote global security harmonization based on a universally endorsed security baseline. This scheme builds upon the ETSI TS 103 732. ETSI established a special task force (STF) that works on the evaluation of an assessment based on ETSI TS 103 732 to contribute to the development of an appropriate certification scheme.

The result of the STF's work is a protection profile for consumer mobile devices, especially smartphones, which is certified by the French National Agency for the Security of Information Systems (ANSSI). Supported by industry partners, such smartphone security certification schemes and protection profiles help to test for security requirements in an objective and reproducible manner, which especially suits security-conscious users and therefore meets the needs of society.

By obtaining a smartphone cybersecurity certification, one can rest assured that the certified device is equipped with the latest security features and meets industry standards for protecting its sensitive information. Finally, future legislation such as given by articles 3(3)(d), (e), and (f) of the Radio Equipment Directive as well as by the essential requirements of the Cyber Resilience Act in Europe will require cybersecurity implementation in smartphones so that a respective certification scheme would even meet the upcoming legislative needs.