Enterprise Mobile Device Security Components: Antiphishing

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

An essential component of mobile device security is Antiphishing. Antiphishing is software which prevents phishing, the illegal acquisition of sensitive information. Phishing attacks on mobile devices are likely to be far greater than they are on your standard laptops and desktops. The reasons for that, as follows, are fascinating to consider.

  • Unsecured wireless networks: Users are more likely to connect to unsecured wireless networks because of their nomadic nature and the ubiquity of wireless connectivity. This affords a very rich target for phishing-based attacks using a variety of attack vectors, such as browser-based, spurious proxies (rogue intermediaries that purportedly provide a legitimate function like a web proxy, but in fact are designed to steal information), SMS, and the like.

  • Typing errors: Because of the limited real estate on the keyboard, users are prone to errors while typing URLs and therefore could be landing on spyware-infested websites that could launch phishing attacks.

  • Small-screen display: The small screen size demands that the browser rendering of pages be optimized, and important information might be abbreviated or missing.

    • Lack of security alerts and warnings: On a small screen, detailed security alerts and warnings may never be rendered. Check your device right now and try to verify the appearance of a website and its content.

    • Lack of e-mail source headers: E-mail clients often obfuscate the source headers of the e-mails for better rendering of the message. This kind of interface is ripe for phishing attacks because the headers are usually a dead giveaway for forged e-mails, and if this key indicator is missing, your users will be easily fooled.

    • Lack of complete URLs: URL obfuscation that happens in portrait mode in an iPhone versus landscape mode, which happens to display the entire URL in this case. Even your most alert users are easy prey to a phishing attack when they browse in portrait mode because the URL isn’t fully visible.

      An iPhone in landscape mode with no URL obfuscation.

      An iPhone in landscape mode with no URL obfuscation.
      An iPhone in portrait mode with URL obfuscation.

      An iPhone in portrait mode with URL obfuscation.

With this level of exposure to potential phishing attacks, it’s critical that you have an antiphishing solution available. Antiphishing solutions for mobile devices can have a similar approach as the antivirus solution: All of it can be localized on the device itself, or you could take a hybrid approach by leveraging the hosted server in addition to installing a lightweight agent on the device.

A variant of the hybrid approach is the cloud-based approach where the antiphishing arsenal, e-mail, messaging and URL filtering, is entirely cloud-based. While this approach has a lot of appeal, without a smart agent running on the device, an exclusive cloud-based approach falls short of the mark because of all the different interfaces it must maintain, which means that it has many different attack vectors.

For instance, even if the 3G interface is well-cleaned by the cloud approach, a local Wi-Fi or Bluetooth connection that is open can be used to compromise and delude your users to a phishing attack. Therefore, having a good on-device agent is key to providing that first line of defense against antiphishing attacks.