During my look into the mobile security landscape, I’ve been examining a variety of public data and speaking with vendors to get a better understanding of how they got their data and how to properly contextualize it.
With Lookout’s security stats, the data was a mixture of both consumer and enterprise customers, which provided one angle. So, I sat down with Michael Covington, vice president of product at Wandera, to get another—in this case, their data is from just business customers.
Wandera is a SaaS mobile threat defense vendor that provides mobile security for businesses through their app and mobile gateway products, helping to protect corporate devices and the data within.
Fresh piping hot data for our consumption
I reached out to Wandera at the right time, since they were already in the process of gathering data to send to Verizon. So, all of the data presented here, unless otherwise specified, is from the period of November 2017 to November 2018. Wandera conducted an internal analysis of their global corporate customers, with the majority of the corporate mobile security data coming from the U.S. and Europe. Additionally, Michael explained to me that their customers favor corporate device management with policies and MDMs alongside security solutions, resulting in lower statistics.
With that in mind, let’s see what kind of data there is, broken out across the different threat types.
One continuing worry for organizations is the always wonderful man in the middle (MitM) attack. With stores, schools, and even whole cities providing easier internet access, it’s no surprise the number of public Wi-Fi connections that corporate employees come across grows daily. Due to improved security protection, like HTTPS, many organizations are also more willing to allow employees to access public Wi-Fi.
Wi-Fi to cellular usage is now 3:1, which is growth from a few years ago. Over the period of just one week in November 2018, Wandera observed that 70% of transactions from real users were done over unencrypted Wi-Fi (i.e., Wi-Fi connections lacking local encryption like WEP or WPA).
So, given how often employees access unencrypted Wi-Fi and the prevalence of Wi-Fi use now, how often are Wandera’s corporate customers coming across a MitM attack? About 4% of users connect to risky hotspots (Wandera’s term for an actual attack) every week. They filter out non-attacks like content filtering, but also rely on their customers to inform them about whether they do so, which means it’s possible the percentage could be lower.
Malware remains a constant issue for companies. About 2.1% of organizations have experienced a malware incident (i.e., an actual install), with the low number due to Wandera’s customers being more protective than most, preferring corporate management over BYOD and COPE. Additionally, Michael explained that enterprise-level companies face the biggest risk of malware incidents compared to smaller companies due to reduced policy enforcement. They see that larger companies focus more on the visibility of every device over restrictive policies.
Another worry for organizations continues to be sideloaded apps. Interestingly, Wandera’s data shows that 6.8% of iOS devices connect to third-party app stores compared to 3% of Android devices. Michael said that the low percentage for Android is because some people who use sideloaded apps download them to their desktops before adding the app to their device, while iOS users all do it from their device. Additionally, 3.43% of iOS and 1.43% of Android devices have sideloaded apps installed.
Wandera’s data shows that, unsurprisingly, the larger the organization, the higher the percentage that have at least one device with a sideloaded app. For companies with 1,000 to 4,999 employees, 85% have at least one such device, compared to 10.82% of small businesses with up to 49 employees.
While there’s more to content-based risks than what I’m showing off here (e.g., insecure apps and inappropriate apps), we’re mostly interested in the mobile phishing and cryptojacking numbers anyway.
Michael described mobile phishing as the latest du jour attack when I asked what he thought of the most worrisome mobile security issue. Every 20 seconds a new, compelling phishing site is registered; Wandera only counts domain registrations that are confirmed to be a malicious site. Corporate employees are 18 times more likely to encounter a phishing link (this means actually clicking on a link) on a mobile device than they are to encounter malware.
Digging a little deeper, this breaks out to 15% of their small to medium-size business customers encountering a mobile phishing incident over the past year, with the numbers jumping to 75% of mid-market organizations and 96% for enterprise-level corporations.
Some mobile phishing attacks now use Punycode to help trick mobile users. Wandera says that 5.16% of mobile phishing attacks now contain Punycode (an encoding that represents non-ASCII Unicode characters using ASCII). It can already be difficult to tell whether a URL is a legitimate one for Apple or some other popular spoofed brand, and Punycode makes that even more difficult since not all browsers show the “xn--” prefix that designates a Punycode URL.
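An added example (not from the original article or from Wandera) of how a gateway or log pipeline could surface Punycode hostnames: it finds `xn--` labels, decodes them for display, and flags labels that mix scripts. The sample URLs are constructed, and the mixed-script rule is a simple heuristic assumed here, not a complete confusables check.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # marks a Punycode-encoded (IDN) hostname label


def scripts_of(label):
    """Approximate the scripts in a label from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_url(url):
    """Return one finding per Punycode label in the URL's hostname."""
    host = (urlsplit(url).hostname or "").lower()
    findings = []
    for label in host.split("."):
        if not label.startswith(ACE_PREFIX):
            continue
        try:
            decoded = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            decoded = None  # malformed encoding: still worth surfacing
        scripts = scripts_of(decoded) if decoded else set()
        findings.append({
            "ascii": label,
            "unicode": decoded,
            "scripts": sorted(scripts),
            # Mixing scripts inside one label is a common lookalike signal.
            "suspicious": decoded is None or len(scripts) > 1,
        })
    return findings


def ace(label):
    """Encode a Unicode label to its xn-- form (used to build the samples)."""
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


# Constructed samples on the reserved .example TLD, not real phishing domains.
SAMPLE_URLS = [
    f"https://{ace(chr(0x430) + 'pple')}.example/signin",  # Cyrillic first letter
    "https://apple.example/signin",                        # plain ASCII
    f"https://{ace('m' + chr(0xFC) + 'nchen')}.example/",  # single-script IDN
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, inspect_url(url))
```

Only the first sample is flagged: the second has no Punycode label, and the third decodes to a single-script name, which is ordinary IDN use.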
While mobile phishing might be the largest current worry for most companies, cryptojacking might soon be next. For the moment, cryptojackers are just looking to hijack device resources, but eventually it will start affecting mobile security. The biggest attack vector for cryptojacking is mobile ads (both in browsers and apps), while healthcare and commercial transportation (i.e., airlines) are the two most targeted industries.
Wandera says that 25% of all organizations had at least one mobile device encounter a cryptojacking attack, with 3% of all devices having encountered a cryptojacking attack.
Here, we examine both the number of jailbroken and rooted devices organizations have and devices that are no longer up to date.
For Wandera customers, only 0.05% of Android devices and 0.04% of iOS devices are rooted or jailbroken. This breaks down to only 2% of organizations having at least one jailbroken iOS device and 1% of organizations having at least one rooted Android. Michael explained that the low numbers here are likely due to two things: many of their customers require that devices used (especially ones with corporate apps installed) maintain a minimum configuration or standard and it’s actually much less of a hassle to sideload an app. One way that employees sideload apps is by installing developer certificates and trusting untrusted apps.
So, there are few jailbroken/rooted devices in stricter corporate environments, how about out of date devices? Michael explained that Wandera reviews the latest common vulnerabilities and exposures (CVE) with a when considering whether a device is updated. They consider a device out of date if it does not have the latest updates protecting it from high severity CVEs. Like elsewhere, the data was spread out by corporation size and ultimately proves to be quite low (good sign from organizations that are supposed to have a more locked down environment).
Wandera’s data shows that iOS devices tend to be out of date more often than Android devices. Take organizations with 1,000 to 4,999 employees: 6.2% of iOS devices are running an out of date OS compared to just 0.78% for Android. The highest share of out of date iOS devices is in organizations with 250 to 499 employees (13.35%), while companies with between 100 and 249 employees have the highest share of out of date Android devices (3.71%). Surprisingly, the lowest number of out of date devices belongs to enterprise-level organizations with 5,000 employees or more at 4.12% of iOS devices and 0% of Android devices.
Some of the above stats actually surprised me and I asked why Android devices were less likely to be out of date, especially in the enterprise. Michael explained, simply, one main reason is that larger corporations opt for iOS devices over Android. Should Android be used, it is generally Samsung, which keeps their devices up to date better. Also, enterprises often have device refresh programs every 12 to 19 months, making it easier to stay up to date.
Check back soon for even more data
I found this to be all very interesting, even if some of it might be more obvious. We have more security vendor data that we’re reviewing—remember, if you are a security vendor or collect enterprise and corporate mobile security data, please reach out!