Back

Between a brick and a good place: making mobile security usable for humans

Feb 14, 2024

|

iVerify Team

Mobile security has come a long way in the last decade, as the security industry innovates to keep pace with the rapid evolution in product features that turned mobile phones into powerful computers in the palm of our hands. 

‍At the same time, awareness of the security risks associated with mobile devices that contain our most sensitive data has also increased. In 2023, Deloitte found that 67% of smartphone users worry about data security and privacy on their phones, a 13% increase from 2022. Yet, other research also shows they often don’t do what’s necessary to protect their devices from an increasing array of mobile threats. Why?  

‍The 2023 Verizon mobile security index report cites security fatigue and complacency as potential reasons, adding that “In the 2022 edition of the Mobile Security Index, we reported that nearly two-thirds (66%) of respondents said that they’d come under pressure to sacrifice mobile device security ‘to get the job done.’ Of those, 79% (or 52% of all respondents) had succumbed to that pressure.”

‍In other words, if mobile security solutions aren’t easy to use and allow users to continue to get the most out of their mobile devices, adoption will continue to be a barrier - and risks to the enterprise will continue to grow.

The challenge for device manufacturers 

Apple and Android OEMs face a scaling issue. When they make a security update available to users, they can’t distribute it immediately to all users. This delay between an update being available and an individual user getting notified that the update is available can range from hours to days. 

‍During this period, attackers have access to a list of security vulnerabilities affecting prior versions along with the fixes available in the updated software. They can devise attacks specifically targeted to users who haven't yet installed the update.

‍Part of our strategy at iVerify is reducing the notification time for each user, immediately sending a notification when a security update is available. With a glance at their home screen, users with the iVerify app immediately know if they have the latest version of iOS, and in the near future, we will help users manage operating system risks in the complex Android ecosystem, too. 

‍Another core challenge OEMs face is balancing security with users’ favorite product features. Lockdown Mode was introduced by Apple to address the growing use of mercenary spyware to hack the phones of high-profile targets, such as journalists, politicians, CEOs, and NGOs. And Lockdown Mode does exactly what its name implies - it locks the user out of most of the features and tools that are frequently exploited, including some messages and attachments, web browsing, Siri, airdrop, Bluetooth, and more, and it can limit the functionality of some apps. 

‍Apple is very transparent about this and who the intended user is, stating: “Lockdown Mode is optional and should be used only if you believe you might be targeted by a highly sophisticated cyberattack, such as by a private company developing state-sponsored mercenary spyware.” However, even security professionals report turning off Lockdown Mode the moment it impedes their favorite device features and new research suggests that even Lockdown Mode can be spoofed on a compromised device. So while it is a step in the right direction, it’s not a silver bullet.

‍Ok - so how do you know you’re being targeted by mercenary spyware? By the time you realize you are being attacked, it might be too late.  

Does a practical approach exist?

The larger issue here is that Lockdown Mode represents the uber challenge with a lot of mobile security solutions today: they are either only relevant to a small audience and can render your device to the point of uselessness, or they are too complex to use in any real-world business setting. That’s the case with another recent solution designed to protect iOS devices from some of the most dangerous spyware out there, including Pegasus and Predator.  

‍Created by Kaspersky and dubbed iShutdown, the “self-check tool” uses 3 Python scripts to check the shutdown.log file for advanced threats.  This is great - if you have a personal dedicated assistant who knows Python and is on call to regularly run the tool on your phone. How many CEOs, journalists, or enterprise business leaders are in that position?

‍To be clear, we believe that both Lockdown Mode and iShutdown are valuable additions to the arsenal required to battle mercenary spyware. However, to truly protect the world’s mobile-first workforce at scale, a solution that individual users will, well, use is required.

‍We built human-friendly solutions like iVerify Threat Hunter and iVerify Enterprise to defend against sophisticated attacks while reducing the friction between mobile users and security. We know that human nature means users will want the path of least resistance when it comes to protecting their phones. Our enterprise solution provides real-time threat detection and device integrity checks (no waiting for the update notification from the device manufacturer, thereby closing that vulnerability time-based gap). Additionally, its mobile telemetry respects user privacy, which has long been a concern to users about existing mobile security options.

‍Threat Hunter is our new mobile forensics solution for identifying unknown threats before they spiral into full-scale security incidents. And because high-profile individuals are often the busiest and most resistant to using complex security software on their devices, Threat Hunter includes user-friendly Security Guides, Reboot Reminders and Notifications, and iVerify’s Secure Mobile Browsing extension to make it as easy as possible to stay safe by making security an easy path. 

‍We are on a mission to root out sophisticated mobile malware. And to do that, we know our solutions must be both easy to use and provide powerful protection. Because you invest a lot in your mobile device - financially, and yes, emotionally. You should be able to use it all the time, everywhere you go. We’re here to help with that. To learn more about any of our solutions, reach out to us here.