Mobile Security…Off the Device and Into The Cloud

In a recent post, 5 Ways Hackers Get Your Mobile Device, I told you that every malicious attack method used on PCs is being re-written by the hacking community to attack mobile devices. It makes sense, then, that mobile security solutions mirror those used for the PC—mainly, the running of detection services on the device. The problem is that running detection software on a mobile device can be complex and resource intensive, so does it really make sense?

There is another method, in which the mobile anti-virus functions are moved to a network cloud service. The thinking is that this will conserve mobile resources, improve detection of threats, and reduce the need for complex software on the device. The main idea is to trade network bandwidth for device CPU and memory, and consequently save power. The idea has merit as a starting point, and I actually like the basic concept.

The benefits are:

  • Off-loading the detection function to the cloud allows more resources to be dedicated to evaluating each suspicious file.
  • Transferring files to a cloud service for analysis reduces CPU use, memory use, and power on the device.
  • Pushing complex detection software into the cloud minimizes the need for complex software on the device.

The architecture, which could be deployed by a mobile service provider or third-party vendor, consists of two primary components:

  • A lightweight host agent that runs on mobile devices, acquires files, and sends them into the cloud for analysis.
  • A cloud service that receives files from the agent and identifies malicious or unwanted content.

Unfortunately, this method also has some obstacles:

  • The agent that sends files for analysis must be difficult (because impossible isn’t achievable) to bypass. If the malware can somehow attack the agent before the malware itself gets analyzed, we’ve already lost. This means everything coming in via SMS/MMS, web, email, or whatever the next service is that I haven’t thought of yet, must be analyzed before the user can actually execute or view it.
  • The analysis process must be fast enough that it doesn’t significantly impact the user experience (and this is a huge part of the problem).
  • What do we do about 0-day attacks for which we don’t have a signature/heuristic at the time the file is first analyzed? With detection on the device, a later scheduled scan could pick it up, but if detection is in the cloud, will we be rescanning every file on the device at regular intervals?
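As an added illustration (not from the original post, and not any vendor's product), here is a simplified Python model of the two-component architecture described above, together with one answer to the 0-day rescan question: the agent caches each verdict with the signature version it was based on, and a periodic revalidation re-queries only stale hashes instead of re-uploading every file. The cloud service is a constructed stand-in (a hash blocklist with a version counter); the class and method names are assumptions for the example.

```python
import hashlib

def fingerprint(content: bytes) -> str:
    """SHA-256 hex digest; on revalidation the agent ships this, not the file."""
    return hashlib.sha256(content).hexdigest()

class CloudScanner:
    """Constructed stand-in for the cloud service: a hash blocklist plus a
    signature version that increments whenever new detections are published."""
    def __init__(self) -> None:
        self.signature_version = 1
        self.known_bad: set[str] = set()

    def publish_signature(self, digest: str) -> None:
        self.known_bad.add(digest)
        self.signature_version += 1

    def current_version(self) -> int:
        return self.signature_version  # cheap check, no file transfer

    def lookup(self, digest: str) -> tuple[str, int]:
        verdict = "malicious" if digest in self.known_bad else "clean"
        return verdict, self.signature_version

class HostAgent:
    """Lightweight on-device agent: analyzes content before the user can open
    it and caches each verdict with the signature version it was based on."""
    def __init__(self, cloud: CloudScanner) -> None:
        self.cloud = cloud
        self.cache: dict[str, tuple[str, int]] = {}

    def scan(self, content: bytes) -> str:
        digest = fingerprint(content)
        if digest not in self.cache:  # first sight: full analysis in the cloud
            self.cache[digest] = self.cloud.lookup(digest)
        return self.cache[digest][0]  # a cached 'clean' may be stale: see below

    def rescan_stale(self) -> dict[str, str]:
        """Periodic revalidation of 'clean' verdicts that predate the current
        signature set; returns the hashes whose verdict flipped."""
        current = self.cloud.current_version()
        changed: dict[str, str] = {}
        for digest, (verdict, version) in list(self.cache.items()):
            if verdict == "clean" and version < current:
                self.cache[digest] = self.cloud.lookup(digest)
                if self.cache[digest][0] != verdict:
                    changed[digest] = self.cache[digest][0]
        return changed
```

The gap the post worries about is visible in the model: between the signature being published and the next `rescan_stale()`, the agent still answers "clean" from its cache, so the revalidation interval is the exposure window.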

Ultimately, I don’t see mobile security as an either-or thing. I think the parts that can be successfully done off the device and in the cloud should be, but there will still be a need for some detection/anti-virus capabilities to run on the device itself. Just as we attempt to employ defense-in-depth with intrusion detection and firewalls and anti-virus on our PCs, we will need multiple layers of defense on our mobile devices, too.

What do you think? How should mobile security be handled…on the device or in the cloud? Share your thoughts.
Jim Clausing, Principal Member of Technical Staff, AT&T