On June 4, 2013, the Federal Trade Commission hosted a public forum to examine the state of mobile security. Mobile technologies, such as smartphones and tablets, provide consumers with an always-connected and convenient means of engaging in their daily activities, including email, shopping, banking, and surfing the web. While consumers reap many benefits through these technologies, they may not be aware of, or appreciate, the potential risks. Since the ordinary use of mobile devices involves the collection, transmission, and storage of consumers’ sensitive personal information, mobile threats – such as lost or stolen devices, or malicious or privacy-infringing applications – can place consumers at serious risk of identity theft or financial harm. In light of these issues, the forum convened four panels consisting of security researchers, academics, and industry representatives to engage in a wide-ranging conversation on the mobile threat landscape, industry efforts to secure the mobile ecosystem, and consumers’ mobile security expectations.
The first panel, composed of experts in mobile threat analysis, examined the most common threat vectors in the mobile environment, the likelihood that U.S. consumers will encounter these threats, and the potential evolution of these threats. Panelists agreed that – due to ease of distribution and other factors – malicious applications are the most common threat vector today. Although malware infections have been relatively low in the United States, panelists warned that malicious applications are likely to become more sophisticated as their developers use advanced techniques to circumvent the defenses developed by mobile platforms. Building on this discussion, the second panel consisted of representatives from mobile platform providers, which play a critical role in mobile security. The panel debated various approaches to mitigating mobile threats and securing the end-user experience, discussing the benefits and limitations of features such as sandboxing, trusted user interfaces, and application review processes. Although the platforms have taken different approaches in some of these areas, the panelists all agreed that it is important to provide application developers with the resources and incentives to create secure applications.
The third panel considered the role that other members of the mobile ecosystem, such as telecommunication carriers and third-party developers, should play in ensuring end-user security. Given that the current system is complex, dynamic, and includes many players, the panelists agreed that the ecosystem faces unique security challenges – such as inefficiencies when rolling out patches and updates – but that security should be a focal point for every player in the mobile ecosystem. Finally, the fourth panel explored consumer behaviors with respect to mobile security. Panelists noted that even though device loss and theft are the most common problems faced by consumers, many consumers do not take advantage of existing options, such as password authentication, to protect mobile devices. The panel discussed potential solutions, such as biometrics, that may be more consumer-friendly and help drive the adoption of better security practices.