Stagefright vulnerability was by poor practice by patchers, claims expert

Tom Lysemose Hansen, founder and CTO of Promon, warns more care needs to be taken with mobile security

The Stagefright security vulnerability in Google's Android mobile operating system has exposed how the way apps are developed and maintained is insufficent to cope with real-world threats.

That's according to Tom Lysemose Hansen, founder and CTO of Norwegian security specialist Promon, who warns how many had failed to plan how they'd react to a vulnerability on the scale of Stagefright. The vulnerability left almost a billion Android devices susceptible to hacking and was described as "worse than heartbleed".

According to Hansen, the very nature of mobile devices means that they're often vulnerable to cyber attacks, especially those running Android.

"Those surprised by the outbreak of the Stagefright app should remember the many functions a mobile device performs. Receiving network connections from different locations, accessing different platforms and downloading apps from different developers means mobile devices - and Android devices in particular - are porous, and may be accessible to third parties."

Android has long had a poor reputation for security and recent Computing research revealed that that IT departments believe Android is the most problematic OS for enterprise deployment, with security cited as a key concern.

Hansen also warned that the frequency of patches issued by phone manufacturers is not sufficient. Often such patches are released on a monthly basis, providing too large a window of opportuinity for criminals.

"In almost all cases, vulnerabilities are developed to differ from their predecessor, so any attempt to patch them will be a reaction, rather than a proactive step to protect the device," he explained.

"While the patches may secure Android devices from Stagefright, future threats remain unaccounted for. Dealing with these threats in real time is all too often the crux of maintaining adequate security for your mobile device," Hansen said.

The answer, he suggested, is for security experts to be properly prepared for vulnerabilities, so rather than developing patches in hindsight, security should be ingrained at the level of the application from the outset.

"App security should be perennial. Only when manufacturers and software developers acknowledge it is not possible for the mobile device to provide a complete environment secured against unknown future vulnerabilities, will they employ more effective approaches for the assessment and mitigation of risk," he said.

"The onus should instead be placed on developers to adequately defend their individual applications against the many more strains of malicious software expected in the wake of these most recent examples," Hansen continued.

"Adequate protection is only offered when these threats are dealt with as and when they appear, at the application level," he concluded.

Computing's Enterprise Security & Risk Management Summit takes place on 26 November 2015 and is free to attend for qualified end users. Register here.