Xavi Pes talks about risks of AI on mobiles


Did you know about possible data leaks from virtual assistants? Siri is not so trustworthy and our account manager, Xavi Pes, explains where the dangers of Artificial Intelligence lie when it comes to mobile phones.

Every day, mobile devices are increasingly present in the corporate world, and so are apps full of sensitive corporate data (emails, calendars, documents, files on the cloud…). However, mobiles are still not considered a main target for cyber attacks, and their security is one step behind that of other professional equipment: they have no antivirus or firewall… And virtual assistants can play tricks on users without them even knowing it.

1.- What are the main reasons mobile environments are fragile?

The report issued by the Government Accountability Office (GAO) highlights three main factors:

  • Data is not encrypted
  • The devices are not subject to corporate monitoring
  • Passwords are weak: protecting access to email, calendar, contacts and other sensitive company data with just a 4-digit PIN is complicated.

2.- What should companies do to fill in this gap in mobile cybersecurity?

The first step is to ensure the devices are included within the scope of the company’s cybersecurity policy. At WISE, the first thing we do is identify what devices are connected to our clients’ corporate network and we start our work from there.

There are two treatments:

  • Consultancy stage: advising on how to use the device properly: not using public WiFi networks, encrypting content, enabling remote wipe from the company’s control panel and using passwords longer than 4 digits.
  • Control stage: looking at what is installed on the device. It makes no sense to allow the installation of apps that may contain malware on a device that is part of the corporate network, since that leaves corporate information vulnerable.

3.- What are the company’s best practices regarding all of this?

Firstly, as mentioned above, we have to include mobiles within the scope of the company’s cybersecurity plan. This is rather complicated, since the widespread practice is BYOD (Bring Your Own Device): companies provide staff with a laptop, but it’s not that common to give them a company mobile or tablet. Therefore, to make things easier, staff just use their own devices for work. If the company does not include all these devices within its scope, it can end up with dodgy devices putting company data at risk.

4.- Artificial Intelligence is gaining ground in the mobile world. Does this make us more vulnerable?

Yes. Security still lags behind the technology: we are more reactive than proactive, because the limits of a new development cannot be tested until it has been in use for some time. In the early stages of using any new development, devices are always more vulnerable.

5.- Are we talking about Siri, Alexa or Bixby?

Yes, studies show how personal data can be leaked through commands issued to these assistants. To enhance your user experience, you need to give the assistant access to your information… So, if the assistant can be reached laterally, you end up exposed. For instance, an email can be sent from a mobile without the person holding it even knowing.

6.- How is it done?

There are several examples: one is to embed in a YouTube video an obscured audio track that you can’t hear but your device can, which triggers a voice command ordering the phone to send the entire phone book to a specific email address.

7.- At WISE, what do we recommend in these cases?

For mobiles used in the corporate environment, we recommend disabling this type of virtual assistant. We also check the security of all third-party apps used on the devices and, based on the security requirements, we decide whether they are suitable or not.
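As an added example (not part of the interview and not WISE’s own tooling), a Python check that a practitioner could run over an exported iOS configuration profile to flag the weak settings discussed in the consultancy stage and in the recommendation above (a simple 4-digit passcode, the voice assistant left enabled) and to produce a corrected copy. It assumes Apple’s standard Passcode and Restrictions payload keys; the profile embedded below is a constructed sample.

```python
import plistlib

# Constructed sample of an iOS configuration profile, as an MDM might export it
# (not from the article): a simple 4-digit passcode and the assistant left enabled.
SAMPLE_PROFILE = b"""<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowAssistant</key><true/>
      <key>allowAssistantWhileLocked</key><true/>
    </dict>
  </array>
</dict>
</plist>"""

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Apple Passcode payload
RESTRICTIONS = "com.apple.applicationaccess"          # Apple Restrictions payload

def check_profile(profile_bytes, min_passcode_len=6):
    """Return findings; an empty list means the profile meets the baseline."""
    payloads = {p["PayloadType"]: p for p in plistlib.loads(profile_bytes)["PayloadContent"]}
    pw, rs = payloads.get(PASSCODE, {}), payloads.get(RESTRICTIONS, {})
    findings = []  # a missing payload is treated as the weakest (default) setting
    if not pw.get("forcePIN", False):
        findings.append("forcePIN off: no passcode, so data-at-rest encryption is not enforced")
    if pw.get("allowSimple", True):
        findings.append("allowSimple on: repeating or sequential codes accepted")
    if pw.get("minLength", 0) < min_passcode_len:
        findings.append(f"minLength {pw.get('minLength', 0)} is below {min_passcode_len}")
    if rs.get("allowAssistant", True):
        findings.append("allowAssistant on: voice assistant can act on corporate data")
    if rs.get("allowAssistantWhileLocked", True):
        findings.append("allowAssistantWhileLocked on: assistant usable from the lock screen")
    return findings

def hardened_copy(profile_bytes, min_passcode_len=6):
    """Return the same profile with the weak settings corrected."""
    root = plistlib.loads(profile_bytes)
    fixes = {PASSCODE: {"forcePIN": True, "allowSimple": False, "minLength": min_passcode_len},
             RESTRICTIONS: {"allowAssistant": False, "allowAssistantWhileLocked": False}}
    for payload in root["PayloadContent"]:
        payload.update(fixes.get(payload["PayloadType"], {}))
    return plistlib.dumps(root)
```

Running `check_profile(SAMPLE_PROFILE)` reports four findings; `check_profile(hardened_copy(SAMPLE_PROFILE))` reports none.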

8.- How can we know if an app is safe?

The apps to be installed on your company’s devices can be audited. At present, there is no quality certification to prove that an app is secure, and apps do not undergo an audit as such before being uploaded to the app store. This is why it’s important to do this work afterwards: our clients turn to us to verify that the apps they’re using meet all the security requirements their company needs.

9.- Is it not compulsory for apps to be tested by developers?

In theory, there is no law that requires them to do so. They do take on the commitment to vouch for the proper use and security of the app, but this is not enforced, and there can be major differences from one app to another: there is no comparison between the development quality of Microsoft and that of a game development student doing his end-of-year project. How secure an app is depends on the skills of the developer.

10.- How does this affect app developers? What do they have to take into account?

If you’re a developer, you have to take measures to stop malware getting into your app and make sure that the data flows handled within the app go only to the right recipients. At WISE we specialise in this kind of mobile audit to confirm an app’s security.

11.- Is this audit the same for all apps?

No, the thoroughness depends on the requirements of the company hiring us to carry out the audit (whether they are a developer or a business that needs to audit a third-party app).

The requirements are not the same for a banking app and the app of a clothing shop, since their security levels vary.

12.- What are the apps that create the most vulnerability?

The ones that, due to a lack of downloads and use, have not yet had their resistance to attacks put to the test. Clearly, widely used apps generate fewer problems than unknown ones, because the more widely used they are, the more continuous the monitoring. With unknown apps, the validation process is not immediate, and by the time the malware is detected and removed from the app store, it’s too late for many users.

13.- Is this causing alarm?

No. Like everything to do with security, we’re taking it one step at a time. Think about it: desktop operating systems like Windows have been on the market for over 30 years, but it took 15-20 years before the first cybersecurity functions were released. In the mobile environment, for its part, iOS and Apple introduced security functions, and these issues are being addressed. Thanks to Artificial Intelligence, both companies have algorithms for detecting security faults in the apps uploaded to their stores, and as the algorithms improve, it will become more and more difficult to download apps with embedded malware.