Threat Category: Mobile OS & Vendor Infrastructure
ID: ECO-2
Threat Description: If an attacker is able to compromise cloud backups, they could gain unauthorized access to private and potentially sensitive data.
Threat Origin
Mobile Security: Threats and Countermeasures 1
Exploit Examples
Q4 Mobile Security and Risk Review 2
CVE Examples
Not Applicable
Possible Countermeasures
To prevent sensitive app data from unknowingly being backed-up to unauthorized or unsecure cloud services, analyze app data storage practices as part of the app vetting process prior to authorizing apps for use.
To protect the confidentiality of app data backed-up to a cloud service, prefer the use of FedRAMP-certified cloud service providers to gain assurance that app data backed-up to the cloud is strongly encrypted.
To prevent an attacker from gaining access to app data backups via the cloud service account, enable two-factor or other strong authentication mechanisms.
To protect the confidentiality of app data backed-up to a cloud service, deploy MAM or MDM solutions in combinations with devices that successfully enforce a policy to strongly encrypt app data backed-up or synchronized to authorized cloud services.
To prevent sensitive app data from being backed-up to an untrusted cloud service, deploy MAM or MDM solutions in combination with devices that successfully enforce a policy that prohibits app data from being synchronized or backed-up to any cloud services.
Mobile Device UserTo prevent an attacker from gaining access to app data backups via the cloud service account, enable two-factor or other strong authentication mechanisms.
References
Mobile Security: Threats and Countermeasures, white paper, MobileIron; www.mobileiron.com/sites/default/files/security/Mobile-Security-Threats-and-Countermeasures-WP-MKT-6361-V1.pdf [accessed 8/25/2016] ↩
Q4 Mobile Security and Risk Review, white paper, MobileIron; https://www.mobileiron.com/sites/default/files/qsreports/files/security-report-Q415-v1.2-EN.pdf [accessed 8/25/2016] ↩