1. Mobile devices often do not have basic security controls enabled. These devices usually are not configured to require a password to authenticate users and control access to the data stored on them. Many devices technically support passwords, personal identification numbers (PINs) or pattern screen locks for authentication, and some include a biometric reader that scans a fingerprint. However, anecdotal information shows that consumers seldom use these mechanisms. Additionally, a password or PIN that users do choose (if they use one at all) can often be readily determined or bypassed, for example 1234 or 0000. Without a password or PIN to lock the device, the risk that an unauthorized user accesses or misuses the sensitive information on a lost or stolen device is higher.
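As an added example (not part of the original list or the GAO report it draws on), the following Python shows the two controls a screen lock needs to make the weak-PIN problem above less damaging: a policy check that rejects guessable PINs such as 1234 or 0000, and an unlock routine that stores only a salted slow hash and throttles repeated wrong guesses. The minimum length, the common-PIN list and the lockout schedule are assumptions chosen for illustration, not any platform's actual policy.

```python
"""Screen-lock PIN hygiene: reject guessable PINs and throttle unlock attempts.

Added example, not from the original list or the GAO report. The minimum length,
the common-PIN list and the lockout schedule are assumptions chosen for
illustration rather than any platform's actual policy.
"""
import hashlib
import hmac
import os
import time

# Constructed list of PINs that are commonly chosen and therefore easy to guess.
COMMON_PINS = {"1234", "0000", "1111", "2580", "1212", "4321", "123456", "000000"}
MIN_LENGTH = 6          # assumption: six digits minimum
LOCKOUT_AFTER = 5       # assumption: failures before the first lockout
BASE_LOCKOUT_S = 30     # assumption: first lockout length, doubling afterwards


def pin_weaknesses(pin: str) -> list:
    """Return the reasons a PIN is considered weak (an empty list means acceptable)."""
    reasons = []
    if not pin.isdigit():
        return ["PIN must contain only digits"]
    if len(pin) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} digits")
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN list")
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if len(pin) >= 3 and steps in ({1}, {-1}):
        reasons.append("ascending or descending sequence")
    half = len(pin) // 2
    if len(pin) >= 4 and len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        reasons.append("repeated pattern")
    return reasons


class ScreenLock:
    """Stores only a salted PIN hash and throttles guesses after repeated failures."""

    def __init__(self, pin: str, clock=time.monotonic):
        weak = pin_weaknesses(pin)
        if weak:
            raise ValueError("weak PIN: " + "; ".join(weak))
        self._salt = os.urandom(16)
        self._hash = self._derive(pin)
        self._failures = 0
        self._locked_until = 0.0
        self._clock = clock  # injectable so the lockout can be tested without sleeping

    def _derive(self, pin: str) -> bytes:
        # Slow hash so an extracted hash cannot be brute-forced quickly.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def unlock(self, attempt: str) -> str:
        """Return 'unlocked', 'denied' (wrong PIN) or 'locked' (lockout in force)."""
        now = self._clock()
        if now < self._locked_until:
            return "locked"
        if hmac.compare_digest(self._derive(attempt), self._hash):
            self._failures = 0
            return "unlocked"
        self._failures += 1
        if self._failures >= LOCKOUT_AFTER:
            self._locked_until = now + BASE_LOCKOUT_S * 2 ** (self._failures - LOCKOUT_AFTER)
        return "denied"
```

The lockout grows exponentially with each further failure, so a four-digit space cannot be walked through at the lock screen; the PBKDF2 work factor serves the separate case where the stored hash is extracted from a device.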
2. Two-factor authentication is not always used when running sensitive transactions on mobile devices. According to studies, customers most of the time use static passwords rather than two-factor authentication when conducting sensitive online transactions on mobile devices. Static passwords have several security drawbacks: they can be guessed, forgotten, written down and stolen, or eavesdropped. Two-factor authentication offers a higher level of security than traditional approaches such as passwords and PINs, and this enhanced protection may be necessary for sensitive transactions. In a two-factor authentication system, users must authenticate with at least two different "factors" before being granted access: something they know, something they have, or something they are. In some two-factor schemes the mobile device itself is the second factor: it can generate passcodes, or receive codes via a text message. Without two-factor authentication, the risk of unauthorized access to sensitive information and misuse of mobile devices is higher.
3. Wireless transmissions are not always encrypted. Information such as e-mail sent from a mobile device is usually not encrypted while in transit. Moreover, most applications do not encrypt the data they transmit over the network, so it is easier to intercept. For example, if an application sends data over an insecure Wi-Fi network using HTTP rather than HTTPS, the data can be easily intercepted. Whenever a wireless transmission is not encrypted, the data can be easily intercepted.
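The application-side fix for the HTTP-versus-HTTPS case is to make cleartext transport impossible rather than merely discouraged. The Python below is an added example (not code from the original text): it audits an app's configured endpoints for http:// URLs and opens connections only through a TLS context with certificate verification, hostname checking and a TLS 1.2 floor. The endpoint names and hosts are constructed; building the connection object does not touch the network, so the check runs offline.

```python
"""Refuse cleartext transport: only open connections over verified TLS.

Added example, not from the original text. ENDPOINTS is a constructed stand-in
for an app's configuration; no network connection is made until request() is
called on the returned object.
"""
import http.client
import ssl
from urllib.parse import urlparse

# Constructed endpoints of the kind a mobile app keeps in its configuration.
ENDPOINTS = {
    "sync": "https://api.example.test/v1/sync",
    "legacy_report": "http://reports.example.test/upload",   # cleartext: must be rejected
}


def secure_context() -> ssl.SSLContext:
    """TLS client context: CA verification and hostname checking on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_connection(url: str) -> http.client.HTTPSConnection:
    """Return an HTTPS connection for `url`, or raise if the URL is not https://."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"cleartext transport refused for {url!r}: scheme must be https")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=secure_context(), timeout=10)


def audit_endpoints(endpoints: dict) -> list:
    """Names of configured endpoints whose traffic would be sent in cleartext."""
    return [name for name, url in endpoints.items() if urlparse(url).scheme != "https"]


if __name__ == "__main__":
    print("cleartext endpoints:", audit_endpoints(ENDPOINTS))
    conn = open_connection(ENDPOINTS["sync"])
    print("would connect to", conn.host, conn.port, "over TLS >= 1.2")
```

Run the audit in the app's build pipeline so a cleartext URL fails the build instead of reaching users; the platform-level equivalent is disabling cleartext traffic in the app's network security configuration, which the code above mirrors at the call site.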
4. Mobile devices may contain malware, or customers may download applications that contain malware. Customers download malware unintentionally because it can be disguised as a game, security patch, utility or other useful application, and users can hardly tell the difference between a legitimate application and one that contains malware. For instance, a consumer could inadvertently download an application containing malware onto a mobile device. Malware on the device can then intercept data, and an attacker may gain unauthorized access to confidential information.
5. Mobile devices mostly do not use a security application. Most mobile devices do not ship with security software to protect against malicious code and attacks, and users rarely install such software themselves. Although security software can decrease performance and reduce battery life on some mobile devices, without it the risk that an attacker successfully plants malware such as viruses, Trojans, spyware and spam to deceive the user is higher. Such malware can trick users into revealing passwords or other sensitive information.
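Items 4 and 5 together describe what a security application has to do before an install: decide whether a package disguised as a game or utility is safe when the user cannot tell. The Python below is an added example, not code from the original text or from any security product: it combines a hash reputation lookup with a heuristic that flags permissions a given app category has no plausible need for. The hashes, app records, permission names and category expectations are all constructed for illustration.

```python
"""Vetting an app before install: hash reputation plus permission heuristics.

Added example, not from the original text. The reputation lists, category
expectations and sample apps are constructed; a real security application would
take its lists from a vendor feed and read permissions from the package manifest.
"""
import hashlib

# Constructed reputation lists, keyed by SHA-256 of the package.
KNOWN_BAD = {hashlib.sha256(b"constructed-fake-flashlight-trojan").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"constructed-vendor-signed-mail-client").hexdigest()}

# Constructed expectations: permissions a category has no plausible need for.
UNEXPECTED_FOR_CATEGORY = {
    "game": {"READ_SMS", "SEND_SMS", "READ_CONTACTS", "RECORD_AUDIO", "DEVICE_ADMIN"},
    "utility": {"READ_SMS", "SEND_SMS", "DEVICE_ADMIN"},
    "messaging": {"DEVICE_ADMIN"},
}
# Permissions that warrant a manual look whatever the category claims to be.
HIGH_RISK = {"DEVICE_ADMIN", "ACCESSIBILITY_SERVICE", "INSTALL_PACKAGES"}


def assess_app(package_bytes: bytes, category: str, permissions: set) -> dict:
    """Return {'verdict': 'block' | 'allow' | 'review', 'reasons': [...]}."""
    digest = hashlib.sha256(package_bytes).hexdigest()
    if digest in KNOWN_BAD:
        return {"verdict": "block", "reasons": ["package hash on known-malware list"]}

    reasons = []
    suspicious = permissions & UNEXPECTED_FOR_CATEGORY.get(category, set())
    if suspicious:
        reasons.append(f"{category} app requests {sorted(suspicious)}")
    risky = permissions & HIGH_RISK
    if risky:
        reasons.append(f"high-risk permissions {sorted(risky)}")

    if digest in KNOWN_GOOD and not reasons:
        return {"verdict": "allow", "reasons": ["package hash on known-good list"]}
    if reasons:
        return {"verdict": "review", "reasons": reasons}
    # Unknown package with unremarkable permissions: no data either way, so hold it.
    return {"verdict": "review", "reasons": ["unknown package: no reputation data"]}


if __name__ == "__main__":
    # Constructed sample: a "puzzle game" that wants to read text messages.
    print(assess_app(b"constructed-puzzle-game-v2", "game", {"INTERNET", "READ_SMS"}))
```

The permission heuristic is what catches the disguise case the text describes: a flashlight or puzzle game that asks to read SMS or act as device administrator is behaving like a banking Trojan regardless of how its store listing reads.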
6. Operating systems may be out of date. Users usually do not install security patches or fixes for their mobile devices' operating systems on time, and applying security patches to users' devices can take weeks or even months. Depending on the nature of the vulnerability, the patching process may be complicated and involve many parties.
Also, users may not receive security updates for mobile devices that are older than two years because manufacturers may no longer support them. Most manufacturers only support their mobile devices for 12 to 18 months after release. Such devices face increased risk if manufacturers do not release patches for newly discovered vulnerabilities.
7. Software on mobile devices may be outdated. Security fixes for third-party applications are not always developed and distributed regularly. Also, some mobile applications, such as web browsers, do not always inform users when updates are released; unlike conventional web browsers, mobile browsers rarely get updates. Using outdated software increases the risk that an attacker exploits the vulnerabilities associated with it.
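Items 6 and 7 are, from a defender's side, one fleet-compliance question: is each device's patch level recent, is the device still inside its vendor's support window, and are its key applications (the browser above all) at or above a minimum version? The Python below is an added example, not from the original text: it evaluates a constructed device inventory against those three conditions. The 90-day patch age, the 18-month support window (the upper figure quoted above) and the minimum app versions are assumptions.

```python
"""Patch-level, support-lifetime and app-version compliance for a device fleet.

Added example, not from the original text. The inventory, the 90-day patch
threshold, the 18-month support window and the minimum app versions are all
assumptions chosen for illustration.
"""
from datetime import date, timedelta

MAX_PATCH_AGE_DAYS = 90                                   # assumption
SUPPORT_MONTHS = 18                                       # assumption (upper end of 12-18)
MIN_APP_VERSIONS = {"browser": (120, 0), "mail": (5, 2)}  # constructed minimums


def parse_version(v: str) -> tuple:
    """'124.0' -> (124, 0), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


def assess_device(dev: dict, today: date) -> list:
    """Return the compliance findings for one device record (empty list = compliant)."""
    findings = []
    patch_age = (today - dev["patch_level"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"security patch level is {patch_age} days old")
    # Support window estimated from release date; vendors publish exact dates.
    support_end = dev["released"] + timedelta(days=30 * SUPPORT_MONTHS)
    if today > support_end:
        findings.append(f"past estimated vendor support (ended {support_end})")
    for app, minimum in MIN_APP_VERSIONS.items():
        installed = dev["apps"].get(app)
        if installed is not None and parse_version(installed) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append(f"{app} {installed} is below minimum {wanted}")
    return findings


def fleet_report(inventory: list, today: date) -> dict:
    """Map device id -> findings for every device in the inventory."""
    return {dev["id"]: assess_device(dev, today) for dev in inventory}


# Constructed inventory of the kind a device-management system exports.
INVENTORY = [
    {"id": "phone-01", "released": date(2023, 9, 1), "patch_level": date(2024, 5, 5),
     "apps": {"browser": "124.0", "mail": "5.3"}},
    {"id": "phone-02", "released": date(2022, 3, 1), "patch_level": date(2023, 11, 1),
     "apps": {"browser": "118.0", "mail": "5.2"}},
]

if __name__ == "__main__":
    for dev_id, findings in fleet_report(INVENTORY, date(2024, 6, 1)).items():
        print(dev_id, "compliant" if not findings else findings)
```

A device that is past vendor support cannot be brought back into compliance by any user action, which is why the report separates that finding from the stale-patch one: the first calls for replacement, the second for an update prompt.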
8. Mobile devices mostly do not limit Internet connections. Most mobile devices do not use firewalls to manage connections. When the device connects to a wide area network (WAN), communication ports are used to reach the Internet or other devices, and an attacker can reach the device through an insecure port. A firewall can protect these ports and let the user choose which connections to allow into the device. Without a firewall, the device is open to attack through an unsecured communication port, and an attacker may gain access to sensitive information on the device and misuse it.
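What "letting the user choose which connections to allow" means in practice is a default-deny rule set evaluated against each connection attempt. The Python below is an added example, not code from the original text or from any firewall product: it models such a policy (allow outbound HTTPS and DNS anywhere, allow one inbound port from the home LAN only, deny everything else) and runs a few constructed connection attempts through it. Rules, addresses and ports are constructed for illustration.

```python
"""Default-deny connection filter of the kind a device firewall applies.

Added example, not from the original text. POLICY and SAMPLE are constructed;
this models the policy decision, not packet capture or enforcement.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (to the device) or "out" (from the device)
    proto: str              # "tcp" or "udp"
    port: Optional[int]     # None matches any port
    remote: str             # CIDR the remote peer must fall in
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Conn:
    direction: str
    proto: str
    port: int               # local port for inbound, remote port for outbound
    remote_ip: str


def decide(rules, conn: Conn) -> str:
    """First matching rule wins; if nothing matches, the answer is deny."""
    addr = ip_address(conn.remote_ip)
    for r in rules:
        if r.direction != conn.direction or r.proto != conn.proto:
            continue
        if r.port is not None and r.port != conn.port:
            continue
        if addr not in ip_network(r.remote):
            continue
        return r.action
    return "deny"


def evaluate(rules, conns) -> list:
    """Pair each connection attempt with the policy's decision."""
    return [(c, decide(rules, c)) for c in conns]


# Constructed policy: outbound web and DNS anywhere, one inbound port from the LAN.
POLICY = [
    Rule("out", "tcp", 443, "0.0.0.0/0", "allow"),
    Rule("out", "udp", 53, "0.0.0.0/0", "allow"),
    Rule("in", "tcp", 8080, "192.168.1.0/24", "allow"),
]

# Constructed connection attempts (documentation address ranges).
SAMPLE = [
    Conn("out", "tcp", 443, "203.0.113.10"),   # HTTPS to the Internet
    Conn("in", "tcp", 8080, "192.168.1.20"),   # LAN peer on the permitted port
    Conn("in", "tcp", 8080, "198.51.100.7"),   # same port, but from the Internet
    Conn("in", "tcp", 5555, "198.51.100.7"),   # unsolicited inbound on another port
]

if __name__ == "__main__":
    for conn, verdict in evaluate(POLICY, SAMPLE):
        print(f"{conn.direction:>3} {conn.proto} port {conn.port:<5} from {conn.remote_ip:<15} -> {verdict}")
```

The third sample is the case the text warns about: the same listening port that is reasonable to expose on a home LAN becomes an unsecured port the moment the device is on a WAN, and only the source restriction in the rule keeps it closed there.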
9. Mobile devices can be the subject of unauthorized manipulation. Modifying a mobile device to remove its built-in restrictions so that users can add features alters its security management and can increase security risks. These techniques, known as "jailbreaking" or "rooting," give users access to the device operating system, which permits the installation or modification of unauthorized software functions and applications, or removes the restriction to a particular mobile network.
10. The GAO report suggests that connecting to an unencrypted Wi-Fi network can let an attacker access personal information from a device, increasing the risk of data and identity theft.