At a “How to implement security for mobile devices” presentation, I was given the following steps:
- Need remote wipe
- Need to set password policy
- Need to determine if access to file shares is permitted
That’s true, but there’s more.
There are three challenges peculiar to securing mobile devices:
- physical security issues,
- location disclosure (tracking) issues, and
- unmanaged gateway (“tethering”) issues.
Mobile devices have attack surfaces which should be addressed, such as:
- Bluetooth connections (see Bluetooth Hacking: A Case Study by Dennis Browning)
- Removable media
- Unencrypted communications
Like all computing devices, physical access allows logical controls to be bypassed. Mobile devices are not easily tethered to a location or person and are therefore easily lost or stolen. This is the distinguishing characteristic of mobile device security: the ease with which a device is misplaced. When the mobile device is lost or stolen, what information will be lost or stolen? What is the value of that information? In your valuation, be sure to include the information available on other systems, if the mobile device makes those systems available. What are you willing to pay to avoid the loss of that information, or the corruption of that information, or the exposure of that information?
The “how do we support mobile devices” question should begin with the data. What information do employees need access to? How do we make that information available, while preserving its confidentiality, maintaining its integrity, and ensuring its authenticity?
The employee desire for real-time access to critical business information (extending its availability) through mobile devices needs to be weighed against the ability to keep the critical business information confidential, to preserve the integrity of critical business information, and authenticate access to critical business information.
Sybase The iPhone Is Here To Stay What’s An Enterprise To Do About It? boldy states that
Endusers, including many executives, love the iPhone, and ultimately – like it or not – that’s what matters.
That is simply and blatantly untrue. Decisions based upon the convenience of others do not sway executives. Decisions based upon their own convenience should not sway executives. They recognize that convenience is not the only relevant characteristic.
Sybase Why Managing Mobility Matters [pdf].
The Unofficial Guide To The iPhone [pdf].
Smartphone security implications of Microsoft Exchange Activesync by Gregg Braunton
Shmoocon 2011: Your Android’s Dirty Little Secret and other articles at CSO Online
Lost or stolen phone mitigation measures
- Remote phone lock
- Remote phone wipe
- Kaspersky Mobile Security
- Kaspersky Mobile Security Lite
- Lookout Mobile Security (formerly Flexillis) anti-virus, backup, remote locate and wipe.
- Mocana’s Mobile App Protection (MAP) offers Data Loss Prevention (DLP) and Virtual Private Network (VPN) features.
- PKWARE has released SecureZIP Reader for iOS, an application that secures enterprise and government data on phones and tablets. SecureZIP Reader for Android and Kindle Fire will be available in the second quarter of 2012. The SecureZIP solution secures corporate information that end-users send to the Cloud via file-sharing applications, like DropBox, Box.net or email, to access on their mobile devices.
- droidSecurity anti-virus, SPAM SMS blocker, application reputation for Android
- If a BlackBerry is configured with the “Remote Wipe Reset to Factory Defaults” rule, BlackBerry Enterprise Server (BES) can delete applications and data.
- A Smartphone connecting through Exchange ActiveSync (such as Windows Mobile, iPhone 2.0+, or Nokia Series S60 3rd edition) can be wiped by administrators (via Exchange Server 2003/2007) or end users (via Outlook Web Access 2007).
- Google Apps, Educational or higher edition, provides a mechanism to remote wipe a phone registered to their service.
- Absolute Software’s Computrace Mobile
- F-Secure Mobile Security
- An Apple iPhone can be wiped if you are using either of the following:
- Apple MobileMe
- Exchange Server client using Outlook Web Access (OWA)
- Palm Pre online Profile services
- Microsoft My Phone
- Other agent-based remote wipe vendors: Trust Digital, Good Technology Inc. and Zenprise Inc.
- Other remote lock and wipe vendors: 123Together, ExchangeMyMail, Link2Exchange, Mistral and some wireless carriers.
- Mobile Active Defense (MAD)
- Removable storage device endpoint security and control by Lisa Phifer (April 2010 Information Security magazine [pdf]).
- Carnegie Mellon University CyLab researchers have developed the smartphone app SafeSlinger.SafeSlinger is used to securely exchange data among a group of users. You may select any fields from your personal contact, photo, and/or developer-designed keys for exchange. Each user will enter a pair of short numbers and confirm a 3-word list matches that displayed by other users’ phones communicating via SSL.”With SafeSlinger, users can gain control over their exchanged information through end-to-end encryption, preventing intermediate servers or service providers from reading their messages or other sensitive stored data in their smartphones,” said Adrian Perrig, technical director of Carnegie Mellon CyLab and a professor of electrical and computer engineering at CMU.”We increasingly lose control over our data. But SafeSlinger’s user-centric security design includes an advanced protocol, which incorporates elements of several cryptographic schemes and factors in the prevention of numerous types of attacks,” said Perrig. SafeSlinger is available in the App Store and on Google play.
- Find remote mobile device wipe solutions on a budget
- Three steps to achieve security for smartphones within a budget
- How to choose full disk encryption for laptop security, compliance
- Remote phone lock and GPS tracking counter smartphone security risks
See also: Do Cell Phones Get Viruses?
April 8, 2009: iPhone OS 4 will allow encrypting data with the user’s phone lock pin code. If the phone is lost or stolen and data encryption has been enabled, that’s another bump before the data is available. The API will make data encryption available to application developers.
iPhone users can back up the content of their device (including contacts, pictures, call logs, email, accounts and passwords, text messages, calendars, appointments, organizer information and Web browsing history including URLs of recently visited sites) to their local computer or to cloud storage maintained by Apple (iCloud). Various sources quote the service has as many as 125 million users as of April 2012.
Elcomsoft Phone Password Breaker enables (forensic) access to password-protected backups for smartphones and portable devices based on RIM BlackBerry and Apple iOS platforms. The password recovery tool supports all Blackberry smartphones as well as Apple devices running iOS including iPhone, iPad and iPod Touch devices of all generations released to date, including the iPhone 4S and iOS 5.
ElcomSoft updated its Phone Password Breaker with the ability to retrieve user data from iCloud. No lengthy attacks and no physical access to an iPhone device are required: the data is downloaded directly onto the investigators’ computers from Apple remote storage facilities in plain, unencrypted form. Backups to multiple devices registered with the same Apple ID can be effortlessly retrieved. Investigators need to know the user’s original Apple ID and password (or guess the password) in order to gain access to online backups.
There is a longer, better version of the information at Infosecurity magazine “How safe is your iCloud data?” (15-May-2012).
If you’re not using them, switch off the GPS features.
iPhone: Settings app, General, Location Services off
Android: Settings, Location & compass, clear all checkboxes under My Location
Windows Mobile: add GPS Toggle as quick way to turn GPS off and on
Like many other digital cameras, mobile phones add location information to pictures. See Exchangeable Image File Format (EXIF). When sharing pictures, be aware of this information leakage. For example, an abused spouse in hiding sending pictures back home inadvertently reports where they are.
April 22, 2010: Researchers demonstrate cell phone vulnerabilities to track user movements Don Bailey and Nick DePetrillo at SOURCE, Boston 2010. Access Home Location Register (ALR) to enable mapping of Caller ID to mobile provider; exploit implementation vulnerabilities in SS7 to use mobile provider’s network to track phone (Locating Mobile Phones using Signalling (sic) System #7 [pdf] by Tobias Engel). Other vulnerabilities: hacking voicemail (listen to messages, create spoofed messages).
April 20, 2011: Your iPhone keeps an unencrypted record of your movements Alasdair Allan and Pete Warden investigate the “consolidated.db” file, which is copied when the device is synchronized to a computer, includes unencrypted location information. This enables a person learn where the phone has been.
February 21, 2012: Location Leaks on the GSM Air Interface, hackers can find you by tracking your cellphone. By initiating PCCH paging requests for the targeted device by sending out a text message or initiating a call, they were able to listen in on the broadcast GSM PCCH paging channel and extract information needed to track down the device. It is also possible to do so without the user being alerted of the received SMS or incoming phone call. According to Physorg.com, the researchers have presented their results during the 19th Annual Network & Distributed System Security Symposium recently held in San Diego, California, and are currently working with AT&T and Nokia on low-cost solutions for the problem.
Much like the modems of old, a cell phone or other Internet-enabled mobile device can be connected to devices on your corporate network, creating an alternate path (a gateway) into your network. A formal policy regarding connecting devices to the corporate network may need clarification. Detective and preventative controls may be required.
Bluelog is a Linux Bluetooth scanner written to do a single task, log devices that are in discoverable mode. It is intended to be used as a site survey tool, determining how many discoverable Bluetooth devices there are in the area. It has also proven to be very well suited to Bluetooth traffic monitoring applications.
- Always maintain physical control over your smartphone to prevent outright theft, unauthorized usage or the installation of malware (apps with malicious code) by seemingly mild-mannered co-workers or by ruthless digital predators; treat a smartphone like a wallet, never leave it unattended in public spaces.
- Enable the smartphone’s password/passcode protection setting; a recent study reveals that only 38% of smartphone users enable this basic security feature.
- Install operating system updates whenever they become available to reduce the number of system vulnerabilities; a 2011 report indicated that 90% of Android users were running outdated operating system versions with serious security vulnerabilities.
- Install an anti-malware protection app (if available for the device) to thwart infection from malicious apps and websites; all major platforms have been hacked and are susceptible.
- When using the smartphone’s web browser, avoid suspicious/questionable websites that can be the source of malicious code.
- Be selective when buying or installing apps; wait for app reviews, download only from trusted sources (known app stores) and be cautious/suspicious of free apps, because they are free for a reason (the reason could be access to your data).
- Understand and control each downloaded apps “access” to smartphone data and personal information; game apps do not need access to phonebook contacts, photos, e-mails, location, browsing history, texting history and other phone features (avoid allowing automatic app updates).
- Do not save passwords, PINs or other account information as Contacts or in Notes.
- Avoid using open WIFIs, especially for shopping and banking activities; WIFI sniffing is a common occurrence that can have significant consequences like lost credit card numbers.
- Avoid opening suspicious e-mail or SMS text messages, especially from unknown sources; unwary readers may be unwillingly tricked into phishing by entering sensitive information from online prompts.
- Turn the Bluetooth access feature off when not needed and avoid Bluetooth use in busy public areas.
- Utilize a PIN to access voice-mail and avoid using the carrier’s default PIN setting.
- Insure that smartphone e-mail account access is through either a SSL or HTTPS connection so that transmitted data is encrypted.
Santoku Linux is crafted specifically for Mobile Forensics, Mobile Malware Analysis, and Mobile Security Testing.
ZScaler Application Profiler (ZAP) provides an overview of a mobile application’s risks before you install it.