Smartphone Security
Smartphone risks
Today's smartphones come with advanced features such as the ability to connect to the Internet, download applications, store pictures and videos, use wireless connectivity, and perform on-line banking. While smartphones increase productivity, they also come with risks.
Smartphones are also used to access corporate information systems. By exploiting smartphone and browser vulnerabilities, attackers can gain access to your applications and data.
Application-based attacks are a major threat and can target your logon credentials, memorized passwords, financial data, etc. The malicious software is typically installed by the phone user when visiting an infected web site, downloading and installing applications, or clicking on links in messages. However, it can also be installed by someone else who has physical access to your phone. All it takes is a few minutes to install the software, and then it runs behind the scenes without your knowledge.
Spyware is not restricted to PCs. Phone spyware can:
- Listen in on your phone calls
- Record your text and e-mail messages
- View your photographs
- Access your files
When your phone is not in use, spyware can turn on the microphone and listen in on conversations in your vicinity. Spyware can even track your location through the Global Positioning System (GPS) feature on your phone. Some spyware can automatically forward text messages to a designated phone number.
Establish standards
According to industry statistics, two thirds of fresh and critical business data is not stored on corporate servers. Smartphones and other intelligent devices frequently hold the most current customer contacts, communications with suppliers, vendors, and other service providers.
Many phone users adopt new technology before they are fully aware of the risks involved. Securing smartphones is the responsibility of both the phone user as well as the organization. Successful firms use a multi-layered approach to protecting smartphones and related "information assets".
The IT department should establish standards for smartphones, phone protection software, etc. This reduces IT administration costs and offers better protection for the enterprise. IT must identify controls that address the infrequent patch updates for smartphone software compared with the daily or weekly updates provided for servers and desktops. IT should have a firm policy that identifies which devices are allowed to connect to the network, and should enforce it technically rather than relying on users to comply.
Encryption
Where possible, smartphone operating systems should support encryption. Many smartphones include a system encryption feature that encrypts all data, applications, and files. When a user powers on the phone they enter a password or PIN to gain access to the information on the device. The smartphone uses the password or PIN to derive (or unlock) the key that decrypts the data and makes it readable. This protection is only as strong as the passcode and the device's resistance to guessing: if an attacker can copy the storage and try PINs offline, without the phone's hardware enforcing retry limits, a four-digit PIN can be exhausted in minutes.
Phone security configuration
Where possible, smartphone users should minimize their attack surface by disabling features they are not using:
- Global Positioning System (GPS) - lets applications, including spyware, report your location.
- Bluetooth - default configurations may leave the phone discoverable and allow pairing with unauthorized devices.
- Wi-Fi - smartphones using Wi-Fi are exposed to the same risks faced by laptops, such as open or rogue access points. Access using a provider's 3G or 4G service tends to be more secure.
The phone should have a very strong password and a short screen timeout. This helps prevent an unauthorized person from accessing sensitive data or downloading and installing unwanted applications. Take advantage of smartphones that allow stronger passwords:
- Passwords longer than four digits, or alphanumeric passcodes
- Create a security code by tracing a pattern with a finger (patterns have a much smaller space than a long passcode and can be recovered from smudges on the screen)
- Biometric security features (these normally unlock a key that the passcode protects, so the passcode remains the fallback and must still be strong)
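The passcode-strength points above, and the Encryption section's note that the phone turns the password or PIN into the decryption key, can be seen in a small worked example. The following Python script is added here; it is not part of the original article and not any phone vendor's code. The key derivation (PBKDF2-HMAC-SHA256), the low work factor, the sample PIN and the "device secret" are all constructed for illustration. It derives a key from a four-digit PIN, shows that an attacker holding a copy of the storage can recover the PIN by trying all 10,000 values offline, and shows that the same search fails once the derivation also depends on a secret that never leaves the device's hardware, which is what makes screen-lock retry limits meaningful.

```python
import hashlib
import hmac
import itertools
import os

# Constructed parameter: kept low so the demonstration runs in seconds.
# Real devices use far higher work factors plus hardware rate limiting.
ITERATIONS = 200
KEY_LEN = 32


def derive_key(passcode: str, salt: bytes, device_secret: bytes = b"",
               iterations: int = ITERATIONS) -> bytes:
    """Derive the data-encryption key from the user's passcode.

    device_secret models a per-device key held in secure hardware and mixed
    into the derivation. An attacker who copies the storage chip gets the
    salt and the ciphertext but not this secret. (Hypothetical design for
    illustration; real phones use vendor-specific constructions.)
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                               salt + device_secret, iterations, dklen=KEY_LEN)


def unlock(passcode: str, salt: bytes, expected_key: bytes,
           device_secret: bytes = b"") -> bool:
    """What the phone does at boot: re-derive the key and compare in constant time."""
    return hmac.compare_digest(
        derive_key(passcode, salt, device_secret), expected_key)


def brute_force_digit_pin(salt: bytes, target_key: bytes, digits: int = 4,
                          attacker_secret: bytes = b"") -> tuple:
    """Offline attack against an extracted storage image.

    Tries every all-digit PIN of the given length in order. Returns
    (pin_or_None, guesses_made). attacker_secret is whatever the attacker
    knows of the device secret: b"" when the key is bound to hardware
    they do not possess.
    """
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        guesses += 1
        guess = "".join(combo)
        if hmac.compare_digest(derive_key(guess, salt, attacker_secret),
                               target_key):
            return guess, guesses
    return None, guesses


def demo() -> tuple:
    salt = os.urandom(16)
    pin = "0831"  # constructed sample PIN

    # Case 1: the key depends only on the PIN. Whoever holds the storage
    # image can enumerate all 10,000 PINs offline; the screen lock's
    # retry limit never comes into play.
    weak_key = derive_key(pin, salt)
    found, tries = brute_force_digit_pin(salt, weak_key)

    # Case 2: same PIN, but the derivation also mixes in a device-bound
    # secret. The same offline search over the PIN space now fails, and
    # the only way to guess is through the phone, where retries are limited.
    device_secret = os.urandom(32)
    bound_key = derive_key(pin, salt, device_secret)
    not_found, _ = brute_force_digit_pin(salt, bound_key)

    legit = unlock(pin, salt, bound_key, device_secret)
    return found, tries, not_found, legit


if __name__ == "__main__":
    print(demo())
```

Run it with `python3 pin_kdf_demo.py`; it prints the recovered PIN and the number of guesses for the unbound case, `None` for the hardware-bound case, and `True` for the legitimate unlock. The lesson carries over to longer passcodes: a six-digit PIN raises the offline search to a million guesses, which is still small unless the derivation is bound to the device and rate-limited by it.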
Like a traditional computer, smartphones can remember website logon usernames and passwords. This presents a security risk if the phone is lost or stolen. Configure smartphones to disable the browser's auto-fill and saved-password features.
Security can be cumbersome when users must remember a different password for each application or website. Applications such as PasswordWallet, 1Password, LastPass, and SplashID help users manage multiple logon credentials.
Protection software
Phone protection software should be installed on all devices that access the Internet and especially phones that access corporate information systems. Smartphone security and device management software typically provides the following services:
- Access - notifies the user when applications attempt to access sensitive data
- Alerts - warns the user when visiting a suspicious website
- Backup - backs up contacts, calendars, text messages, etc., with browser access to the service to restore files
- Blocking - blocks spam, unwanted text messages, and phone calls
- Locate - helps you find a missing phone by showing it on a map or sounding an audible alarm
- Malware - scans applications for viruses and other forms of malicious software
- Parental control - view messaging and photo activity
- Remote - remotely lock the phone and erase its contents (wipe) if it is lost or stolen
- Device management - mobile device management (MDM) software helps IT departments separate organization data from personal data, so IT can wipe organization information from the device without erasing the user's personal data
Not all smartphone security software products include the features listed above. In addition, some features such as backing up call log files, photos, etc. may be an additional charge or may only protect the information on the phone and not on SD cards. Popular security software includes:
- BullGuard Mobile Security
- F-Secure Mobile Security
- Lookout Mobile Security
- McAfee WaveSecure
- Norton Mobile Security
- Trend Micro Mobile Security
Security education
Staff security education and awareness training should be provided on a regular basis.
Smartphones are portable and easily misplaced or stolen. Ensure staff follow physical security best practices that include locking the device when it is not in use.
Staff should only download and install applications from trusted sources, and should read the application reviews before installing. Staff should also read and understand the permissions requested by the application, and question any that do not match what the application is supposed to do.
Staff should not click on message links from unknown senders or visit unknown web sites that can download and install malware to a smartphone. Once installed, the malware can launch attacks against your internal network.
When using the phone for personal activities such as banking, shopping, etc., the user should use a dedicated application provided by the bank or retailer instead of the smartphone's browser. Staff should periodically clear the browser history to prevent someone from retracing the user's activities.
Staff should be made aware that standard text messages (SMS) are not end-to-end encrypted and can be read by the carrier or by anyone who intercepts them. In addition, many messaging applications do not offer end-to-end encryption, so sensitive information should not be sent over them.
Summary
With immediate access to corporate systems, data, e-mail, and the Internet, smartphones offer enhanced productivity. Smartphones also present a variety of risks that must be managed using a proactive approach to security.
Network security audits and mobile security audits help organizations identify, manage, and reduce their risks related to smartphones. Formal and documented policies ensure a top down approach to managing smartphone related risks.