Smartphones

Smartphone enterprise security risks and best practices

If your organization allows users to connect their smartphones to the corporate network, read about potential security risks, and learn best practices for your company's smartphone policies.

If your organization allows users to connect their smartphones to the company network, you need to consider the following potential security risks and then develop policies for addressing those issues. I also list 10 security best practices for your company's smartphone policies.

Potential smartphone security risks

Lack of security software

Smartphones can be infected by malware delivered across the Internet connection, or from an infected PC when the phone is connected to the PC over USB to sync data. It's even possible to infect the phone via a Bluetooth connection. It's a good idea to require that those users who connect their smartphones to your network install security software on the devices.

Mobile security software is available for all of the major smartphone platforms. Some of the most popular mobile security suites include Kaspersky Mobile Security, Trend Micro Mobile Security, F-Secure Mobile Security, and Norton's mobile security products.

Security bypass

Some phones make it easy to bypass security mechanisms for the convenience of the user. This makes it a lot easier and less frustrating for those who are trying to set up their phones to connect, but it also defeats the purpose of those security measures.

For example, I was able to easily set up an Android phone (Fascinate) with an Exchange Server account despite the fact that it notified me that there was a problem with the certificate. It simply asked me if I wanted to accept all SSL certificates and set it up anyway. I clicked Yes and was connected to my mail. On a Windows Phone 7 device, that same message gave me no option for bypassing the certificate problem. I had to import the certificate to the device and install it before I could access the mail. This was obviously more trouble, but also more secure.

Web security

Web browsers on smartphones have gotten a lot better and are actually usable. However, the web is a major source of malicious code, and with a small screen, it's more difficult for users to detect that a site is a phishing site. The malware can then be transferred onto the network from the phone. To protect the network, you should use a corporate firewall that does deep packet inspection of the smartphone traffic.

The Wi-Fi threat

Most modern smartphones utilize the wireless carrier's 3G or 4G network, as well as connect to Wi-Fi networks. If users connect their phones to an unsecured Wi-Fi network, they become vulnerable to attack. If company information (such as a network password) is stored on the phone, this creates a real security issue. If the user connects back to the corporate network over a public Wi-Fi network, it could put the entire company network at risk. Users should be required to connect to the company network via an SSL VPN, so that the data traveling between the phone and the company network will be encrypted in transit and can't be read if it's intercepted.

Data confidentiality

If users store business-related information on their smartphones, they should be required to encrypt the data in storage, both data that is stored on the phone's internal storage and on flash memory cards. Interestingly, a recent article in Cellular News notes that a Goode Intelligence survey found that 64% of users don't encrypt the confidential data stored on their smartphones. This is despite the fact that another survey by Juniper Networks found that more than 76% of users access sensitive information with their mobile devices.

In the past, this could be justified by the amount of processing power required to encrypt data and the slow processors on the phones. Today's phones, however, boast much more powerful hardware; the Motorola Droid 2 Global, for example, has a 1.2 GHz processor.

You also need to consider cached data in smartphone applications that are always running. Some applications display updates on the screen that could contain confidential data, as well. This is another reason to password-protect the phone. Smartphones should be capable of being remotely wiped if lost or stolen.

Physical security

Because of their highly portable nature, smartphones are particularly prone to loss or theft, resulting in unauthorized persons gaining physical access to the devices. In addition, some people may share their phones with family members or loan them to friends from time to time. If those phones are set up with corporate email or VPN software configured to connect to the corporate network, for example, this is a security problem.

A basic measure is to require that users safeguard their devices by enabling PIN or password protection to get into the operating system when you turn the phone on or to unlock it. Most smartphones include this feature but most users don't enable it because it takes a little more time to enter the PIN/password each time. This will protect from access by a casual user who finds the phone or picks it up when the owner leaves it unattended. However, those features can often be defeated by a knowledgeable person.

Android 2.0.1 had a bug that made it easy to get to the homescreen without entering the PIN by simply hitting the Back button when a call came in on the locked Droid. The iPhone had a similar issue in versions 2.0.1 and 2.0.2, which let you get around the security by hitting Emergency Call and double clicking the Home button.

In the future, PINs and passwords may be replaced by biometric or facial recognition systems.

Security best practices for smartphone policies

Smartphone security in the business environment requires a two-pronged approach: protect the phones from being compromised and protect the company network from being compromised by the compromised phones. Here are some security best practices that you can incorporate into your smartphone policies.

  1. Require users to enable PIN/password protection on their phones.
  2. Require users to use the strongest PINs/passwords on their phones.
  3. Require users to encrypt data stored on their phones.
  4. Require users to install mobile security software on their phones to protect against viruses and malware.
  5. Educate users to turn off the applications that aren't needed. This will not only reduce the attack surface, it will also increase battery life.
  6. Have users turn off Bluetooth, Wi-Fi, and GPS when not specifically in use.
  7. Have users connect to the corporate network through an SSL VPN.
  8. Consider deploying smartphone security, monitoring, and management software such as that offered by Juniper Networks for Windows Mobile, Symbian, iPhone, Android, and BlackBerry.
  9. Some smartphones can be configured to use your rights management system to prevent unauthorized persons from viewing data or to prevent authorized users from copying or forwarding it.
  10. Carefully consider a risk/benefits analysis when making the decision to allow employee-owned smartphones to connect to the corporate network.

Related TechRepublic posts

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

2 comments
joy2640
joy2640

The only phone that I know of that totally secures the data entered on that SD card and prevents a crook from unlocking a phone is the Blackberry!


When my Blackberry was lost/ stolen a few years ago, the man who returned it ,states he purchased it from a stranger. Once the cash exchanged occurred and he turned it on, he saw that it was locked. He even admitted he tried to unlock the device but he was warned he had ONE more attempts..


I changed the factory setting from TEN  to TWO....I know my password and I will not make TWO mistakes!


So, it was set  at TWO attempts. He tried and he only had one more attempt...


When he volunteered the information that he tried to VIEW what was on my DS card....and could not access it on his computer, I was relieved!


I did not know Blackberry functioned like that. I had no clue about the amazing security in that phone..I had no idea that ALL data entered into the device was encrypted..


Are any of the smartphone with this technology other than a Blackberry?

...I know they have the locator service...but what good is location if they are planning to "FLASH" the device?...All they have to do is remove the battery or simply turn it off until they are ready to " flash" the device. I was so happy he was not able to get into my device.



If a phone is stolen, all of your private information on the SD card, if NOT encrypted, is available to a complete stranger..I do not like that about these DUMB smart phones!!!!



kevaburg
kevaburg

I was surprised to see nothing about an employers written policy about the use of smartphones in the work place. There is normally some type policy regarding the use of USB drives etc but most smartphones function as mass storage devices equally well. The problem is that if an employee has not been made aware of the fact their smartphone may or maynot be used and if that information is not in writing, then the employer has very little room for maneuvre if the proverbial hits the fan. And whats more, although viruses can propagate through a network to the phone (or even the other way around) no real mention has been made of the security risks of synchronising files and Outlook (Calendar and perhaps more importantly, contacts) between the PC and the phone. There is a great deal more to this theme than simply saying "install security software". Security in IT is not absolute; it is quite simply, an evolving entity and our approach to security needs to embrace that philosophy. That means keeping the network (and the phone) safe, but not making life difficult for the end-user.

Editor's Picks