If your organization allows users to connect their smartphones to the company network, you need to consider the following potential security risks and then develop policies for addressing those issues. I also list 10 security best practices for your company's smartphone policies.
Potential smartphone security risksLack of security software
Smartphones can be infected by malware delivered across the Internet connection, or from an infected PC when the phone is connected to the PC over USB to sync data. It's even possible to infect the phone via a Bluetooth connection. It's a good idea to require that those users who connect their smartphones to your network install security software on the devices.
Mobile security software is available for all of the major smartphone platforms. Some of the most popular mobile security suites include Kaspersky Mobile Security, Trend Micro Mobile Security, F-Secure Mobile Security, and Norton's mobile security products.Security bypass
Some phones make it easy to bypass security mechanisms for the convenience of the user. This makes it a lot easier and less frustrating for those who are trying to set up their phones to connect, but it also defeats the purpose of those security measures.
For example, I was able to easily set up an Android phone (Fascinate) with an Exchange Server account despite the fact that it notified me that there was a problem with the certificate. It simply asked me if I wanted to accept all SSL certificates and set it up anyway. I clicked Yes and was connected to my mail. On a Windows Phone 7 device, that same message gave me no option for bypassing the certificate problem. I had to import the certificate to the device and install it before I could access the mail. This was obviously more trouble, but also more secure.Web security
Web browsers on smartphones have gotten a lot better and are actually usable. However, the web is a major source of malicious code, and with a small screen, it's more difficult for users to detect that a site is a phishing site. The malware can then be transferred onto the network from the phone. To protect the network, you should use a corporate firewall that does deep packet inspection of the smartphone traffic.
Most modern smartphones utilize the wireless carrier's 3G or 4G network, as well as connect to Wi-Fi networks. If users connect their phones to an unsecured Wi-Fi network, they become vulnerable to attack. If company information (such as a network password) is stored on the phone, this creates a real security issue. If the user connects back to the corporate network over a public Wi-Fi network, it could put the entire company network at risk. Users should be required to connect to the company network via an SSL VPN, so that the data traveling between the phone and the company network will be encrypted in transit and can't be read if it's intercepted.Data confidentiality
If users store business-related information on their smartphones, they should be required to encrypt the data in storage, both data that is stored on the phone's internal storage and on flash memory cards. Interestingly, a recent article in Cellular News notes that a Goode Intelligence survey found that 64% of users don't encrypt the confidential data stored on their smartphones. This is despite the fact that another survey by Juniper Networks found that more than 76% of users access sensitive information with their mobile devices.
In the past, this could be justified by the amount of processing power required to encrypt data and the slow processors on the phones. Today's phones, however, boast much more powerful hardware; the Motorola Droid 2 Global, for example, has a 1.2 GHz processor.
You also need to consider cached data in smartphone applications that are always running. Some applications display updates on the screen that could contain confidential data, as well. This is another reason to password-protect the phone. Smartphones should be capable of being remotely wiped if lost or stolen.Physical security
Because of their highly portable nature, smartphones are particularly prone to loss or theft, resulting in unauthorized persons gaining physical access to the devices. In addition, some people may share their phones with family members or loan them to friends from time to time. If those phones are set up with corporate email or VPN software configured to connect to the corporate network, for example, this is a security problem.
A basic measure is to require that users safeguard their devices by enabling PIN or password protection to get into the operating system when you turn the phone on or to unlock it. Most smartphones include this feature but most users don't enable it because it takes a little more time to enter the PIN/password each time. This will protect from access by a casual user who finds the phone or picks it up when the owner leaves it unattended. However, those features can often be defeated by a knowledgeable person.
Android 2.0.1 had a bug that made it easy to get to the homescreen without entering the PIN by simply hitting the Back button when a call came in on the locked Droid. The iPhone had a similar issue in versions 2.0.1 and 2.0.2, which let you get around the security by hitting Emergency Call and double clicking the Home button.
Security best practices for smartphone policies
Smartphone security in the business environment requires a two-pronged approach: protect the phones from being compromised and protect the company network from being compromised by the compromised phones. Here are some security best practices that you can incorporate into your smartphone policies.
- Require users to enable PIN/password protection on their phones.
- Require users to use the strongest PINs/passwords on their phones.
- Require users to encrypt data stored on their phones.
- Require users to install mobile security software on their phones to protect against viruses and malware.
- Educate users to turn off the applications that aren't needed. This will not only reduce the attack surface, it will also increase battery life.
- Have users turn off Bluetooth, Wi-Fi, and GPS when not specifically in use.
- Have users connect to the corporate network through an SSL VPN.
- Consider deploying smartphone security, monitoring, and management software such as that offered by Juniper Networks for Windows Mobile, Symbian, iPhone, Android, and BlackBerry.
- Some smartphones can be configured to use your rights management system to prevent unauthorized persons from viewing data or to prevent authorized users from copying or forwarding it.
- Carefully consider a risk/benefits analysis when making the decision to allow employee-owned smartphones to connect to the corporate network.
Related TechRepublic posts
- Seven antivirus solutions for Windows Mobile and Symbian
- Use Exchange 2010 ActiveSync to limit mobile security issues
- What are the prospects for smartphone security threats?
- Five tips for securing mobile data
- Mobile devices and security: Plug the leaks, then encrypt
- Mobile banking apps may be vulnerable: Testing and results
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.