Is “Secure Mobile” an Oxymoron?

If you haven’t noticed, mobile device use is pretty much ubiquitous. Apple iPhone/iPod/iPad, Windows Mobile, Palm, Google Android, Blackberry–all of these device families have their own Operating Systems that could be exploited by an attacker.  Yet, we’re seeing more and more mobile device use in business settings.

SMobile published a white paper yesterday (6/22), Threat Analysis of the Android Market,  about the ~20% of apps available from the Google Android Market that are granted permissions to potentially exploitable features/information when they’re installed. As they point out, it’s pretty easy for an attacker to encourage a potential target to install a seemingly innocent application when that application is available from the Google Market and was never vetted for security issues.

Another big issue is how easy it is to lose a mobile device. If the device is not encrypted, any confidential or private information you’ve placed on the device is at risk. If you’ve cached login credentials to your institution’s network, an attacker has easy access.

We’re working on developing mobile device security guidelines for use in accessing our university data. Because almost all devices are individually-owned and pose their own unique security risks, it’s hard to develop a one-size-fits-all policy. We’re looking at both general and device-specific guidelines.

I’ve included a preliminary draft below, parts of it based on materials developed by EDUCAUSE member institutions.  What would you add or subtract? Is it a good approach?

General Guidelines for Mobile Device Use

• Configure mobile devices securely. Depending on the specific device, you may be able to:
  • Enable auto-lock. (This may correspond to your screen timeout setting.)
  • Enable password protection.
    • Use a reasonably complex password where possible.
    • Avoid using auto-complete features that remember user names or passwords.
    • You may want to use a password safe application where available.
  • Ensure that browser security settings are configured appropriately.
  • Enable remote wipe options.
    • If you’re connecting to the university email with ActiveSync for email and calendaring, you may be able to wipe the email and calendaring information from your device remotely.
    • Third party applications may also provide the ability to remotely wipe the device.
  • Ensure that SSL protection is enabled.
• For improved performance and security, register your device and connect to the university WPA2 network where available.
• Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
• Keep your mobile device and applications on the device up to date. Use automatic update options if available.
• Install an antivirus/security program and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
• Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.
• Take appropriate physical security measures to prevent theft of mobile devices.
  • Never leave your mobile device unattended.
  • Report lost or stolen devices and change any passwords immediately.
  • Include contact information with the device.
    • On the lock screen (if possible). For example, “If found, please call 585-475-HELP.”
    • Engraved on the device.
    • Inserted into the case.

• Know your mobile vendor’s policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
• Use appropriate sanitization and disposal procedures for mobile devices.

Related articles

• Secure Mobile-an Oxymoron? (Redux) (benwoelk.wordpress.com)
• How to Secure Mobile Devices (brianpennington.co.uk)