Mobile Device Security

Computing has advanced beyond desktop computers — to laptop computers with all the power of a desktop and handheld smart phones with Internet access anywhere a cell phone signal is available. While desktop and laptop computer configuration is rather well understood, this document will address needs specific to handheld devices.

Key Challenges

Turnover

  • Most smartphones are purchased on 2-year agreements, resulting in high turnover of devices connecting to the network
  • University is typically open and accepting of new technologies brought onto the network
  • Users will expect technology staff to support the devices

Portability

  • Small size of portable devices increases portability but also makes them more susceptible to loss or theft
  • Accessing stored, unprotected data becomes trivial for someone in physical possession of the device

Privacy

  • university information must always be appropriately protected, even on personally-owned mobile devices
  • User still have privacy expectations if using a personally-owned device, even if the university pays a portion of the bill

Risk assessment

  • Most universities do not have technology in place to prevent the flow of sensitive data from
    their network onto a mobile device
  • Difficult to assess individual risk associated with the loss of a device without the ability to
    ascertain the amount of data stored

Key Risks

  • Loss
  • Theft

The two greatest risks to computers in general are loss of the physical device itself and loss of sole control of the device. Smartphone operating systems are still young and not a primary target of criminals looking to gain administrative access to a device. Therefore, the primary risk to a smartphone is loss or theft of the device.

top

Recommendations

The following recommendations should help prevent the theft of the data from a mobile device, even if the device is in the possession of a criminal.

The most common Smartphone interface into University services is through the e-mail system. Centralized enterprise e-mail systems like Microsoft Exchange and Lotus Notes allow policies to be defined on a device before access to the system is allowed.

Passcode Lock

  • Require a passcode lock on the device
  • A device should not be permitted to access data when powered on or waking up until the user enters a passcode

Automatic Sleep Mode

  • Enable an automatic sleep mode after a short period of inactivity
  • This prevents data exposure on a misplaced device
  • The automatic passcode should activate and protect the data stored on the device

Remote Wipe

  • Enable the ability to remotely wipe the device
  • The owner should be able to initiate a wipe even if they no longer posess the device
  • A device will receive the instruction to wipe all data as soon as it is connected to Wi-Fi or the cellular network

Most e-mail systems (including Microsoft Exchange) store data centrally, so no email data should be lost; Locally stored files will be wiped. Wiping the device should also be performed when the device is being retired, replaced by a new device, or sold/transferred to another party.

Data Encryption

  • Enable data encryption if supported by the device
  • Encrypting data saved on the device prevents an attacker from removing the memory and easily reading it via an alternate method

Disable Bluetooth

  • Disable Bluetooth completely if you do not use it
  • Disabled Bluetooth when not in use

GPS and Location-Based Services

Users of modern smartphones with integrated GPS need to be aware of how this affects device usage. For example, photographs taken on a mobile device with GPS will encode GPS coordinates into each photograph taken on the device. When these photos are shared with others or posted on the Internet, that data is made available to anyone.

top

More Information

For more detailed information about specific services or devices, visit Mobile Devices in the UITS Knowledge Base.

top

Security & Policy Blog Posts

  • May 10, 2012 at 7:48 AM

    • 55,000 Twitter Accounts Hacked
    Tens of thousands of Twitter accounts have been compromised in a recent hack attack in which more than 55,000 passwords were leaked and posted to Pastebin by anonymous hackers. You should probably change your Twitter password today.
  • May 7, 2012 at 8:47 AM

    • Mac OS X Lion User Passwords Exposed
    A mistake by Apple can cause Mac OS X 10.7.3 (Lion) to store your login password on the hard drive in clear text.
  • May 4, 2012 at 11:10 AM

    • Adobe Flash Player Security Update
    Adobe Flash Player Security Update
  • April 26, 2012 at 12:53 PM

    • Information Security and Privacy Program Awareness Update
    A memo has been sent to the President's Cabinet to help raise awareness of the Information Security and Privacy Program.

    Recent Security Bulletins

  • April 11, 2012 at 3:24 PM

    • Vulnerability in Windows Common Controls active exploit
    A remote code execution vulnerability exists such that an attacker who successfully exploited this vulnerability could run abitrary code on the target system, then install programs; view, change, or delete data; or create new accounts with full rights.
  • April 5, 2012 at 2:51 PM

    • Mac Malware Exploiting Java Vulnerability
    "Flashback" is Mac-specific malware that is currently spreading via a recently patched Java vulnerability
  • March 16, 2012 at 11:42 AM

    • Vulnerability in Microsoft Remote Desktop
    A remote code execution vulnerability exists such that an attacker who successfully exploited this vulnerability could run abitrary code on the target system, then install programs; view, change, or delete data; or create new accounts with full rights.
  • February 28, 2012 at 1:53 PM

    • Phone Phishing Observed at IU
    Warning about phone calls requesting information or requesting users to take action to compromise computers.