Smartphone Security

Smartphone risks

Today's smartphones come with advanced features such as the ability to connect to the Internet, download applications, store pictures and videos, use wireless connectivity, and perform on-line banking. While smartphones increase productivity, they also come with risks.

Smartphones can be used to access corporate information systems. By exploiting smartphone and browser vulnerabilities, attackers can gain access to your applications and data.

Application-based attacks are a big threat and can target your logon credentials, memorized passwords, financial data, etc. The malicious software is typically installed by the phone user when visiting an infected web site, downloading and installing applications, or clicking on links in messages. However, it can also be installed by someone else who has physical access to your phone. All it takes is a few minutes to install the software, after which it runs behind the scenes without your knowledge.

Spyware is no longer restricted to PCs. Phone spyware can do the following:

When your phone is not in use, spyware can turn on the microphone and listen in on conversations in your vicinity. Spyware can even track your location through the Global Positioning System (GPS) feature on your phone. Some spyware can automatically forward text messages to a designated phone number.

Establish standard

According to industry statistics, two thirds of fresh and critical business data is not stored on corporate servers. Smartphones and other intelligent devices frequently hold the most current customer contacts, communications with suppliers, vendors, and other service providers.

Many phone users adopt new technology before they are fully aware of the risks involved. Securing smartphones is the responsibility of both the phone user as well as the organization. Successful firms use a multi-layered approach to protecting smartphones and related "information assets".

The IT Department should establish standards for smartphones, phone protection software, etc. This reduces IT administration costs and offers better protection for the enterprise. IT must identify controls that address the infrequent software patch updates for smartphones compared with the daily or weekly updates provided for servers and desktops. IT should have a firm policy that identifies which devices are allowed to connect to the network.

Encryption

Where possible, smartphone operating systems should support encryption. Many smartphones include a system encryption feature that encrypts all data, applications, and files. When a user powers on the phone, they enter a password or PIN to gain access to the information on the device. The smartphone then uses the password or PIN to decrypt the data and make it readable.

Phone security configuration

Where possible, smartphone users should minimize their attack surface by disabling:

The phone should have a very strong password and a short screen timeout. This helps prevent an unauthorized person from accessing sensitive data or downloading and installing unwanted applications. Take advantage of smartphones that allow stronger passwords:

Like a traditional computer, a smartphone can remember website logon usernames and passwords. This presents a security risk if the phone is lost or stolen. Configure smartphones to disable the browser's auto-fill feature.

Security can be cumbersome when users must remember a different password for each application or website. Applications such as PasswordWallet, 1Password, LastPass, and SplashID help users manage multiple logon credentials.

Protection software

Phone protection software should be installed on all devices that access the Internet and especially phones that access corporate information systems. Smartphone security and device management software typically provides the following services:

Not all smartphone security software products include the features listed above. In addition, some features such as backing up call log files, photos, etc. may be an additional charge or may only protect the information on the phone and not on SD cards. Popular security software includes:

Security education

Staff security education and awareness training should be provided on a regular basis.

Smartphones are portable and easily misplaced or stolen. Ensure staff follow physical security best practices that include locking the device when it is not in use.

Staff should only download and install applications from trusted sources. Before installing software, staff should read the application's reviews, and they should read and understand the permissions the application requests.

Staff should not click on message links from unknown senders or visit unknown web sites that can download and install malware to a smartphone. Once installed, the malware can launch attacks against your internal network.

When using the phone for personal activities such as banking, shopping, etc., the user should use a dedicated application provided by the retailer instead of using the smartphone's browser. Staff should periodically clear the browser history to prevent someone from retracing the user's activities.

Staff should be made aware that text messages are sent in unencrypted, clear text that can be read by others. In addition, most messaging applications do not offer security protection.

Summary

With immediate access to corporate systems, data, e-mail, and the Internet, smartphones offer enhanced productivity. Smartphones also present a variety of risks that must be managed using a proactive approach to security.

Network security audits and mobile security audits help organizations identify, manage, and reduce their risks related to smartphones. Formal and documented policies ensure a top-down approach to managing smartphone-related risks.

Unlike a security consultant, Altius IT is certified as a Certified Information Systems Auditor to perform a security audit of your environment and issue reports and recommendations to secure your systems. After your audit, Altius IT's Auditor Opinion Letter and Secure Seal let your clients and prospects know you meet security best practice/compliance requirements.

See our In the News page for video clips of our experts on national television as well as over 40 publications featuring Altius IT. In addition to our auditor certifications we hold many security, technical, and project management credentials. More information is available on our About Us page.

Our comprehensive audit service uncovers gaps in your existing defenses so that you can better:

  • Fortify your information systems, applications, and network infrastructure
  • Comply with regulatory requirements
  • Protect your valuable assets