Challenges in Smartphone Security

What Your Phone Says About You Quantainia Challenges in Smartphone Security Simon Walker & Javvad Malik The mighty device The ubiquitous Smartphone - you can shop, chat, manage your e-mails ( work and personal), announce your location, check those of friends, the list goes on. More than that, in recent times we have seen real social change enabled by technology including such devices; for example in Moldova, Iran, and more recently in Tunisia and Egypt; as Smartphone's have facilitated the rapid, first hand, communication of events. Moreover, the popularity and increasing affordability of Smartphone's has led many organisations to consider their use to provide ready access to corporate resources. This is perceived to lead to significant gains, in terms of cost and efficiency. Mobile Banking 13.1m 5.5m As noted, Smartphone's are no longer limited in function to checking email. Users can now work on and store documents, access not simply contact details but other corporate information, and indeed participate in business workflows. These activities can be performed via the handset's web browser, customised applications or proprietary systems such as Microsoft Exchange. Whatever the technology used, clearly the Smartphone has become the custodian of a large amount of corporate data, sometimes including highly sensitive information. The issues All this potential does not come without risk. Most Smartphone's available at present display inherent Mobile Phone Subscriptions security flaws. In many cases, the security features in handsets are not an intrinsic part of the device design, and amount to merely superficial additions to what is otherwise a product driven mainly by the need for a fundamentally open architecture. Such security as exists in Android and iOS can easily be overridden after user provisioning. As the complexity and functionality of smart phones increases, so to0 does their susceptibility to security vulnerabilities, and the potential impact of a security breach. The a mind, do exist per 100 inhabitants Arab States 2010 2005 means to Smartphone's designed with a consumer, rather than a busines user in the form of third party add-ons, but uptake has been patchy at best. 26.6 199% 79.4 In a corporate context, Smartphone's represent an extension of the corporate perimeter, even more so if the same device is used for both corporate and personal functions. Since they are not equipped with security measures of equivalent strength to those usually found in other mobile IT equipment like laptops, it is hardly surprising that they are now often targeted by criminal organisations and other threat agents. Indeed, given the fact that they are highly likely to be used outside the physical premises, this increases their attractiveness as a target. Rapid uptake of the technology simply ensures that the "bad hats" will be more familiar with the possibilities - for example rogue apps or Smartphone-focussed Asia Pac 2010 | 201% 67.8 2005 22.5 malware. Africa 2010 The BlackBerry platform may be offered as a counter-example to this trend. Since it was designed from the outset for business users, we can broadly say it is based on more secure design principles than other platforms on the market. Nonetheless, the security of BlackBerry devices still depends on effective deployment of a robust set of security policies. The Blackberry has been accepted for use with Restricted material in some countries, and banned by some others, which can be interpreted as an indication that it is secure enough to prevent eavesdropping by a fairly sophisticated organisation. That said, not all Western governments have been as accepting - France, for instance, has a specific ban on the use of Blackberries in a government context. 2005 12.3 236% 41.4 Americas 2005 2010 52.9 I 78% 94.1 Europe 2005 2010 91 31% 120 Source: International Telecommunication Union Statistics Getting to grips with securing your estate Blackberry Security Facts With all this in mind, there are some straight- forward step that can be taken at a corporate, and indeed, an individual level to limit the risk, not only to Smartphone's that form part of a corporate estate, but also your own personal phone. Government Security Accreditation Banned or threatened to ban Blackberry's No Government Security Accreditation At a personal level At a corporate level | Ensure any business-use Smartphone's are explicitly under governance A Keep Wi-Fi and Bluetooth off when you aren't using them | Lock your phone when not in use A Define a workable acceptable use policy and supporting awareness. E.g. is "jailbreaking" explicitly forbidden? A If it's your device, consider registering it with a service like http://www.immobilise.com/, to make theft a phones a less attractive prospect and their return more likely Consider integrating Smartphone anti-virus products A Limit the loss value of the device, disable unnecessary functionality, backup data, and ensure there is a clear and unambiguous process for reporting and reacting to the loss of a device. A Exercise the same caution with e-maiks (and texts) from unknown sources on your phone as you would from your PC A Carefully consider any apps you may want to download - are they from a reputable source ? What data will they access? Some closing thoughts 1627 The number of free Android Apps with greater than 250,000 copies distributed by end Jan 2011 200000 Android devices activated every day in August 2010 The number of paid for Android During this period the first malware was reported for Android OS Apps with greater than 250,000 copies distributed by end Jan 2011 The estimated number of mobiles to be lost every year in the US Quantainia 70,000,000 Mabledon Place, London. WCIH 988 +44 (0) 20 7125 0364 [email protected] www.quantainia.com Innovation Quality Excellence ...