Mobile Meanderings - Security

Date posted
5 October 2012
Reading time
7 Minutes
Luke McNeice

It's no secret that the world has gone mobile. MobileFactbook 2012 predicts that mobile subscribers worldwide will reach 6.5 billion by the end of this year. In a short space of time, consumer demand has sparked a wave of innovation, making our mobile technology experience richer, easier and cheaper. Many of Kainos' customers have already adopted mobile solutions, or are beginning to explore the potential of mobile.

My earlier post touched on our Evolve for iPad healthcare app and our approach to information security, particularly on how it was imperative that we went the extra mile in securing our app! In this post I return to the same theme of security, but in a more general sense.

For a start, do you know what information your mobile device holds about you? Quite a lot, actually: there's enough information on an average smartphone to identify and profile the owner, locate his home, access his private messages and identify his friends and family. In fact, every application on your phone potentially has access to information like this. Once you agree for an application to be installed on your device, it is given space to function as it needs to, for example saving game scores, documents, usernames, emails and even passwords. Depending on the type of application, this data could be particularly sensitive. So is it secure?

The technical name for this issue is 'information security' and right now it's a hot topic. There have been a few high-profile public security blunders in the news recently, but in general, people are becoming more aware that information security is important. Security awareness in the corporation has also improved dramatically, having been a relatively neglected part of the IT portfolio until recently. Now, many organisations have a Chief Information Security Officer, or CISO, responsible for protecting the company's data and IS assets, including mobile devices and associated data.

For both consumers and corporations, managing the risk of device and information security is done in two ways. As a starting point, it's essential to have a good mobile strategy, covering mobile device management, device whitelisting, firewall configurations for secure communications, remote wipe and certificate-enforced security policies. Security policies should also be used to enforce password complexity and duplication. Second, to be secure even when the mobile device has been compromised, all apps need to have a robust data storage solution designed from the ground up.

Other tips for mobile security are largely common sense. For example, only enable the networks/connections that you plan to use, so if you don't use a Bluetooth device then disable Bluetooth! Only install applications from vendors you trust and check reviews before installing. Use a complex device password! Back up your data and encrypt your backup. Other less obvious security steps include:
  • Enabling remote wipe and location services. This allows you to locate and remote wipe the data on your device;
  • Enabling auto erase data wipe on 10 failed password attempts;
  • Beware of unfamiliar 'open' or public wireless access points;
  • Keep your device software up to date. (Beware that some devices are permanently vulnerable, like the iPhone 1, iPhone 3G, iPod Touch);
  • If you choose to jailbreak your device, know the risks: your device becomes more vulnerable to malware;
  • Before you download an app, read the access rules / permissions that an application will be granted. (The iOS App Store doesn't state application permissions);
  • For Android, be aware that unsigned applications (applications from unknown sources) could be running any code they want, and never open an 'apk' file from anyone you don't know.
  • For iOS, beware of anyone who asks for your Unique Device Identifier (UDID) and never open an 'ipa' or 'mobileprovision' file from anyone you don't know.
  • If your mobile device is used for business you should be using Mobile Device Management (MDM) software.
Using a combination of common sense and robustly applied principles will ensure that even if your mobile device is stolen or lost, you can still feel secure. Think about the alternative: do you really want to compound the loss of your new iPhone by providing intimate personal or financial details to an unknown third party?
