This year the mobile phone market overtook the PC market for the first time. This is a landmark event, and the rapid growth of the computing power and capabilities of mobile devices raises new questions and challenges in information security.
Today's smartphones and tablets carry a full-fledged "adult" operating system similar to that of their big brothers: remote administration, VPN support, web browsers with Flash and JavaScript, mail synchronization, notes, file sharing. All this is very convenient, but the market of protective tools for such devices is still poorly developed. A good example is the corporate standard BlackBerry, a smartphone with support for centralized management through a server, encryption and remote wipe of the device. However, its market share is not that large, and in Russia it is practically nonexistent. Meanwhile there are plenty of devices based on Windows Mobile, Android, iOS and Symbian, which are protected much more weakly. The main security problems stem from the fact that the variety of operating systems for mobile devices is very large, as is the number of versions within a single family.
Testing and vulnerability research for them is not as intensive as for desktop operating systems, and the same goes for mobile applications. Modern mobile browsers have almost caught up with their desktop counterparts, but the expansion of functionality leads to greater complexity and less security. Not all manufacturers release updates that close critical vulnerabilities in their devices: business, marketing and the lifespan of a particular device get in the way. I propose to look at the typical data stored on a smartphone that may be of use to an attacker.
As a rule, access to mail services and mail synchronization are configured on the device once, so in case of loss or theft of the device an attacker gains access to all correspondence, as well as to every service linked to that mailbox.
Skype, ICQ, Jabber all run on modern mobile devices, so a person's entire correspondence and contact lists can be put at risk.
Dropbox for mobile devices can become a source of compromise for any documents, as well as notes and calendar events. The storage capacity of modern devices is large enough for them to replace USB drives, and the documents and files on them are quite capable of pleasing an attacker. It is common to find smartphones where the notes application serves as a universal password list, and password-store applications protected by a master key are widespread. Bear in mind that in that case the strength of all the passwords equals the strength of the master key and the competence of the application's implementation.
Sometimes information about specific individuals is very expensive.
Using a smartphone or tablet for remote access to the workplace through VNC, TeamViewer and other remote administration tools is not uncommon, nor is access to corporate networks via VPN. By compromising the device, an employee can compromise the whole "secure" enterprise network.
Imagine that an employee uses remote banking (RBS) on a mobile device (modern browsers allow this kind of activity) and that the same mobile device is linked to the bank to receive SMS alerts and one-time passwords. It is easy to see that the whole RBS setup can be compromised by the loss of a single device.
The main ways information is compromised from mobile devices are loss and theft. Reports of huge financial losses to organizations due to missing laptops reach us regularly, but the loss of a tablet with current financial information can also bring a lot of trouble. Malware for smartphones and tablets is for now more a scary myth and a marketing tool, but vigilance should not be dropped, because this market is developing at a frantic pace. Let us see what security features today's mobile operating systems have and how they are implemented.
Modern operating systems for mobile devices have a decent set of built-in security features, but often some of them are not used or are disabled.
Windows Mobile is one of the oldest operating systems on the market. Versions 5.0 and 6.x are software-compatible, which is why a large number of protective tools exist for them. Starting with version 6.0, encryption of memory cards is supported. The OS has no built-in means of preventing the installation of applications from untrusted third-party sources, so the likelihood of malware infection is high; several proof-of-concept malware samples for this platform do exist. Corporate solutions are offered by many companies (Kaspersky Endpoint Security for Smartphone, Dr.Web Enterprise Security Suite, McAfee Mobile Security for Enterprise, Symantec Mobile Security Suite for Windows Mobile, ESET NOD32 Mobile Security, GuardianEdge Smartphone Protection).
These solutions offer not only anti-virus protection but also traffic filtering on all of the device's communication channels, encryption, and centralized deployment and management. GuardianEdge's solution includes elements of a DLP system. The OS's built-in ActiveSync support together with Exchange Server allows remote wipe of the device. With Exchange Server you can configure security policies for devices, such as mandatory screen lock, PIN length and so on.
New firmware releases containing vulnerability fixes depend on the device manufacturer, but in general they are very rare. OS version upgrades are also very rare.
Windows Phone 7 (WP7) was released recently; nothing is yet known about enterprise solutions for protecting this OS.
Despite Nokia's recent shift to WP7, Symbian still dominates the mobile OS market. Applications for Nokia are distributed as sis packages carrying the developer's digital signature. Signing with a self-made certificate is possible, but it restricts what the software is allowed to do. Thus the system is fairly well protected against possible malware. Java applets and sis applications ask the user for confirmation before certain actions (network access, sending SMS), but as is well known this does not always stop an attacker: many users tend to agree with everything the operating system proposes without particularly reading into what it means.
Symbian also provides tools to encrypt the memory card; you can use a lock with a permanent password; Exchange ActiveSync (EAS) policies are supported, allowing remote wipe of the device. There are many information protection solutions from leading vendors (Symantec Mobile Security for Symbian, Kaspersky Endpoint Security for Smartphone, ESET NOD32 Mobile Security), similar in functionality to their Windows Mobile versions.
Despite all of the above, there are several ways to obtain full access by replacing the «installserver» file, which is responsible for signature checking and permission to install software. Typically users do this to install cracked software, which of course loses its signature after being cracked. In that case the security of the operating system as a whole may be compromised. Firmware for Nokia devices is released regularly, especially for new models. The average lifespan of a device is 2-2.5 years; within this period one can expect the device's childhood diseases to be cured and critical vulnerabilities to be fixed.
iOS is the operating system from Apple. Devices from the third generation onward (3GS and later) support hardware encryption by means of the system. The OS supports EAS policies and enables remote management and configuration through the Apple Push Notification Service, including remote wipe of data.
The closed nature of the platform and its orientation towards Apple's App Store provide strong protection against malicious software. Corporate protection solutions come from fewer companies (GuardianEdge Smartphone Protection, Panda Antivirus for Mac, Sophos Mobile Control). Panda's solution is a desktop antivirus that can also scan iOS devices connected to a Mac. Sophos's solution has been announced but is still in development (at the time of writing, March 2011. – Ed.). However, as with Symbian, the system can be compromised by a jailbreak. The recent news about the Fraunhofer Institute for Information Security Technology breaking iOS is proof of this. Firmware upgrades closing vulnerabilities are released for Apple devices on a regular basis.
Android, the young system from Google, has rapidly won the market. Starting with version 1.6 it supports the Exchange ActiveSync protocol, which makes devices with this operating system interesting for the corporate segment. EAS policies (though not all of them) are also supported. Encryption of memory cards by the OS is not provided. There are a number of enterprise protection solutions (McAfee WaveSecure, Trend Micro Mobile Security for Android, Dr.Web for Android; Kaspersky has announced a solution). Applications are distributed through the Android Market, but nothing prevents installing them from other sources. Malware for Android exists, but at installation time the operating system shows all the permissions the program requires, so in this case everything depends directly on the user (however, hardly anyone reads the installation warnings anyway: most fully legitimate programs from the Market throw up a bunch of warnings about access to every conceivable part of the system. – Ed.).
The OS is protected from modification, but as with Symbian and iOS full access to the system can be obtained; here it is called root. After obtaining root one can write to system areas and even replace system applications. Firmware updates and OS version upgrades with bug and vulnerability fixes come out regularly for most devices.
Summing up this interim review, we can say that modern mobile operating systems have good means of protection, both built-in and on the market. The main problems are late or absent updates, users bypassing the protection, and the lack of corporate security policies for mobile devices. Because of the different operating systems and versions there is no single enterprise solution that could be recommended outright. Let us consider what steps should be taken to protect the device and what to take into account when creating information security policies.
Imagine that your smartphone falls into the hands of a stranger. For most users this means that someone gains access to everything at once. You must lock the device with a password (permanent, or with a limited number of entry attempts, after which the data on the device is wiped or the device is blocked).
You must use encryption of removable media and memory cards: everything an attacker could gain access to.
Do not save passwords in the password managers of browsers, even mobile ones. It is advisable to restrict access to email correspondence and SMS and to use encryption.
There are many applications designed to store all passwords on a mobile device, with access by entering a master key. If that key is not strong enough, the organization's entire password policy is compromised.
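The point above, that a master-key store is only as strong as the key space the policy allows and the cost the application attaches to each unlock attempt, can be seen with the following added example; it is not code from the original article or from any password-store product. It assumes a store that derives its vault key with PBKDF2 (the .NET Rfc2898DeriveBytes class) and keeps a SHA-256 verifier of that key; the iteration counts and the key spaces are illustrative values, and the measured cost is for a single PowerShell process on one core, so only the ratios matter.

```powershell
# Added example (not from the original article): strength of a master-key
# password store = size of the allowed master-key space x cost of one guess.
# Assumptions: PBKDF2 (Rfc2898DeriveBytes) for the vault key, SHA-256 verifier,
# illustrative iteration counts; no real product's parameters are claimed.

function New-VaultHeader {
    # What a password store writes at creation time: salt, KDF cost, verifier.
    param([string]$MasterKey, [int]$Iterations)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($MasterKey, $salt, $Iterations)
    $key = $kdf.GetBytes(32)                    # the key that would encrypt the vault
    $verifier = [System.Security.Cryptography.SHA256]::Create().ComputeHash($key)
    return @{ Salt = $salt; Iterations = $Iterations; Verifier = $verifier }
}

function Test-MasterKey {
    # The unlock check: re-derive the key and compare verifiers (the key itself is never stored).
    param([string]$Candidate, [hashtable]$Vault)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Candidate, $Vault.Salt, $Vault.Iterations)
    $h = [System.Security.Cryptography.SHA256]::Create().ComputeHash($kdf.GetBytes(32))
    return [Convert]::ToBase64String($h) -eq [Convert]::ToBase64String($Vault.Verifier)
}

function Measure-UnlockCost {
    # Average seconds one unlock attempt costs on this machine.
    param([hashtable]$Vault, [int]$Samples = 20)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    for ($i = 0; $i -lt $Samples; $i++) { $null = Test-MasterKey -Candidate "wrong-$i" -Vault $Vault }
    $sw.Stop()
    return $sw.Elapsed.TotalSeconds / $Samples
}

# Master-key spaces a policy might permit (exact sizes, constructed for the comparison).
$keySpaces = [ordered]@{
    '4-digit PIN'         = [math]::Pow(10, 4)
    '6-digit PIN'         = [math]::Pow(10, 6)
    '8-char alphanumeric' = [math]::Pow(62, 8)
}

# 1 iteration = a naive implementation; 20000 = an application that deliberately slows each guess.
foreach ($iterations in 1, 20000) {
    $vault = New-VaultHeader -MasterKey 'correct master key' -Iterations $iterations
    if (-not (Test-MasterKey -Candidate 'correct master key' -Vault $vault)) { throw 'verifier check broken' }
    $cost = Measure-UnlockCost -Vault $vault
    foreach ($name in $keySpaces.Keys) {
        $hours = $keySpaces[$name] * $cost / 3600
        '{0,6} PBKDF2 iterations | {1,-20} | {2,8:N3} ms/try | whole key space: {3:N1} h' -f `
            $iterations, $name, ($cost * 1000), $hours
    }
}
```

The two knobs the table exposes are exactly the two the text names: the policy decides the key space (a numeric PIN is exhausted in hours even with a slow KDF), and the application's implementation decides the per-guess cost (an application that derives the key with a single hash makes even a long master key cheap to test). A failed-attempt lockout on the device does not help here, because a copied vault file is checked offline; only the master-key length and the KDF cost do.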
Unfortunately, the means to enforce such a ban exist only for Windows Mobile devices; in all other cases users have to be taken at their word. It is advisable to use software from large, well-known developers.
If possible, guard against the whole range of threats (including new ones), and in case of loss or theft of the device, lock it and destroy all data on it.
For users who have access to the trusted zone (the internal network over VPN, remote administration tools), compliance with these rules must be monitored even more carefully (require them to use IPsec and not to store authentication data in applications). If such a device is compromised, the whole internal / trusted zone is under threat, which is unacceptable.
Modern mobile devices and applications are oriented towards the use of multiple cloud services. Make sure that sensitive information and data constituting trade secrets are not synchronized or sent by accident to one of these services.
In conclusion, for corporate use it is desirable to standardize on one platform (better still, one device model) with enterprise-class protection installed, which can be configured and updated centrally. It follows from this article that it is necessary to develop and implement an information security policy for mobile devices, monitor compliance with it, and be sure to use an Exchange server to set EAS policies. This article did not cover BlackBerry OS (due to its almost complete absence from the Russian market), but it is worth noting that this platform is the corporate standard in many countries around the world.
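The recommendations above (device lock with a limited number of attempts, memory-card encryption, remote wipe on loss, EAS policies set from the Exchange server) map onto a single Exchange ActiveSync mailbox policy. The following is an added example for Exchange 2010's Management Shell, not a configuration from the original article; the policy name, mailbox, device ID and notification address are placeholders, and the thresholds (8 characters, 10 attempts, 5 minutes, 90 days) are assumed values, not a standard the article prescribes.

```powershell
# Added example (not from the original article): Exchange 2010 EAS policy that
# enforces the device-hardening steps above, plus the remote wipe for a lost
# device. Placeholders: policy name, mailbox, device ID, notification address.
# Thresholds are assumed values for illustration.

# 1. Policy. Splatting keeps each setting commentable.
$policy = @{
    Name                               = 'Corporate-Mobile'   # placeholder
    AllowNonProvisionableDevices       = $false   # refuse devices that cannot apply the policy
    DevicePasswordEnabled              = $true
    AllowSimpleDevicePassword          = $false   # no 1111 / 1234
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 2
    MaxDevicePasswordFailedAttempts    = 10       # device wipes itself after the 10th wrong entry
    MaxInactivityTimeDeviceLock        = '00:05:00'
    DevicePasswordExpiration           = '90.00:00:00'
    DevicePasswordHistory              = 5
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true    # the removable-media point above
    AllowUnsignedApplications          = $false   # honoured by Windows Mobile only
    AllowUnsignedInstallationPackages  = $false
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign it, starting with users who reach the trusted zone (VPN, remote admin).
Set-CASMailbox -Identity 'j.doe@example.com' -ActiveSyncMailboxPolicy 'Corporate-Mobile'

# 3. Check that each synced device actually applied the policy rather than ignoring parts of it.
Get-ActiveSyncDeviceStatistics -Mailbox 'j.doe@example.com' |
    Select-Object DeviceType, DeviceModel, LastSyncAttemptTime,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# 4. Device reported lost or stolen: queue a remote wipe; it executes on the next sync.
$device = Get-ActiveSyncDeviceStatistics -Mailbox 'j.doe@example.com' |
    Where-Object { $_.DeviceID -eq 'PLACEHOLDER-DEVICE-ID' }
Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses 'security@example.com' -Confirm:$false

# 5. Later: confirm the wipe was sent and acknowledged.
Get-ActiveSyncDeviceStatistics -Mailbox 'j.doe@example.com' |
    Select-Object DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Two caveats a practitioner will want: the application-control settings (unsigned applications and installation packages) require an Exchange Enterprise CAL and, as the article notes, are enforced only by Windows Mobile, while Android and iOS apply only a subset of EAS policies. Setting AllowNonProvisionableDevices to $false is what turns that subset into a real check, because a device that cannot apply the policy is refused synchronization instead of being silently trusted. The wipe in step 4 only takes effect when the device next contacts the server, which is why the article's own advice to encrypt the storage and lock the device still matters.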