Security in the Mobile Device Enterprise

I have been noticing a lot of the current media about mobile security and just want to throw in my personal “2-cents” as well with my own observations and comments.. :-)
Hacking and Vulnerabilities in Mobile Devices
This of course is brought up all the time by the security software manufacturers and is definitely something we should always be aware of. As more and more devices are being used in daily life for all of our personal and corporate tasks, the risks will just get greater and greater, no doubt about it. As it stands today, there are some vulnerabilities and malware out there, but not a whole lot.. Yet..
Mobile Security Looming As New Hacker Frontier:
http://www.informationweek.com/blog/main/archives/2009/03/mobile_security_1.html
$10,000 Mobile Hacking Competition to find new vulnerabilities: (so far no hits!)
http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009
But the single largest threat could be lost devices with no passwords being used. Some estimates are that up to 40% of all mobile devices have no password!
UK survey on mobile phones being vulnerable to Identity Theft:
http://patricksalmon.blogspot.com/2009/03/uk-survey-on-mobile-phones-being.html
Windows Mobile Security
In the corporate environment Windows Mobile brings a lot to the table. Security-wise there are several great options and mechanisms you can use to protect your corporate assets. Think certificates, not AntiVirus. I think historically there was just not a big push to prioritize this security realm and the necessary information was somewhat hard to find. I believe this has all changed, and most companies take this very seriously now. If they do not yet have a strategy, I believe they are long overdue to have one and execute on it!
Some great recent Windows Mobile security resources are mentioned here:
http://blog.enterprisemobile.com/2009/03/mobile-security-resources/
Vik also has a good round up of the current Windows Mobile encryption and security certifications:
http://blogs.technet.com/vik/archive/2009/03/03/windows-mobile-encryption-and-security-certifications.aspx
iPhone Security
The iPhone is a great consumer device, no doubt about it. But regarding iPhone security, there are well published and documented aspects you should be aware of if you are using and allowing the iPhone in your enterprise and giving permission for corporate data and e-mail to be stored, or even viewed!, on the devices.
Keystrokes, screen shots, GPS coordinates, and all data can easily be retrieved if you have physical access to a device. Anyone can take an iPhone and connect it to a machine running iTunes and make a complete backup of its contents. For the casual consumer this is probably not a big deal, unless you are using it for all your online banking, personal e-mails (that you don’t want someone else to see), or any other online site you might be using on the device. But think identity theft. Think work related web sites and passwords!
A scenario: You are using a key corporate enterprise application or web site, where critical or sensitive information is shown on the iPhone screen. But when the user moves away from the application, unbeknownst to them, a screen shot of this critical or sensitive information is being cached on the iPhone..
Highly recommended reading:
iPhone hacking: Lessons from the front line:
http://searchmobilecomputing.techtarget.com/news/article/0,289142,sid40_gci1349572,00.html
iPhone Forensics: Recovering Evidence, Personal Data, and Corporate Assets:
http://www.amazon.com/gp/product/0596153589
Also, looking at the newly announced iPhone 3.0 features, I didn’t see anything at all about security or enterprise usage improvements to combat the security issues mentioned above..
Update June 22, 2009: Please see new post on the hardware encryption in the iPhone 3G S model here, and also the actual slide deck from the great forensics presentation Jonathan Zdziarski had from the Gartner Mobile Summit.
|\\arco..