Thinking About Mobile Security

Filed under: mobile phones,security - 24 Jul 2011 21:00

Mobile devices are, like any powerful tool, a double-edged sword. They provide an unprecedented ability to access and create information from anywhere! They are also a huge problem for information security.

Unlike a traditional PC, where there are a number of solutions to address various information security needs, mobile devices (those running iOS, Android, Symbian, BlackBerry and others) provide few if any mechanisms for third parties to provide security solutions. Beyond ActiveSync integration, which itself is potentially untrustworthy (remember how iOS used to lie to Exchange servers that their mail store was encrypted?), other options for securing the device or data on the device are limited.

That said, mobile operating systems have had the benefit of the experience of other operating systems. They are designed to be more resistant to intrusion by requiring signed code, employing sandboxing, limiting the available APIs, and more. This doesn’t eliminate the risk of security vulnerabilities, but it does minimize the risk that known ones will occur.

Unfortunately, the “baked in” security only addresses a small segment of potential security issues. It does nothing to address future security issues that might crop up. Due to the limited APIs, it is not possible for third parties to address these issues without cooperation from the OS vendor (e.g. Apple, Google, Nokia). Unfortunately, security threats evolve far faster than an OS vendor’s ability to mitigate these threats on their own. Just look at how long it took Microsoft to enable the firewall in Microsoft Windows by default, implement driver signing, or any number of other security mechanisms that are just the default on mobile operating systems.

Even so, the most important feature of a mobile device–the ability to access and share information from anywhere–is also a threat to an enterprise. The potential for data leakage is substantial! All I have to do is take a picture of a whiteboard in an office with confidential data on it using an Android phone with Google+ automatically uploading my photos “in the cloud” to have a potential data leak! Not to mention using your personal device to access mobile email and working with attachments.

Even if adequate tools existed to address all the issues on mobile devices, one should not blindly rely on these tools. It comes down to people understanding the security implications of their actions and adjusting their actions accordingly.


3 Comments

  1. Comment by jason @ Voip

    It took years to get users to even consider security on their PCs. How long do you think it’ll take them to consider it on their mobile phones? Till they are hacked? Oops! They have been and they’ve still not learned!

  2. Pingback by Securing Mobile Devices May Be Impossible « The PhoneBoy Blog

    [...] While I myself have been thinking about mobile security, this is an angle I didn’t even consider. If hackers can pwn the mobile phone network itself, well, everyone’s mobile device is in danger. There’s not much you can do about it, either. [...]

  3. Comment by Peter

    Thanks a lot for this nice article. I think there are too many security breaches in mobile devices to use it with peace of conscience. Just for example the untrustworthiness, like you told, the fact that iOS used to lie to Exchange servers that their mail store was encrypted. I don’t know if I want to use a smartphone as long as I can’t get a clear overview over the security possibilities that are trustworthy.
