On Mobile Device Security
Nearly every one of our users is a business customer, and the data resident on their mobile devices is protected company property. We take security very seriously, and want all of our users to have the tools at their disposal to keep their work safe. The objective of this article is to shed light on a few techniques available already on your iOS and Android devices to help protect your data that’s floating out in the world with your staff as they’re using mobile devices in the field.
The risk of a device being lost or stolen is high and impossible to completely prevent. Given this fact, you can only deploy certain technical countermeasures as an owner of data to protect yourself from theft. Let’s review some basic info on the what’s available across the mobile hardware platforms, techniques and best practices, and management methods for keeping your IT staff sane while you have your 100+ mobile devices roaming the world with your corporate data.
Operating System-Level Security
Passcode locks have been available on smartphones and tablets since long ago, and are clearly the first step in keeping your data protected from theft or intrusion if your device gets into the wrong hands. Many applications also provide a small additional layer of security like their own passcode locks—things like banking applications, Evernote, Dropbox, and Google Drive. There are tools resident on the platforms natively now that let you step even higher up and protect everything.
The most effective way to keep your data secure is to protect the entire operating system, rather than the security of specific apps. All modern smartphone devices support disk-level encryption for all data on the entire device, using a combination of hardware and software encryption. If you’re using one app that contains private, protected, critical data, chances are high that you have many apps with important data you don’t want stolen.
On iOS, ever since the release of iPhone 3GS, Apple has enabled built-in hardware level encryption using their Data Protection feature by default whenever you have a passcode lock set up1. This means any time the device is locked, the entire device’s disk is encrypted until the passcode is entered. With Android devices, Android 3.0 introduced full-device encryption, which on that platform is optional, but can be easily enabled through the security settings. With this on, you can even set up your device to prompt for a password on startup.
Password Security & Device Passcodes
Android and iOS both support device-level passcodes, so it’s a no-brainer to set that up immediately if you don’t have it set up already. Both also have configuration settings for “auto-lock” after the device has been in standby mode for a set time, and I’d recommend lowering this to the shortest acceptable time to keep the re-locks from being annoying. It’s important to keep in mind that security and convenience are usually at odds, but if the system is too inconvenient to use securely, users are likely to disable passwords altogether, or make their password the proverbial
1234. Onerous security requirements can have the reverse impact if taken too far.
All tablets and smartphones now also support longer passphrase input for securing the device instead of numeric PIN-style codes. It’s recommended, if you can stand it, to use something more complex than 4 digits2. Most devices are good about locking out potential guessing attacks, but it’s still a good practice to use stronger passwords. All iOS devices since the iPhone 5S and the iPad Air 2 support Touch ID, Apple’s native biometric fingerprint authentication hardware. Enabling fingerprint access provides an added layer of authorization to passwords that make it easier to use long, hard-to-type passwords (since you don’t have to type them as much), and prevent the all-too-common shoulder surf where someone can nick your passcode on the bus, train, or at your desk.
It’s also worth taking a look at app settings for notification previews. We’ve all received text messages or emails containing private info. Without these settings configured to hide the content of messages when the device is locked, anyone looking at your device on the table can see that sensitive email or SMS message. Android has some pretty granular controls across all apps to determine what constitutes “sensitive” info and hide accordingly. The settings for this are a little messier on iOS, but many apps provide configuration options in the Notification Center for hiding the preview text that appears when you get a push notification.
Managing Tons of Devices
One problem that becomes apparent rather quickly in a business environment is how you integrate all these localized, individual-level authentication and security practices into an enterprise IT infrastructure with potentially hundreds of managed devices assigned to staff members. What happens when a field inspector can’t sign in because he doesn’t remember the complex passcode you set up on his iPhone for him? These are some hard challenges given the rate that the technology advances; it’s hard for enterprise management software providers to keep up with what’s new.
We’ve written previously on the blog about mobility management systems like Soti’s MobiControl product, VMware’s AirWatch, and MobileIron. These tools exist to help bridge this gap and provide higher-order platforms for managing dozens to thousands of mixed devices for employees. You can remotely sign in for providing support, install applications, control what can be installed, and handle on-device settings from a centralized control center. These options, naturally, aren’t free, but can be powerful additions to enable enterprises to manage their hardware securely and reasonably.
It’s a Hard Problem
If security was easy, no one would ever have their data stolen or compromised, but that’s not the world we live in. Establishing secure best practices in an environment with many different device types and versions and a diverse range of technical skill on the user side is a huge challenge. We hope this quick overview was helpful to point you to some of the built-in and ready capabilities of mobile platforms that can mitigate some of the risk inherent in mobile data collection.
Safe Photo: charliedees on Flickr