IT administrators can mitigate many of the mobile data security risks associated with mobile devices and applications by instituting best practices and native security measures.
When smartphones first emerged, they offered little built-in security. With its native encryption and over-the-air device management, BlackBerry was a noteworthy exception and fostered broad business adoption, leading other manufacturers to emulate BlackBerry.
When the Apple iPhone launched, for example, it had no encryption or IT management hooks. Today, every Apple iOS device comes with an encrypted file system, can be locked with a long, complex passcode and supports more than 150 IT-configurable policies. Although such native capabilities vary by device make and model, all four major mobile OSes — Apple iOS, Google Android, BlackBerry and Microsoft Windows Phone 8 — support those best practices and more.
Mobile data security best practices
PIN or passcode. The first line of defense against the unauthorized use of a lost or stolen device is a robust PIN or passcode. All four OSes support numeric PINs and alphanumeric passcodes. The primary challenge is enforcing long, complex passcodes that users must re-enter frequently. Pairing shorter passcodes with secondary user authentication to open every sensitive business application is a practical way to reduce risk.
Remote find and wipe. Most employers also want the ability to remotely locate a lost or stolen device and, when warranted, wipe all corporate data. Again, all four OSes support remote find and wipe, but wipe effectiveness varies. For example, wiping an iOS device renders all encrypted data (personal or corporate) inaccessible. In contrast, wiping an Android device simply resets it to factory default settings, which can leave recoverable data behind. Pairing remote wipe with applications that rigorously encrypt their own data makes remote wipe more effective.
Stored data encryption. Stored data encryption has become an enterprise must for mobile devices that store business data, including temporary files, message attachments, screen snapshots, cached Web pages and other data that "leaky" applications generate. Full device encryption is widely supported, though noteworthy exceptions include Android 2.x and Windows Phone 7. Further, some devices can’t encrypt everything, even if the OS supports it. And even an encrypted device exposes data to a thief with a cracked PIN.
Here, best practices pair full-device encryption with software encryption by each application. To improve mobile data security and avoid leaks, application developers must be careful to rigorously encrypt everything written to flash storage and to safeguard their encryption keys. Emerging trends include sandboxed applications that create their own safe (authenticated, encrypted) operating environment and secure data containers that safely store IT-managed documents for offline access.
Over-the-air encryption. Employers also worry about data in motion: that continuous stream of traffic to and from always-connected wireless mobile devices. All four OSes natively support Transport Layer Security (TLS)-encrypted email and Web traffic, WPA2-encrypted Wi-Fi traffic and virtual private network (VPN)-encrypted network access. Unfortunately, the related settings and certificates are too complicated to leave to end-user configuration. In addition, requiring secure Wi-Fi on-site doesn’t prevent users from exposing data at public Wi-Fi hotspots, and VPN configurability varies by device make and model. As a result, application developers should use TLS to encrypt their own traffic, independent of network or VPN security.
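As an added example (not code from the article), here is what "encrypt your own traffic" looks like for an application's TLS client in Python: a hardened context that verifies the server's certificate chain and hostname and refuses pre-1.2 TLS, beside the weak "make the error go away" context developers fall back to, with an audit function that tells the two apart.

```python
import ssl


def make_client_context():
    """Hardened client context: chain verification against the platform CA
    store, hostname matching and TLS 1.2 as the floor."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The 'just make the certificate error go away' context: it accepts any
    certificate for any host, so traffic at a public hotspot is trivially
    interceptable even though it is nominally TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of weaknesses in a client SSLContext (empty = acceptable)."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate not verified")
    if not ctx.check_hostname:
        issues.append("hostname not matched against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS 1.1 or older still negotiable")
    return issues


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The same audit can be pointed at any context an application builds, which is a cheap code-review check for the VPN-independent TLS the paragraph calls for.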
Anti-malware. The above practices focus on mobile data security, but they can also deter malware, preventing Android malware from grabbing files on removable storage accessible to all applications, for example. In addition, mobile OSes sandbox applications to insulate them from one another and require users to grant each application permission to access device features or shared data. Unfortunately, users often accept those requests without understanding the consequences. While Apple’s App Store policies have deterred iOS malware, the same can’t be said for Google’s or Microsoft’s stores. Even BlackBerry users can install applications from less-trustworthy sources (a risky behavior known as sideloading).
Best practices to deter mobile malware are still emerging, but they include monitoring for blacklisted applications or compromise, routing mobile traffic through cloud services that scan for malware and running malware scanners on mobile devices. Application development best practices include self-protection of data, testing for exploitable vulnerabilities and requesting only essential permissions.
Mobile device management. IT can gain visibility into and control over smartphones and tablets with mobile device management (MDM). Methods include using Microsoft Exchange ActiveSync to require a PIN and encryption and using third-party MDM tools to configure and continuously enforce security policies. Supportable security policies vary by mobile operating system/version, device make/model and MDM tool, but centralized security policy management is necessary to implement other practices such as PIN/passcode, remote find/wipe, encryption and even anti-malware, without depending on compliant end users to always do the right thing.
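The centrally enforced checks this and the preceding anti-malware paragraph describe (passcode length, encryption state, blacklisted and sideloaded applications) can be expressed as a compliance pass over an MDM inventory export. The following Python is an added example, not the article's or any MDM vendor's code; the record layout, the trusted-installer identities, the blocklist entry and the sample devices are all constructed for the demonstration.

```python
MIN_PASSCODE_LEN = 6

# Platforms the article names as lacking full-device encryption.
NO_FULL_DEVICE_ENCRYPTION = {("android", "2."), ("windows phone", "7")}
# Installer identities treated as trusted stores (assumed); anything else counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending", "apple-app-store"}
# Placeholder blocklist; a real one comes from the MDM tool or a threat-intel feed.
BLOCKLIST = {"com.example.blocked-app"}


def lacks_native_encryption(os_name, os_version):
    """True when the platform/version cannot encrypt the whole device."""
    os_name = os_name.lower()
    return any(os_name == o and os_version.startswith(v)
               for o, v in NO_FULL_DEVICE_ENCRYPTION)


def evaluate_device(rec, blocklist=BLOCKLIST):
    """Return the policy findings for one inventory record (empty list = compliant)."""
    findings = []
    if rec["passcode_len"] < MIN_PASSCODE_LEN:
        findings.append("passcode shorter than %d characters" % MIN_PASSCODE_LEN)
    if lacks_native_encryption(rec["os"], rec["os_version"]):
        findings.append("no full-device encryption; app-level encryption required")
    elif not rec["encrypted"]:
        findings.append("device encryption supported but not enabled")
    for pkg, installer in rec["installed"]:
        if pkg in blocklist:
            findings.append("blacklisted app: " + pkg)
        elif installer not in TRUSTED_INSTALLERS:
            findings.append("sideloaded app: %s (installer=%s)" % (pkg, installer))
    return findings


# Constructed inventory records (not real devices); the layout is an assumption, not an MDM schema.
SAMPLE_DEVICES = [
    {"id": "ios-1", "os": "iOS", "os_version": "7.1", "passcode_len": 8,
     "encrypted": True, "installed": [("com.corp.mail", "apple-app-store")]},
    {"id": "android-2", "os": "Android", "os_version": "2.3.6", "passcode_len": 4,
     "encrypted": False, "installed": [("com.example.blocked-app", "null"),
                                       ("com.example.torch", "com.android.vending")]},
    {"id": "android-4", "os": "Android", "os_version": "4.4", "passcode_len": 6,
     "encrypted": False, "installed": [("com.example.game", "null")]},
]


def run_report(devices=SAMPLE_DEVICES):
    """Map device id -> findings for the whole inventory."""
    return {d["id"]: evaluate_device(d) for d in devices}


if __name__ == "__main__":
    for dev, findings in run_report().items():
        print(dev, "OK" if not findings else "; ".join(findings))
```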
Mobile application management. Increasingly, MDM tools also provide good mobile application management, letting IT inventory, deliver, install, update and remove applications. However, application developers need to understand how applications can be packaged, deployed and updated for each mobile OS, as well as the distribution rules imposed by each manufacturer and app store. Those rules have mobile data security implications — all four mobile OSes require applications to be signed, for example — but differ as to who issues the signing certificate and how that affects application permissions. The best practice here is developer education.
Data backup. To ensure that data can be restored after a device is damaged, wiped or lost, take advantage of data backup capabilities supported by each mobile OS. Native backup capabilities typically include writing backup files to a laptop or desktop and routinely backing up data to cloud storage (e.g., Apple iCloud, Google Drive). Best practices include passcode-protecting access to backup files and cloud storage, encrypting those backups wherever possible and preventing business data from being backed up to personal storage areas. Mobile application developers may want to take advantage of native backup capabilities, but they also need to consider the security implications of doing so.
As indicated, many mobile data security best practices use native mobile device and OS capabilities as a starting point, strengthened by combining those with application-specific security measures. Building security into each mobile application not only reduces risk but also levels the still-uneven playing field of mobile platforms. Mobile OS security and management hooks will continue to improve, and new mobile devices will emerge with new vulnerabilities.
Further, although we have focused here on device, OS and mobile data security, mobility involves many other components that must also be secured by IT, including the wireless networks, mobile messaging servers and cloud storage accessed by mobile users. Understanding all of these mobile risks and looking for ways to offset them during mobile application development is an investment.