How to stay out of big trouble from little devices

Beware the smartphone apocalypse

Here's the tricky thing about mobile security: the perfect storm of smartphone threats is always just over the horizon. Every couple of years, the vendors are up in arms about it and predict handheld apocalypse.

At the same time, we are seeing an unprecedented level of activity in the mobile space. Morgan Stanley analyst Mary Meeker predicts that smartphone sales will surpass those of PCs next year. They overtook notebook sales in 2008.

Pirate raid

Security firm McAfee says there has been a 46 per cent surge in malware targeting mobile devices over the past year. The Symbian operating system has been compromised more than Android and Apple’s iOS.

At the beginning of March, Google pulled dozens of applications from its Android Market web site, after discovering that more than 50 apps had malware that could ruin the device. At least 50,000 users downloaded them before they could be pulled. All the apps were pirated versions of legitimate software, rebundled under new names.

One of the most telling aspects of McAfee’s report was the lack of separation between personal and business use for smartphones and tablets.

We tend to put all our data on these devices because they are regularly used and close at hand. The report said that on average, almost two-thirds of employees are accessing the corporate network with mobile devices.

What can you do to protect your mobile workforce? Simply banning all of the devices from connecting to your corporate network is one way round the problem, but it is akin to taking the engine out of the car to avoid crashing.

A more realistic solution is to use the phone’s built-in features, or better still buy a third-party solution to help you manage your mobile portfolio.

Don't forget the tablets

The National Institute Of Science and Technology (NIST) in the US has something to say on this. It issued guidelines on mobile device security three years ago, although such is the speed of industry developments that the coverage didn't include tablets. Nevertheless, its advice is useful at a broad level.

The guidelines acknowledge the difficulty of managing multiple device types in an organisation.

One way is to find a compromise between blocking everything and allowing all kinds of device onto the network. Specifying permitted device types at least allows the IT department to profile them and plan for their use.

Mandating user authentication via a PIN helps to prevent a device being compromised if it is lost or stolen, but other options should complement this.

Data wiping solutions remove sensitive data from a phone before determined attackers can extract it. The iPhone offers a feature that wipes the phone after ten incorrect password entries. MobileMe also offers remote data wiping, and there are third-party solutions for business users to manage this centrally.

Various vendors offer products that not only remotely wipe phone data, but also lock down stolen phones and automate patch management and imaging.

Encrypting data is one way to protect sensitive assets on phones, assuming that you can't prevent users from storing them there. Automatic encryption is built into iOS, although researchers have criticised its level of security, and Android’s Honeycomb build will also have it. However, a third-party solution offering some sort of digital wallet may be a safer route.

What a turn-off

Of course, basic common sense needs to be codified into a mobile security policy. Not lending devices to other people, not downloading unknown software, always using a secure password or PIN and similar measures must be formalised and drilled into users.

What is most interesting is that the NIST guidelines effectively advise minimising the functionality of the device. Turning off wireless interfaces when the device is not in use so that it does not automatically connect, not storing sensitive data on the phone, and turning off all the apps people don't regularly use are all sensible precautions.

But they fly directly in the face of what mobile vendors and users really want. As we navigate the security landscape, that might be the ultimate challenge. ®
