Mobile Device Security

Information security management project

Submitted to
Mam RABAIL MUSHTAQ
Group no 3
Komal atta roll # 27
Maryam sheikh roll # 10
Rabia Hameed roll # 22
Ayesha aden roll # 34

DEDICATION
We dedicate this research work to our loving parents,
&
Our DIRECTOR SIR MAQBOOL TAHIR, Our PRINCIPAL PROF MUHAMMAD MATEEN, Our
respected teacher PROF. WAHEED AHMAD, who guided us and encouraged us in every step of our
research work. And also our college fellows and dear friends who have always been a source of
courage and inspiration for us.

REGARDS:

All group members.

Group 3 Page 2

ACKNOWLEDGMENTS

First of all we bow our heads before Almighty Allah for His kindness and are
highly grateful for the help that enabled us to complete this report. We pay our deepest
gratitude to all our teachers for their valuable guidance and encouragement throughout the
entire period of this work. This project is a result of dedicated effort. It gives us immense
pleasure to prepare this project report on "MOBILE DEVICE SECURITY".

We would also like to express our thanks to our parents for their prayers,
encouragement and moral support during the completion of our report. We are also thankful to
our college fellows and dearest friends who helped us a lot during this time period.
Regards.

All Group Members

Abstract
This report investigates the security issues of mobile devices: information about the different
mobile companies and the issues that these companies and their devices face. It further explains
the rising risks related to mobile devices and the management of mobile devices, and gives a
brief explanation of the issues and concerns of mobile devices.

Questionnaire
1. What is mobile device security?
2. How many people have at least one smart mobile device that you use for business?
3. How many people have Android?
4. What are the goals for allowing mobile devices into your enterprise?
5. How can you measure how well you achieve these goals?
6. What data will and will not be allowed on mobile devices?
7. Which employees and contractors will be allowed to connect?
8. What devices will be allowed to connect to the enterprise? Apple? Android?
9. Will devices be required to be up to date/patched?
10. If so, how will this impact Android use?
11. Will jailbroken devices be allowed?
12. How will these requirements be monitored and enforced?
13. How will you detect or prevent malware?
14. What are the specific security controls that you would like to enforce?
15. Which devices support those controls?
16. How will you protect the enterprise from liability of wiping personal data?
17. What controls (technology or policy) can you put in place around Android devices?
18. Are you willing to support older/weaker versions of Android that have limited security controls?

Table of contents
Introduction to device security ..... 5
Top 5 mobile device security concerns ..... 5
Threats ..... 6
Prime targets for attackers ..... 7
Mobile security landscape ..... 8
The small mobile device environment ..... 9
Rising risks and concerns with smart devices ..... 14
Managing mobile devices ..... 27
Other issues and concerns ..... 33
Concluding remarks ..... 38

1. Introduction to Mobile Device Security

Mobile security is the protection of smart phones, tablets, laptops and other portable computing
devices, and the networks they connect to, from threats and vulnerabilities associated with
wireless computing. Mobile security is also known as wireless security.

Securing mobile devices has become increasingly important in recent years as the numbers of the
devices in operation and the uses to which they are put have expanded dramatically. The problem
is compounded within the enterprise as the ongoing trend toward IT consumerization is resulting
in more and more employee-owned devices connecting to the corporate network.

SearchSecurity.com's 2012 enterprise mobile security survey polled 487 IT security
professionals and IT managers. The survey found the following top five mobile security
concerns:

Top 5 Mobile Security Concerns

1. Device loss was the top concern. If an employee leaves a tablet or smartphone in a taxi cab or
at a restaurant, for example, sensitive data, such as customer information or corporate intellectual
property, can be put at risk. According to Marcus Carey, a security researcher at Boston-based
compliance auditing firm Rapid7 Inc., such incidents have been behind many high-profile data
breaches.

2. Application security was the second-ranking concern. One problem is mobile apps that request
too many privileges, which allows them to access various data sources on the device. According
to Domingo Guerra, president and co-founder of San Francisco-based Appthority Inc., many
mobile apps -- especially free ones -- are built with ties to advertising networks, which makes
contacts, browsing history and geolocation data extremely valuable to application developers. As
Guerra put it, "Developers want to monetize, consumers want free apps and then ad networks
will pay developers to get all of that juicy data from their users." According to survey
respondents, leaked corporate contacts, calendar items and even the location of certain
executives could put the company at a competitive disadvantage.

Another concern is malicious or Trojan-infected applications that are designed to look like they
perform normally, but secretly upload sensitive data to a remote server.

3. Device data leakage was the third-ranking mobile security issue. Nearly all of the chief
concerns identified in the mobile security survey, from data loss and theft to malicious
applications and mobile malware, are sources of data leakage. While most corporate access
privileges on mobile devices remain limited to calendar items and email, new mobile business
applications can tap into a variety of sources, if the enterprise accepts the risks, said mobile
security expert Lisa Phifer. Increased corporate data on devices increases the draw
of cybercriminals who can target both the device and the back-end systems they tap into with
mobile malware, Phifer said. "If you're going to put sensitive business applications on those
devices, then you would want to start taking that threat seriously."

4. Malware attacks were the fourth-ranking mobile security concern. A new report from Finland-
based antivirus vendor F-Secure Corp. found the vast majority of mobile malware to be SMS
Trojans, designed to charge device owners premium text messages. Experts say Android devices
face the biggest threat, but other platforms can attract financially motivated cybercriminals if
they adopt Near Field Communications and other mobile payment technologies. An F-Secure
analysis of more than 5,000 malicious Android files found that 81% of mobile malware can be
classified as Trojans, followed by monitoring tools (10.1%) and malicious applications (5.1%).

5. Device theft was fifth on the list of top concerns. Smartphone theft is a common problem for
owners of highly coveted smartphones such as the iPhone or high-end Android devices. The
danger of corporate data, such as account credentials and access to email, falling into the hands
of a tech-savvy thief, makes the issue a major threat to the IT security pros who took the survey.

Challenges of mobile security

Threats

A smart phone user is exposed to various threats when they use their phone. In just the last two
quarters of 2012, the number of unique mobile threats grew by 261%, according to ABI
Research. These threats can disrupt the operation of the smartphone, and transmit or modify user
data. For these reasons, the applications deployed there must guarantee privacy and integrity of
the information they handle. In addition, since some apps could themselves be malware, their
functionality and activities should be limited (for example, restricting the apps from accessing
location information via GPS, blocking access to the user's address book, preventing the
transmission of data on the network, sending SMS messages that are billed to the user, etc.).

There are three prime targets for attackers:

• Data: smartphones are devices for data management, therefore they may contain sensitive data like credit card numbers, authentication information, private information and activity logs (calendar, call logs).

• Identity: smartphones are highly customizable, so the device or its contents are associated with a specific person. For example, every mobile device can transmit information related to the owner of the mobile phone contract, and an attacker may want to steal the identity of the owner of a smartphone to commit other offenses.

• Availability: by attacking a smartphone one can limit access to it and deprive the owner of the service.

The sources of these attacks are the same actors found in the non-mobile computing space:

• Professionals, whether commercial or military, who focus on the three targets mentioned above. They steal sensitive data from the general public, as well as undertake industrial espionage. They will also use the identity of those attacked to achieve other attacks;

• Thieves who want to gain income through data or identities they have stolen. The thieves will attack many people to increase their potential income;

• Black hat hackers who specifically attack availability. Their goal is to develop viruses and cause damage to the device. In some cases, hackers have an interest in stealing data on devices.

• Grey hat hackers who reveal vulnerabilities. Their goal is to expose vulnerabilities of the device. Grey hat hackers do not intend to damage the device or steal data.

They are everywhere

• At the end of 2011, there were 6 billion mobile subscriptions worldwide
• That is equivalent to 80 percent of the world population
• In the US, mobile cellular subscriptions are at 100% of the population
• In Europe, around 120%
• Other areas range from 74% to over 150%

• In terms of geographic distribution, smart mobile devices are everywhere
• Developing nations might currently be lagging behind in total numbers and per capita use
• However, developing nations are also among the fastest growing smart mobile user bases
• Partly because there is very little terrestrial infrastructure for other forms of connectivity like fixed wire-line telephone or broadband service
• It's cheaper and easier to build a cellular infrastructure than a wired one
• And that infrastructure is less likely to be washed out by a flood or damaged by an earthquake

When it comes to Internet connectivity, mobile broadband usage eclipses fixed wire-line broadband services

• Vastly more people have a mobile broadband connection than a fixed broadband connection
• This is true even in the United States, where there are almost double the number of mobile broadband vs. fixed broadband connections
• Smart mobile devices have had a phenomenal adoption rate
• The iPad has the fastest adoption rate of any technology, ever, possibly eclipsing even the wheel, or fire if you believe Apple
• 2011 numbers are a huge increase from 5.4 billion in 2010 and 4.7 billion mobile subscriptions in 2009 – up over 50% in some areas
• Market growth is being driven by demand in the developing world, led by rapid mobile adoption in China, Africa and India

• Mobile subscriptions outnumber fixed lines 5:1 (more so in developing nations)
• Mobile broadband outnumbers fixed broadband 2:1
• Total smartphone sales in 2011 were almost 500 million units, up over 60 percent from 2010. This makes smartphones about 32 percent of all handsets shipped
• Looking at smartphone growth in terms of the major players in the market, I don't think there is a lot of surprise here
• When it comes to hardware sales, the top five smartphone vendors worldwide in 2011 were Samsung, Apple, Nokia, RIM and HTC
• Of those, Nokia's sales declined 23% and RIM's sales were almost stagnant at 5% growth
• Samsung, Apple, and HTC had 310%, 96%, and 100% growth rates respectively

• Growth by operating system reflects the hardware sales
• Android had almost 250% year-on-year growth, 2011 vs 2010
• iOS had almost 100% growth in the same period
• Interesting newcomer: Bada from Samsung – aimed at being a low-end smartphone OS for not-so-smart hardware platforms – small market share but huge growth – worth keeping an eye on
• Nobody else in the market even comes close – Symbian and Windows Phone had negative growth
• What are the driving factors for integrating smart mobile devices into the enterprise?
• One that is often talked about is cost reduction
• That is, offsetting the cost of corporate-provided or corporate-subsidized handsets by allowing employees to use their own devices

• Quite frankly, I have never seen any numbers to support the cost reduction argument; MDM vendors are also backing away from it
• Another factor that is often discussed in the media is increased productivity
• Again, I have yet to see any numbers supporting this claim
• I do believe there is significant potential value as new and imaginative ways of leveraging smart mobile devices arrive
• There may be some other arguments to support enterprise mobile device integration
• And as we will see, there are some significant concerns that need to be considered

• Based on some recent surveys, there is at least C-level recognition of the risks associated with mobile devices in the enterprise
• Given this level of concern, and in light of the amount of customer data stored on mobile devices, it is definitely worth taking a hard look at the risks and potential mitigating factors when considering mobile devices in the enterprise
• So what are the security concerns with smart mobile devices?
• Well, obviously, given that there is customer data stored on half of the devices used for business, physical security of the device is a huge concern
• Stored data, including access credentials, is at risk any time a device is lost, stolen, an employee leaves the company, the device is recycled, or it is sold on eBay
• How can the enterprise be sure that sensitive data, or network access, does not fall into the wrong hands?

• Encryption of locally stored data is available in iOS since about iOS 4.3, as long as a passcode is configured
• iPad 2 and iPhone 4 and later have hardware-based encryption
• Android is a different story: no device encryption until 4.0, aka Ice Cream Sandwich, and then it depends on vendor support
• Even more troubling, however, is the official stance by both Android and Apple that ultimately the security of the device rests with the end user
• Obviously a disturbing position for those with responsibility for securing corporate data
• Second to the physical security issue, but rapidly gaining ground, is the mobile malware risk
• Mobile malware is becoming more and more sophisticated
• Mirroring malware in the desktop world, but evolving at a much greater pace

• 2011 saw an incredible growth in mobile malware
• Over 1,500% as compared to 2009, almost 370% over 2010
• Almost a 2,000% increase in December vs January
• 2012 is on track to be the year of mobile malware
• Mobile malware is borrowing technology from the desktop world
• Adapting to not only the mobile technology, but the mobile usage patterns
• In particular, leveraging social networking and social engineering approaches
• By far the greatest growth in malware is in Android
• Last week the first Android bootkit – DKFBootKit – was discovered, raising the ante again
• DKFBootKit piggybacks on legitimate applications to infect the device, then replaces key daemons to compromise the device at boot time before the Android framework is fully loaded

• Mobile malware exhibits all the same types of behavior we're used to in other environments
• In addition, mobile malware can monetize the infection directly by sending SMS messages to premium rate numbers
• Further, device features like cameras, microphones, and GPS receivers can all be controlled and accessed remotely
• This is a real concern when executives are traveling with devices, bringing them into sensitive meetings etc.
• There is some evidence of malware authors leveraging this information to gain advantage in stock trades
• The Android mobile platform is considered to introduce the greatest security risks from mobile malware
• Almost 11 million infected Android devices worldwide
• 472% increase in Android malware July through November last year
• China leads the infection rate

• India, Russia, and the US are roughly equal, with a little over 10% of total infections each
• Several reasons exist for this; one of the most significant is simply market share
• Malware written for Android has the potential to infect many more devices than any other mobile OS
• 49% of smartphones run some version of Android
• 19% run Apple iOS
• 16% run Nokia's Symbian – however, Nokia is ceasing support for Symbian and moving to Windows Mobile
• Symbian malware's decline mirrors the growth of Android malware; perhaps the malware authors are switching platforms
• Only 10% of devices run RIM's BlackBerry OS – RIM is rapidly losing ground to the others
• Windows Mobile OS only accounts for 1.4% – and is expected to grow slowly

• However, market share is not the whole story – to really understand the issue we need to take a closer look at the almost 50% of the market that Android owns
  1. While iOS is only available from Apple, and only on Apple devices
  2. The Android market is split between Samsung (35%), HTC (24%), LG (11%), Motorola (9%), Sanyo, Sony, and a myriad of smaller players (21%)
  3. Each device, and each carrier's version of that device, has its own slightly different version of Android
  4. Each one is tweaked to support different hardware, different software bundles, and other offerings and carrier requirements
  5. This presents some significant concerns with respect to platform security, and security of carrier-bundled software

• It's when we start looking at the relative update history of the devices that the real story comes out – and it's not a pretty one for Android
• Just like in the desktop and server world
• Keeping operating systems updated and properly patched is a central tenet of maintaining information systems security
• The next three slides show the update history of every smart mobile phone released in the US between 2009 and 2011
• Green indicates that updates were available to keep the device on the current major version
• Yellow: 1 major version behind; orange: two versions behind; red: three versions
• The X's indicate when the device was being actively sold
• Updates and patches were available for all iOS-based phones sold since day one
• Apple updates iOS regularly and the updates are published by Apple direct to device owners
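The colour legend above describes a per-month classification: for each month, compare the newest major version the vendor has released with the version the handset's firmware actually runs, and count the gap. The following is an added example, not part of the original report or of the slide's underlying chart, that implements that classification for one hypothetical device. The release timeline (`OS_RELEASES`) and the device's update history (`DEVICE_UPDATES`) are constructed for the example and are not real Android release dates; the step "one colour per major version behind" is taken from the legend.

```python
from bisect import bisect_right
from collections import Counter
from datetime import date

# Constructed OS release timeline (labels and dates are made up for the
# example, not real release dates). Each entry is one "major version" in
# the sense the slide uses: one version behind = one colour step.
OS_RELEASES = [
    (date(2009, 10, 1), "1.0"),
    (date(2010, 5, 1), "2.0"),
    (date(2010, 12, 1), "3.0"),
    (date(2011, 11, 1), "4.0"),
]

# Constructed update history of one hypothetical handset: the version its
# firmware ran from each date onward. It shipped on 1.0 in January 2010,
# received 2.0 in September 2010 and was never updated again.
DEVICE_UPDATES = [
    (date(2010, 1, 1), "1.0"),
    (date(2010, 9, 1), "2.0"),
]

# Colour legend from the slide: green = current, yellow = 1 behind,
# orange = 2 behind, red = 3 or more behind.
COLOURS = {0: "green", 1: "yellow", 2: "orange"}


def latest_index(timeline, on_date):
    """Index of the newest timeline entry dated on or before on_date, else None."""
    dates = [d for d, _ in timeline]
    i = bisect_right(dates, on_date)
    return i - 1 if i > 0 else None


def versions_behind(os_releases, device_updates, on_date):
    """How many major versions the device lags the current release on on_date.

    Returns None before the device shipped. Assumes every version the
    device ran appears in os_releases.
    """
    dev = latest_index(device_updates, on_date)
    if dev is None:
        return None
    labels = [v for _, v in os_releases]
    current = latest_index(os_releases, on_date)
    return current - labels.index(device_updates[dev][1])


def colour_for(behind):
    """Map a version gap to the slide's colour; 3+ behind is red."""
    if behind is None:
        return "n/a"
    return COLOURS.get(behind, "red")


def months(start, end):
    """First day of every month from start to end inclusive."""
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        yield date(y, m, 1)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def lag_timeline(os_releases, device_updates, start, end):
    """Per-month colour classification, i.e. one row of the slide's chart."""
    return [
        (d.isoformat(), colour_for(versions_behind(os_releases, device_updates, d)))
        for d in months(start, end)
    ]


def summarize(timeline):
    """Count months per colour, ignoring months before the device shipped."""
    return Counter(c for _, c in timeline if c != "n/a")


def example_summary():
    """Summary for the constructed device over Jan 2010 to Dec 2011."""
    return summarize(lag_timeline(OS_RELEASES, DEVICE_UPDATES,
                                  date(2010, 1, 1), date(2011, 12, 1)))


if __name__ == "__main__":
    for month, colour in lag_timeline(OS_RELEASES, DEVICE_UPDATES,
                                      date(2010, 1, 1), date(2011, 12, 1)):
        print(month, colour)
    print(dict(example_summary()))
```

Run stand-alone, the script prints one line per month and a summary; the constructed handset is green for only 7 of its 24 months, which is the kind of result the "only ran a current version for a matter of weeks" statistic on the next slide summarises across many devices.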

• Since iOS 5 updates are pushed OTA, and don't require computer connectivity
• Android updates, on the other hand, go from Google/Android, to the hardware vendors, to the carriers, and thence to the device users
• Or more often don't…
• Android updating, or lack thereof, is a major security problem
• Of the 18 Android phones shipped in the US between 2009 and 2011, 7 of them never ran a current version of the OS.
• 12 of 18 only ran a current version of the OS for a matter of weeks or less.
• 10 of 18 were at least two major versions behind well within their two-year contract period.
• 11 of 18 stopped getting any support updates less than a year after release.

• 13 of 18 stopped getting any support updates before they even stopped selling the device, or very shortly thereafter.
• 15 of 18 don't run Gingerbread, v2.3, which shipped in December 2010.
• When 4.0, or Ice Cream Sandwich, came out in November, every device on this list was another major version behind.
• At least 16 of 18 will almost certainly never get Ice Cream Sandwich.

• There are three primary ways that malware infects a mobile device
• The most significant is piggybacking off a legitimate application
• Generally the malware author will download a popular legitimate application from an app store, disassemble it, compile in the malware, then re-upload it to the app store as a different version
• Angry Birds, one of the most popular applications, had at least one version infected in this fashion
• Sometimes the malware isn't included, just some code to download the malware as an in-app upgrade once the program is started
• Malware can also be loaded by tricking users to go to malicious web sites that then attack via browser vulnerabilities – just like in the desktop world

• The single biggest source of malware for mobile devices is the various app stores
• Neither Apple nor Google does much to vet software for security issues
• Although Apple seems to do a slightly better job
• Google is starting to make changes – it remains to be seen how well they will do
• In addition to the official Android Market, Android devices can also "side load" applications and download applications from unofficial app stores
• As you might expect, the unofficial Android stores contain significantly more malware
• To make matters worse, with Android in particular, the security model depends on the end user to make a determination regarding the specific permissions granted to the application
• Most users just blindly accept whatever the application asks for
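Because the Android model leaves the permission decision to the user, one defensive control an enterprise can apply before an app is allowed onto managed devices is to read the permissions an APK declares and compare them against what the app's stated purpose justifies, which is exactly the over-privilege problem (contacts, location, billable SMS) the "application security" concern in section 1 describes. The code below is an added example written for this report, not code from the page or from any vendor. The manifest `SAMPLE_MANIFEST`, the package name, the sensitivity grouping in `SENSITIVE` and the per-purpose policy in `JUSTIFIED_BY_PURPOSE` are all constructed; only the permission identifiers themselves are real Android permission names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical free game. The permission names
# are real Android identifiers; the app, package and the combination of
# requests are made up for the example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Free Game"/>
</manifest>
"""

# Permissions that expose the data the text says ad networks value
# (contacts, location) or that can cost the user money (SMS, calls).
# This grouping is the example's own policy, not an Android classification.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.SEND_SMS": "billable",
    "android.permission.CALL_PHONE": "billable",
    "android.permission.RECORD_AUDIO": "surveillance",
    "android.permission.CAMERA": "surveillance",
    "android.permission.READ_PHONE_STATE": "identity",
}

# Sensitive categories an app of a given purpose can plausibly justify.
# Constructed policy; an enterprise would tune this to its own needs.
JUSTIFIED_BY_PURPOSE = {
    "game": set(),
    "navigation": {"location"},
    "messaging": {"contacts", "billable"},
    "camera": {"surveillance"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"   # namespaced attribute key in ElementTree
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def review(manifest_xml, purpose):
    """Flag sensitive permissions the stated purpose does not justify.

    Returns a sorted list of (permission, category) pairs; an empty list
    means nothing in the manifest exceeds the policy for that purpose.
    """
    justified = JUSTIFIED_BY_PURPOSE.get(purpose, set())
    flagged = []
    for perm in requested_permissions(manifest_xml):
        category = SENSITIVE.get(perm)
        if category and category not in justified:
            flagged.append((perm, category))
    return sorted(flagged)


def verdict(manifest_xml, purpose):
    """'block' if an unjustified billable permission is present, 'review'
    if anything else is flagged, otherwise 'allow'."""
    flagged = review(manifest_xml, purpose)
    if any(cat == "billable" for _, cat in flagged):
        return "block"
    return "review" if flagged else "allow"


if __name__ == "__main__":
    for perm, cat in review(SAMPLE_MANIFEST, "game"):
        print(f"{perm}: {cat} access is not justified for a game")
    print("verdict:", verdict(SAMPLE_MANIFEST, "game"))
```

The same manifest reviewed as a "messaging" app is flagged only for location, which shows why the policy has to be keyed on what the app claims to do rather than on a fixed list of forbidden permissions.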

• As it stands right now, there are only very limited anti-malware protections available
• There are some tools to scan email attachments, but this is really focused on preventing forwarding of malware rather than preventing local device infection
• Ironically, it's the architecture of the device operating systems, which keeps each application in its own segregated application space, that also prevents anti-malware software similar to what we see on the desktop
• Desktop-like anti-malware would require a jailbreak
• Jailbreaking devices, popular on both iOS and Android, breaks the security model of each application in its own space
• Jailbroken devices are much, much more likely to be infected with malware
• By the jailbreak itself
• By other malware that takes advantage of the removal of security by the jailbreak
• Best options currently: user training and education, blacklisting known malware, not allowing jailbroken devices

Managing Mobile Devices

• APIs built into the mobile operating systems allow management of the devices
• Each OS has its own specifics; there is no standardization
• Currently Apple's MDM API is by far the most capable and flexible
• Allows restrictions on device passcode length, complexity, expiration, re-use history, # failed attempts before wipe
• Deny or allow use of various applications, restrict some application settings to administrator-prescribed settings, allow or deny cloud backups, force various browser and application settings, lock device, and clear passcode
• Apple MDM APIs can provision email accounts including username and password
• Allows either a corporate wipe or a full wipe
• Android MDM APIs are much weaker than iOS, though slightly better in 3.0
• Android APIs provide much less control – essentially a limited subset of password controls
• One of the most significant problems with the Android API is the lack of an "enterprise wipe" – it's a nuke from high orbit only
• Lack of enterprise wipe is a significant problem, especially in BYOD environments – no way to avoid deleting personal data
• Additionally, our testing shows that sometimes the device does not even restore to the configuration and software that came from the carrier

• Samsung SAFE devices – custom APIs to allow much greater control of security on a limited subset of new Samsung Android devices
• It is possible that LG might be coming out with additional MDM APIs of their own also.

Two Primary Architectures for Mobile Device Management

• "API Based" and "VPN and Proxy"
• API based – installs restrictive profiles on the device, generally using some additional agent
• Once the profiles are installed, all communication between device and network services is direct – MDM plays no part in the communication
• Agent does on-device monitoring and compliance checking – reports back to the MDM service periodically
• Can verify compliance with required security settings as well as detect jailbreaks and installation of blacklisted software
• There is another component, eliminated from this drawing for simplicity
• Both Google and Apple have a mechanism for store-and-forward asynchronous messaging between the MDM provider and the device
• These allow MDM to send a message to the device, and for that message to be held until the phone is online
• When it comes online it can then respond to the message by checking in with the MDM service
• Apple's is called the Apple Push Notification Service, or APNS
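The compliance check the API-based architecture performs at each agent check-in evaluates the controls listed under "Managing Mobile Devices" above (passcode length, complexity, expiration, re-use history, failed attempts before wipe) together with encryption state, jailbreak status, OS version and blacklisted software. The following is an added example written for this report, not code from the page, from Apple's or Google's MDM APIs, or from any MDM vendor. The policy values in `POLICY`, the `DeviceReport` fields and the two sample check-ins are constructed to show the evaluation; a real agent would populate the report from the platform's management API.

```python
from dataclasses import dataclass, field

# Constructed enterprise policy covering the controls the slides attribute
# to MDM APIs. Values are illustrative, not a recommendation from the page.
POLICY = {
    "passcode_min_length": 6,
    "passcode_require_complex": True,
    "passcode_max_age_days": 90,
    "passcode_history": 4,
    "max_failed_attempts": 10,
    "require_encryption": True,
    "allow_jailbroken": False,
    "min_os_version": (4, 0),
    "blacklisted_apps": {"com.example.knownmalware", "com.example.tetherhack"},
}


@dataclass
class DeviceReport:
    """What an on-device agent reports at check-in (constructed field set)."""
    device_id: str
    os_version: tuple
    passcode_min_length: int
    passcode_complex: bool
    passcode_max_age_days: int   # 0 = passcode never expires
    passcode_history: int
    max_failed_attempts: int     # 0 = no wipe threshold configured
    encrypted: bool
    jailbroken: bool
    installed_apps: set = field(default_factory=set)


def evaluate(report, policy):
    """Return the list of policy violations for one device report."""
    v = []
    if report.passcode_min_length < policy["passcode_min_length"]:
        v.append("passcode too short")
    if policy["passcode_require_complex"] and not report.passcode_complex:
        v.append("passcode complexity not enforced")
    if (report.passcode_max_age_days == 0
            or report.passcode_max_age_days > policy["passcode_max_age_days"]):
        v.append("passcode expiration too long")
    if report.passcode_history < policy["passcode_history"]:
        v.append("passcode re-use history too short")
    if (report.max_failed_attempts == 0
            or report.max_failed_attempts > policy["max_failed_attempts"]):
        v.append("failed-attempt wipe threshold missing or too high")
    if policy["require_encryption"] and not report.encrypted:
        v.append("storage not encrypted")
    if report.jailbroken and not policy["allow_jailbroken"]:
        v.append("device is jailbroken")
    if report.os_version < policy["min_os_version"]:
        v.append("OS version below minimum")
    # Blacklisted software: intersect what is installed with the deny list.
    for app in sorted(report.installed_apps & policy["blacklisted_apps"]):
        v.append(f"blacklisted app installed: {app}")
    return v


def fleet_report(reports, policy):
    """Map device_id -> violations; a compliant device maps to an empty list."""
    return {r.device_id: evaluate(r, policy) for r in reports}


# Two constructed check-ins: a compliant handset and one with many issues.
SAMPLE_REPORTS = [
    DeviceReport("ios-0001", (5, 1), 6, True, 90, 4, 10, True, False,
                 {"com.example.mail"}),
    DeviceReport("android-0002", (2, 3), 4, False, 0, 0, 0, False, True,
                 {"com.example.mail", "com.example.knownmalware"}),
]

if __name__ == "__main__":
    for dev, problems in fleet_report(SAMPLE_REPORTS, POLICY).items():
        print(dev, "COMPLIANT" if not problems else "NON-COMPLIANT")
        for p in problems:
            print("  -", p)
```

The evaluation is deliberately a pure function of the report and the policy, so the same code can run in the MDM service on what the agent sends back, or on the device itself before deciding whether to check in.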

• The other primary architecture is the VPN and Proxy method
• VPN and Proxy – forces all traffic back to an enterprise proxy via IPSEC VPN
• Proxy may be in the enterprise data center, cloud, or vendor site(s)
• Again, there is usually an agent that does on-device monitoring and compliance checking
• May allow browser content filtering and URL blacklisting
• May provide email filtering on cloud email/personal email
• Architecture could allow for network-based DLP
• Architecture could allow for IDS/IPS and other network-based malware detection/protection
• On iOS, forces an automatic VPN configuration

• In general, the VPN-based architecture will provide a higher level of control and security
• However, as always, it comes at a price
• Requires all traffic to come back to the proxy – eliminates many of the advantages of cloud-based enterprise services, e.g. email
• Depending on enterprise architecture, may increase bandwidth requirements and costs – particularly if the proxy is in the cloud, could double or quadruple bandwidth costs
• Possible reduction in fault tolerance – issues with the data center may take all mobile devices offline
• For global companies, and/or those with a highly distributed mobile work force, VPN and Proxy might require building out a global infrastructure to support them
• However, one of the biggest issues with VPN and proxy: there is no IPSEC VPN possible on Android 2.x devices
• Android 2.x is by a long way the majority of Android devices in the field today
• The only way to support it on Android 2.x is a custom ROM – essentially your own jailbreak
• This raises huge device management issues for a remote work force and help desk.
• There are other, non-technical issues that any enterprise considering smart mobile device integration should consider
• Especially if the enterprise will be providing help desk service for mobile devices

• Consider that the current crop of devices are consumer devices
• Also, if the enterprise is using, or intends to use, cloud services for email/contacts/calendars such as Google Apps – which we see a lot and which is often associated with a mobile initiative
• Realize that many of these services are consumer-focused services as well
• Additionally, the mobile device vendors and the cloud service providers aren't talking as often as they should
• Also, Mobile Device Management software is still early stage technology
• Take a look at the Gartner Magic Quadrant for MDM; they are almost all in the lower left Niche Player/Start-up quadrant
• When you try to combine two consumer items, the mobile device and the cloud service, and manage it with an early stage technology, you will not get enterprise grade service levels
• It's simply not possible

• Also, especially in large enterprises, properly integrating mobile devices into the enterprise is likely to require some organizational reshuffling
• We all know how smoothly that is likely to go
• It is imperative to realize the latest crop of smart mobile devices are not just phones
• They are generally as powerful as a 3-4 year old laptop
• They should not be considered a telephone; they should not be managed like a telephone
• When coupled with always-online technology, and some of the other concerns I've discussed, it should be clear that smart mobile devices should be managed through IT/technology channels
• And that security policies and procedures must be reviewed and properly applied to the devices and the business processes
• In particular, HR processes around separation are critical for enterprise data protection
• Timely recovery and/or erasure of enterprise data.

• Integrating smart mobile devices into the enterprise also brings additional liability risks
• This is particularly true if you are allowing BYOD
• There is a potential for wiping an employee's personal data from their device if the enterprise is managing it
• Either accidentally, or deliberately – particularly at separation
• What happens if this is the employee's only picture of his dead Granny? – Actual case!
• What happens if the employee then goes to work for another company, and your HR processes don't get around to wiping his or her device until a few days later?
• Now you are wiping some other company's data off their employee's device
• Remember – there is no such thing as a selective wipe in Android – it's a nuke from high orbit

• Also, consider that smart mobile devices aren't for everyone
• Consider making only certain job functions or payroll bands eligible
• Also, consider the costs/impacts of rising help desk calls with these devices
• It might also be worth reviewing employment terms for non-exempt employees and hourly contractors.
• If they are receiving enterprise email on their phone at night, is there an expectation that they respond, and has that been communicated clearly?
• If so, how does that impact hours worked or billing? Can they bill for that time? What about the intervening time between the end of the day and the 2am email?
• What if the employee is on vacation? Can he or she now claim that is not a vacation day?
• Another critical issue to consider for enterprises that utilize cloud services, for email or customer management for example
• If you do not integrate provisioning of these services and mobile devices with some sort of central Identity Management mechanism, and mobile device users have a password rather than using SAML or OAuth, the enterprise has very little visibility into and control over the data
• It is impossible to ensure that data is erased as it could have been synched anywhere

• A final consideration must be given to the enterprise's statutory and regulatory obligations when it comes to data on mobile devices
• Consider PCI, GLBA, HIPAA, FTC Red Flags
• If a device is lost, and there is a possibility of regulated data on it, it may trigger obligations for reporting and breach notification
• For global companies, it is likely that EU Data Protection laws may impact the monitoring and management of devices in those regions
• In which case your US-based data center must comply with the Safe Harbor principles
• Also consider the use of these devices by your executives and board members
• It is worth determining if they need additional protections
• And what the legal and other implications of a potential breach of security on one of their mobile devices would be.

Concluding remarks

• Mobile devices are ubiquitous
• The power and connectedness of mobile devices is increasing rapidly
• IT departments are under increasing pressure to integrate them into the environment
• There are significant technical and non-technical risks to using mobile devices in the enterprise
• Particularly if BYOD is considered
• IT, InfoSec, HR, and Legal at a minimum need to be involved in the decision making process
