As the world of computers, mobile devices, and technology in general, continue to exponentially evolve, so too must our need and desire to secure our communications, our data, and to that end our privacy. There is hardly a day that goes by anymore that we don’t hear of some major security breach of a large corporation, but this also directly impacts the individual. We have to make a concerted effort to protect our information – particularly on our mobile devices. Our mobile devices are inherently difficult to secure because they send their data over WiFi, which is susceptible to man-in-the middle attacks. We must pursue the security of our data on our mobile devices passionately. People nowadays carry so much private and more importantly valuable information on them that we just absolutely have to protect it. Particularly in this age of BYOD (bring your own device) to work. An even more difficult realm for the infosecurity folks trying to protect their networks. How does one protect a device on a network from malicious intent? How does one keep viruses, Trojans and worms off of the networks when everyone seems to be plugged in to their devices? This article intends to describe some steps that one can take to protect their mobile device both locally by encrypting the mobile device itself and also by utilizing apps that help to secure their email and telemobile device conversations from malevolence.
As noted on the previous article on State of Security released on June 17, 2014, Brent recently discussed 3 tips for BYOD, which were to get these devices off of the production networks, teach people about mobile device security, and finally use what you already have to your advantage when it comes to your own architecture when developing BYOD policies and processes.
There are numerous steps that the IT folks can take to help secure their networks in this age of BYOD as mentioned in our previous article, but there are also some very simple and usefultips that we can all follow that will help us in protecting our mobile devices too.
Every company should have policies in place regarding the use and misuse of BYOD devices. This must include encryption of the data and remote wiping of the data if the device is lost or stolen, (such as Find my iMobile device, Android Lost, Mobile Security, and Autowipe,). Assuming the BYOD device is under the company’s control. If not then as mentioned in the previous article getting these devices off of the production network is a must. Every company should at least require authentication and hopefully two-factor authentication of the device. This would allow the organization some degree of control when it comes to resetting passwords, locking the device when it’s not in use, logging, etc. If it’s not, then asking employees to adhere and sign a code of conduct with regard to their device is a must, as well as periodic employee education. A quick Google search will reveal apps that can help with two-factor authentication too. Such as RSA Secure Alternative, SMS passcode, and Duosecurity.
The next step is to encrypt the mobile device itself upon ending your session. Thereby protecting your information from even the apps that you currently having running on the mobile device itself. All apps go through an approval process where they are tested, validated and checked for security, but there have been times where an app passed through such a process and still contained malicious code that sent back stolen personal information to the attacker. This is a particular issue in the Android market. Companies such as Cryptanium and Arxan offer integrity protection, jailbreak detection, anti-debug detection and reverse engineering protection. So if a attacker does manage to get ahold of your device it makes it much more tamper resistant.
Apps that offer encrypted communication such as voice, video, text and/or file transfers are also a consideration. Silent Circle, Redmobile device and Whisper Systems offer such encrypted communication for a fee. Wickr and Cryptocat do this too, but are free. If you are just interested in encrypted text messages (SMS) then perhaps Babel, Whisper, or Akario is for you.
In today’s mobile device market there are a plethora of apps many of which do what they describe when it comes to helping to protect our information. Yet as with anything else if there is a will, there is a way, this is particularly true for those that mean to steal our information. If they have a desire to acquire your information they will make a concerted effort to try to extract it from your device. It is up to us to make it as difficult as possible for them to ever get it. For now there does’t seem to be a lot of apps that actually encrypt all of your information locally to the mobile device. Or if it does offer some degree of encryption then it does so over a potentially vulnerable, networked platform. In short there is no single magic bullet that will encrypt all of your mobile devices data and communications for free, but there are some out there for a fee will offer to do so. The other issue that arises is if you use said company do they have access to the information that you were trying to protect in the first place. What’s to keep a rogue employee from accessing your data? All of this can make your head spin. The moral of the story is to make good choices, use your common sense and don’t put anything on a mobile device that you aren’t willing to share with others. Be safe out there.
Preston Kershner is new to the info-security family, where he has a variety of lateral interests in topics such as cybersecurity, information security, incident handling and response, computer forensics and malware analysis. Preston has been in the medical field for over 20 years and is currently transitioning into the infosec community. When not being an information junkie, Preston enoys spending time with his family. He also enjoys learning everything he can about astrobiology (the search for exoplanets that have a potential to habour life). You can follow Preston as he continues to expand his knowledge and experience in these realms at http://www.linkedin.com/pub/preston-kershner/3a/493/965/ & follow him on Twitter (@redman7373).
Brent Huston is the Security Evangelist and CEO of MicroSolved, Inc. He spends a LOT of time breaking things, including the tools/techniques and actors of crime. When he is not focusing his energies on chaos & entropy, he sets his mind to the order side of the universe where he helps organizations create better security processes, policies and technologies. He is a well recognized author, surfer, inventor, sailor, trickster, entrepreneur and international speaker. He has spent the last 20+ years dedicated to information security on a global scale. He likes honeypots, obscure vulnerabilities, a touch of code & a wealth of data. He also does a lot of things that start with the letter “s”. You can learn more about his professional background here: http://www.linkedin.com/in/lbhuston & follow him on Twitter (@lbhuston).
It should be noted that some of the apps are free, some apps are cloud-based, some are open source and some are at a cost to the consumer. In no way do we endorse the applications in this article.