Friday, May 3, 2013

Smartphone security

Smartphone security is a topic I've had an interest in for several years.

It doesn't help that for my entire IT Security career I've worked for a major cell phone company.  During that time, I've seen the emergence of smartphones.  I had one of the early Windows-based phones, which was nice (tho limited).  Later I moved to an Android phone, which was even better.  (so far I've gone thru 3 Android phones)

And I've been watching how things have changed.  Early on at the company, we saw our executives make use of smartphones not just as a companion item (like the early PDAs), but almost as a replacement for their desktop/laptop computer.

This even led to our company coming out with products that better enabled smartphones to replace laptops, and we even had an internal project to show how this can be done with hardware and software.  I was part of this effort, and this really opened my eyes.

Other trends were moving forward that showed changes coming in the IT world due to smartphones (and tablets).  There was the emergence of the whole "Bring Your Own Device" (BYOD), where IT had to contend with users (usually high level execs) wanting to use their smartphones &/or tablets on the corporate network and accessing corporate data.  This led to the emergence of a whole "Mobile Device Management" field to address this.

Another trend that many haven't noticed is that we've hit a couple of tipping points.  Mobile devices (smartphones & tablets) now outsell traditional devices like laptops & desktops.  Now, some claim this is the "death of the PC", but I think that's foolish.  The PC will continue, it just won't continue as a device that almost everyone needs (when not everyone really needed one in the first place).  We have also seen that smartphones now outsell "feature phones" (non-smartphones), which should surprise no one.

I certainly think that for some people, a smartphone (or tablet) may be their FIRST computing device.  And for some of those people, may be their ONLY computing device.

So what does this all have to do with security?

We need to keep in mind that smartphones (and tablets) are computing devices.  They ARE computers.  They have OSs, they have data, and they have access to (and are accessible by) networks.

This puts them on par with "real" computing devices, such as laptops and workstations.  This means they have many of the same security issues as those other devices.

Sadly, it seems that many don't want to view it that way.  We have many who think that these mobile devices are more secure than traditional computing devices.  They may be "more" secure, but that doesn't mean they are totally secure.  They are still vulnerable to malware.  They are still vulnerable to being hacked (tho often you need physical access to the device).  They still have security issues.

And considering how many of these devices are being used to access corporate data, maybe even storing corporate data, we need to be treating them in the same way we treat traditional devices.  What do we do with corporate laptops in terms of security?  What applications and policies are we applying?  Should we not be doing the same on these mobile devices?  (many often are, hence the growth of MDM)  But what about the average user?  Are they as mindful of security on their smartphone as they are on their laptop?  I bet not.

Several times I had conversations with my boss, where I expressed the concern that we will get some serious security breach via a mobile device.  I kept thinking of those incidents where someone downloaded a whole database of critical data on their laptop, which got stolen.  I keep wondering (and still do) as to when we will see something equivalent occur in the mobile device arena.  And I don't think I'm alone in this.  I think some of the mobile device security researchers out there think the same.  But they seem in the minority.

As I said, we'll revisit this concept more in the future.  We'll go more in depth on some of these points, and I'll share some of the things I've found out there as well.
