Computerworld

How to secure your smartphone

How to secure your BlackBerry, iPhone or Android device

Making sure the data on your smartphone is secure is imperative for any individual and organisation. So we've pulled together a few articles to help you start thinking about smartphone security.

We've got one each on the iPhone, BlackBerry and Android along with an article on securing smartphones on corporate networks.

First up is the Android.

Secure Your Android Phone

Protect your Android device--and the data stored on it--with built-in tools and helpful third-party apps.

By Robert Strohmeyer, PC World

Whether you paid $500 for your Android phone or got it for a pittance with your new cellular contract, it's a good bet that the data stored on your handset is at least as valuable as the device itself. If your phone is ever lost or stolen, either you'll be glad you took precautions to protect all that data, or you'll sorely wish you had done so. In this article, I'll walk you through setting up Android's built-in security tools and suggest a few third-party extras that add valuable safeguards for your personal information.

Lock Your Phone

Unlike the BlackBerry and other mobile handsets that use alphanumeric passcodes to keep interlopers from messing with your data, Android uses a novel system called an unlock pattern. Rather than punch in a code on a keypad, you swipe your fingertip across the screen in a prespecified pattern, connecting a series of dots along the way. If the pattern you swipe matches the pattern previously entered into the phone's memory, the phone unlocks. If it doesn't unlock, try again.

Like a passcode, the security of an unlock pattern is directly related to the number of data points it contains. Just as a six-digit code is likely to be safer than a four-digit one, a pattern connecting six dots will be harder to break than one with only four dots. (And four dots is the minimum number of points for any unlock pattern.) To set a passcode in Android, open the Settings menu and tap Location & security. If you haven't set an unlock pattern before, you'll see Set unlock pattern listed under the Screen unlock pattern heading. If there's already an unlock pattern in place, it'll say Change unlock pattern. In either case, tap that option to get to the Draw an unlock pattern screen. (If you already have a pattern entered, you'll need to confirm it before creating a new one.)

You can begin drawing your new unlock pattern by touching your finger down on any dot on the screen and then swiping your finger over nearby dots to connect them in any pattern vertically, horizontally, or diagonally. The more dots you connect, the better, and more complex patterns will be more secure than simple patterns. While it may be tempting to, say, connect four dots in a simple L shape, doing so will likely result in your phone being breached by the first interloper to pick it up. Sadly, convenience and security can sometimes be mutually exclusive, and this is definitely one of those cases. If you really want to lock your phone, don't wimp out on the unlock pattern.
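The link between dot count and pattern strength described above can be put into numbers. The following Python sketch is an added example, not part of the original article; it assumes the standard 3x3 Android grid, that each dot is used at most once, and that a stroke cannot jump over a dot that has not yet been used, and it sets the counts beside numeric PINs of the same length.

```python
"""Count valid Android unlock patterns on the 3x3 grid, by number of dots.

Assumptions (not stated in the article): each dot is used at most once, and
a stroke may not pass over an unused dot (0 -> 2 requires 1 already used).
Dots are numbered 0..8, row by row.
"""
from functools import lru_cache

MIN_DOTS, MAX_DOTS = 4, 9  # four dots is the minimum the article gives


def midpoint(a, b):
    """Return the dot lying exactly between a and b, or None if there is none."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


@lru_cache(maxsize=None)
def _extend(last, used, remaining):
    """Number of ways to add `remaining` more dots after `last`.

    `used` is a bitmask of the dots already in the pattern.
    """
    if remaining == 0:
        return 1
    total = 0
    for nxt in range(9):
        if used & (1 << nxt):
            continue  # dot already in the pattern
        mid = midpoint(last, nxt)
        if mid is not None and not used & (1 << mid):
            continue  # stroke would jump over an unused dot
        total += _extend(nxt, used | (1 << nxt), remaining - 1)
    return total


def patterns_with(dots):
    """Number of valid patterns that connect exactly `dots` dots."""
    return sum(_extend(start, 1 << start, dots - 1) for start in range(9))


def is_valid(pattern):
    """Check one pattern (a sequence of dot numbers) against the same rules."""
    used, prev = 0, None
    for cur in pattern:
        if not 0 <= cur < 9 or used & (1 << cur):
            return False
        if prev is not None:
            mid = midpoint(prev, cur)
            if mid is not None and not used & (1 << mid):
                return False
        used |= 1 << cur
        prev = cur
    return MIN_DOTS <= len(pattern) <= MAX_DOTS


def keyspace_report():
    """Rows of (length, unlock patterns of that length, PINs of that length)."""
    return [(n, patterns_with(n), 10 ** n) for n in range(MIN_DOTS, MAX_DOTS + 1)]


if __name__ == "__main__":
    print(f"{'length':>6} {'patterns':>10} {'PINs':>14}")
    for n, patterns, pins in keyspace_report():
        print(f"{n:>6} {patterns:>10,} {pins:>14,}")
    print("all patterns:", f"{sum(p for _, p, _ in keyspace_report()):,}")
    print("simple L shape 0-3-6-7 valid:", is_valid([0, 3, 6, 7]))
```

Under these assumptions a four-dot pattern has 1,624 possibilities against 10,000 four-digit PINs, and all patterns from four to nine dots together come to 389,112, fewer than the one million six-digit PINs. Longer patterns do enlarge the search space, but the simple shapes people favor occupy only a small corner of it.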

Where's Your Phone?

Whether you've let it slip between the sofa cushions, left it on a restaurant table, dropped it in a busy airport, or had it stolen out of your car, a missing cell phone can be hard to recover. Fortunately, Android's built-in GPS functions can make it easy to find a phone that's gone AWOL--if you're running the right software. The Android Market offers several good apps for tracking down a missing handset.

One of the simplest location trackers for Android is called Where's My Droid. This simple GPS-driven app lets you create a secret "attention word" or passphrase that you can use to trigger a find-me mode on your phone via text message. When your phone goes missing, you'll have two options: Either text your standard attention word to trigger a loud ring that will let you find the phone when you're sure you're within earshot, or text your GPS attention word, and the phone will reply with its exact latitude and longitude so you can drive to its location and pick it up. While this app won't do anything to protect your data from theft, it does make it easy to recover a phone that's simply vanished from sight.

Advanced Security

For more robust security options coupled with the ability to track your phone's whereabouts, two good options stand out. TenCube WaveSecure and Mobile Defense both give you the ability to locate your phone via a secure Web site, so you can not only get the GPS coordinates of your device, but also see that location on a map. And like Where's My Droid, both services let you set off an alarm on your phone that will make it easy to locate if you're within hearing range.

If your phone is truly lost, WaveSecure and Mobile Defense both offer additional tools to help you get your phone back. With each, you can remotely lock or unlock your phone to either prevent thieves from getting at the phone or enable a good Samaritan to get in if so desired. More important, you can use these apps to remotely back up and then wipe all your personal data off the device in the event that nobody turns it in to you--so you can not only get your latest data back, but also protect it from falling into the wrong hands.


Eight easy steps to iPhone security

Apple's irresistible iPhone is a prize for thieves, vandals, and hackers too. Follow these tips to protect your device and its data.

By Tom Yager, InfoWorld

As someone who's been around the block a few times with mobile technology, I get a kick out of lengthy treatises on the practices one should follow to keep the information on your iPhone secure. They follow a commonsense pattern: Use a PIN, set the device to auto-lock after a minimal delay, set it to blank itself after a limited number of invalid unlock attempts, block access to the App Store, use Safari's security defaults, and use WPA2 security for Wi-Fi. This is helpful, but it isn't enough. Users of the iPhone, and mobile devices in general, deserve the big picture regarding the balance of security and convenience.

When you leave the store with your shiny new phone, you accept sole responsibility to protect your investment. It's not the manufacturer's or seller's job to keep your property safe. They've built in mechanisms that, if used as documented, will reasonably protect your phone and the information it contains. If the phone gets swiped, pillaged, or vandalized, it is either your fault or bad luck, and when bad luck plays a hand, it's likely that you contributed to the circumstances. Here are eight uncommon things you can do to steer the odds in your favor.

1. First and foremost, never, ever leave your iPhone unlocked. You've heard that, but you haven't heard how to make it painless: Practice. Whenever you'd ordinarily be bending paper clips or generally goofing off at work, sit in your chair and lock and unlock your phone over and over again until it's as natural as twiddling your thumbs. Practice with your nondominant hand. Practice with one hand concealing the other. Practice with your eyes closed. Practice with the display facing the floor. When entering your PIN becomes ingrained into muscle memory, you'll never be tempted to disable the lock to save time, and even sharp-eyed shoulder surfers can't watch you enter your PIN. As a bonus, you will never forget your PIN. Try it; it works.

2. Keep up with Apple firmware updates. Apple's well-publicized flaw that allowed access to the address book via the emergency call mechanism was repaired, but only if you applied the patch. Unfortunately, Apple requires the use of desktop tools for firmware updates: Users must run Apple Software Update on their Mac or PC to grab them from iTunes when they become available. I think that's poor design, especially when BlackBerry and Android demonstrate the ease with which OTA updates can be performed. In an enterprise setting where OTA firmware updates aren't possible, IT should send iPhone users a broadcast SMS alerting them that they need to dock to iTunes to load an urgent fix. When running iTunes at a work desktop is forbidden by policy (as it should be), easy access to IT-controlled update stations should be arranged.

3. Put your iPhone on a leash. Keeping your phone with you provides the only impenetrable shield against theft or tampering. A comfortable, fashionable holster that suits your style makes it less likely that you'll nonchalantly toss your phone in your bag when you leave the house. Don't choose a jacket pocket, a backpack compartment, or any container from which you walk away. In the same vein, don't let anyone borrow your iPhone. Even your best friend could leave your iPhone behind, take out his curiosity on your device, or get hoodwinked by a malicious hacker. Treat your iPhone as you do your wallet.

4. Secure your iTunes host. Your PIN affords you little protection if someone gets hold of your computer. That's because your PC or Mac keeps a complete image of the flash memory in your iPhone. From this recovery image, a skilled hacker could read all of the data on the phone. It only takes a few seconds to move that firmware image from your disk to a thumb drive. And it takes little time or skill to replace that image with one that can reflash your iPhone's firmware with something nasty. The smartest way to go is to keep your iPhone backups on your own thumb drive. This makes automatic restores and updates slightly more challenging, but it's worth it.

5. Don't jailbreak your iPhone. The iPhone jailbreak process purposely disarms the mechanisms that Apple created to protect your data. With App Store, a trusted party tests and vouches for the software, and Apple can trigger an uninstall of an app if a risk is discovered later. The protections offered by open source projects -- multiple contributors, readily viewable code, and a central location for comments and fixes -- don't exist in the jailbreak world. I'll grant that jailbreaking an iPod Touch or a retired iPhone can be good fun. Relying on a jailbroken iPhone as your primary mobile device is idiotic. It's so quick and easy to jailbreak an iPhone that it takes a minimum of social engineering to trick a trusting user into bypassing Apple's built-in guard against modified firmware. It's a simple sell: By holding down one key while clicking Restore, you don't waste time waiting for new firmware to download from Apple. Don't fall for it. Always download firmware directly from Apple.

6. Hide sensitive data in plain sight. The iPhone has no device-wide data encryption. It does support encrypted databases, but the inconvenience of having to unlock the data every time you want to read it may limit your use of it. As an alternative, hide some of your most sensitive data in plain sight by scattering it across nonobvious places, like your iPod library and browser bookmarks. Embed what you really need to protect in nontext form, such as buried among lots of images or audio, to avoid discovery by string scanning of your desktop or firmware. As a bonus (or not, in some cases), using iPod files syncs your secrets across iPod, iTunes, MobileMe, and AppleTV.

7. Use FileVault on the Mac or EFS on Vista. On a Mac, create a separate user account with a strong password, apply FileVault protection (using System Preferences), and activate and manage your iPhone exclusively from that account. If you never leave that account logged in, you can reinforce other desktop protection methods or skip them entirely. On Windows Vista, consider using Encrypted File System (EFS) to encrypt the entire iTunes file tree. Neither of these methods protects data on your iPhone, but both guard against insertion of doctored firmware or simple copying of data.

8. If you use the iPhone professionally, use Exchange Server for its back end. Exchange Server keeps backups of all messages and mail settings, and most important in my book, it supports remote device blanking. In fact, Exchange is the only way to blank a remote iPhone. One drawback of remote blanking from Exchange Server is that it takes several hours -- eight, by Apple's estimation. But because the mail client is always running, a remote blank can only be circumvented if the thief is smart enough to disable your Exchange account before you discover your iPhone is missing. That's something he can't do because, of course, you've PIN-locked your device. Make sure that you or your IT department knows how to blank your device, and don't be shy about triggering a remote blank even if you just suspect your device is missing. You can always recover your data if you find your device. Several service providers offer hosted Exchange Servers for a small monthly fee. Call to make sure that the provider offers either Exchange Server 2003 with mobile extensions or Exchange Server 2007, and ask whether users are allowed access to Exchange Server's management console. Without management console access, you can't remotely blank your phone.

Apple designed the iPhone as a consumer device, so it's heavy on convenience and light on security. If you want protection, you have to accept some pain. Fortunately, it doesn't take a lot of time or tech savvy to keep what's in your iPhone for your eyes only. The oft-repeated recommendations alluded to in the beginning of this story are all worthwhile, but if you augment them creatively, you'll befuddle the bad guys with techniques they hadn't considered and that don't yield to automated cracks. Never overlook unorthodoxy as a means of protection.


How can employee-owned mobile devices be secured and managed on corporate networks?

Companies increasingly allowing employees to keep their iPhones or other devices, but with strings attached

With the rise of personal mobile devices, a growing number of enterprises have scrapped the homogeneity mandate: instead of requiring employees to use a standard smartphone, more IT departments are now looking at some degree of control over employee-owned (or "employee-liable") devices, to manage and secure them.

"The corporate standards dam is breaking, as platforms like Android and iPhone push their way into the enterprise," says Gartner Vice President Phillip Redman. "Most companies will accept these, and prepare guidelines and processes for managing and securing them." Best practices, Redman says, include "segmenting users into work styles by mobility and application requirements, and matching up device choices." Another key: adopting a mobile device management platform or service to help manage the use, configuration and security of these devices.

The approach needs to be systematic and comprehensive, says Khoi Nguyen, group product manager for the mobile security group at Symantec. Crucial elements are: general device and application management; security features to ensure policies are in place, enforced and up-to-date; and alerting and reporting on unauthorized access.

Whatever the details, the overall process "boils down to a regimented and policy-driven approach that recognizes that smartphones and other mobile devices need equal treatment because they've become equally important with other IT assets," says Tom Henderson, managing director of ExtremeLabs.

"Nothing technologically prevents this," says Enterprise Mobility Foundation President Philippe Winthrop. Instead, he says, the real issues are cultural. "There has to be a recognition by the individual [employee] that e-mail is corporate intellectual property," Winthrop says. "And if you're looking at more than e-mail, then the company has every right to secure that information."

A growing number of companies are formulating written mobile policies and requiring employees to read, understand and sign them before they have access to e-mail and other data from their device. One of Winthrop's neighbors bought a new iPhone 4, and his company's IT department installed, via the App Store, the corporate-mandated secure messaging platform. That will become increasingly common, Winthrop says.

"The big question surrounds legal issues -- agreements between employees and employer -- and placing an enterprise-owned agent on an employee's handset," says Craig Mathias, of the Farpoint Group mobile consultancy.

It's the start of a whole new relationship between mobile device users, in dual roles as individual consumer and employee, and the company for which they work.


BlackBerry Security Basics: Five Tips to Keep Your Smartphone Safe

BlackBerry smartphones are known for security, but if you don't know the common gotchas, your new or "unsecured" BlackBerry device could be a disaster waiting to happen. CIO.com's "CrackBerry" addict Al Sacco offers five BlackBerry security tips to fix your smartphone security holes and reduce unnecessary risk.

By Al Sacco, CIO

CIO — BlackBerry has gained a reputation in the mobile space during the past decade or so as the "most secure" handheld device and mobile platform available. That's largely due to RIM's BlackBerry Enterprise Server (BES) software for corporate e-mail deployments, which has earned high-level security certifications from some of the world's most demanding information-security organizations, including the U.S. National Institute of Standards and Technology (NIST); Canada's Communication Security Establishment (CSE); and the U.K.'s Communications Electronic Security Group (CESG), among others.

That's all fine and good for corporations looking to secure infrastructure and resources associated with their BlackBerry deployments. But no amount of security certifications can make up for an uninformed and/or careless BlackBerry user.

That's why, as a BlackBerry smartphone owner, you need to do your part to keep your device, and all the information on it, secure; whether you're a corporate BlackBerry user on a BES or a BlackBerry Internet Service (BIS) customer, you can manage a number of quick and easy security safeguards on your own...and you'd be wise to do so if you'd prefer that personal and/or sensitive data on your device remains "for your eyes only."

Here's a detailed list of five tips you can use to reinforce your BlackBerry smartphone's security protections -- and perhaps reduce future headaches associated with a lost or stolen BlackBerry.

1) Password, Password, Password...One More Time: Password

If your corporate BlackBerry administrator doesn't enforce a password policy on your device or you're a consumer BlackBerry user on BIS, the very first thing you should do with your smartphone is enable password-protection. This is probably the single most important--and effective--BlackBerry security tip that anyone can offer you.

After all, there's little an average perpetrator can do with a locked-down BlackBerry, besides erase its contents.

To enable a new password for your BlackBerry smartphone, simply open your BlackBerry Options menu, then scroll down to and click the word Password. On the following screen, select the Password field and then enable the option via the corresponding pop-up box.

From there, hit your BlackBerry Escape key--located directly to the right of your track ball or trackpad--save your changes when prompted and then enter your new BlackBerry password. After typing the new password once, you'll be prompted to confirm your selection. Verify the password by typing it again, and your BlackBerry will be properly locked down. Just type your password again to unlock the device.

Employing a password that's easy to guess and/or determine defeats the purpose of password-protecting your device; pick a random password that isn't the word "password" or your birthday, etc. (Your BlackBerry password must be at least four characters.) And don't store that password anywhere on your BlackBerry, unless it's in the built-in password keeper app--more on that in a minute.

After enabling a BlackBerry password, you gain access to a number of related security options on the same screen. For instance, you can specify the number of failed password attempts you'd like to permit before your device locks itself down; you can pick a Security Timeout period for how long your device should remain unlocked before enabling the password; and you can choose to require a password whenever new applications are installed, to prevent apps from being installed without your knowledge.

2) Encrypt BlackBerry Device Data

Another way to help protect your BlackBerry device and the information stored within it is by encrypting your smartphone data. You can encrypt data stored on your device and/or your microSD media card. Doing so "scrambles" the information so it can't be transferred and interpreted if your device falls into the wrong hands or gets hacked.

To enable encryption on your BlackBerry, again open up your BlackBerry Options menu, scroll down to Security Options and on the following screen, choose Encryption. Then, open up the Encryption menu on the next screen and pick Enabled.

As soon as you enable the BlackBerry encryption option, a number of additional choices appear on the same screen, to let you customize your device encryption. For example, you can set your device/memory card encryption strength (strong, stronger and strongest) and fully encrypt your device memory, including contacts and media files. Or, you can choose to encrypt only your media card, so it cannot be removed and then inserted into another device to access stored information.

After enabling encryption, you may be prompted to tap BlackBerry keys to "generate random information for the new content key pair." This process is used to generate a new, random encryption key that'll help ensure your device and/or media card remain protected. Simply tap your BlackBerry keyboard until you're returned to the Security Options page. (Note: You may see some performance degradation after enabling device-memory encryption, especially if you choose the "strongest" setting, i.e., your BlackBerry may slow down a bit. So depending on your security needs, it could be a good idea to begin with the lowest encryption setting to see how it affects your handheld.)

3) Locking Down BlackBerry Bluetooth Security

All new BlackBerry devices have Bluetooth radios for connecting wirelessly to calling- and media-accessories, as well as for small-file transfers. Bluetooth can be invaluable to BlackBerry users, but it should be employed securely. For example, you can enable a number of Bluetooth options to secure connections to accessories and devices, as well as ensure you only connect to the desired gadgets.

To access your Bluetooth options, turn your Bluetooth radio on by opening the BlackBerry Manage Connections menu and checking the box next to Bluetooth. Next, while still on the Manage Connections screen, scroll down to and pick Bluetooth Options.

The following screen shows a variety of Bluetooth options, some of which are security-oriented. First, you'll see an option labeled Discoverable. This option lets you determine whether or not you want your BlackBerry to show up when nearby users search for Bluetooth-enabled devices. If you set the option to No, others will not be able to pair or connect with you via Bluetooth; you'll have to manually add them if you wish to connect. If you choose the Yes option, anyone with a Bluetooth device in range will see your BlackBerry if they scan for nearby gadgets. And the third option, 2 Minutes, means your device will be viewable to others scanning for Bluetooth devices for only two minutes after you make the change.

Setting BlackBerry Bluetooth discoverability to No is probably the most secure option, because no one will be able to connect to your device via Bluetooth. But I often use the 2 Minutes option, as well, to let other, known parties quickly connect to my device.

On the same screen, you can choose to allow or deny outgoing calls via Bluetooth--I use the "Always" option, because I frequently place hands-free calls via Bluetooth, with my device both locked and unlocked. You can also enable or disable your Bluetooth contact-transfer option, which allows you to quickly transfer BlackBerry contacts via Bluetooth. And there's a Security Level that lets you choose either High or High + Encryption to protect data sent and/or received via Bluetooth--the latter option scrambles data transferred via Bluetooth.

Finally, you can pick and choose which services you want to enable Bluetooth for--headset, hands-free, dial-up networking, etc.--to reduce possible security threats. So, for example, if you never use your device for wireless tethering, you could uncheck the Dial-Up Networking option.

4) Protect Passwords and Other Sensitive On-Device Data

It may be tempting to store passwords, payment card information or other login data on your BlackBerry, but there are right and wrong ways to do so. The wrong way is to simply store such information in saved BlackBerry e-mail messages, to-do items or notes, without any sort of protection. If your device falls into the wrong hands, a hacker could potentially search your inbox or message list for the terms "Visa," "Master Card" etc., in hopes of locating financial information that could lead to cash.

But if you protect all your passwords and/or sensitive information using something like RIM's built-in Password Keeper app, potential baddies looking for personal data would have to find not only a way into your device, but also a way to crack your password keeper.

To employ Password Keeper, simply open up the app--it ships with all new BlackBerrys--and create a password to protect all your other passwords. Obviously, this master password should be difficult to guess. Then simply hit your BlackBerry Menu key--to the left of the trackball/trackpad--and choose New to create a new password item. You'll be prompted for a Title, Username, Password, a Website and Notes, but you can use any of the fields to store whatever information you wish.

You may also want to check out RIM's BlackBerry Wallet, which is designed to securely store payment information.

After storing information in either RIM's Password Keeper or BlackBerry Wallet, you simply open up the apps and enter your master passwords to access your sensitive data in the future.

5) Parting With Your Device? Make Sure It's Wiped

Whether you've upgraded to a new model, traded handhelds with a friend or colleague, or misplaced your BlackBerry, if you part with your device for any significant period of time, you should "wipe" it clean to ensure no sensitive information is lost.

Obviously, if you've lost or misplaced your device, or--gulp!--it was stolen, you can't wipe it on your own. But if you're on a corporate BES or BES Express, you can still have your BlackBerry administrator remotely wipe your device clean, assuming it's still connected to your organization's BlackBerry Server.

And it's best not to waste time; if you suspect your device has been nabbed, tell your BlackBerry administrator immediately, even if you think you may be able to find it. Mistakes happen and your admin should understand. Even if you locate the device in the future, it's safer to wipe it clean and simply restore your data from a backup, than take a chance of someone hacking your personal information. (You are backing up your BlackBerry regularly, right?)

If you're trading your device with a colleague or upgrading and sending off the device to Cell Phones for Soldiers or some equally deserving organization, you'll want to wipe your BlackBerry yourself before parting with it.