Security Trends in Mobile Devices

What do businesses need to know?

A new generation of mobile devices has emerged, shaking up the world of traditional corporate mobile phone usage, led by Apple and Google (with the iPhone and Android respectively). Furthermore, it is likely that Apple's iPad will follow a similar path to the iPhone towards mainstream popularity in the business world, at the same time creating a lucrative market for corporate tablet computing.

The new mobile phones are structurally radical compared to the previous generation of 'smart' phones in two key ways.

1. Greatly enhanced functionality
Continuous hardware development means these devices now have enormous processing power, equivalent to desktop computers of a few years ago.

This enables vendors to equip the devices with operating systems developed for PCs instead of creating customized phone operating systems. Apple has taken OS X from the Macintosh platform and created iOS; Google has taken the publicly available Linux kernel as the basis of Android. Limited mobile tuning does take place, mainly focused on reducing battery use, stripping functionality which makes no sense on a mobile phone and creating user interfaces that can be operated with fingers instead of a mouse. Yet the core of the operating system - with all its functionality - remains, allowing a huge variety of applications to be run on the phone. This means you can use the same browser, the same Google Maps and the same chat application on your mobile device as you use on your desktop.

Furthermore, advances in mobile connectivity allow these devices to be connected to the Internet more effectively and efficiently, and enable other interactivity such as GPS and the latest wireless networking. The resulting applications often rely on a continuous Internet connection. You can, for example, choose to no longer store a selection of your music on your mobile device but instead stream your entire music collection from the cloud without much difficulty.

2. Consumerization of mobile devices
This new generation of mobile devices has been designed with the individual consumer, not the professional market, in mind. Their manufacturers and retailers are also exceptionally successful at marketing their devices as the latest 'must have' accessory.
It is therefore not surprising that many employees now prefer their new personal phone over their corporate phone (based both on what it can do and how it looks). Instead of having two devices for corporate and private communications, they prefer to have the latest and easiest to use device handle both. This means that the private information of the user - such as social media interaction, private telephone calls, text messaging and web browsing - becomes intertwined with corporate information such as emails, documents (received, amended and sent) and calls.

New opportunities mean new risks
These differences present major new security risks, especially in relation to keeping sensitive personal and corporate data both secure and private.

Because these devices are based on standard operating systems and have a huge range of functionality, they will inevitably be exposed to a larger set of risks. Adapting PC-oriented operating systems for mobile use is also a new concept for manufacturers, as are new technologies like 3G and GPS, and the changed user interaction that comes with smaller screens for displaying security messages such as warnings about incorrect website certificates. As a result, the associated security measures around data sitting on - or being transported by - these devices are not fully mature or proven. Finally, the likelihood of attack is increased because the devices are almost continually connected to the Internet.

A good example of a not fully matured security measure is the device encryption of the iPhone, which implies that data is stored encrypted. That is true, but decrypting is as easy as powering on the device: an attacker who knows the pass code can then read email containing business critical information. Although the vendor has addressed this specific issue by providing added encryption for email, contacts and calendar items, it must be noted that this is far from all the data on the device, and this second level of encryption is not fully effective either: some double encrypted data can still be read.

Also, if an attacker doesn't know the pass code of the device, he can use freely available tools to remove vendor applied locks in a process called 'jail-breaking'. Jail-breaking can be as simple as browsing to jailbreakme.com on an iPhone, or running a one-button application on a computer with the iPhone connected, because critical vulnerabilities in the software components of iOS allow for low level removal of the 'jail'. Doing so has also been declared legal by a recent US copyright rule change (an exemption under the Digital Millennium Copyright Act).

The use of personal phones for corporate purposes makes it more difficult to enforce corporate policies around business communication, data privacy and security. Passwords used to log on to a personal website may be stored on the device and also be reused for a corporate website. Logical application errors may also leave logon credentials stored on the device, as a well known US bank recently encountered, effectively providing the information needed to check balances, transfer funds and pay bills. Ultimately, a lot more data exists on the devices, spread over a greater number of files and folders (not just email and calendar). Even where not all of these files are directly accessible to the end user, the data is still stored and can contribute to data leakage and privacy breaches. There are serious concerns about whether existing mobile security tools are geared up to cope.

What can be, or is being, done?
As the phone manufacturers do not currently provide complete security solutions, the market is open for third party vendors to provide businesses with them. These solutions range from enhanced capabilities for locking down the device to creating 'encrypted containers' on the device to hold corporate data. Such solutions make it significantly harder for an attacker to get access to your data, but they are inherently insecure if the underlying phones are not secured.

Because this is a burgeoning but still evolving and immature market, it is unrealistic to expect fully matured solutions yet. In the meantime, it is important both to acknowledge that the risks have changed and increased along with the greater benefits that this new generation of mobile devices offers, and to be more vigilant than ever in protecting your business' critical data.

This means that, until fully effective technical security measures are offered by vendors and suppliers, you should be educating your end users on the risks of the devices; enforcing the security measures that the devices do support, knowing that they only provide a first level of defense; wisely selecting technical solutions that enable your IT department to withstand the challenges; and tailoring the usage of such devices in corporate standards that fully fit your corporate data handling policies.

By Marc Smeets