Smartphones took off with consumers, fueled by the ease of use of apps paired with cloud services.  Today, 4 of every 5 Americans own a smartphone, compared to just 1 in 4 owning a desktop or laptop computer.

Smartphone users want to bring these benefits to the workplace, just as they did a generation earlier with home PCs.  The mobile revolution has opened up new levels of productivity with so many technologies  combined into just one device (voice, camera, GPS, email etc.) but also new types of risk compared to traditional PCs, networks, and storage.

This article covers the wavetops of mobile device cybersecurity and privacy from three perspectives of increasing sensitivity to risk -- consumers, business, and government organizations.  

Consumers – device lifetimes

Smartphone security depends on mobile hardware, software, and services all working together.  Services include regular updates to the operating system, apps, and a well-policed app store.   For this reason, jailbreaking, rooting, or side loading apps are not generally good ideas since they bypass security and make it easier for adversaries to attack devices.

The major mobile vendors including Apple, Google, and Samsung generally do a good job across all of these.  The services aspect can be challenging in devices where on-going updates and upgrades are not available.  

A lack of updates for a device can mean that it becomes obsolete or end of life (EOL) since it can no longer be safely used, a sharp difference with say automobiles where service lifetimes can be much longer than hardware or software support warranties.   Typically, mobile vendors offer three years of updates, although Lenovo’s Motorola line recently launched a mobile device that offered only one year.

Business – fleets and data

The business use of smartphones builds on the same consumer considerations, adding the challenges of managing fleets of devices, and a greater need to maintain Confidentiality, Integrity, and Availability for business systems and their lifeblood of data, the so-called CIA triad of security.

Companies need to keep business running, keep out adversaries, and keep a large number of stakeholders happy -- employees, customers, partners, investors, cyber insurers, auditors, state, federal, and international regulators, lobbyists, and politicians.

Running a risk-based assessment, for example, NIST’s Cybersecurity Framework  or leveraging a set of best practices such as those of the Center for Internet Security for a given company and industry will typically lead to a core set of mobile security tools known by Three Letter Acronyms (TLA):

• MDM Mobile Device Management - Manage apps, data, and settings
• MTD Mobile Threat Defense - Continuous diagnostics and monitoring
• IAM Identity and Access Management - Are users who they say they are
• VPN Virtual Private Network - Mitigate data losses on insecure networks

These tools build on pre-existing corporate controls of networks, servers, and storage, as well as ties to cloud-based productivity tools like Office365, Google Apps, Dropbox, Salesforce, and Slack.  The most important  enterprise controls  are anti phishing and security awareness training, to avoid users clicking on a tempting link, attachment, or sharing passwords to the nice person calling from “tech support,” “the Internal Revenue Service,” or that new “friend” with an awesome headshot on social media.

Government – provenance, controls, and MILS

Government agencies are not all cut from the same cloth, dealing with different areas for different constituencies.    There are degrees of classification of computing device usage.  For example, in the national security space, there is unclassified and then three levels of classified - - ‘‘Top Secret’’ – where breaches could lead to grave damage to national security, (2) ‘‘Secret’’ - serious damage to national security, and (3) ‘‘Confidential’’ – damage to national security.

Unclassified usage cleaves most closely to that of commercial mobile security setups and then as the sensitivity of usage climbs, so does the need for additional security.  Sometimes the line where data should be classified is not obvious ahead of time, especially where standards were framed in the PC and desktop phones era.  For example, a fitness tracker last year inadvertently outlined some of the US’ secret bases around the world.

In higher risk environments, the provenance of hardware, firmware, software, apps, and updates becomes of increasing interest (so called supply chain integrity), as well as the ability to control capabilities on the device itself e.g. switching on / off and monitoring the cell connection, Wi-Fi, GPS, Bluetooth, NFC, USB, camera, microphone, voice, Voice Over Internet Protocol (VOIP), texting, messaging, email, and app activity.   A particular Holy Grail for government agencies is to run a mobile device with Multiple Independent Levels of Security (MILS) at the same time.

Conclusion

It used to be the accepted wisdom that mobile device attacks were rare, high cost, and targeted  to so-called “million-dollar dissidents” at the consumer level,  to businesses where direct or ransomware payouts were largest, and to government agencies that touched foreign states, organized crime, and/or terrorist organizations.   Recent iPhone hacking, however,  has shown that mobile hacking is a much more widely applicable risk, which means more of the controls applied at the government side will flow to business, and from business to end consumer protections.

About Simon Hartley

Simon has been captivated by innovation since first setting eyes on an Apple II in grade school.  Today, he works with US government customers at CIS Mobile with its altOS mobile security platform.  Previously, he worked with Apple and Samsung in hardening their mobile devices for US Government use, and is a frequent speaker on cybersecurity at industry events.  He was  VP and Co-Founder of startup RunSafe Security, VP at startup Kaprica Security (exited to Samsung), and Mobile Program Director at DMI, managed mobility market leader.  Simon began his career in nuclear software engineering then executive roles at HP, Red Hat, and Capgemini. He holds BS, MS, and MBA degrees, along with several cybersecurity and privacy certifications.