Smartphones and PDAs have grown more capable and connected, but many
mobile professionals use these devices without protecting the data they
store and send. ISPs can offer mobile security products and services to
help subscribers mitigate these risks.
In Part 1 of this series, we introduced common mobile device capabilities.
In Part 2, we described security threats and OS defenses.
Here in Part 3, we explore after-market products that can be re-sold
or used as a platform for offering secure mobile networking services.
Today’s Windows Mobile, Symbian, Palm, and BlackBerry-based devices
incorporate a number of built-in security measures, from power-on PINs
and secure web browsers to crypto libraries and privilege levels.
These measures provide basic defenses against threats like misuse of
a lost device, wireless eavesdropping, and system file tampering. But
that still leaves plenty of room for after-market solutions that add required
functionality or enable IT control over otherwise unmanaged mobile devices.
Basic device locks can be strengthened by policy enforcement programs
that ensure PINs or passwords meet minimum security standards for length,
complexity, uniqueness, and freshness. Some of these programs can also
disable or hard-reset a mobile device during a password-guessing attack,
or let users safely recover a forgotten PIN without requiring a return
trip to the office or a help desk call.
For example, TealLock (see above) defines Quick, Full, and Emergency
passwords. Users get just one try at entering their short password. If
they fail, the longer full password is required. If a user forgets his
full password, the emergency password can be used to unlock the device.
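The policy checks (length, complexity, uniqueness, freshness) and the tiered quick/full/emergency unlock described above, with a hard reset when a guessing attack exhausts the last tier, as an added illustration that is not code from TealLock or any other product named in this article. The one-try rule for the quick password follows the text; the try limits for the other tiers, the KDF work factor and the policy thresholds are assumptions.

```python
"""Tiered device unlock with password-quality enforcement (added example)."""
import hashlib
import hmac
import os
import re
import time

PBKDF2_ROUNDS = 50_000  # assumption: work factor for the stored verifiers


def make_verifier(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); only these are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_verifier(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored verifier."""
    return hmac.compare_digest(make_verifier(password, salt)[1], digest)


def check_policy(password, history=(), min_len=8, min_classes=3):
    """Return a list of policy violations; an empty list means the password is acceptable.

    history holds (salt, digest) verifiers of earlier passwords, so uniqueness
    is checked without keeping old passwords in the clear.
    """
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < min_classes:
        problems.append("too few character classes")
    if any(check_verifier(password, s, d) for s, d in history):
        problems.append("reused")
    return problems


def is_stale(set_at, max_age_days=90, now=None):
    """Freshness check: True when the password is older than the policy allows."""
    now = time.time() if now is None else now
    return now - set_at > max_age_days * 86400


class DeviceLock:
    """Quick -> Full -> Emergency escalation; exhausting the last tier hard-resets."""

    ORDER = ("quick", "full", "emergency")
    TRIES = {"quick": 1, "full": 5, "emergency": 3}  # quick=1 per the article; others assumed

    def __init__(self, quick, full, emergency):
        self.creds = {t: make_verifier(p) for t, p in zip(self.ORDER, (quick, full, emergency))}
        self.tier = 0          # index into ORDER
        self.failures = 0      # failed attempts at the current tier
        self.unlocked = False
        self.wiped = False

    def attempt(self, password):
        """Try a password. Returns 'unlocked', 'locked:<tier>' or 'wiped'."""
        if self.wiped:
            return "wiped"
        # Any credential at or above the current tier is accepted, so a user who
        # forgot the full password can go straight to the emergency one.
        for tier in self.ORDER[self.tier:]:
            if check_verifier(password, *self.creds[tier]):
                self.unlocked = True
                self.failures = 0
                return "unlocked"
        self.failures += 1
        if self.failures >= self.TRIES[self.ORDER[self.tier]]:
            if self.tier + 1 == len(self.ORDER):
                # Guessing attack reached the last tier: destroy the verifiers (hard reset).
                self.creds.clear()
                self.wiped = True
                return "wiped"
            self.tier += 1
            self.failures = 0
        return "locked:" + self.ORDER[self.tier]
```

The verifiers are salted PBKDF2 digests rather than the passwords themselves, so a dump of the lock's storage does not yield the credentials, and the history list used for the uniqueness check is built from the same verifiers.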
Alternatively, PINs or passwords can be replaced with authentication
methods that make mobile devices easier to use legitimately and/or harder
for a thief to compromise. For example, VoiceSecureIt lets a user unlock
her Palm PDA or smartphone by speaking a defined “voiceprint phrase” instead
of typing a PIN. One of several alternatives implemented by SafeGuard
PDA is X.509 certificate logon using an MMC card (i.e., logon fails if
the PDA is stolen without the user’s MMC card).
Compared to laptops, PDAs and smartphones are used more frequently for
shorter tasks, requiring these mobile devices to be instantaneously available.
Access controls that get in the way tend to get disabled; this is why
most OS-supplied PINs go unused.
To balance usability and security, some mobile security programs let
you control access more selectively—for example, requiring a user
password to read e-mail, an administrator password to install software,
but no password at all to answer phone calls. Instead of locking the device
itself, these access controls may actually unlock encrypted data associated
with the application (e.g., phone book, mailbox, registry).
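The selective model just described, as an added illustration rather than code from any product named here: each operation is mapped to the credential it needs (none, user, or administrator), and presenting the right credential does not unlock the device but yields the key for that application's own encrypted store, with a short unlock cache so frequent short tasks are not re-prompted. The operation table, role names, cache lifetime and KDF parameters are assumptions.

```python
"""Per-application access control with per-store data keys (added example)."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000  # assumption

# Operation -> credential required; None means no prompt at all (answering a call).
POLICY = {
    "answer_call": None,
    "read_email": "user",
    "edit_contacts": "user",
    "install_software": "admin",
}

# Operation -> encrypted store it touches (assumed layout).
STORE = {
    "read_email": "mailbox",
    "edit_contacts": "phonebook",
    "install_software": "registry",
}


class AppAccessControl:
    def __init__(self, user_password, admin_password, cache_seconds=300):
        self.cache_seconds = cache_seconds
        self.salts = {"user": os.urandom(16), "admin": os.urandom(16)}
        # Keep only the verifier half of the KDF output; the key half is never stored.
        self.verifiers = {
            role: self._derive(pw, role)[0]
            for role, pw in (("user", user_password), ("admin", admin_password))
        }
        self._unlocked = {}  # role -> (root_key, expires_at)

    def _derive(self, password, role):
        out = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salts[role],
                                  PBKDF2_ROUNDS, dklen=64)
        return out[:32], out[32:]  # (verifier, root key)

    def authorize(self, operation, password=None, now=None):
        """Return the data key for the operation's store, or None when no credential is needed.

        Raises PermissionError when the required credential is missing or wrong.
        """
        role = POLICY[operation]
        if role is None:
            return None
        now = time.monotonic() if now is None else now
        cached = self._unlocked.get(role)
        if cached and cached[1] > now:
            root = cached[0]
        else:
            if password is None:
                raise PermissionError(f"{operation} requires the {role} password")
            verifier, root = self._derive(password, role)
            if not hmac.compare_digest(verifier, self.verifiers[role]):
                raise PermissionError(f"wrong {role} password")
            # Remember the unlock briefly so short, frequent tasks need no re-prompt.
            self._unlocked[role] = (root, now + self.cache_seconds)
        # Per-store key derived from the root; the cipher that uses it is outside this example.
        return hmac.new(root, STORE[operation].encode(), hashlib.sha256).digest()

    def lock(self, role=None):
        """Drop cached keys for all roles, or for one."""
        if role is None:
            self._unlocked.clear()
        else:
            self._unlocked.pop(role, None)
```

Because the root key is derived from the password on each unlock and only cached in memory for the configured interval, the application data stays protected at rest even though the device itself is never "locked" in the whole-device sense.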
This article was first published on ISPPlanet.com.