Avatar

Now when I’m talking about safekeeping a mobile device, I’m not saying don’t use your Kindle by the pool or let your toddler play on the iPad while eating ice cream. These are dangerous things to be doing with a gadget, but today I want to focus more on the data within that device, rather than the device itself.

No matter what you do, your device may be stolen. It only takes a moment of inattention for someone to swipe your phone or tablet. Before that unfortunate event occurs, there are several things that you can do to mitigate the damage that occurs from the loss of a mobile device.

Enable the device auto-lock feature
Number one is to enable to device auto-lock! This is the first line of defense of someone just snatching your device. If you set an aggressive auto-lock timer—I personally use two minutes—then chances are good if your device is picked up by someone, the device will be locked. Assuming your device is not stolen right out of your hands when you’re walking down the street, a lock password on the device prevents untrusted parties from access.

Setting strong lock passwords
Passwords aren’t foolproof; they can be guessed or brute-forced. But strong passwords prevent all but the most determined parties from accessing the device directly, which means they might simply wipe the storage and resell it. You’ve lost the device, but you probably haven’t had any data stolen, unless an attacker simply attempts to read the storage on the device. But you’ve enabled encryption on your storage, right?

Storage encryption
Another defense-in-depth measure, encryption of storage volumes on the device prevent unauthorized users from attempting an end-around on data stored within your device. Normally, a user has to access data on the device through the normal user interface. But if an attacker simply reads the contents of storage volumes on the device, they don’t need any access passwords to get to it. Unless the volume is encrypted, your data has fallen into the hands of an attacker.

Data history retention
Consider the type of information you keep on your mobile device. Is it mostly texts from friends and snapshots from your daughter’s basketball game? In that case, you probably don’t have to worry about how long and how much data is stored on your device. However, if you are storing customer information or proprietary company designs, you need to carefully weigh your convenience with the amount of data kept on the device. Consider clearing your web history or removing documents and app data that you haven’t used in a while. You can even use extra storage cards for sensitive data and wipe those cards after your current project or quarter has wrapped up. In the event of a loss, the amount of data on the device should be minimal.

Remote wipe
The above protections usually just buy you time. If your device is stolen, you can reset account passwords and de-authorize the device on various services. But if your device supports it, you should consider setting up some type of remote wipe capability. Some mobile devices feature remote wipe as part of the operating system, such as Android Device Manager or Apple iCloud, and some you need a third-party application. But a remote wipe feature is the last line of defense if your device is stolen.

VPN and Wi-Fi security
Free Wi-Fi is pretty great when you’re wandering around town and want to check what movies are playing in the theater across the street or if there are any open tables at your favorite restaurant. However, you might think twice about using untrusted Wi-Fi or using open wireless for critical services. SSL, the technology used to encrypt communications between websites and end users, has some weaknesses when used over wireless channels, and attackers can exploit those weaknesses to monitor your communications. You should also disable wireless when you are in an area that offers free Wi-Fi, or prevent the device from automatically connecting to open access points, so that your device doesn’t inadvertently connect and possible expose your device.

Some people use VPN services, where you establish a secure connection to a remote server, and that server proxies your requests to sites you are trying to reach. In this way, any connections between you and the remote server are encrypted, protecting people who may be snooping on your wireless connection. If you find yourself using a lot of unsecured Wi-Fi in public areas, you might consider a VPN service.

Applications and app stores
Installing apps from the major providers is easy and usually fairly safe. However, you should carefully consider the source of your new app and any permissions it requires before you install the app on the device. Some apps have exposed personal information on devices to unauthorized first parties and may perform actions without your knowledge. Make sure you know what you are getting into when you install a new app!

There are also third-party app stores out there, and those can be very dangerous. Many apps on third-party app stores may contain malicious software or attempt to make fraudulent charges on your phone bill. On many devices you can only access third-party app stores if you jailbreak or root your device, which has its own set of dangers. If you are using the device for critical purposes, third-party app stores and untrusted apps are too great of a risk!

Many of my recommendations are common sense, but sticking to the basics will go a long way toward safekeeping your device and the data it contains. Strong passwords, data encryption, safe use of Wi-Fi, and a healthy dose of skepticism when installing apps are all great strategies. After you’ve done all that, the important thing is just not to forget your mobile device on the table at your coffee shop!



Authors

Nicholas Leali

Security Analyst, IntelliShield

Cisco Security Intelligence Operations