
Securing Mobile Devices


220-1002: Objective 2.8: Given a scenario, implement methods for securing mobile devices.

Mobile devices have evolved to the point that they can hold as much valuable data as any workstation. Add to this their compact and easy-to-conceal design and the high cost of the devices, and it becomes clear why mobile devices pose a serious security threat. The following sections cover methods and practices that can mitigate mobile device threats.

Screen Locks

The first step in securing a mobile device is setting a numeric passcode or another type of screen lock. Such a passcode locks the device, making it inaccessible to everyone except those who know the passcode (and experienced hackers). A screen lock can be a pattern that is drawn on the display, a PIN (passcode lock), or a password. A very strong password is usually the strongest form of screen lock. The screen lock setting can be accessed on an Android device by going to Settings > Security. On iPhone 6, go to Settings > Touch ID > Passcode (requires entering the current passcode). On iPhone 7, go to Settings > General > Passcode. On iPhone X and later, go to Settings > Face ID & Passcode. While the navigation varies between Android and iPhone versions, the settings described here apply to both types of phones unless noted.

You can select how long the phone waits after inactivity before locking; this is usually set to three or five minutes, but in a confidential environment it may be appropriate to set it to Immediate. To enable Auto-Lock, go to Settings > General > Auto-Lock and select a number of minutes. If this is set to Never, the device never sleeps, which negates the security of the passcode and wastes battery power. The default setting is two minutes. On an iPhone, Auto-Lock is under the Display settings area.

In addition to the default timeout, devices can also be locked by pressing the power button quickly. If configured, the passcode must be supplied whenever a mobile device comes out of a sleep or lock state and whenever it is first booted.

Some devices support other types of screen locking, including fingerprint lock (where the user’s fingerprint is matched against a list of authorized user fingerprints) and face lock (where the user’s face is matched against a list of authorized user faces). Windows Hello, a Windows 10 feature supported on some devices, is an example of a face lock. Face ID is the Apple version that is supported on newer versions of iPhone and iPad Pro.

A swipe lock app immediately locks a device when the user swipes the display to one side.

The next option on the Security screen is Visible Passwords. If this option is checked, the device shows each character of the password as the user types it. This setting is vulnerable to shoulder surfers (people looking over your shoulder to find out your password) and should be deselected so that only asterisks (*) are shown when the user types a password.

There is also a Credential Storage option. By default, secure credentials are dropped after a session is over. (An exception to this rule is a Gmail or other similar login.) However, if Use Secure Credentials is checked, and a user accesses a website or an application that requires a secure certificate, the credentials are stored on the device. A user can set a password here so that only he or she can view or clear credentials or install credentials from a memory card. The use of secure credentials is usually configured only if a user needs access to confidential company information on the Internet.

Passcode locking can be accessed on iPad and iPhone devices by going to Settings > Passcode and tapping Passcode Lock to display the Passcode Lock screen. Tap Turn Passcode On to set a passcode.

Remote Wipes

A lost or missing mobile device is a serious security threat. A hacker can get past passcodes and other screen locks; it is just a matter of time before the hacker has access to the data. So, an organization with confidential information should consider enabling a remote wipe program for its devices. As long as the mobile device still has access to the Internet, the remote wipe can be initiated from a desktop computer to delete all the contents of the remote mobile device.

Some devices (such as the iPhone) have a setting that causes the device to be erased after a certain number of incorrect password attempts (10 in the case of the iPhone). There are also third-party apps available for download for most mobile devices that can wipe the data after a specified number of attempts. Some apps configure a device to automatically take a picture after three failed attempts and email the picture to the device owner. Examples of software that can accomplish this include Google Sync, Google Apps Device Policy, Apple’s Data Protection, and third-party apps such as Mobile Defense. In some cases, such as with Apple’s Data Protection, the command that starts the remote wipe must be issued from an Exchange server or mobile device management (MDM) server. Of course, you should have a backup plan in place as well so that data on the mobile device is backed up to a secure location at regular intervals. This way, if the data needs to be wiped, you know that most or all of the data can be recovered. The type of remote wipe program, backup program, and policies regarding how these are implemented can vary from one organization to the next.

Locator Applications

By installing or enabling a locator application or service such as Android Device Manager, Lookout for iOS or Android, or Find My iPhone, a user can track down a lost device. These apps can be operated from any other phone that has a similar app installed, as long as the lost device is powered on and geolocation is working.

Remote Backup Applications

There are two ways to back up a mobile device: via a USB connection to a desktop or laptop computer or to the cloud by using a remote backup application.

Apple’s iCloud offers free cloud backup service for a limited amount of data (currently 5GB), with more space available by subscription. iTunes, which can be used for USB-based backup, enables the entire device to be backed up to a hard drive at no additional cost.

Android users have free backup for email, contacts, and other information via Google Cloud. However, backing up photos, music, and other content and documents must either be performed manually via USB or file sync to the cloud, using a service such as Dropbox or another third-party app.

Both iOS and Android users can use popular third-party cloud-based backups that are also supported for macOS and Windows, such as Carbonite (carbonite.com) and iDrive (idrive.com).

Failed Login Attempts Restrictions

Most mobile devices include failed login attempt restrictions. If a person fails to enter the correct passcode after a certain number of attempts, the device locks temporarily, and the person has to wait a certain amount of time before attempting the passcode again. If the person fails to enter the correct passcode again, on most devices the timeout increases. As mentioned earlier, multiple failed logins may result in a wipe of the device's storage.
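The following is an added example (not from the book) that models the two controls described above: a lockout whose timeout grows with each failed attempt, and an erase once the attempt limit is reached (10, the iPhone figure given earlier). The lockout schedule, the salt and the sample passcode are constructed values.

```python
"""Passcode gate with escalating lockout and erase-after-N-failures."""
import hashlib
import hmac

# Constructed lockout schedule in seconds: no delay for the first four
# failures, then a delay that grows with each further failure.
LOCKOUT_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}
ERASE_AFTER = 10  # attempts; the iPhone figure cited in the text


class PasscodeGate:
    def __init__(self, passcode: str, salt: bytes = b"constructed-salt"):
        self._salt = salt
        self._digest = self._hash(passcode)
        self.failed = 0
        self.locked_until = 0.0
        self.erased = False

    def _hash(self, passcode: str) -> bytes:
        # Keep only a salted, slow hash; the passcode itself is never stored.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def try_unlock(self, passcode: str, now: float) -> str:
        """Return 'unlocked', 'wrong', 'locked' or 'erased'."""
        if self.erased:
            return "erased"
        if now < self.locked_until:
            return "locked"          # attempts during a lockout are not even checked
        if hmac.compare_digest(self._hash(passcode), self._digest):
            self.failed = 0          # a success resets the failure counter
            return "unlocked"
        self.failed += 1
        if self.failed >= ERASE_AFTER:
            self.erased = True       # simulates the device wiping its storage
            self._digest = b""
            return "erased"
        delay = LOCKOUT_SCHEDULE.get(self.failed, 0)
        if delay:
            self.locked_until = now + delay
        return "wrong"
```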

Antivirus/Anti-Malware

Just as there is antivirus software for PCs, there is also antivirus/anti-malware software for mobile devices. These are third-party applications that need to be paid for, downloaded, and installed to the mobile device. Some common examples for Android include McAfee’s VirusScan Mobile, AVG, Lookout, Dr. Web, and NetQin.

iOS works a bit differently than Android. iOS is a tightly controlled operating system. One of the benefits of being a closed-source OS is that it can be more difficult to write viruses for it, making it somewhat more difficult to compromise. But there is no OS that can't be compromised. For a long time there was no antivirus software for iOS, but Apple now allows the download of previously unavailable applications and software not authorized by Apple.

Patching/OS Updates

Patching/OS updates help protect mobile devices from the latest vulnerabilities and threats. By default, you are notified automatically about available updates on Android and iOS-based devices. However, you should know where to go to manually update these devices as well:

  • For Android, go to Settings > General > About Device > Software Update or Settings > System > About Device > Software Update > Check for Updates.

  • For iOS, go to Settings > General > Software Update.

When it comes to large organizations that have many mobile devices, a mobile device management (MDM) suite should be used. McAfee and many other companies have MDM software suites that can take care of pushing updates and configuring many mobile devices from a central location. Decent-quality MDM software secures, monitors, manages, and supports multiple different mobile devices across the enterprise.

Biometric Authentication

Both current and older Android and iOS devices can use biometric authentication through the use of add-on fingerprint readers or iris readers.

Recent and current iOS devices have built-in fingerprint reading on all iPhone and iPad models that support the Touch ID feature.

Face locks, like Microsoft’s Windows Hello and Apple’s Face ID, are also considered a type of biometric authentication.

Full Device Encryption

With full device encryption, your data is not accessible to would-be thieves unless they know the passcode. Apple’s iOS devices feature full device encryption that is activated when a passcode is assigned to the device. To learn more about this and other iOS security, Apple provides an iOS Security guide at https://www.apple.com/business/docs/iOS_Security_Guide.pdf.

Android 5 and later supports full disk encryption, and Android 7 and later supports file-based encryption. File-based encryption encrypts individual files, each with its own encryption key, so the phone does not have to tie up all of its resources in the encryption process.

Multifactor Authentication

Any authentication method for email, e-banking, or other tasks that requires two forms of authentication is considered multifactor authentication. For example, websites and apps might require authentication of both the account information (name and password) and the device being used to access the account. Typically, this is done by sending an SMS text message or making a robocall to the pre-registered mobile phone of the account holder. The account holder must enter the code received when prompted by the website or app before the app can run or the website opens. Unless the app is deleted or cookies are deleted from the browser, the device is an approved device for that account.

Authenticator Applications

An authenticator application is used to receive or generate authentication codes for one or more apps or services.

Google Authenticator from the Google Play app store enables a user to receive or generate multifactor codes with Android, iOS, and BlackBerry devices. It supports options to add or remove trusted computers and devices and works with the Security Key USB device. There are several other authenticator apps for mobile devices, but before selecting one, be sure to determine which websites and services it supports.

Trusted Sources vs. Untrusted Sources

The Apple App Store (apps for iOS), Google Play (Android), and Microsoft Store (Windows 10 Mobile) are trusted sources for apps for mobile devices. Apps downloaded from other locations are considered untrusted and should not be used if at all possible. Jailbreaking the phone is usually required to run untrusted apps, and jailbreaking removes security measures built into the phone.

Firewalls

Android does not include a firewall, so third-party apps must be used to provide protection against unwanted Internet traffic. Google Play offers many free firewall apps for Android.

Apple does not include a firewall because the design of iOS uses a feature called "sandboxing" that runs each app in its own separate, protected space.

Policies and Procedures

Many individually owned mobile devices are now being used on corporate networks. Because these devices were not configured by the corporation, they could potentially present security threats. To prevent security threats, organizations need to address these issues in their policies and procedures.

BYOD vs. Corporate-Owned Devices

Benefits of bring your own device (BYOD) policies include:

  • No hardware cost to the organization

  • Higher usage due to employee satisfaction with their selected device

  • Greater productivity

Potential drawbacks include:

  • Hidden costs of management and security

  • Possibility that some employees will not want to buy their own devices

Profile Security Requirements

Whether an organization uses corporate-owned mobile devices, BYOD, or a mixture, setting and following profile security requirements are very important to achieving increased productivity without incurring significant risks. Issues involved include specifying approved devices and operating system versions, requiring passwords and lock screens, requiring device encryption, support issues, and when and how to remove company information when an employee leaves the organization.
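As an added example (not from the book or any MDM product), the following checks a device inventory against the profile requirements just listed: approved platforms and minimum OS versions, a passcode and lock screen, a bounded auto-lock timeout, and device encryption. The policy values and the inventory records are constructed; an MDM suite would supply the real records.

```python
"""Evaluate mobile device records against a profile security policy."""
from typing import Dict, List, Optional

# Constructed policy reflecting the requirements named in the text.
POLICY = {
    "min_os": {"ios": (13, 0), "android": (9, 0)},  # approved platforms and versions
    "require_passcode": True,
    "max_auto_lock_minutes": 5,                      # None (Never) is not acceptable
    "require_encryption": True,
}


def parse_version(version: str) -> tuple:
    """'12.4.1' -> (12, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Dict, policy: Dict = POLICY) -> List[str]:
    """Return the list of policy violations for one device record."""
    problems: List[str] = []
    platform = device.get("platform")
    if platform not in policy["min_os"]:
        problems.append(f"platform {platform!r} not approved")
    elif parse_version(device["os_version"]) < policy["min_os"][platform]:
        problems.append(f"OS {device['os_version']} below required minimum")
    if policy["require_passcode"] and not device.get("passcode_set"):
        problems.append("no passcode or lock screen")
    auto_lock: Optional[int] = device.get("auto_lock_minutes")
    if auto_lock is None or auto_lock > policy["max_auto_lock_minutes"]:
        problems.append("auto-lock timeout too long or set to Never")
    if policy["require_encryption"] and not device.get("encrypted"):
        problems.append("storage not encrypted")
    if device.get("jailbroken"):
        problems.append("jailbroken or rooted device")
    return problems


def noncompliant(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map device id -> violations for every device that fails the policy."""
    return {d["id"]: p for d in inventory if (p := evaluate(d))}
```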
