Securing Mobile Devices

220-1002: Objective 2.8: Given a scenario, implement methods for securing mobile devices.

Mobile devices have evolved to the point that they can hold as much valuable data as any workstation. Add to this their compact and easy-to-conceal design and the high cost of the devices, and it becomes clear why mobile devices pose a serious security threat. The following sections cover methods and practices that can mitigate mobile device threats.

Screen Locks

The first step in securing a mobile device is setting a numeric passcode or another type of screen lock. Such a passcode locks the device, making it inaccessible to anyone who does not know the passcode (an experienced hacker may still find a way past it). A screen lock can be a pattern that is drawn on the display, a PIN (passcode lock), or a password. A very strong password is usually the strongest form of screen lock. The screen lock setting can be accessed on an Android device by going to Settings > Security. On iPhone 6, go to Settings > Touch ID & Passcode (requires entering the current passcode). On iPhone 7, go to Settings > General > Passcode. On iPhone X and later, go to Settings > Face ID & Passcode. While the navigation varies between Android and iPhone versions, the settings described here apply to both types of phones unless noted.

You can select how long the phone waits after inactivity to lock; this is usually set to three or five minutes, but in a confidential environment, it may be appropriate to set this to Immediate. To enable Auto-Lock, go to Settings > General > Auto-Lock and select a number of minutes. If this is set to Never, the device will never sleep, negating the security of the passcode and using valuable battery power. The default setting is two minutes. On an iPhone, Auto Lock is under the Display Settings area.

In addition to the default timeout, devices can also be locked by pressing the power button quickly. If configured, the passcode must be supplied whenever a mobile device comes out of a sleep or lock state and whenever it is first booted.

Some devices support other types of screen locking, including fingerprint lock (where the user’s fingerprint is matched against a list of authorized user fingerprints) and face lock (where the user’s face is matched against a list of authorized user faces). Windows Hello, a Windows 10 feature supported on some devices, is an example of a face lock. Face ID is the Apple version that is supported on newer versions of iPhone and iPad Pro.

A swipe lock app immediately locks a device when the user swipes the display to one side.

The next option on the Security screen is Visible Passwords. If this option is checked, the device shows the current letter of the password being typed by the user. This type of setting is vulnerable to shoulder surfers (people looking over your shoulder to find out your password) and should be deselected so that only asterisks (*) are shown when the user types a password.

There is also a Credential Storage option. By default, secure credentials are dropped after a session is over. (An exception to this rule is a Gmail or other similar login.) However, if Use Secure Credentials is checked, and a user accesses a website or an application that requires a secure certificate, the credentials are stored on the device. A user can set a password here so that only he or she can view or clear credentials or install credentials from a memory card. The use of secure credentials is usually configured only if a user needs access to confidential company information on the Internet.

Passcode locking can be accessed on iPad and iPhone devices by going to Settings > Passcode and tapping Passcode Lock to display the Passcode Lock screen. Tap Turn Passcode On to set a passcode.

Remote Wipes

A lost or missing mobile device is a serious security threat. A hacker can get past passcodes and other screen locks. It’s just a matter of time before the hacker has access to the data. So, an organization with confidential information should consider enabling a remote wipe program of a device. As long as the mobile device still has access to the Internet, the remote wipe program can be initiated from a desktop computer to delete all the contents of the remote mobile device.

Some devices (such as the iPhone) have a setting that causes the device to be erased after a certain number of incorrect passcode attempts (10 in the case of the iPhone). There are also third-party apps available for download for most mobile devices that can wipe the data after a specified number of attempts. Some apps configure a device to automatically take a picture after three failed attempts and email the picture to the device owner. Examples of software that can perform a remote wipe include Google Sync, Google Apps Device Policy, Apple’s Data Protection, and third-party apps such as Mobile Defense. In some cases, such as with Apple’s Data Protection, the command that starts the remote wipe must be issued from an Exchange server or mobile device management (MDM) server. Of course, you should have a backup plan in place as well so that data on the mobile device is backed up to a secure location at regular intervals. This way, if the data needs to be wiped, you know that most or all of the data can be recovered. The type of remote wipe program, backup program, and policies regarding how these are implemented can vary from one organization to the next.

Locator Applications

By installing or enabling a locator application or service such as Android Device Manager, Lookout for iOS or Android, or Find My iPhone, a user can track down a lost device. These apps can be operated from any other phone that has a similar app installed as long as the power is on and geolocation is working.

Remote Backup Applications

There are two ways to back up a mobile device: via a USB connection to a desktop or laptop computer or to the cloud by using a remote backup application.

Apple’s iCloud offers free cloud backup service for a limited amount of data (currently 5GB), with more space available by subscription. iTunes, which can be used for USB-based backup, enables the entire device to be backed up to a hard drive at no additional cost.

Android users have free backup for email, contacts, and other information via Google Cloud. However, backing up photos, music, and other content and documents must either be performed manually via USB or file sync to the cloud, using a service such as Dropbox or another third-party app.

Both iOS and Android users can use popular third-party cloud-based backups that are also supported for macOS and Windows, such as Carbonite (carbonite.com) and iDrive (idrive.com).

Failed Login Attempts Restrictions

Most mobile devices include failed login attempt restrictions. If a person fails to enter the correct passcode after a certain number of attempts, the device locks temporarily, and the person has to wait a certain amount of time before attempting the passcode again. If the person fails to enter the correct passcode again, on most devices the timeout increases. As mentioned earlier, repeated failed logins may also result in a wipe of the device’s storage.
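The following is an added example, not code from the book or from any device vendor, that models the behaviour just described: a handful of wrong passcode attempts are tolerated, each further failure doubles the cooldown before the next attempt is accepted, and reaching the attempt limit erases the device. The schedule (four free attempts, a 30-second first cooldown, a wipe at 10 failures) and the class and method names are assumptions for the illustration; real devices use their own values. The clock is injectable so the escalation can be exercised without waiting.

```python
import hmac
import time


class PasscodeLockout:
    """Failed-attempt tracker for a device passcode (constructed example).

    Wrong attempts are tolerated free_attempts times, then every further
    failure doubles the cooldown; reaching max_attempts wipes the device.
    """

    def __init__(self, passcode, max_attempts=10, free_attempts=4,
                 base_delay=30, clock=time.time):
        self._passcode = passcode.encode()
        self.max_attempts = max_attempts      # wipe on this many failures (assumed)
        self.free_attempts = free_attempts    # failures before any cooldown (assumed)
        self.base_delay = base_delay          # seconds for the first cooldown (assumed)
        self._clock = clock                   # injectable for testing
        self.failed = 0
        self.locked_until = 0.0
        self.wiped = False

    def seconds_remaining(self):
        """Cooldown still to wait before another attempt is accepted."""
        return max(0.0, self.locked_until - self._clock())

    def attempt(self, passcode):
        """Returns "ok", "wrong", "locked" or "wiped"."""
        if self.wiped:
            return "wiped"
        if self._clock() < self.locked_until:
            return "locked"            # rejected during the cooldown
        # Constant-time compare so a wrong guess leaks no timing information.
        if hmac.compare_digest(passcode.encode(), self._passcode):
            self.failed = 0
            self.locked_until = 0.0
            return "ok"
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.wiped = True           # local wipe once the limit is reached
            return "wiped"
        if self.failed > self.free_attempts:
            # Escalating timeout: 30 s, 60 s, 120 s, ... for each extra failure.
            delay = self.base_delay * 2 ** (self.failed - self.free_attempts - 1)
            self.locked_until = self._clock() + delay
        return "wrong"


if __name__ == "__main__":
    lock = PasscodeLockout("1234")
    for guess in ["0000"] * 6:
        print(lock.attempt(guess), "wait", lock.seconds_remaining(), "s")
```

The point worth noting for a defender is that the cooldown is enforced before the passcode is even compared, so a correct passcode typed during the lockout is still rejected, and that the wipe decision is made locally, which is why it works even when the device has no network connection for a remote wipe.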

Antivirus/Anti-malware

Just as there is antivirus software for PCs, there is also antivirus/anti-malware software for mobile devices. These are third-party applications that need to be paid for, downloaded, and installed to the mobile device. Some common examples for Android include McAfee’s VirusScan Mobile, AVG, Lookout, Dr. Web, and NetQin.

iOS works a bit differently than Android. iOS is a tightly controlled operating system. One of the benefits of being a closed-source OS is that it can be more difficult to write viruses for it, making it somewhat more difficult to compromise. But there is no OS that can’t be compromised. For the longest time there was no antivirus software for iOS, but Apple now allows the download of previously unavailable applications and software not authorized by Apple.

Patching/OS Updates

Patching/OS updates help protect mobile devices from the latest vulnerabilities and threats. By default, you are notified automatically about available updates on Android and iOS-based devices. However, you should know where to go to manually update these devices as well:

  • For Android, go to Settings > General > About Device > Software Update or Settings > System > About Device > Software Update > Check for Updates.

  • For iOS, go to Settings > General > Software Update.

When it comes to large organizations that have many mobile devices, a mobile device management (MDM) suite should be used. McAfee and many other companies have MDM software suites that can take care of pushing updates and configuring many mobile devices from a central location. Decent-quality MDM software secures, monitors, manages, and supports multiple different mobile devices across the enterprise.

Biometric Authentication

Both current and older Android and iOS devices can use biometric authentication through the use of add-on fingerprint readers or iris readers.

Recent and current iOS devices have built-in support for fingerprint reading with all Touch ID feature enabled phones and iPad versions.

Face locks, like Microsoft’s Windows Hello and Apple’s Face ID, are also considered a type of biometric authentication.

Full Device Encryption

With full device encryption, your data is not accessible to would-be thieves unless they know the passcode. Apple’s iOS devices feature full device encryption that is activated when a passcode is assigned to the device. To learn more about this and other iOS security, Apple provides an iOS Security guide at https://www.apple.com/business/docs/iOS_Security_Guide.pdf.

Android 5 and later supports full disk encryption, and Android 7 and later supports file-based encryption. File-based encryption encrypts individual files, meaning each file has a separate encryption key, so the whole storage volume does not have to be encrypted or decrypted as one unit and the phone’s resources are not tied up in the encryption process.

Multifactor Authentication

Any authentication method for email, e-banking, or other tasks that requires two forms of authentication is considered multifactor authentication. For example, websites and apps might require authentication of both the account information (name and password) and the device being used to access the account. Typically, this is done by sending an SMS text message or making a robocall to the pre-registered mobile phone of the account holder. The account holder must enter the code received when prompted by the website or app before the app can run or the website opens. Unless the app is deleted or cookies are deleted from the browser, the device is an approved device for that account.

Authenticator Applications

An authenticator application is used to receive or generate authentication codes for one or more apps or services.

Google Authenticator from the Google Play app store enables a user to receive or generate multifactor codes with Android, iOS, and BlackBerry devices. It supports options to add or remove trusted computers and devices and works with the Security Key USB device. There are several other authenticator apps for mobile devices, but before selecting one, be sure to determine which websites and services it supports.

Trusted Sources vs. Untrusted Sources

The Apple App Store (apps for iOS), Google Play (Android), and Microsoft Store (Windows 10 Mobile) are trusted sources for mobile device apps. Apps downloaded from other locations are considered untrusted and should not be used if at all possible. Jailbreaking the phone is usually required to run untrusted apps, and jailbreaking removes security measures built into the phone.

Firewalls

Android does not include a firewall, so third-party apps must be used to provide protection against unwanted Internet traffic. Google Play offers many free firewall apps for Android.

Apple does not include a firewall because the design of iOS uses a feature called “sandboxing” that runs apps in separate protected space.

Policies and Procedures

Many individually owned mobile devices are now being used on corporate networks. Because these devices were not configured by the corporation, they could potentially present security threats. To prevent security threats, organizations need to address these issues in their policies and procedures.

BYOD vs. Corporate-Owned Devices

Benefits of bring your own device (BYOD) policies include:

  • No hardware cost to the organization

  • Higher usage due to employee satisfaction with their selected device

  • Greater productivity

Potential drawbacks include:

  • Hidden costs of management and security

  • Possibility that some employees will not want to buy their own devices

Profile Security Requirements

Whether an organization uses corporate-owned mobile devices, BYOD, or a mixture, setting and following profile security requirements are very important to achieving increased productivity without incurring significant risks. Issues involved include specifying approved devices and operating system versions, requiring passwords and lock screens, requiring device encryption, support issues, and when and how to remove company information when an employee leaves the organization.
