Unit-5

Mobile Device Security


Importance of Mobile Security:
The security of a mobile device is very important for the following reasons:
• It is used as your camera for recording your memorable moments with the help of photos
and videos.
• It is your communication partner through voice calls, SMS, chats, video calls, emails, and
other applications.
• It is used as a computer device for Internet browsing and online shopping.
• A smartphone is your guide to new areas through maps and GPS (Global Positioning System).
• A mobile device is your entertainment partner.
• A mobile device is used as the payment wallet for traditional shopping.
• A mobile device is used for physical access management and even as a digital access
management tool.
• You store your valuable contacts and personal information.
• You use it as your temporary data storage.
Types of Mobile Platforms:
Mobile OSs can be classified in the following categories :
• (1973–1993): Embedded OSs for function controls.
• (1993–1999): During this period, independent mobile OSs were introduced, which included Newton
OS, IBM Simon, Palm OS, Symbian OS, Nokia S40 and others.
• (2000–2010): This period marked the start of smartphones. The main OSs launched
during this period include Windows CE, Blackberry, Maemo OS, iOS, Android, webOS, Bada OS,
and Windows OS.
• (2010 to Present): During this period, there were very few launches of new OS platforms,
but newer versions of Android, iOS, Windows, Blackberry, and others
were launched. A huge competition between iOS, Android, Windows, and
Blackberry started in this period and is still running. Nowadays, the main competition in the
OS market is between Android and iOS.

Android Phone Security Guidelines:


• Always purchase a phone that runs the latest version of the Android OS.
• Data files and important information should be stored in encrypted form. Android
phones support encrypted data storage on the internal memory. You can also make
arrangements to encrypt the data on external memory such as an SD card.
• It is highly recommended to save your account credentials in Account Manager tools, which
are highly reliable and protected. Thus, your credentials become less prone to
security threats.
• Always download trusted Android applications on your mobile phone. Google Play store
checks and verifies that applications are secure before listing them. So always
download Android applications from Google Play store.
• Always install antivirus and anti-spyware software to safeguard your mobile device from
popular cyber threats. The paid version of a trusted antivirus offers many other
security features. So prefer to download the paid version.
• Before installing any application, read the permissions that the application needs in order to use the
resources available on the mobile. If any application asks for more permissions than look
reasonable, don’t use that application.
• Read the privacy policy of the applications that you want to run on your Android phone.
• Update all Android applications running on your mobile. Any vulnerabilities in Android
applications can lead to a cyber attack on your mobile phone and valuable data.
• Check and make sure that no application exposes your information or personal data
to third parties, especially to content and service providers.
• Try to avoid using public wireless networks or any other insecure network; this will help
you stay away from hackers and malware present on those networks.
• Check that your applications do not use the READ_LOGS permission. Normally, at the time of
installation, the applications may ask for this permission. Never give this permission to
Android applications; this may lead to a breach of your data, privacy, and security.
• Try to use virtual private network (VPN) connections for your Internet browsing and online
shopping. This will save you from many security-related issues.
• Always try to use a different number for two-factor authentication. If you use the SIM that is
inserted in the mobile that also holds the Google account, then your SMS will go to the same
number. If your mobile is lost, someone can immediately change the passwords by using the
two-factor authentication.
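
The permission guidelines above (read what an application requests, refuse READ_LOGS, distrust requests that do not fit the application's purpose) can be checked mechanically against an application's manifest. The following is an added example, not part of the original notes: it assumes the manifest has already been decoded to text XML, and the sample manifest, the application categories and the EXPECTED policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions refused outright; READ_LOGS is the one the guideline names.
DENIED = {"android.permission.READ_LOGS"}

# Constructed policy (assumption): what each kind of app plausibly needs.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.INTERNET",
                  "android.permission.READ_CONTACTS"},
}

# Constructed sample manifest in decoded text form, not from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23
      android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Flashlight"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return (package, set of permission names) declared in the manifest."""
    # For manifests from untrusted sources, use a hardened XML parser.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(NAME_ATTR)
            if name:
                perms.add(name)
    return root.get("package"), perms


def audit(manifest_xml, category):
    """Flag denied permissions and ones outside the category's expected set."""
    package, perms = requested_permissions(manifest_xml)
    denied = sorted(perms & DENIED)
    excessive = sorted(perms - DENIED - EXPECTED.get(category, set()))
    verdict = "reject" if denied else ("review" if excessive else "ok")
    return {"package": package, "denied": denied,
            "excessive": excessive, "verdict": verdict}


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, "flashlight"))
```

An unknown category has an empty expected set, so every requested permission is listed for review rather than silently accepted.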

iPhone Security Guidelines:


The major guidelines for iPhone security are listed below:
• Always take care of Siri security by not leaving your phone unattended.
• Implement iPhone Configuration Utility (iCU) in enterprise environments.
• Create stronger passwords for the accounts.
• Use password manager tools for better password security.
• Don’t use unauthorized iPhone applications.
• Disable the on-screen notifications.
• Enable the two-step authentication on your Apple account as well as iCloud.
• Disable the auto-sync feature to iCloud.
• Disable the use of Siri on a locked screen.
• Always choose to use VPN connection.
• In the browser, disable the auto-fill form feature.
• Don’t allow your applications to access your personal information.
• Cookies on your browser should be turned off.
• Disable auto-connection to available Wi-Fi networks.
• Use the secure networks and avoid public networks.
• Turn off application protocols that are not in use.
• Always encrypt the local files on the phone.
• Back up your data files to iCloud.
• Use encrypted communication as much as possible.
• Always update your iPhone mobile applications.
• Keep your mobile OS up to date with the latest software releases.
• Use your common sense when browsing and shopping online.

Windows Phone Security Guidelines:


The security guidelines for Windows phone are mentioned below:
• Always purchase a Windows phone with the latest OS version.
• Always keep your OS up to date by installing new updates and releases.
• Always download mobile applications from trusted stores like Microsoft Store.
• Try to use paid mobile apps that are free from ads and other pop-up annoyances.
• Always keep your Windows apps updated.
• Install the best antivirus and anti-malware tool in the marketplace.
• Activate multi-step authentication security.
• Always use a screen lock PIN to keep the phone secure.
• Enable the “Find My Phone” feature so that you can locate your mobile easily in case you
lose it.
• Use Internet Explorer browser with strong security settings.
• Don’t allow your browser to store cookies on your phone.
• Never use the insecure public networks.
• Always visit the secure websites.
• Use VPN connection for secure browsing and shopping.
• Always try to back up your precious data regularly.
• Use the latest mobiles that have security microchips or Trusted Platform Modules (TPMs).
• Try to use facial recognition, fingerprints, or iris scanning for phone unlocking.
Mobile Application Management:
Mobile application management (MAM) normally covers the following aspects of mobile cyber security:
• Assessing the mobile applications’ security measures implemented by the developers of the
mobile applications
• Auditing the vulnerabilities of the mobile applications
• Establishing the controls over the mobile applications
• Managing those applications for any updates
• Checking for any violation of the security policy
• Integration of apps in a container so that inter-app data is guarded
• Addition, modification, and deletion of the applications
• Blacklisting and white-listing of the applications and activities
The most important guidelines for mobile apps management to maintain a high level of security
include the following:
• Always download mobile applications from the trusted stores such as Apple Store and
Google Play.
• Before downloading any mobile application, make sure you read all details about the
applications and the past user reviews.
• Take special care about the permissions that an app asks for at the time of installation of the
application.
• Read each and every component on the application wizard; don’t click next… blindly.
• Choose the custom installations that suit your needs.
• Be very picky while choosing mobile apps.
• If undue permissions are sought, don’t install that app.
• Always delete the applications that you don’t use.
Role based Access control:
Open authorization:
NIST guidelines:

Cybersecurity Standards
ISO/IEC 27001 & 27002 Standards:

The objectives of this standard include the following:


• Establishing information security controls
• Reducing the security risk in the organization
• Streamlining the cybersecurity procedures
• Selection of the information security controls
• Management of information security controls
• Implementation and monitoring of the information security controls.
These standards allow the company to take the following steps:
• Choose the right controls over the information security processes for the organizations that
are defined in the recommendations.
• Implement the already accepted controls that have already been used and proven in different
industries for IT controls.
• Develop new information security controls that are in compliance with the set criteria in the
ISO standards and also suit the requirements of the organization.

Information Security Forum (ISF) Standards:

The major areas that the ISF good practices cover include the following:
• Risk associated with the Agile software development methodology
• Privacy of information and intelligence about the emerging threats
• Security aspects of industrial control systems (ICSs)
• Assessing and establishing the correlation between the operational risk and the
information risk
This is also an international set of good practices accepted worldwide. These standards help
organizations in the following ways:
• Helping the leaders and teams exploit new areas for improving productivity and efficiency
while maintaining a high level of security against information risks
• Preparing the organizations to preempt potential threats and reduce risk through agility
and preparedness
• Identifying ways to implement the security standards in an efficient and effective manner

Payment Card Industry Data Security Standard (PCI/DSS):

The Payment Card Industry Data Security Standard (PCI/DSS) focuses on the personal information
of the online shopper. This standard is developed by the PCI Security Standards Council. The standard
was developed to safeguard the bank and card information of card users who use their cards for
online shopping.

This standard directly impacts millions of people across the world. The Security Standards Council
helps financial institutes and merchants implement the standard guidelines devised by the
council so that people's card information can be safeguarded easily.
The council includes the following financial organizations:
• American Express
• MasterCard Inc.
• Visa Inc.
• JCB International
• Discover Inc.

The PCI council focuses on the following organizations to help them safeguard the personal and
financial information of the card users.
• Point-of-sales (POS) manufacturers
• Financial software developers
• Financial hardware developers
• Merchants of all sizes
• Financial institutes/banks
