Countermeasures: Similarly to securing desktops, servers, networks, and other equipment, you can take some basics steps to make mobile devices more resistant to attack.
What’s included here is some basic guidance but not a comprehensive list of all that can be done:
- Setting passwords on all mobile devices is a requirement for all devices that will be attached to a corporate network and/or store sensitive data.
It is worth nothing that enabling certain features such as encryption will require the setting of a password before they will work.
- Strong passwords are recommended on all devices. This step is of particular importance because many mobile devices allow you to use methods to unlock the device other than passwords. Many devices allow you to set PIN codes, gestures, and regular alphanumeric passwords.
- Install antimalware applications to thwart the spread and infection of malware. Ideally, the antimalware application should scan not only the device but also newly installed applications and email for maximum effect.
- Use encryption on all devices wherever possible to protect both internal storage and SD cards. This is an essential part of protecting data on a device in the event that it is lost or stolen. Note that some older devices and older operating system do not support encryption.
- Ensure that you device is always current with the latest software updates. This can be problematic because devices that are subsidized by wireless companies such as AT&T do not always get the latest updates until long after they are released. Such is the case with subsidized devices that run Android; Google will release updates to the system, but providers may not release them to their users for to a year or more.
- Avoid installing applications from unknown source. Not all apps that can be installed on a device must come from Google or Apple; many can be downloaded from various websites. While many of these applications are legitimate, others may contain malware or cause other issues.
- Back up the device regularly. Do we really need to say more on this topic?
- Avoid rooting or jailbreaking a device. While it may seem attractive to get more power and control over a device, doing so introduce security risks.
- Enable remote wipes if possible. This feature, if available, should be enabled on device that contain sensitive data and are susceptible to being lost or stolen.
- Verify applications before downloading. Some apps could be harmful to your mobile device, either by carrying malware or by directing you to a malicious website that may collect your sensitive information.
Summary: Mobile device have taken the world by storm and seen incredibly rapid growth and adoption over the last several years.
Along with this growth have come a number of security issues to plague mobile devices. This ability to have a small and powerful device that is internet connected and allows communication from anywhere at any time is alluring as well as a problem for companies.
With the average person today possessing at least three mobile devices and using those devices for both personal and work purposes, the devices pose a problem for the work place. With the rise of BYOD policies at many workplaces, users now attack to a network not only because they want to but also because they have to in order to work.
Operating system such as Google’s Android and the second-place Apple iOS are in many ways similar to but also different from traditional systems, presenting a security challenge.
The vast numbers of devices has led to a host of problems, including mixing of multiple versions of the same OS and countless numbers of devices each having unique characteristics.
As a penetration tester you will need to familiarize yourself with the similarities and difference of the myriad of devices that exist.
Pen testing these devices will require a combination of methods learned over previous articles as well as the adoption of new tools and techniques to properly test the system.
Exam Essentials
Know the challenge posed by mobile device: Mobile device represent a shift from a laptops and desktops PCs to highly compact tablets and Smartphones. While very powerful and portable, they present a huge potential for security holes within an organization.
Know the basics of protecting mobile data: Data on mobile devices is much more vulnerable than data in a fixed location. This risk that data may be compromised on a lost or stole device is quite and thus requires extra protection.
Understand the challenges of keeping Android devices up to date: Android devices come in many different versions and flavors by vendors and devices. Since there are so many versions, patches and other updates may not be available as quickly as needed on many devices.
READ MORE: Penetration Testing Mobile Devices Using Android
