Ever since the cell phone came into our lives in the eighties and nineties, security has always been a key issue. In recent years the use of these handhelds has caught on like wildfire, taking over many facets of our daily lives (both personal and professional). Correspondingly, mobile security is now becoming really critical, increasing in complexity by the day and calling for ever greater attention on our part.
The beginnings of cell phone security
The first analog mobile networks suffered from serious security flaws. The use of unencrypted analog modulations laid them open to easy eavesdropping without even the need for any especially expensive or difficult-to-obtain equipment. Many of you will no doubt recall the historic tapping of a high-up Basque politician that made a bid splash back in 1991.
Another even bigger threat was the possibility of “cloning” a cell phone and making calls that were then charged to another user. This security loophole wreaked havoc, especially in the USA’s AMPS type mobile networks.
The advent of digital networks (GSM) and the use of SIM cards tended to solve these “classic” problems pretty satisfactorily. The possibility of creating new added-value services, however, led to a parallel increase in security loopholes. Witness the first voice mailbox services, in which it was possible and even easy to access other users’ private mailboxes to listen to their messages or even change their greetings.
The Current Situation
There are now various types of threats acting on different levels.
First and foremost there is the security in the call itself. Increasing use is now being made of data connections and it is also becoming increasingly common to connect up outside the operator’s network. Any connection made to a public Wi-Fi network (or a private network without proper encryption) exposes us to third-party capturing of the information we are sending at the time.
Use of third party applications also poses a risk. The traditional traffic of short messages has now evolved towards whatsapp and the like. To save the cost of the messages we users are now prepared to make all our messages, photos and agenda contacts completely available to third-party firms offering us no sort of protection and often only too keen to market all this information on their own behalf. As a good friend of mind said “give me freebies whatever they cost”.
But perhaps the greatest threat of all resides in the indiscriminate installation of apps in the handhelds. The open operating systems, especially in Android, are spreading an ever increasing number of malware apps. Hacking the phone from within, these applications may then potentially carry out any action, such as subscribing us to a payment service without our knowledge, “kidnapping” our own photos and holding us to ransom, stealing our credit card data or even capturing our passwords and personal data for phishing purposes or carrying out any other barbarity in our name.
When we turn to firms whose employees use cell phones things become even more complicated. The introduction of mobility services makes cell phones of this type a threat not only for users themselves but the whole organization. At times the handheld itself stores confidential information that poses a risk if lost or stolen. To make matters worse the handheld might contain certificates or passwords allowing a third party to connect up illicitly and gain access to information stored in critical systems.
There is an even higher level of complexity if we factor in firms that allow their employees to use their own personal cell phones on business (known as “Bring Your Own Device”: BYOD). This practice, which offers some obvious advantages, poses additional security risks. It hinders company control over the models, operating systems or application-versions used. A new problem crops up when users leave the firm and take the handheld away with them, together with its passwords, apps and even sensitive information.
Solutions to the threat
For private users the best recommendation is prudence. Just as with PC use, if they take certain precautions when installing programs, mistrusting annexes and the like, the risks are reduced. A suitable antivirus, updated and paid for if necessary, should clear up the problems. As regards confidentiality, the best idea is to avoid sending any information that might be sensitive while we are connected up to a Wi-Fi network and, above all, never doing so by means of third-party applications.
For companies the solution is more complex. It would not seem recommendable to leave security in the hands of one of the employees, so whatever is implemented here should try to cover the whole chain. At least the following ideas occur to me:
- Proper control of the handhelds used: models, updating of operating systems and control of each piece of installed software.
- If employees use their own handhelds (BYOD) the above point will be complicated. In this case it will be essential for corporate information and applications to be kept as far apart as possible from the rest of the phone’s operating system.
- A clear and centralized handheld security policy: use of passwords, encrypted storage.
- Ensure that all communications are end-to-end encrypted
- A strict personal certificate use policy
- A review of the security design of any company service allowing mobility access
And all this should be done in such a way as to allow users to continue using their mobility-access applications in an easy and convenient way. We should never lose sight of the fact that security must be as transparent as possible. My opinion is that if security becomes too onerous for users, then problems and perceived nuisance will produce medium-term rejection of these solutions.
It is certainly no easy task to fit all the pieces of this puzzle together; neither is there a panacea. We have to think of solutions that can then keep pace with the development of technology itself, enabling all advantages of future mobility solutions to be harnessed while reducing their risks. Probably the best idea, especially for big corporations, is a shrewd mix of “out of the box” solutions and tailor made developments to suit each particular system.
What does seem to be certain is that, just as with the famous Chinese shield and spear paradox, as the spears (threats) get sharper, the shields will also improve to repel them.
Author: Crescencio Lucas Herrera
Las opiniones vertidas por el autor son enteramente suyas y no siempre representan la opinión de GMV
The author’s views are entirely his own and may not reflect the views of GMV