3.5 Given a scenario, implement secure mobile solutions

  • Connection Methods and Receivers
    • Cellular
    • Wi-Fi
    • Bluetooth
    • NFC
    • Infrared
    • USB
    • Point-to-Point
    • Point-to-Multipoint
    • Global Positioning System (GPS)
    • RFID
  • Mobile Device Management (MDM)
    • Application Management
    • Content Management
    • Remote Wipe
    • Geofencing
    • Geolocation
    • Screen Locks
    • Push Notifications
    • Passwords and PINs
    • Biometrics
    • Context-Aware Authentication
    • Containerization
    • Storage Segmentation
    • Full Device Encryption
  • Mobile Devices
    • MicroSD Hardware Security Module (HSM)
    • MDM/Unified Endpoint Management (UEM)
    • Mobile Application Management (MAM)
    • SEAndroid
  • Enforcement and Monitoring of
    • Third-Party Application Stores
    • Rooting/Jailbreaking
    • Sideloading
    • Custom Firmware
    • Carrier Unlocking
    • Firmware Over-the-Air (OTA) Updates
    • Camera Use
    • SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS)
    • External Media
    • USB On-the-Go (USB OTG)
    • Recording Microphone
    • GPS Tagging
    • Wi-Fi Direct/Ad Hoc
    • Tethering
    • Hotspot
    • Payment Methods
  • Deployment Models
    • Bring Your Own Device (BYOD)
    • Corporate-Owned Personally Enabled (COPE)
    • Choose Your Own Device (CYOD)
    • Corporate-Owned
    • Virtual Desktop Infrastructure (VDI)


Let’s look at different ways for connecting mobile devices and keeping them secure.  A device may have more than one connection method.

Connection Methods

  • Cellular.  Most mobile devices use cellular.  A cellular antenna in a tower can only talk to one phone at a time.  How do we connect multiple phones to a tower at the same time?  What if everybody is at the Super Bowl and texting and talking and tweeting?

There are three types of cellular network connections – GSM (Global System for Mobile Communications), TDMA (Time Division Multiple Access), and CDMA (Code Division Multiple Access).

A cellular phone connects to a tower through its cellular modem.  The phone will contain a SIM card that allows it to authenticate with that network.  Some laptops and routers also support cellular connections.

A cellular phone may be locked to a specific cellular network (Bell, Telus, AT&T, Verizon, etc.) or unlocked (in which case it can connect to any network).  You pay for a cellular plan with a specific carrier (Bell, Telus, AT&T, Verizon, etc.), which could include any number of features.

Some cellular phones have room for two SIM cards.  A cell phone with two SIM cards can connect to two networks at the same time (or maintain two separate connections to the same network).

When a phone is outside the range of its default network (for example, when it is in another country), it is roaming, and will attempt to connect to any number of available networks.  The user may incur additional charges for roaming.

GSM and CDMA are the two main types of cellular radio networks.  Most cellular networks are GSM, except for those maintained by Sprint and Verizon.  Some phones can operate on both GSM and CDMA networks. A carrier will operate their radios on several different frequencies (for example, Sprint operates over the CDMA 800 MHz and 1900 MHz frequencies).  For a phone to connect to a carrier’s network, it must have a modem that operates on at least one of that carrier’s frequencies.

TDMA was an older cellular technology that has been incorporated into GSM.  With TDMA, a cellular antenna would give each cell phone a time slot.  The width of each slot is measured in milliseconds.  Each phone would only listen during its slot.  This way the tower can connect multiple phones at the same time.  It’s like a person trying to have a conversation with several other people: say a few words to person one, say a few words to person two, say a few words to person three, come back to person one and say a few words, etc.  Each of the other people only needs to listen when they are being talked to.

GSM continues to use the same time slots that TDMA did.  GSM data uses the GPRS (General Packet Radio Service) protocol, which is no longer considered secure.

CDMA is more complicated.  It involves complicated math, linear algebra to be specific.  You can think of the signal from a cell tower to a phone like a wave.  Each phone agrees on a code with the tower.  The tower creates a signal that is a mash of all the messages that it wants to send each phone; the messages are coded so that they don’t cancel each other out.  Every phone receives the same signal but extracts its own portion from it.  It’s like if I hid French words between all the English words in this book.  An English-speaking person would read the English words and a French-speaking person would read the French words.  Now imagine that I hid words from eighty different languages in this book.  Every person could see all the words but only understand their own language, and ignore the words from the other seventy-nine languages.
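The "linear algebra" behind CDMA is the use of mutually orthogonal spreading codes. The following is an added illustration, not code from the book: it builds Walsh (Hadamard) codes, spreads each phone's bits with its own code, adds all the chip streams into one shared signal the way a tower would, and shows that each phone recovers only its own bits while a phone correlating with a code nobody is using sees nothing but zeros. The code lengths, bit patterns and phone names are constructed for the example.

```python
# Added example: orthogonal (Walsh) spreading codes, the principle behind CDMA.
# Pure Python, no dependencies; all inputs below are constructed for illustration.


def walsh_codes(order):
    """Return the 2**order rows of a Hadamard matrix as +1/-1 code sequences.

    Every pair of distinct rows has a dot product of zero (they are orthogonal),
    which is what lets receivers separate the phones' messages.
    """
    h = [[1]]
    for _ in range(order):
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread(bits, code):
    """Spread one phone's bit stream: bit 1 -> +code, bit 0 -> -code (one 'chip' per code element)."""
    chips = []
    for b in bits:
        sign = 1 if b == 1 else -1
        chips.extend(sign * c for c in code)
    return chips


def combine(chip_streams):
    """What the tower transmits: the element-wise sum of every phone's chip stream."""
    return [sum(column) for column in zip(*chip_streams)]


def correlations(signal, code):
    """Correlate each code-length segment of the shared signal with one code.

    With the right code the result is +len(code) or -len(code) per bit; with a
    code that no transmitter used, orthogonality makes every value zero.
    """
    n = len(code)
    return [
        sum(s * c for s, c in zip(signal[i:i + n], code))
        for i in range(0, len(signal), n)
    ]


def despread(signal, code):
    """Recover the bit stream that was spread with `code` from the shared signal."""
    return [1 if corr > 0 else 0 for corr in correlations(signal, code)]


# Constructed scenario: three phones share one tower using codes 1..3 of a
# length-4 Walsh set; code 0 is left unused.
CODES = walsh_codes(2)
PHONE_BITS = {
    "phone_a": [1, 0, 1],
    "phone_b": [0, 0, 1],
    "phone_c": [1, 1, 0],
}
PHONE_CODE = {"phone_a": CODES[1], "phone_b": CODES[2], "phone_c": CODES[3]}


def tower_signal():
    """The single signal every phone receives."""
    return combine([spread(PHONE_BITS[p], PHONE_CODE[p]) for p in PHONE_BITS])


def recovered_bits():
    """Each phone despreads the same shared signal with its own code."""
    signal = tower_signal()
    return {p: despread(signal, PHONE_CODE[p]) for p in PHONE_BITS}


if __name__ == "__main__":
    print("shared signal:", tower_signal())
    for phone, bits in recovered_bits().items():
        print(phone, "sent", PHONE_BITS[phone], "recovered", bits)
    print("unused code sees:", correlations(tower_signal(), CODES[0]))
```

The security point the book makes about coding, that every handset receives the full signal and relies on its code to pull out its own share, is visible in the last line: correlation with an unused code returns all zeros, while each phone's own code returns exactly its bits.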

There are several cellular network technologies/speeds

  • 3G – 3G is also known as Third Generation.  It provides data transfer rates of at least 144 kbit/s.

  • 4G – 4G is also known as Fourth Generation.  4G must use an underlying IP network, and provide data speeds of up to 100 Mbit/s for moving users and 1 Gbit/s for stationary users.

  • 5G – 5G is also known as Fifth Generation.  It provides data rates of up to 1 Gbit/s.  5G is supposed to provide enough bandwidth to allow devices to function as primary internet connections.  5G broadcasts signals at 24 GHz to 40 GHz.

  • LTE – LTE is also known as Long Term Evolution.  It is an advancement of the 3G network, but does not meet the standard of 4G.  LTE provides download speeds of up to 299 Mbit/s.  It also requires IP packet switching for both data and voice calls.

Some phones support both GSM and CDMA in addition to 3G, 4G, 5G, or LTE.  GSM/CDMA are becoming less popular as 5G takes over.

When selecting a phone

  • Ensure that the phone’s modem is compatible with the chosen carrier

  • Ensure that the carrier has adequate network coverage in the areas you plan to visit

  • Ensure that the cost of the cellular data and voice plan is known in advance

There is not much we can do about cellular security because the cellular network is operated by third parties.

I mentioned the StingRay earlier.  The StingRay is a device that allows people to intercept your phone calls and text messages.  It acts like a fake cell phone tower.  Your cell phone connects to the StingRay instead of the tower because the StingRay has a stronger signal.  The StingRay forces your cell phone to use a weaker form of encryption, and then intercepts your phone calls and text messages.  It passes the messages to the tower so that you don’t know that you’ve been hacked.

If you are having a sensitive conversation, you should use a more secure mode of communication such as Signal (an app).

  • Wi-Fi.  Most mobile devices use Wi-Fi as well.  We have discussed Wi-Fi security in great detail.  We should ensure that the device only connects to secure networks.

  • Bluetooth.  Some mobile devices use Bluetooth.  Bluetooth is vulnerable to attack.  We should ensure that the device has adequate security and only pairs with other trusted Bluetooth devices.

  • NFC.  Some mobile devices use Near Field Communication.  The main purpose is to allow a cell phone to interact with a payment terminal.  We should turn off NFC when not in use.

  • Infrared.  Infrared communication is no longer popular.  Some mobile devices use it to share data over a short (a few inches) distance.

  • USB.  Almost all devices use USB to charge, back up their data, and receive software updates.  Only connect a mobile device to a trusted computer. 

    When you first connect your phone to a computer via a USB cable, it will ask you for permission to trust it.  If you choose “yes”, then your phone will share data with your computer.

    Well, a hacker came up with a USB cable that contained a whole computer inside the USB connector.  If he left it on your desk, and you used it to connect your phone to your computer, then your phone would again ask you if you wanted to “trust” the computer (the phone is actually talking to the computer in the cable, but you don’t know it).  If you said “yes”, then your phone was trusting the computer in the cable and sharing all the data with it.  Be careful where your USB cables come from.

  • Point-to-Point.  A Bluetooth, NFC, or USB connection is point to point because two devices create a direct connection with each other.

  • Point-to-Multipoint.  A Wi-Fi connection is point to multipoint because several devices create a direct connection with one central device.

  • Global Positioning System (GPS).  GPS is common on most mobile devices.  GPS uses an antenna to connect to various satellites.

  • RFID.  Radio Frequency Identification can be used to track devices or inventory.

Mobile Device Management (MDM)

One way that we can ensure our mobile devices are secure is with MDM or Mobile Device Management.  Some of the things that MDM can enforce

  • Application Management.  We can restrict the types of applications that a user can install.  We can also force the phone to download and install specific applications, prevent a user from installing any new applications, or prevent a user from uninstalling any existing applications.

  • Content Management.  We can control the type of data stored on the phone and we can set policies based on the type of data.

  • Remote Wipe.  If the phone is lost or stolen, then we can erase it.  The server sends the phone a signal to wipe it.  If the phone is not connected to a network (if it is turned off, or if the thief has disconnected the network), then the remote wipe command will not reach the phone.

  • Geofencing.  We can restrict the geographic areas where the phone can function.

  • Geolocation.  We can track the physical location of the phone.

  • Screen Locks.  We can force the phone to lock after a period of inactivity.

  • Push Notifications.  We can send notifications to the phone.

  • Passwords and PINs.  We can force the user to set a password and/or PIN, and we can enforce password complexity.

  • Biometrics.  We can force the user to set a biometric lock on the phone.

  • Context-Aware Authentication.  Context-aware authentication uses artificial intelligence to predict whether a user is legitimate or malicious.  If the system believes that the user is legitimate, then the authentication gives the user access.  If the system suspects that the user is malicious, it might request an additional form of authentication (2FA).

  • Containerization.  We can separate business applications from personal applications so that they do not share data.

  • Storage Segmentation.  We can separate business data from personal data.

  • Full Device Encryption.  We can force the phone to encrypt its entire contents.  This is a standard feature on most Android and Apple phones.

Mobile Devices

Some components that keep mobile devices secure

  • MicroSD Hardware Security Module (HSM).  A MicroSD HSM is a Smart Card that is in the shape of a MicroSD card.  We can insert the MicroSD card into our Android phone and now we have access to our security keys.

  • MDM/Unified Endpoint Management (UEM).  UEM is an application that allows us to enroll, provision, and secure end user devices.  We first create a template that includes configuration, device names, and applications.  Then we enroll the end user devices.  The UEM automatically pushes the necessary configuration onto the devices.

    For example, we might configure the devices to download the Microsoft Outlook App, have a password of at least ten characters, and encrypt all the data.  Anytime we enroll a new smartphone, UEM automatically forces that phone to install the Microsoft Outlook App, enforces a password, and encrypts the device data.

  • Mobile Application Management (MAM).  MAM takes MDM a step further by allowing an administrator to configure specific application settings.

    An example of MAM is Microsoft Intune.  Some of its features

    • Automatically install apps on a user device

    • Configure installed apps

    • Encrypt company data in installed apps

    • Erase company data in installed apps.  That means that a user can use the same app for business and personal, and keep the data separated.

    • Update apps

    • Install proprietary apps (company-created apps that are not in the app store)

  • SEAndroid.  Also known as Security Enhanced Android or Security Enhanced Linux in Android or SELinux.  SELinux is a tool that allows an administrator to lock down a mobile Android device.  This protects the device and the user from malicious applications that exploit security holes.

    SELinux can do one of two things – deny an app any action that is not explicitly permitted (enforcing mode), or simply log any action that is not explicitly permitted but permit it anyways (permissive mode).  In permissive mode, we can review the logs to later determine whether specific actions should be prohibited.
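Reviewing permissive-mode logs is easier with a small tool than by eye. The following is an added example, not part of the book or of Android itself: it parses the AVC denial messages that Android's kernel writes to the log (the `avc: denied { perm } for ... scontext=... tcontext=... tclass=... permissive=1` format), groups them by source domain, target type, object class and permission, and separates the ones recorded in permissive mode (actions that were logged but still allowed) from those actually blocked in enforcing mode. The log lines, process names and contexts are constructed for the example.

```python
# Added example: summarize SELinux AVC denials from an Android log so that
# permissive-mode findings can be turned into enforcing-mode policy decisions.
import re
from collections import Counter

# Constructed sample log. Lines follow the AVC message layout Android uses;
# the app names, PIDs and contexts are invented for illustration.
SAMPLE_LOG = """
audit: type=1400 audit(1700000000.123:55): avc: denied { read } for pid=4212 comm="com.example.app" name="build.prop" dev="dm-0" ino=77 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
audit: type=1400 audit(1700000000.456:56): avc: denied { write add_name } for pid=4212 comm="com.example.app" name="local" dev="dm-1" ino=91 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
audit: type=1400 audit(1700000001.001:57): avc: denied { read } for pid=4212 comm="com.example.app" name="build.prop" dev="dm-0" ino=77 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
audit: type=1400 audit(1700000002.500:58): avc: denied { getattr } for pid=812 comm="vendor_daemon" path="/dev/block/sda1" dev="tmpfs" ino=5 scontext=u:r:hal_example:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
I/ActivityManager( 1100): Start proc 4212:com.example.app/u0a123 for activity
"""

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Extract the type field from a context such as u:r:untrusted_app:s0:c512,c768."""
    return context.split(":")[2]


def parse_denials(text):
    """Return one record per denied permission found in the log text."""
    denials = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC message; ignore ordinary log lines
        for perm in match.group("perms").split():
            denials.append({
                "source": selinux_type(match.group("scontext")),
                "target": selinux_type(match.group("tcontext")),
                "tclass": match.group("tclass"),
                "perm": perm,
                # permissive=1 means the action was logged but allowed to proceed
                "permissive": match.group("permissive") == "1",
            })
    return denials


def summarize(denials):
    """Count denials by (source domain, target type, class, permission)."""
    return Counter((d["source"], d["target"], d["tclass"], d["perm"]) for d in denials)


def split_by_mode(denials):
    """Separate actions that really happened (permissive) from those blocked (enforcing)."""
    allowed = [d for d in denials if d["permissive"]]
    blocked = [d for d in denials if not d["permissive"]]
    return allowed, blocked


if __name__ == "__main__":
    records = parse_denials(SAMPLE_LOG)
    allowed, blocked = split_by_mode(records)
    print(f"{len(allowed)} permissive-mode denials (action went ahead), {len(blocked)} enforced")
    for key, count in summarize(records).most_common():
        print(f"{count:3d}  {key[0]} -> {key[1]} ({key[2]}: {key[3]})")
```

Each summary row is a candidate decision: either the app genuinely needs that access and policy should grant it, or the access should stay denied once the device is switched to enforcing mode.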

Enforcement and Monitoring

Some things we can monitor

  • Third-Party Application Stores.  There is only one official app store for the iPhone (Apple App store), and two for Android phones (Google and Amazon).  These stores verify the identity of their app publishers.  There is a lower risk that an app from one of these stores contains malicious content.

    We should not install apps from other third-party stores or sources.  By default, an Android phone will not allow apps from a third-party source to be installed.

  • Rooting/Jailbreaking.  Rooting or Jailbreaking is a method for unlocking an iPhone or Android phone so that it can run unauthorized content.  Rooting and jailbreaking are bad because they remove restrictions that the operating system has placed to protect the user data from malicious applications.

    Specifically, rooting gives applications the ability to run as the “root” user, without any limitations as to what they can do.

  • Sideloading.  Sideloading is a practice of manually downloading and installing an app from a USB source or from the web, instead of from the app store.  It mainly applies to Android phones.  It is not a good idea to do so because the source of these apps cannot be verified.

  • Custom Firmware.  Some users have written custom firmware (operating systems) for their Android phones.  These are also known as Custom ROMs.  They give the phone additional features, but they may not be sophisticated enough to verify that their ROMs are free of security holes.
     
  • Carrier Unlocking.  When you purchase a phone, it may be locked to a specific carrier’s network.  You can unlock the phone so that it can function on other networks.  To do so, you must obtain a code from your current carrier.  Some phones come unlocked from the factory.  Unlocking the phone does not pose a security risk.

  • Firmware Over-the-Air (OTA) Updates.  Some phones automatically receive updates when connected to Wi-Fi.  It is important to install updates as they patch security vulnerabilities.  We must make sure that the update is coming from a legitimate source.

  • Camera Use.  In a high-risk environment, we might choose to restrict the use of the camera.
     
  • SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS).  We might restrict whether a user can send SMS messages or MMS messages.  We might want to use a Data Leak Prevention application to control the content of these messages.

  • External Media.  We might restrict whether the phone can access external media such as SD Cards.  We don’t want a user to be able to copy sensitive data from the phone to an SD Card.

  • USB On-the-Go (USB OTG).  OTG allows a smart phone to read data from a USB drive or accept a connection from another USB device such as a keyboard.  Because USB devices can contain viruses, USB OTG is risky.  We also don’t want a user to be able to copy sensitive data from the phone (where it is encrypted and monitored) to a USB drive (where it is not encrypted and not monitored).

  • Recording Microphone.  In a high-risk environment, we might choose to restrict the use of the microphone.

  • GPS Tagging.  We might force the phone to place a GPS tag on each photo taken.

  • Wi-Fi Direct/Ad Hoc.  We might prohibit the phone from making a direct wireless connection to another device.

  • Tethering.  We might prohibit the phone from tethering (sharing its internet connection with another device via USB).

  • Hotspot.  We might prohibit the phone from sharing its internet connection via a hotspot.

  • Payment Methods.  We might enforce specific payment methods for purchases made by the phone.


Deployment Models

There are several ways to deploy mobile devices

  • Bring Your Own Device (BYOD).  With BYOD, an employee can use their own personal device and not have to carry two devices.  They can use a device that they like.

    The organization must be able to provide technical support for a wide range of manufacturers and models.  The organization may limit the support that they provide for BYOD devices to only basic technical support.

    We might use MDM to separate the user’s apps and data from the company’s apps and data.

    There may be legal restrictions on what the organization can do with an employee-owned device (such as GPS tracking, data erasing, encryption).

    The organization may be required to reimburse employees for the use of their phones.

  • Corporate-Owned Personally Enabled (COPE).  The organization supplies and owns the mobile devices, but employees are permitted to use them for non-work purposes.  This is good because people do not want to carry two phones.  The company can choose which phones employees will use and can enforce policies through MDM.

    The company might allow the user to keep their phone (for free or for a fee) when they leave.  The company should require the user to erase any company data from the phone at this time.

    The company must be careful to keep each user’s personal activities private.

  • Choose Your Own Device (CYOD).  CYOD is like COPE, except that a user can choose any type of phone that they want.  This can create a headache for the IT department because they will have to support a wide variety of devices.  Also, some of those devices might not meet the company’s security or performance standards.

  • Corporate-Owned.  The organization supplies and owns the mobile devices.  The company enforces its policies on all of the devices and employees are prohibited from using them for personal activities.

  • Virtual Desktop Infrastructure (VDI).  Also known as a Virtual Desktop Environment.  This allows an organization to host end users’ desktops and applications in the cloud.  A user will access his desktop via a remote desktop tool or a thin client.

    VDI provides enhanced security because all the data is stored on an encrypted server in a physically secure data center, and none of it resides on the end user’s computer.  If the end user computer is lost or stolen, the data is not compromised.

    A Virtual Desktop can be accessed through an app on a laptop, phone, or tablet.

    An example of a VDI is Amazon Workspaces.