Complete Guide to Mobile Device Security

A mobile device attack is launched every 39 seconds. How can you stay protected?

By
Reviewed by
Updated January 22, 2021

All reviews, research, news and assessments of any kind on The Tokenist are compiled using a strict editorial review process by our editorial team. Neither our writers nor our editors receive direct compensation of any kind to publish information on tokenist.com. Our company, Tokenist Media LLC, is community supported and may receive a small commission when you purchase products or services through links on our website. Click here for a full list of our partners and an in-depth explanation on how we get paid.

Mobile device security entails the course of action embarked upon to safeguard the confidential data and information stored on and transmitted through mobile devices such as smartphones, tablets, laptops, wearable, and portable devices. 

This digital era might as well be known as the era of mobility. With over 50% of business computing devices being of the mobile variety, coupled with the growth of Internet-of-things (IoT), mobile devices are now posing new challenges to enterprise network security.

Mobile device security encompasses the ability to hinder and prevent unauthorized user access, especially to an enterprise network from mobile devices. 

With nearly every employee possessing a mobile device, organizations need to be cognizant of the fact that this is a huge attack vector for criminals with malign intentions.

Alongside the concerns posed by mobile devices are those presented by the proliferation of Internet-of-Things (IoT), which almost harbor the same threats to enterprise security. Since endpoints in an organization ought to have the same levels of protection, IoT devices are an additional burden of concern that have to be accorded the same level of attention that mobile devices garner. 

This article hopes to provide a holistic, coherent enterprise security plan, which has mobile security at its centerpiece.

⭐️ Why is Mobile Device Security Important?

Just consider the following statistics:

  • Kaspersky labs reports that on more than 1 million user devices, it discovered almost 3.5 million pieces of malware
  • An attack is launched every 39 seconds, rounding off to an average of 2,244 times each single day
  • More than 50% of devices used in the workplace are mobile
  • Vulnerabilities in mobile devices have increased by 42%
  • Malware attacking mobile devices a likely to increase by 50% compared to the previous year
  • In 2018 alone, 75,000 mobile apps had vulnerabilities that Android had to fix
  • A software development kit (SDK) integrated in mobile applications was discovered to have stolen 111 million contact information in China
  • Hidden mobile apps are especially, representing up to 50% of telemetry and transmission to remote endpoints
  • About 3 to 4 employees per 100 using their device to access inappropriate content. 
  • Up to 80% of corporate owned mobile devices transmit data on WiFi networks
  • 66% and 55% of enterprises and SMBs respectively provide company supported and owned mobile devices
  • Approximately 4.3% of company-issued mobile devices are stolen or lost each year.
  • It is estimated that large enterprises have more than 2,000 unsafe mobile device apps are installed on them by their employees
  • 86% – that is the percentage of employees that access company emails through their mobile devices
  • 70 million smartphones are lost each year
  • 60% of mobile device vulnerability derives from the client side
  • 89% of vulnerabilities can be exploited without physical access to the mobile device
  • 56% of vulnerabilities can be accessed without any sort of administrator access

How Vulnerable are Mobile Devices?

This almost comes off as a redundant question. With as much as half of an organization’s computing devices now consisting of portable devices, mobile devices present peculiar challenges with regard to network security. 

Now, businesses need to account for the different locations and uses of these devices as well. Especially since mobile usage in organizations has now surpassed those of desktop PCs, malicious hackers are now focusing their attention more and more on mobile devices.

Both IT departments and executive suite-level players like CIOs are fixated, for good reason, on thwarting potential threats to companies’ devices such as phishing scams, spyware, unsecured WIFI networks, data leakage. These days, most of the preoccupation centers around malicious mobile apps, or the theft or misplacement of employee mobile devices which might contain proprietary company secrets.

According to Dr. Rebecca Wynn, who heads information security for Matrix Medical Network, most enterprise security teams have gotten a fair handle on things with regard to enterprise mobility and mitigating external exposure that comes with attacks such as man-in-the-middle and  malware.

However, Wynn says that data is harder to manage and protect on mobile devices because “the use of private, public apps, and company-branded apps which can leak employee and customer data in ways enterprise security doesn’t have visibility.”

A way to counteract this incident is for organizations to formulate internal policies, and sufficiently educate their employees on the potential dangers that their mobile devices pose to the organization’s interest. 

The Mobile Device as a Security Threat

Millennials might find it difficult to imagine, but mobile devices didn’t use to be as ubiquitous as they are today, and were nearly unheard of as a business threat. Before broadband and wireless technology exploded onto the scene, employees with stand-alone desktop computers were limited to Ethernet cables as their primary gateway access to either LAN or WAN corporate networks. 

Consumer devices like the iPhone changed this calculus and ushered in the age of the mobile technology, and by extension, the mobile worker to the extent that virtually all employees now regard using a mobile device at their office as a given.

Consumers are now performing more and more daily actions from their smartphone. Everything from email to trading stocks through an app can be facilitated with mobile devices. With an increased mobile device capability, comes an increased vulnerability.

Another precipitating factor has been the mutating networking environment that has been occurring for some years now, opening a Pandora’s box of new threats of malware and computer viruses. 

With this trend, IT departments were compelled to grapple with viruses that infected smartphones, like Cabir, the first virus that infected a mobile device in 2004. Hence, a new host of vulnerabilities followed the iPhone and smartphones onto the scene.

Compounding things, the current era is now plagued with threats and vulnerabilities related to Internet-of-Things (IoT). This development has challenged and burdened organizations along with their IT departments with a host of new endpoints that need to be secured.

According to following graph, an estimated 21.5 billion IoT devices are anticipated by the year 2025.

Source: IoT Design Pro

Some organizations are approaching this issue by taking out these IoT devices from the central network and putting them in their own secluded virtual LAN with separating firewalls. The objective of these measures is to reduce the security incidents emanating from IoT devices. 

Furthermore, they might disable certain functions that are infrequently used in IoT devices, say faxing on a wireless printer, to reduce opportunities for attacks. However, this action might not work for mobile devices since they need full network access to operate. 

To counteract emerging mobile threats, software solutions have been designed for the enterprise space to confront and address these types of attacks. Most noteworthy among them is the Mobile Application Management (MAM). Others are the Mobile Device Management (MDM), Enterprise Mobility Management (EMM), and Unified Endpoint Management (UEM). 

The Benefits of Mobile Device Security

One of the main benefits of mobile devices is also what makes them dangerous: their ease of use. The director of enterprise mobility and connected devices at VDC Research, Eric Klein, highlights this fact by pointing out that because they are so convenient to use and communicate with, many employees “aren’t necessarily trained well on how to safely interact with applications and corporate data.” 

While a portion of users will presumably be careful and conscientious in managing their interactions with business apps on their phones, Klein nonetheless believes that many will “walk around with phones that don’t have password protection on, so that makes the problem even worse.”

Effective mobile device management and security provide the following advantages:

  • Security policy enforcement
  • Regulatory compliance
  • Controlling device updates remotely
  • More application control
  • Automatic data backup and device registration
  • Permitting the allowance and use of “bring your own device” BOYD

How Mobile Device Security Works

Executing mobile security effectively requires a wholesale, multilayered investment in enterprise solutions. There are several overarching elements, though every company should find what fits best with its network. 

For starters, these are some of the mobile device security practices that companies should incorporate:

📝 Establish, Enforce, and Disseminate Clear Guidelines

Like most company policies, mobile device rules are only as reliable as the organization’s effectiveness in communicating them clearly to employees. These policies on mobile device security should incorporate clear rules as to the following:

  • What devices are allowed to be used in the organization
  • What operating systems are permitted on those devices
  • What the organization’s employees are allowed or forbidden to access 
  • The data and information the company can or cannot access on a personal phone
  • Whether or not the IT department can remotely wipe a device
  • Password rules such as its requirements and the frequency of updating passwords

Being able to wipe data remotely is one of the most effective means of securing stolen devices, but it isn’t without controversy. This strategy allows organizations to remotely erase all the data on corporately issued mobile devices in case of theft or misplacement. However, employees are concerned that this approach will also wipe off all their personal data on the mobile device. 

💪 Enforce Strong Password Protection

Strong passwords are the first line of defense against unauthorized access of mobile devices. However, a host of vulnerabilities are unleashed by workers using weak or similar passwords for their mobile, email, and other work-related accounts. The remedy is to enforce employees to create strong passwords with definite guidelines such as requiring they have a minimum of 8 characters, which are unique and different for each account.

🔒 Leverage the Use of Biometrics

While strong passwords are a good thing to enforce, however, they aren’t an antidote or powerful enough deterrence against breaches. In fact, they still occur despite the use of two-factor authentication. 

To bolster security, some companies are relying on more than traditional methods, and going the route of biometrics. Biometrics use biological characteristics that can be quantified and measured such as the fingerprint, the face, iris recognition, and the voice of the person to authenticate an individual. 

There are several benefits to using biometrics that outweighs passwords: you can forget your password, but you can’t forget your face. Second, it gives enterprises more accountability in knowing the people who access their assets, in addition to providing an active log of those users.

Smartphone apps now come equipped with several authentication methods that can be easily set up for this purpose. 

⚠️ Be Cautious of Apps

One of the quickest rising threats to mobile devices is the installation of malicious apps. When employees who have access to the corporate network from their devices inadvertently download malicious apps, they provide a gateway for hackers to gain access to the organization’s network and data.

The following graph shows the number of detected malicious packages installed on mobile devices worldwide, from Q4 2015 – Q1 2020:

Some apps are specifically designed by hackers just to exploit unsuspecting users. Google discovered up to 700,000 malicious apps in its Google Play Store, which represented a 70% increase from the previous year. 

There are two ways that companies can try to circumvent this threat. The first is by educating and instructing employees on the dangers to which they expose the organization through their mobile app downloads. The other is to prohibit employees from downloading certain applications on their devices.

👨‍💻 Be Wary of Public WiFi

Most people have the erroneous assumption that the public networks they connect to are safe. Unfortunately, public WiFi is one of the most abundant attack vectors for mobile devices. In fact, hackers even go as far as creating fake WiFi networks, giving them innocuous names such as “Coffee Shop” for the sole purpose of trapping unsuspecting users. 

The data on a mobile is only as secure as the network through it is transmitted. As a result, companies need to highlight the dangers of public WIFI networks to their employees, educating them on how they pose a significant threat by emphasizing how attackers can easily breach their devices on unsecured networks to steal the data.

An alarming number of adults continue to believe public WiFi is safe:

Source: allconnect.com

While a smart defense is to encourage the right behavior, it is almost impossible for companies to implement the prohibition of the use of open WiFi unless on company premises. One feasible way to do so is for companies to use compel employees to log in through Virtual Private Networks (VPNs) to access corporate applications.

📱 Utilize Mobile Device Encryption

Modern mobile devices, especially smartphones, come equipped with built-in encryption features that can even enable users to enter a password to encrypt their device. Encryption converts data into unintelligible code that can only be accessed by the user, thereby preventing theft and unauthorized access.

The Different Types of Mobile Device Security

The Tokenist infographic showing what are the six main types of mobile device security
These are the six main types of mobile device security.

These security tools help to complement the internal device policies designed to protect against unauthorized mobile access

  • Email security: Through phishing and social engineering attacks, email is the most popular avenue of choice for hackers to spread malware and ransomware. Businesses can protect themselves from this attack with advanced email security to detect, block, and analyze threats faster. Most of these tools are also capable of preventing data loss by protecting information in transition with encryption.
  • Endpoint protection: Attack pathways for security threats are created by the connection of mobile phones, laptops, tablets and other wireless devices to corporate networks. Endpoint protection focuses on these remotely bridged devices by making sure users follow the appropriate security standards, and alerting security teams in real-time when a threat emerges but before it does extensive damage.
  • Enterprise mobile management (EMM) platform: This platform helps IT departments to monitor and gather real-time insights so they capture potential threats.
  • VPN: Virtual Private Networks are an ideal security feature for the mobile world in which we live. They operate by extending a private network across a public one, thereby allowing users to communicate data on public or even shared networks; behaving as if these were directly connected to the private network. VPNs also encrypt data so that remote users can communicate with their branch offices in a secure manner.
  • Secure web gateway: This type of protection goes a long way in boosting cloud security because it enables an attack coming from one location to be identified and prevented from being perpetuated or simulated at other branches. Secure web gateways provide online security for the company by enforcing the organization’s policies and defending against online threats such as malware and phishing in real-time.
  • Cloud access security broker (CASB): the CASB sits in the middle and between the cloud service consumers and cloud service providers to enforce governance policies, compliance, security for cloud applications. The advantage that the CASB provides for organizations is that it enables them to extend their on-premise security control to the cloud. These tools like Salesforce and Dropbox act as a gateway between an organization’s on-premise infrastructure and the cloud applications and can identify malicious cloud based-applications. They can, therefore, prevent data breaches, especially if they are equipped with a cloud data loss prevention (DLP) engine.

What is Application Security (appsec)?

Application security — which is frequently referred to as “appsec” — involves the security protocol implemented in various applications to prevent hacking and the theft of information. These protocols are designed prior to the app coming to life, in the design of the app, but also after the app has been launched. Frequently, bugs or security vulnerabilities are not recognized until after the app is deployed.

There are numerous components to appsec. This crucial aspect of protection does not merely apply to software, but hardware as well. In fact, appsec applies to any component of an application that may result in compromised security. 

What’s an Example of Hardware Application Security?

When considering the world wide web as an example, routers are utilized to conceal — and protect the identification of — a mobile device’s internet protocol (IP) address. Thus, routers constitute an example of hardware implemented in appsec.

What’s the Difference Between Appsec and Mobile Device Security?

It’s important here to emphasize that we’re dealing with two very different, though partly overlapping, broad terms. Each of them have a number of implications.

Application security can refer to the security which protects any kind of application. Today, there are many: web applications and mobile applications are the two most common.

Web applications, also referred to as webapps, feature code that is stored on a server. Any time a user utilizes the code, they ultimately send a request to the server from their device (could be a desktop, laptop, or even a mobile device through a browser). The server then sends a response, which is rendered on the user’s device. No code is stored on the device itself.

With a mobile application, most of the code is downloaded and stored on the device itself (think iOS and Android). These are two primary components of appsec. The security aspect of appsec then comes into play when we consider protecting and safeguarding the app — and all data it encompasses.

Mobile device security includes all aspects of security regarding a mobile device. Just like appsec, this includes both software and hardware. Ultimately, mobile device security includes all security protocols used to protect data that is either stored on, sent from, or received by a mobile device. This can even include the physical security of the mobile device.

In this sense, it is easy to see how appsec and mobile device security have a lot in common, but don’t necessarily refer to the same thing.

How Do You Test Security on an Application?

There are generally six types of security tests that are used to measure the security of an application. There are as follows:

Ethical (white hat) hacking: These are harmless hackers that will identify security threats and vulnerabilities without any malicious intent. Their aim isn’t to steal information or cause harm; it’s rather to identify gaps in security that need to be fixed.

Scanning: Scans measure the various networks in an automated fashion, to show potential vulnerabilities. Most modern scanning software also provide recommendations on how to amend the vulnerabilities discovered.

Risk assessment: These are tests which aim to identify vulnerabilities, usually throughout an organization. As a result, these frequently involve assessing physical procedures including the ways in which devices or servers are locked and secured — from both a physical and network perspective.

Auditing: Security audits can be both manually performed or conducted automatically. They frequently examine code in an attempt to identify unnecessary security risks.

Posture validation: The process of posture validation involves the implementation of posture data, which features its own unique rules, to measure the performance and potential vulnerability of data on an endpoint.

Penetration testing: This aims to protect an application from external attacks. It essentially replicates an external attack by a hacker, to measure the performance of the application’s defense.

What are the Three Phases Involved in Security Testing?

The Tokenist infographic showing the three phases of security testing

As outlined above, penetration testing is one method of measuring the security — and potential vulnerability — contained within a mobile application. Penetration testing consists of three primary phases:

  1. The Pre-Attack Phase: This involves acquiring as much information about the network as possible without signaling any warning of an upcoming attack.
  2. The Attack Phase: The actual attack carried out on the target.
  3. The Post-Attack Phase: The goal here is to return the mobile application’s status to that of its pre-attack phase.

Tips for Cell Phone Security

There are a number of measures you can take — without being a security expert — to protect your cell phone and your data. Here are a few major ways you can increase cell phone security:

  • Implement a password to access your phone and always lock your phone when not using it.
  • Use a secure password — not your birthdate, 1234, or something that could be guessed.
  • Ensure the software on your mobile device is always up-to-date.
  • Refrain from WiFi that is not password protected.
  • Do not jailbreak your cell phone.
  • Keep data encrypted.
  • Install anti-virus software and ensure it remains updated.
  • Be cautious of downloads.

What Type of Storage is Used on Mobile Devices?

In order to understand the store used in mobile devices, we must first understand storage. There are two types of memory: volatile memory and non-volatile memory.

Volatile memory is the memory that is lost whenever the mobile device is powered off. More often than not, this takes the form of Random Access Memory, or RAM.

Non-volatile memory is the memory that is retained on a mobile device even after it’s powered off. In technical terms, this means that non-volatile memory is that which survives a device reboot. Non-volatility memory typically takes the form of ROM or Flash-RAM.

In short, mobile devices use both volatile and non-volatile memory to store data. While volatile memory is primarily used to power applications, non-volatile memory is usually where the most sensitive data is stored.

Conclusion

With their abundance and ubiquity, securing mobile devices isn’t a simple or easy task. But it is warranted because the stakes of data breaches and theft are high, and therefore should be a top priority for organizations.

Adequate and effective mobile device security allows organizations to remotely manage devices and users who access their network, allowing them to disable unauthorized applications and users. 

In order to combat rising and increasingly sophisticated cyberattacks, it is advised that companies constantly audit the mobile solutions they have and implement better solutions once they become available.

All reviews, research, news and assessments of any kind on The Tokenist are compiled using a strict editorial review process by our editorial team. Neither our writers nor our editors receive direct compensation of any kind to publish information on tokenist.com. Our company, Tokenist Media LLC, is community supported and may receive a small commission when you purchase products or services through links on our website. Click here for a full list of our partners and an in-depth explanation on how we get paid.

Cookies & Privacy

The Tokenist uses cookies to provide you with a great experience and enables you to enjoy all the functionality of the site.