Tools updates - Oct 2010
Some of my favorite tools have been updated recently. GnuPG was updated to version 1.4.11. OSSEC was updated to version 2.5.1. Speaking of OSSEC, there are a number of bloggers out there participating in the 2nd Annual Week of OSSEC. Daniel Cid appears to be doing wrap-up posts every day with pointers to the various blog posts, so go check them out. Here are the wrap-ups for days 1, 2, and 3. There is some interesting stuff there for those who want to get the most out of OSSEC. I also wanted to point out an interesting tip on using Wireshark/tshark to decode SSL traffic by Mark Baggett and (fellow new GSE) Doug Burks.
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
GIAC GSE #26
Cyber Security Awareness Month - Day 20 - Securing Mobile Devices
Over the last few years, the mobile devices in our lives have become much more complex and powerful, and as a result, more attractive as targets for malware authors. The iPhones, Androids, and Blackberries in our pockets (and the pockets of company executives) have more raw computing capabilities than the desktop machines of a few years ago (and the servers of a few years before that), and they run web browsers capable of running JavaScript or Flash (hmm... haven't we seen issues with both of those technologies on other platforms?). They also have built-in GPS capabilities that allow for tracking of our movements, and nearly constant access to the internet to potentially share that information (or any other data on the device) with "the bad guys." Unfortunately, defensive capabilities have not kept pace. To make matters worse, because of their size, these new mobile devices are also much easier to misplace (or steal). For this reason, it is probably even more important that the human being involved be more vigilant than ever. In the following discussion, I also make a somewhat artificial distinction between personal and corporate use of mobile devices.
Corporate usage
For corporate mobile devices, I would urge a few measures (where possible):
- Encryption - if the capability exists on the platform you are using, whole device encryption could provide some minimal protection to corporate (or personal) data on the device should it be lost or stolen.
- Remote Wipe - the ability to remotely kill or wipe a device that has been lost or stolen should be enabled if it exists.
- VPN - where possible, VPN back through the corporate environment (understanding that all the issues discussed in yesterday's diaries apply here, too). This allows one to take advantage of the proxies, firewalls, and e-mail filtering of the corporate network. When possible, use the mobile device as a thin client to access data in the corporate network or in "the cloud" rather than keeping potentially sensitive data on the mobile device itself.
Personal usage
For personal devices, the biggest thing is to remember that the defenses on these mobile devices are even slimmer than on our home PCs and laptops.
- Fight the urge to do things like banking, that might reveal information that could be used for identity theft, from your mobile device.
- Don't click on links sent via IM, Facebook, or SMS.
General usage
In general, there are a few things that should probably be done all the time to protect yourself and your personal and corporate information (and they may increase your battery life, too).
- Turn off the GPS and data (3G/4G/wifi) capabilities when you aren't actually using them.
- If anti-virus software exists for your platform, install it. It probably won't protect you from much, but if it stops even one attack, that's better than nothing.
- If at all possible, don't mix corporate and personal use on the same mobile device.
I've been starting to think about mobile malware lately, and frankly, it worries me. So, what are you doing to secure your mobile devices (both corporate and personal)?
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
GIAC GSE #26