In Part 1 of this series, we introduced common mobile device capabilities.
In Part 2 of this series, we described security threats and the defenses built into mobile operating systems.
Here in Part 3, we explore after-market products that can be re-sold or used as a platform for offering secure mobile networking services.
Today's Windows Mobile, Symbian, Palm, and BlackBerry-based devices incorporate a number of built-in security measures, from power-on PINs and secure web browsers to crypto libraries and privilege levels.
These measures provide basic defenses against threats like misuse of a lost device, wireless eavesdropping, and system file tampering. But that still leaves plenty of room for after-market solutions that add required functionality or enable IT control over otherwise unmanaged mobile devices.
Basic device locks can be strengthened by policy enforcement programs that ensure PINs or passwords meet minimum security standards for length, complexity, uniqueness, and freshness. Some of these programs can also disable or hard-reset a mobile device during a password-guessing attack, or let users safely recover a forgotten PIN without requiring a return trip to the office or a help desk call.
For example, TealLock (see above) defines Quick, Full, and Emergency passwords. Users get just one try at entering their short password. If they fail, the longer full password is required. If a user forgets his full password, the emergency password can be used to unlock the device.
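The password-policy checks and the tiered Quick/Full/Emergency lock described above can be shown as a small state machine. The following Python is an added illustration written for this article, not TealLock's code, and the article says nothing about how that product stores passwords or how many failures trigger a hard reset; the PBKDF2 hashing, the five-failure wipe threshold, and the class and method names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re


def _hash(password, salt=None):
    """Salted PBKDF2 (stdlib only). Assumption: the product's own storage is unknown."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _check(stored, password):
    """Constant-time comparison against a stored (salt, digest) pair."""
    salt, digest = stored
    return hmac.compare_digest(digest, _hash(password, salt)[1])


class PasswordPolicy:
    """Minimum standards for length, complexity, uniqueness and freshness."""

    CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

    def __init__(self, min_length=8, min_classes=3, history=5, max_age_days=90):
        self.min_length, self.min_classes = min_length, min_classes
        self.history, self.max_age_days = history, max_age_days

    def violations(self, candidate, previous):
        """Rules a proposed password breaks; an empty list means it is acceptable.
        `previous` holds earlier (salt, digest) hashes, newest last."""
        found = []
        if len(candidate) < self.min_length:
            found.append("length")
        if sum(bool(re.search(c, candidate)) for c in self.CLASSES) < self.min_classes:
            found.append("complexity")
        if any(_check(h, candidate) for h in previous[-self.history:]):
            found.append("uniqueness")
        return found

    def expired(self, age_days):
        """Freshness: the user must pick a new password once the old one is this old."""
        return age_days > self.max_age_days


class DeviceLock:
    """Quick password gets exactly one try, then the full password is required.
    The emergency password also unlocks the device. After MAX_FAILURES wrong
    guesses the device hard-resets, so a guessing attack destroys what it seeks."""

    MAX_FAILURES = 5  # assumed threshold; the article gives no figure

    def __init__(self, quick, full, emergency):
        self._quick, self._full, self._emergency = _hash(quick), _hash(full), _hash(emergency)
        self.quick_allowed = True
        self.failures = 0
        self.state = "locked"  # locked | unlocked | wiped

    def _grant(self):
        self.state, self.failures, self.quick_allowed = "unlocked", 0, True
        return "unlocked"

    def _fail(self):
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.state = "wiped"  # hard reset: stored data is gone
            return "wiped"
        return "full_required"

    def try_quick(self, password):
        if self.state == "wiped":
            return "wiped"
        if not self.quick_allowed:
            return "full_required"
        if _check(self._quick, password):
            return self._grant()
        self.quick_allowed = False  # one miss and the short password is off the table
        return self._fail()

    def try_full(self, password):
        if self.state == "wiped":
            return "wiped"
        if _check(self._full, password) or _check(self._emergency, password):
            return self._grant()
        return self._fail()

    def lock(self):
        if self.state == "unlocked":
            self.state = "locked"
```

The point of the wipe branch is that a lost device yields at most a handful of guesses before its data is destroyed, which is only acceptable if the data is also backed up somewhere the policy program does not control.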
Alternatively, PINs or passwords can be replaced with authentication methods that make mobile devices easier to use legitimately and/or harder for a thief to compromise. For example, VoiceSecureIt lets a user unlock her Palm PDA or smartphone by speaking a defined "voiceprint phrase" instead of typing a PIN. One of several alternatives implemented by SafeGuard PDA is X.509 certificate logon using an MMC card (i.e., logon fails if the PDA is stolen without the user's MMC card).
Compared to laptops, PDAs and smartphones are used more frequently for shorter tasks, so these devices must be instantly available. Access controls that get in the way tend to get disabled, which is why so many OS-supplied PINs go unused.
To balance usability and security, some mobile security programs let you control access more selectively: for example, requiring a user password to read e-mail, an administrator password to install software, but no password at all to answer phone calls. Instead of locking the device itself, these access controls may actually unlock encrypted data associated with the application (e.g., phone book, mailbox, registry).
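Here is one way to build the selective scheme just described, where a credential check releases an application's data-encryption key instead of unlocking the whole device. This is an added example for this article, not the design of any product named above; the operation table, the "user" and "admin" levels, the PBKDF2 derivation and the key-wrapping step are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Which credential each operation needs. None means no password at all
# (answering a call), so the device stays instantly usable for that task.
REQUIRED = {
    "answer_call": None,
    "read_mail": "user",
    "install_software": "admin",
}


def _derive(password, salt):
    """64 bytes of PBKDF2 output: first half wraps the data key, second half keys the verifier."""
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return out[:32], out[32:]


class ProtectedStore:
    """A password-protected application store (mailbox, registry, phone book).
    The random data key is never kept in clear; only its wrapped form and a
    verifier tag are stored, so a wrong password is rejected before any
    unwrapping happens."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        pad, mac_key = _derive(password, self.salt)
        self.verifier = hmac.new(mac_key, b"unlock", "sha256").digest()
        data_key = os.urandom(32)
        # XOR wrap with a single-use pad is enough for illustration; a real
        # implementation would use AES key wrap or an AEAD (not in the stdlib).
        self.wrapped_key = bytes(a ^ b for a, b in zip(data_key, pad))

    def unlock(self, password):
        """Return the application's data key, or None if the password is wrong."""
        pad, mac_key = _derive(password, self.salt)
        tag = hmac.new(mac_key, b"unlock", "sha256").digest()
        if not hmac.compare_digest(tag, self.verifier):
            return None
        return bytes(a ^ b for a, b in zip(self.wrapped_key, pad))


class Device:
    """Per-level stores: the user password unlocks mail data, the administrator
    password unlocks the store gating software installation."""

    def __init__(self, user_password, admin_password):
        self.stores = {
            "user": ProtectedStore(user_password),
            "admin": ProtectedStore(admin_password),
        }

    def authorize(self, operation, password=None):
        """Return (allowed, data_key). Credential-free operations succeed with
        no password and release no key; others release the key for their level."""
        level = REQUIRED[operation]
        if level is None:
            return True, None
        key = self.stores[level].unlock(password or "")
        return key is not None, key
```

Because each level has its own wrapped key, the administrator password cannot read mail and the user password cannot install software; the two credentials are not merely different strengths of the same device lock.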
This article was first published on ISPPlanet.com.