University of California, Riverside

Security



Mobile Security


February 4th, 2015 - Security Update

Microsoft has released an updated Outlook mobile app for Apple iOS and Android devices. These apps, which are rebranded from a recently acquired company, Acompli, significantly change the e-mail model used by the previous Outlook apps. Even though Microsoft claims credentials and e-mail content are securely protected and encrypted, this new connection model raises security and privacy concerns. 

For more information, read The New Mobile App Security Concerns.

Mobile Security

Smartphones and tablets help increase productivity and communication. These devices are becoming more integrated with work and personal lives. Though they are extremely useful, they come with the risk of data loss and information theft, and therefore should be accounted for properly.

Risks and Threats to Watch Out For

  • phishing
  • malware
  • social media integration & permissions
  • GPS locators
  • Near Field Communication (Bluetooth)
  • third party applications
  • using public hotspots

Understanding the Risks and Threats

It is a common mistake to believe smartphones and tablets are safe and secure because they have not yet experienced any security breaches. Only recently have smartphones been used to store important data that is worth stealing. Anti-malware software is often used on computers to protect important information stored on or sent through the computer. If the same functions are performed on a smartphone or tablet, then the same precautions should apply. Malware specifically targeting phones and tablets is expected to rise in the next few years. There are many different operating systems and different anti-malware strategies for each one.

What you can do:

  • OS updates are integral to safeguarding against vulnerabilities and security risks; don't skip patches
  • Tempting as it may be, jailbreaking a phone can open up more security risks and vulnerabilities
  • Use strong passwords; if an app can be protected with a password, set one, possibly a different one from the phone unlock password
  • Use encryption technology
  • Make sure security features are in place and optimally configured
  • Use the screen lock feature (auto-lock and passcode lock)
  • Use mobile security software such as Sophos' Mobile Control (SMC)
  • Only use wireless connections you know to be safe and secure (Wi-Fi Protected Access (WPA), when possible)
  • Disable Bluetooth when not in use
  • Use SSL to access e-mail
  • Enable browser security

Lost or Stolen Devices

Lost or stolen devices are a big risk, and guarding against that risk is the responsibility of the user. Personal and business data stored on smartphones and tablets can be stolen along with the device itself, which can mean identity and/or financial theft.

One precaution to protect data is the screen lock. A PIN or swipe pattern can be created to use as an access password. With no password set, the phone is unlocked and the data can be accessed by anyone with the physical device. For example, criminals with access to unsecured devices can use the owner's account to make unauthorized purchases using mobile apps.

According to the 2010 annual U.S. Cost of a Data Breach study, 35 percent of U.S. organizations reported that a lost or stolen mobile device caused a data security breach. Increasingly, employees use their Androids, iPhones, iPads, and other personal mobile devices for work and blend their unprotected devices with business data. This introduces even greater risk to an organization’s data, network, and reputation.

Luckily, there are apps for most smartphones with GPS capabilities to track and even wipe the data from a phone remotely via computer.

If it happens, what should you do?

  • Remote wipe your data
  • iPhone users can log in to their MobileMe account and, in the cloud, select "Find My iPhone". Doing so will locate the phone and give options to Lock or Wipe.
    • Before this happens, install the free "Find My iPhone" app. There is also an app called "If Found" that shows contact details, and the iHound app, which alerts the iPhone owner via e-mail that the iPhone has been plugged into a computer.
  • Notify local police stations, like the UCR Police Station, if the device was stolen, or check with them if it was lost
  • Contact Computing and Communications if using your phone for organizational purposes (such as Exchange sync)
  • Change all your passwords for any email accounts and apps that logged passwords (including your campus CAS password!)

Smartphone Security

iPhone Security

Always update iPhone operating system software, known as the iOS, to the latest version. Whenever flaws are found in the operating system, updates and patches will fix and protect devices from potential hijacks. iOS apps take advantage of the sandboxing abilities of Apple iOS. Sandboxed apps protect user data and ensure apps don't interact with other apps installed on the device.

Avoid connecting to free WiFi hotspots, unless the connection is from a secure source. There are many rogue wifi access points which can access everything you do while you're connected. Try sticking to your home wifi, UCR WPA, and 3/4G connections.

In case you lose your iPhone, you will want to ensure that all your stored personal information, like e-mails and pictures, as well as the potential usage of your phone's call credit and even your iTunes account, is well protected.

To set a password (i.e. PIN)
  1. Tap "Settings", then tap "General"
  2. Ensure "Passcode Lock" is "On"
  3. Next tap "Passcode Lock"
  4. Now enter your passcode
  5. At the bottom, there is an "Erase Data" field. When enabled, iPhone information will be wiped after 10 failed attempts at entering the passcode. This is not only a good feature but essential for iPhone security.
  6. Set "Auto-Lock" to an appropriate time frame after which the phone locks and requires the passcode

Data Protection with Encryption

Another advantage of using the PIN (since iOS 4) is strong whole-device encryption of data. The encryption of the data on the phone is done by the iPhone's hardware and is protected by the PIN. When no PIN is set, the data encryption is not protected.

  • When on the "Passcode Lock" screen, scroll down to check if your device is protected. Protected devices will show the phrase, "Data Protection is Enabled" at the bottom of this screen. The PIN must be turned on to see this.
  • If the phrase does not appear at the bottom of the screen when a PIN is enabled, the phone was upgraded from iOS 3 to iOS 4 without a complete device wipe and restore.

Android Security

Android applications run in an Application Sandbox that limits access to sensitive information or data with set permissions. To fully benefit from the security protections in Android, it is important to only download and install software from known sources.

As an open platform, Android allows users to visit any website and load software from any developer onto a device. As with a home PC, be aware of who is providing the software and make sound judgements when deciding whether to grant the application the capabilities it requests.

Just recently, security research firm Lookout found that applications on Android are generally less likely than those for the iPhone to be capable of accessing a person's contact list or retrieving their location. It also found that nearly twice as many iPhone apps can access the user's contact data.

Avoid connecting to free WiFi hotspots, unless the connection is from a secure source. There are many rogue wifi access points which can access everything you do while you're connected. Try sticking to your home wifi, UCR WPA, and 3/4G connections.

To set a password
  1. From the home screen, press "Menu", "Settings", "Location & Security"
  2. Under Screen Unlock there will be many options for setting passwords
  3. To set screen time-out, go back to "Settings" and click "Display"

BlackBerry Security

Avoid connecting to free WiFi hotspots, unless the connection is from a secure source. There are many rogue wifi access points which can access everything you do while you're connected. Try sticking to your home wifi, UCR WPA, and 3/4G connections.

BlackBerry Protect is a free app designed to rescue irreplaceable data from your BlackBerry smartphone. BlackBerry Protect can help find your lost BlackBerry smartphone and keep the information on it secure. It can also offer peace of mind for small businesses and families, with the ability to protect multiple smartphones. Back up contacts, text messages, calendar and bookmarks wirelessly. You can locate your lost BlackBerry by GPS, then lock it and display a message while you retrieve it, or make it ring at full volume remotely if you think you are close by.

To set a password
  1. From the home screen, click "Options", "Security Options", "General Settings"
  2. Options to enable, set, or change the password are given, as well as to set the security time-out options

To use BlackBerry® Protect™, the BlackBerry Protect application must be installed on your BlackBerry smartphone.

  1. On the Home screen or in the Downloads folder, click the BlackBerry Protect icon.
  2. If required, to accept the terms of the license agreement, click I Agree.
  3. Click Continue.
  4. Complete the instructions on the screen.

Windows Phone 7 Security

Avoid connecting to free WiFi hotspots, unless the connection is from a secure source. There are many rogue wifi access points which can access everything you do while you're connected. Try sticking to your home wifi, UCR WPA, and 3/4G connections.

To set a password
  1. Open "Settings"
  2. Select "Lock and Wallpaper"
  3. Set or change the password and set the screen time-out

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541
E-mail: helpdesk@ucr.edu
