Home > Blogs > Mobile Devices: Security Implications and Countermeasures (Part 2 of 5)

Mobile Devices: Security Implications and Countermeasures (Part 2 of 5)

The use of mobile devices has exploded in a relatively short time and is one of the most promising business sectors in IT. Can you imagine a world without mobile phones?

The Economist, itself offering a mobile edition of the newspaper, in a recent "technology quarterly" included the use of mobile devices for various purposes among the IT related sectors that are most likely to have a significant expansion in near future, the other important one being cloud computing. Cloud computing and mobile devices have one thing in common: the physical place tend to be ever less important, work and other activities can take place independently from the location.

All this can be welcomed as very good news, but we don't have to neglect security implications of this widespread use of mobile devices.

First of all, you can make use of the hardware security devices that are available for your mobile device, such as locks, alarms and tracking systems. Some of them, particularly tracking systems, can be expensive: make the appropriate considerations about costs and benefits.

Now we're going to focus more on software protection. Risks for mobile devices can be divided into two main categories:

(1) theft of the device and the static data it contains;
(2) theft of data which are exchanged during communications or other network attacks.

A mobile device is "mobile", that is people take it with them when they travel and, travelling or inside an office, it can be stolen more easily than a desktop PC or a server. It is "mobile" also for the thief. Besides, carrying the device outside the office further increases the probability of theft, as it is exposed to more people and so more potential thieves.
When such a device is stolen, there is a direct damage that depends on the cost of the device itself, but what happen to the data it contains? If data are important and secret, the fact that they are stolen together with the physical device can cause a damage that is far greater than the loss of the physical object. Therefore, you must pay attention to every privacy implication of a loss of your data. To prevent such a loss, it is vital to encrypt important data on any mobile device.

If you use a laptop, consider the possibility of encrypting all or part of your file system. If you install Linux, for example, this operation is easy, at least with the latest versions of the most popular distributions. With Fedora, Red Hat Enterprise or Red Hat Enterprise clones (CentOS, StartCom, etc.), you can decide to encrypt any partition you want at installation time. See for example


where you can get some advice about what to encrypt: /home contains users' personal data, so that it is essential to protect it, but it makes sense to encrypt also other partitions like swap, /var and /tmp, as they can contain users' data that have been temporarily saved there. You'll have to choose a passphrase, associated to the encryption, and then, at every system boot, you'll have to re enter it.

The “Ubuntu family” of distributions lets you easily create a private directory inside your home directory, where you can place private data, including those related to your email client and your browser (addresses, important messages, usernames and passwords, ...):

    https://help.ubuntu.com/community/EncryptedPrivateDirectory .

The simple "trick", in order to put there everything you want from your home directory, is to replace it with a soft link to what you have moved. For example, to put email configuration data inside the "Private" directory:

    mv ~/.evolution ~/Private
    ln -s ~/Private/.evolution ~/.evolution

The analogue is valid for your browser or another email client. The private directory is automatically mounted when the user logs in.

That is not to say it is impossible to encrypt partitions or single directories on other distributions, just what I described is something you can do very easily, without being necessarily an expert, while other operations can sometimes require more steps, becoming more complicated.

The Ubuntu family of distributions includes a distribution for devices that are smaller than a notebook, in particular the very interesting “Ubuntu MID edition” (http://www.ubuntu.com/products/mobile), but I never tried it and I didn't find anything on the Web saying you can apply ecryptfs to it like you do with the main Ubuntu distribution.

I used encryption in the way I described on both Fedora and Ubuntu and I was satisfied, absolutely without much loss in performance (anyway a laptop is not meant to have extreme hard disk performance, usually: it is not a server).

The more widespread “Windows family” of operating systems allows you to encrypt the file system too, but pay attention to which edition you have, for example Vista Home Edition supports file system encryption only partially:

  • http://articles.techrepublic.com.com/5100-10878_11-6162949.html
  • http://en.wikipedia.org/wiki/Encrypting_File_System
  • http://windowshelp.microsoft.com/Windows/en-US/Help/e895bd18-36e5-4229-8424-dff307b155c21033.mspx

Besides, you can find third party software for hard disk encryption in Windows, even open source programs like FreeOTFE (http://www.freeotfe.org), while BestCrypt (http://www.jetico.com/bcrypt8.htm) and  is an example of commercial program.

I found something for Mac too:


Considering smaller devices, having the possibility of encrypting your file system can be less obvious, but if you choose the right device you can do it.

Let's consider handheld PCs. As regards Windows CE operating system, you can see


and also look for available third party software. SecuBox for Pocket PC (http://www.aikosolutions.com/products/secubox-for-pocket-pc) is an option for a pocket PC. Another example are Nokia advanced mobile phones like Smartphone and Communicator, which allow you to encrypt information thanks to Pointsec for Symbian OS, as you can see in the document


(I recommend you to read it, if you use or plan to use such a device). This is just an example where you can find security related documentation for such kinds of devices, it's absolutely not aimed at asserting that Nokia products are superior to other ones, you will find security features for the  brand of mobile device you're interested in, just pay attention to these aspects and look for the appropriate documentation.

Another interesting document by Nokia, that can be worth reading for introductory purposes, is the one you find here:

http://www.webbuyersguide.com/resource/white-paper/11326/Mobile-Device-Security-The-Eight-Areas-of-Risk .

Part 2 of 5 extracted from an original article written by Shon Harris entitled:

Mobile Device Security

Read Part 1 - Mobile Devices – Definition And Security Issues

Logical Security regularly publishes white papers on topics vital to the security industry. Visit our CISSP Education Resources section to obtain valuable information and perspective on security practices.

Become an InformIT Member

Take advantage of special member promotions, everyday discounts, quick access to saved content, and more! Join Today.