Securing 4G smartphones

Because smartphones have typically had both limited storage and connection speeds, they traditionally haven't been as vulnerable  to some of the security threats that have long plagued PCs.

But with the advent of super-powered smartphones and 4G mobile networks, this might be changing. Today's high-end smartphones have storage capacities in the 32GB range and processing speeds that go 1GHz or higher. And once 4G technologies such as WiMAX and LTE become more widely available, smartphones will have average connection speeds of 3Gbps or higher, giving them speeds that approach the average U.S. wireline broadband speed.

Three things we'd like to see from the new Motorola Droid

But like all good things, this increase in speed and power comes with greater risks. Sanjay Beri, the vice president and general manager of Juniper's Access and Acceleration business unit, says that the money-stealing malware that appeared on Symbian-based phones last year is sadly a sign of things to come in the era of 4G.

"4G makes the situation more accelerated," he says. "And what will really accelerate the growth of mobile malware and spyware will be the volume of traffic that people will be able to use. Data usage will increase and there are going to be more places that will get infected."

This increased mobile data usage is only expected to intensify in the enterprise as more executives could try to use their favorite devices for both work and personal use. Mike Siegel, a senior director of product management at McAfee, says this will put a particular strain on IT departments' abilities to protect data across multiple operating systems and applications."We have senior executives now who are pushing on IT to support Android or iPhone," he says. "With iPhone and Android, you have a propagation of applications that have connections back to sensitive corporate data in the cloud. So these devices now are very much a data leakage vulnerability."

What is to be done?

So given this world of increased vulnerabilities over the mobile Internet, what is a savvy IT department to do? Let's start with securing data, which Siegel says shouldn't be all that different from securing data over today's 3G networks. The most obvious capability that any enterprise smartphone needs is remote wipe that will allow IT departments to delete all data on the device if it is lost. While BlackBerry devices and the iPhone both have remote wipe capabilities already installed, Android-based devices do not have any native remote wipe applications as of yet. In other words, any IT department looking to bring Android devices such as the HTC EVO 4G and the Motorola Droid onto its corporate network will have its work cut out for it, since it will have to install several pieces of software to make the phone enterprise-ready.

Next on the list are native encryption capabilities that will make it possible to send encrypted data over the Web and native application control capabilities that make it possible for IT departments to define what apps are and aren't allowed on company phones. And finally, Siegel says that it's important to manage all access to the network through compliance rules that are on par with network access control (NAC) technologies that grant users access to networks based not on their IP addresses, but on a combination of their identities, endpoints and behaviors.

When it comes to protecting against malware and viruses, Beri says that it would be foolish for any IT department to allow a device onto its network without at least an SSL VPN installed that offers application-layer secure access over the Web.

"The basic rule should be that nobody gets on the network from any device unless they're authenticated," Beri explains. "So you'll need a multi-factor strong authentication system and then you'll need a strong VPN that's capable of implementing policies on a wide array of devices."

Beri says that having a strong SSL VPN capable of working across multiple platforms will save IT departments headaches since they won't have to worry about creating multiple security infrastructures for different mobile devices. Once you have a strong VPN installed, Beri says that it's then a good idea to give it granular access privileges that will give users different access depending on the device they're using. So for example, if the VPN sees that the user is connecting to the network through a company laptop it might give them access to more sensitive information and applications than if they were connecting over their smartphone.

Lastly, companies with smartphones that run over 4G networks will eventually have to install antimalware and antivirus protection onto devices on the network. Beri notes that this is still a relatively emerging area, since software companies are working hard to meet the challenge of developing effective antimalware programs that don't completely eat up the smartphone's battery power. Tommy Perniciaro, a solutions architect for security consultant Accuvant, says that in a world of open-source application development companies will have to be very vigilant in what their users are allowed to download."Norton came out with a mobile enterprise suite that goes and searches all apps that have already been installed for any type of malware," Perniciaro says, referring to Norton's 2010 Internet Security  that scans applications for their reputations as safe or unsafe. "With some of the applications people are downloading, they don't know what's being grabbed out of their phones."

Matt Bossom, a program manager of technology solutions at Accuvant, expects to see these sorts of problems crop up most on Android phones, where Google typically allows any and all applications onto its store and then only removes them after receiving customer complaints.

"I think there are a lot of issues that have been posed by Android," he says. "Google's not doing nearly as much of a check on these apps as they should so we're going to be seeing lot more malware."

In the end, as Beri has pointed out, the technology to secure 4G smartphones is still developing and smartphone users have so far been fortunate enough not to be exposed to a massive virus outbreak that PCs are routinely subjected to. But as 4G becomes more widespread the risks will increase and it seems that smartphone security could very well develop on a trial-and-error basis.

"Because of battery and memory limits you can't just take traditional security vendors and have them apply their system to phones," Beri says. "I think over next year you'll see a lot more progress than what we have today."

Read more about wide area network in Network World's Wide Area Network section.

This story, "Securing 4G smartphones" was originally published by Network World.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies