This study underscores the fact that the use of publicly available Wi-Fi hotspots should be approached with caution, and care should be taken to ensure that confidential or private data is adequately encrypted when it becomes necessary to access such data. Where possible, smartphone users should seek out and identify applications that provide adequate encryption technologies to protect confidential or private information. At this point, such applications do exist, but are scarce. When selecting applications to handle sensitive communications, users should search for applications that provide end-to-end encryption between the client application and the end server. Additionally, when dealing with applications that provide access to financial institutions or other sensitive information, the same precautions should be taken to ensure those communications are encrypted end-to-end. When such applications are not readily available, users must take the necessary precautions to ensure they are only accessing sensitive information over either the service provider's internet connection provided through their data plan or a trusted, secure Wi-Fi network, where available.
Additionally, personal smartphone users and enterprises providing (or allowing) smartphone access into their environments for productivity should ensure that security software is installed that provides, at the least, firewall and anti-virus capabilities. Users and enterprises must begin to treat their smartphone devices with the same care that they do their PCs or laptops. The threats, while not as extensive at this point, are quite similar and costly when successful attacks occur. Moreover, as always, as vulnerability/exploit research continues against smartphone devices, so too will the number of exploits that translate into successful attacks against smartphone users.
2. From the SMobile Systems paper on SMS-based attacks:
There is another prominent threat to which every mobile user is vulnerable and which is hardly discussed, i.e. SMS spamming. Currently, neither mobile devices nor their carriers offer substantive support or features that could regulate the flow of incoming SMS messages out of the box. This is likely the reason why SMS continues to receive the attention of attackers as a viable attack vector, which garners the service so much research attention. Note: The above article mentions just one way of spamming a user. However, I am working on a new article that will discuss how the spamming process can be automated by using a tool (that I wrote as a POC) that can send unlimited SMS spam to a number of users at once.
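The passage above notes that neither handsets nor carriers regulate the flow of incoming SMS out of the box. As an added illustration of what such regulation could look like on the receiving side (example code written for this page, not from the SMobile paper or any carrier product), the following sliding-window filter quarantines messages from any sender that exceeds a per-window threshold. The thresholds, phone numbers and message bodies are constructed for the demonstration.

```python
"""Inbound SMS flood filter (added example; thresholds and sample traffic
are constructed assumptions, not values from the source text)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SmsFloodFilter:
    """Sliding-window limiter: once a sender exceeds max_per_window
    messages within window_seconds, its further messages are quarantined
    instead of delivered to the inbox."""
    max_per_window: int = 5
    window_seconds: float = 60.0
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def classify(self, sender: str, ts: float) -> str:
        """Return 'deliver' or 'quarantine' for one message from sender at time ts."""
        recent = self._history[sender]
        # Evict timestamps that have aged out of the window.
        while recent and ts - recent[0] > self.window_seconds:
            recent.popleft()
        recent.append(ts)
        if len(recent) > self.max_per_window:
            return "quarantine"
        return "deliver"


def filter_messages(messages, max_per_window=5, window_seconds=60.0):
    """Apply the filter to (sender, timestamp, body) tuples in arrival order,
    returning a list of (sender, verdict)."""
    flt = SmsFloodFilter(max_per_window, window_seconds)
    return [(sender, flt.classify(sender, ts)) for sender, ts, _body in messages]


def flagged_senders(messages, max_per_window=5, window_seconds=60.0):
    """Senders that had at least one message quarantined."""
    return {s for s, verdict in filter_messages(messages, max_per_window, window_seconds)
            if verdict == "quarantine"}


# Constructed sample traffic: one normal contact plus one sender bursting
# eight messages in eight seconds.
SAMPLE_TRAFFIC = (
    [("+15550001", 0.0, "hi")]
    + [("+15559999", float(i), "WIN NOW") for i in range(8)]
    + [("+15550001", 70.0, "lunch?")]
)

if __name__ == "__main__":
    for sender, verdict in filter_messages(SAMPLE_TRAFFIC):
        print(f"{sender}: {verdict}")
    print("flagged:", flagged_senders(SAMPLE_TRAFFIC))
```

With the defaults, the bursting number is delivered five times and quarantined for the remaining three, while the normal contact's two messages, sent more than a window apart, are both delivered. A real deployment would pair this with a per-sender allow list so that a legitimate high-volume sender (a bank's one-time-code short code, say) is not throttled.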
Yinal Ozkan, Principal Architect, CISM, CISA, CISSP, INTEGRALIS
1. No unmanaged mobile devices -- central management is a mandate. Unmanaged devices should not have access to corporate data.
2. Managed devices should be managed over the air. Remote policy pushes over the carrier network must work (over-the-air programming, OTA). End user profiles should be encrypted with no options for local modification.
3. Central logging should enforce a policy with the following items (it is possible to add policy items): mobile data encryption; lock timeout settings (screen-saver lockout); authentication/password policy; PIN (BlackBerry), SMS and IM; Bluetooth policy (allowed or not); remote wipe; OTA; allowed applications; a policy for social media (Facebook, Twitter, Foursquare, location-based services); and a policy for cameras.
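Items 1 and 3 above amount to an access rule: an unmanaged device gets no corporate data, and a managed device is checked against a fixed set of policy items. The following posture check is an added example written for this page, not Ozkan's code or any MDM product's API; the concrete policy values (lock timeout, passcode length, allowed app names) and the device records are constructed assumptions, and only the items the text lists that map cleanly to a device attribute are modelled.

```python
"""Device posture gate (added example). Policy values and device records
are constructed assumptions, not taken from the source text."""
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    """What a management agent reports about one handset."""
    device_id: str
    managed: bool
    data_encrypted: bool
    lock_timeout_seconds: int
    passcode_min_length: int
    bluetooth_enabled: bool
    remote_wipe_enabled: bool
    installed_apps: set = field(default_factory=set)


# Illustrative policy; an enterprise would set its own values.
POLICY = {
    "max_lock_timeout_seconds": 300,
    "min_passcode_length": 6,
    "bluetooth_allowed": False,
    "allowed_apps": {"mail", "calendar", "vpn"},
}


def evaluate(device: DevicePosture, policy=POLICY) -> list:
    """Return the list of policy violations; an empty list means compliant.
    An unmanaged device is rejected outright (item 1), so nothing else is checked."""
    if not device.managed:
        return ["unmanaged device"]
    violations = []
    if not device.data_encrypted:
        violations.append("mobile data not encrypted")
    if device.lock_timeout_seconds > policy["max_lock_timeout_seconds"]:
        violations.append("lock timeout exceeds policy")
    if device.passcode_min_length < policy["min_passcode_length"]:
        violations.append("passcode shorter than policy minimum")
    if device.bluetooth_enabled and not policy["bluetooth_allowed"]:
        violations.append("Bluetooth enabled but not allowed")
    if not device.remote_wipe_enabled:
        violations.append("remote wipe not enabled")
    extra = device.installed_apps - policy["allowed_apps"]
    if extra:
        violations.append("disallowed applications: " + ", ".join(sorted(extra)))
    return violations


def access_decision(device: DevicePosture, policy=POLICY) -> str:
    """Grant corporate data access only to a managed, fully compliant device."""
    return "allow" if not evaluate(device, policy) else "deny"


# Constructed device records covering the three interesting cases.
COMPLIANT = DevicePosture("dev-a", True, True, 120, 6, False, True, {"mail", "vpn"})
UNMANAGED = DevicePosture("dev-b", False, True, 120, 6, False, True, {"mail"})
DRIFTED = DevicePosture("dev-c", True, True, 900, 4, True, True, {"mail", "games"})

if __name__ == "__main__":
    for dev in (COMPLIANT, UNMANAGED, DRIFTED):
        print(dev.device_id, access_decision(dev), evaluate(dev))
```

The point of returning the full violation list rather than a bare boolean is that the central log (item 3) then records why a device was refused, which is what an administrator needs to remediate it over the air (item 2).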