Can High-Security Workers Keep Their Mobile Devices (and Themselves) Safe?

Celebrating its 30th anniversary in 2022, the smartphone has come a long way from the large, unwieldy item IBM introduced to the public in 1994 as the Simon Personal Communicator. Today, nearly four out of five Americans own a smartphone, according to the Pew Research Center, using it to do everything from accessing the internet to connecting through emails, texts, video calls and social networking apps.  

Without a doubt, smartphones have become highly effective tools for increasing productivity and an often irresistible means for killing time. Unfortunately, smartphone security has not kept pace with traditional computer security, making them particularly attractive targets for increasingly sophisticated attacks. Today, mobile security experts cite everything from connection hijacking to authentication attacks and hostile enterprise-signed mobile applications as possible threats. 

While a cyber-fattack can victimize any user who entrusts sensitive data to their smartphone, it is – or at least should be – a particular concern for workers in high-security settings. Individuals working in defense, intelligence and the military must protect the data contained on their smartphones and themselves from exposure to potential adversaries.

In an April 2021 story in The Wall Street Journal, reporter Byron Tau describes the “significant challenge for the U.S. armed forces: how to protect service members, intelligence officers and security personnel in an age where highly revealing commercial data being generated by mobile phones and other digital services is bought and sold in bulk, and available for purchase by America’s adversaries.”

While existing mobile enterprise tools can reduce smartphone vulnerabilities, they cannot completely prevent them. Enterprise tools such as mobile device management, mobile threat detection and virtual mobile infrastructure can mitigate layers of privacy issues above the smartphone’s operating system (OS). Unfortunately, they can do little to address the issues within the OS itself, which typically revolve around the monetization efforts baked in by OEM vendors. If the OS has vulnerabilities, the data contained on the device – and potentially the users themselves – are compromised. 

"While existing mobile enterprise tools can reduce smartphone vulnerabilities, they cannot completely prevent them"

Custom-built government phone solutions, such as the SME PED, have also failed to deliver comprehensive security. This has left federal agencies with little choice but to either completely prohibit employees from using commercial smartphones or simply accept the fact that security risks are likely to be present. Bottom line: if workers are unable to access the services and apps they lean on to be productive, they’ll simply resort to carrying their own personal phones, defeating the whole idea of a device approved and issued by the government.

Given continued vulnerabilities and escalating threats, what can high-security settings do to ensure both the productivity and the safety of their employees’ smartphones?

Rather than attempting to customize a phone, which experience demonstrates is not feasible, it makes more sense for high-security employers to modify the worker’s own devices to meet their specific needs while keeping the functionality and features that made the phones attractive and productive initially. While such modifications are likely to vary somewhat from one employer to the next, they typically focus on overriding built-in data collection capabilities, controlling user location and activity tracking, limiting advertising tracking codes and disabling Wi-Fi and Bluetooth. 

To handle these modifications, employee smartphones can be altered to include a geo-fenced, policy-controlled setting capable of locking down all radios, cameras and microphones. Activating this setting will prevent social media, maps, and other leaky apps from communicating without the user’s knowledge while providing both verifiable control over access to device interfaces and the ability to manage all containers (not simply the work container) on employee devices.

The secure mode setting will also allow employees to use their smartphones near or inside designated secure facilities. By shifting to this setting, devices can be permitted in designated sites where they can connect safely to the internal wired network. Again, this enables the phone to function as intended while securing all data it captures or reveals.

Beyond the secure setting, the original smartphone OS must be replaced with a management server that allows the employer’s IT administrators to control most aspects of the OS, including update management and distribution. This will prevent any OEM-generated, over-the-air software updates from being made while making it extremely difficult for outside forces to access the platform.

Finally, centralized policy management is essential to control all employee devices and distribute policy updates and deployments. Using a QR code that defines both the containers and the employer’s security policies will enable new devices to be provisioned quickly.

Properly executed, the secure mode setting, management server and centralized policy management allow high-security organizations and their workers to keep up with changing operational requirements without recalling user devices or requiring awkward procedures in the field. With these safeguards in place, high-security organizations will find themselves in a much stronger position to monitor and control all of the devices being used by their employees.

What’s Hot on Infosecurity Magazine?