Smartphones' convenience comes with information security risks

In a new report, Smartphones: Information Security Risks, Opportunities, and Recommendations for Users, ENISA identifies a number of security risks posed by smartphones.

As the number of smartphones explodes, so do the attendant risks of using them. These risks, according to ENISA, include: data leakage through unprotected memory, decommissioning without removing sensitive data, unintentional data disclosure through improper privacy settings, phishing attacks, spyware installed on smartphones, network spoofing that enables an attacker to intercept smartphone calls, surveillance of users through GPS, diallerware that steals money by means of malware, financial malware designed to steal personal financial information, and network resource overload leading to network unavailability.

“Smartphones are a goldmine of sensitive and personal information – it’s vital to understand how to maintain our control over this data. We’ve designed our recommendations to plug into a typical security policy”, said Giles Hogben, ENISA researcher and co-author of the report.

ENISA offers a number of recommendations for consumers, employees, and high-level executives to improve security on their smartphones. Consumers should configure the smartphone so it automatically locks after a few minutes; before installing apps, check their reputation; scrutinize permission requests when using or installing smartphone apps or services; and when disposing of or recycling the smartphone, wipe all data and settings.

For employees, the agency recommends: before decommissioning or recycling the smartphone, apply thorough decommissioning procedures; if the smartphone has access to the corporate network, then define and enforce an app whitelist; and use encryption for smartphone memory and removable media.

High-level executives should not store sensitive data locally and should allow online access to sensitive data from a smartphone only through a non-caching app; for highly confidential usage, executives should use additional call and SMS encryption software for end-to-end confidentiality; and they should periodically wipe and reload the smartphone using secure deletion.
