This document discusses how to secure corporate information on iOS and Android devices. It outlines 9 key areas to focus on: 1) unattended device control 2) password complexity 3) encryption 4) remote lock 5) remote wipe 6) detection of jailbroken/rooted devices 7) hardware/software inventory 8) restricting device features 9) using policies to enable desired features. For each area, it describes considerations and options for securing iOS and Android devices. It emphasizes the importance of device health monitoring, password/encryption enforcement, remote wipe capabilities, and using mobile device management software to consistently manage mobile endpoints.
5. 1 Unattended control (aka PIN/Password)
iOS
  Options: PIN, Password, Touch ID
  When to kick in: single threshold
  Brute force defense: optional erase after 10 entries; increasing delay
Android
  Options: PIN, Password, Pattern, Face
  When to kick in: more sophisticated than iOS's single threshold
  Brute force defense: optional erase after X entries; increasing delay; auto account wipe
6. 2 Password complexity
iOS
  Allow simple value
  Require alphanumeric value
  Minimum passcode length
  Minimum number of complex characters
  Maximum passcode age
  Passcode history
  Auto-lock timeout
  Grace period for device lock
  Maximum number of failed attempts
  Allow Touch ID
Android
  Password enabled
  Minimum password length
  Alphanumeric password required
  Complex password required
  Minimum letters required in password
  Minimum lowercase letters required in password
  Minimum non-letter characters required in password
  Minimum numerical digits required in password
  Minimum symbols required in password
  Minimum uppercase letters required in password
  Password expiration timeout
  Password history restriction
  Maximum failed password attempts
  Maximum inactivity time lock
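The two slides above list the policy knobs but not what they mean for a concrete passcode. The following is an added example, not Lumension or platform code: a checker that evaluates a candidate passcode against the iOS settings (allowSimple, requireAlphanumeric, minLength, minComplexChars, pinHistory, maxFailedAttempts) and the Android minimum-count settings, plus the device-side brute-force defense from slide 1 (increasing delay, erase after the attempt limit). The baseline values in DEFAULT_POLICY and the delay schedule in LOCKOUT_DELAYS are assumed for illustration; they are not vendor defaults.

```python
"""Passcode policy checker, an added example (not Lumension or platform code).

It evaluates a candidate passcode against the knobs the slides list: the iOS
passcode-policy settings (allowSimple, requireAlphanumeric, minLength,
minComplexChars, pinHistory, maxFailedAttempts) and the Android
DevicePolicyManager-style minimum character counts. Key names mirror the
slide wording; the baseline values in DEFAULT_POLICY and the lockout delay
schedule are assumed for illustration, not vendor defaults.
"""
import string

DEFAULT_POLICY = {
    "allowSimple": False,         # iOS: reject 1111, 1234, abcd, dcba
    "requireAlphanumeric": True,  # iOS: at least one letter and one digit
    "minLength": 8,
    "minComplexChars": 1,         # iOS: non-alphanumeric characters such as & or !
    "pinHistory": 5,              # reject any of the last N passcodes
    "maxFailedAttempts": 10,      # slide 1: optional erase after 10 entries
    # Android: these counts only apply once "complex password required" is set
    "minLetters": 1, "minLowerCase": 1, "minUpperCase": 1,
    "minNumeric": 1, "minSymbols": 1, "minNonLetter": 1,
}

# Assumed increasing-delay schedule: failed-attempt count -> seconds before the
# next try is accepted. Real devices ship their own schedule.
LOCKOUT_DELAYS = {6: 60, 7: 300, 8: 900, 9: 3600}


def is_simple(passcode):
    """Apple's definition of a 'simple value': every character the same, or an
    ascending/descending run of adjacent characters (1111, 1234, cba)."""
    if len(passcode) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({0}, {1}, {-1})


def check_passcode(passcode, policy=DEFAULT_POLICY, history=()):
    """Return the policy keys the passcode violates; [] means compliant.
    `history` is oldest-first; only the last `pinHistory` entries count."""
    letters = sum(c.isalpha() for c in passcode)
    digits = sum(c.isdigit() for c in passcode)
    have = {
        "minLength": len(passcode),
        "minComplexChars": sum(not c.isalnum() for c in passcode),
        "minLetters": letters,
        "minLowerCase": sum(c.islower() for c in passcode),
        "minUpperCase": sum(c.isupper() for c in passcode),
        "minNumeric": digits,
        "minSymbols": sum(c in string.punctuation for c in passcode),
        "minNonLetter": len(passcode) - letters,
    }
    violations = [key for key, count in have.items() if count < policy.get(key, 0)]
    if not policy.get("allowSimple", True) and is_simple(passcode):
        violations.append("allowSimple")
    if policy.get("requireAlphanumeric") and not (letters and digits):
        violations.append("requireAlphanumeric")
    window = policy.get("pinHistory", 0)
    if window and passcode in list(history)[-window:]:
        violations.append("pinHistory")
    return violations


def after_failed_attempt(failed_so_far, policy=DEFAULT_POLICY):
    """Device-side brute-force defense: the outcome of one more wrong entry.
    Returns ("erase", 0) once maxFailedAttempts is reached, otherwise
    ("retry", seconds_to_wait) following the increasing-delay schedule."""
    n = failed_so_far + 1
    if n >= policy["maxFailedAttempts"]:
        return ("erase", 0)
    return ("retry", LOCKOUT_DELAYS.get(n, 0))


if __name__ == "__main__":
    print(check_passcode("1234"))          # weak 4-digit PIN: many violations
    print(check_passcode("Tr0ub4dor&3"))   # compliant: []
    print(after_failed_attempt(9))         # ('erase', 0)
```

The point of keeping the failed-attempt logic next to the complexity rules is that the two trade off: a 4-digit PIN is only defensible because the device erases itself or stalls the attacker after a handful of guesses, so an MDM policy that relaxes maxFailedAttempts should tighten minLength at the same time.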
7. 3 Encryption
iOS
  This is complicated: 2 levels of encryption
  First level encrypts all storage with a key that is not tied to the passcode, but only for the purpose of quickly wiping; it doesn't protect data on its own
  2nd level encrypts data of supporting applications, such as email
  Unclear whether jailbreaking can defeat encryption
Android
  Based on tried and tested Linux dm-crypt
  Encryption ultimately based on passcode
  Only encrypts /data partition
  Some devices offer SD card encryption
  This is not your PC's BitLocker
8. 4 Remote lock
iOS
  Protect lost phones in hopes of recovering them
  Unlikely to defend against jailbreaking
Android
  Same purpose
  Unclear how secure
9. 5 Remote wipe
iOS
  Wipes the encryption key used to encrypt the entire device
  Fast and effective
  To defeat, must jailbreak before the wipe instruction is received
Android
  Does a fast erase, not a secure erase, of the SD card
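Slides 3 and 5 describe the same mechanism from two sides: storage is encrypted under a device key, the passcode only unlocks that key, and a remote wipe destroys the key rather than the data. The following toy model is an added example, not Apple, Android or Lumension code. It wraps a random data key under a passcode-derived key, shows why an Android-style key that is "ultimately based on passcode" falls to an offline brute force when the passcode is a 4-digit PIN, and shows that after a crypto-erase even the correct PIN recovers nothing. The SHA-256 counter-mode stream cipher stands in for AES in a model only; the low PBKDF2 iteration count is chosen so the brute force finishes in seconds.

```python
"""Toy model of passcode-bound storage encryption and crypto-erase, an added
example (not Apple, Android or Lumension code). A random data key encrypts
storage; the passcode only unwraps the data key. Remote wipe overwrites the
wrapped key, which is the iOS approach the slide describes. The stream cipher
is a SHA-256 counter construction standing in for AES; fine for a model, not
for real use."""
import hashlib
import hmac
import itertools
import os

KDF_ITERATIONS = 100  # deliberately low so the offline brute force below is quick


def kdf(passcode, salt):
    """Passcode -> key-encryption key (KEK). Real devices also mix in a
    hardware key, which this model omits on purpose."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS, 32)


def xor_stream(key, label, data):
    """Toy stream cipher: XOR data with SHA-256(key || label || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def enroll(passcode):
    """Create a device: random data key, wrapped under the passcode-derived KEK."""
    salt, data_key = os.urandom(16), os.urandom(32)
    kek = kdf(passcode, salt)
    wrapped = xor_stream(kek, b"wrap", data_key)
    return {
        "salt": salt,
        "wrapped_key": wrapped,
        "wrap_tag": hmac.new(kek, wrapped, "sha256").digest(),  # detects a wrong passcode
        "storage": b"",
    }


def unlock(device, passcode):
    """Return the data key, or None if the passcode is wrong or the key was wiped."""
    kek = kdf(passcode, device["salt"])
    expected = hmac.new(kek, device["wrapped_key"], "sha256").digest()
    if not hmac.compare_digest(device["wrap_tag"], expected):
        return None
    return xor_stream(kek, b"wrap", device["wrapped_key"])


def store(device, passcode, plaintext):
    key = unlock(device, passcode)
    if key is None:
        raise PermissionError("wrong passcode")
    device["storage"] = xor_stream(key, b"data", plaintext)


def read(device, passcode):
    key = unlock(device, passcode)
    return None if key is None else xor_stream(key, b"data", device["storage"])


def remote_wipe(device):
    """Crypto-erase: overwrite the wrapped key and its tag. The ciphertext in
    storage is untouched but is now indistinguishable from noise."""
    device["wrapped_key"] = bytes(32)
    device["wrap_tag"] = bytes(32)


def brute_force_pin(device, digits=4):
    """Offline attack on an image of the device: try every numeric PIN against
    the wrap tag. Nothing here is rate-limited, unlike the device's own lock screen."""
    for pin in itertools.product("0123456789", repeat=digits):
        candidate = "".join(pin)
        if unlock(device, candidate) is not None:
            return candidate
    return None


if __name__ == "__main__":
    dev = enroll("0427")
    store(dev, "0427", b"corporate mail cache")
    print(brute_force_pin(dev))   # 0427: a 4-digit PIN falls offline in seconds
    remote_wipe(dev)
    print(brute_force_pin(dev))   # None: after the crypto-erase no PIN unlocks anything
```

Two caveats the model makes visible. First, the attacker only gets to run `brute_force_pin` if the key derivation can be reproduced off the device; iOS entangles the passcode with a device-unique hardware key, which is why its on-device defenses (increasing delay, erase after 10) are what actually stop guessing. Second, a crypto-erase only covers data that was encrypted under the destroyed key, which is the slide's Android SD-card point: plaintext on an SD card that was only fast-erased is not covered.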
10. 6 Jailbroken/rooted detection
iOS
  Important to detect because jailbroken devices can run software from any source
Android
  Rooted
  Unlocked boot loader
  Custom recovery
  USB debugging enabled (allows ADB)
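The Android indicators above are observable from a device's system properties and file system. The following is an added example, not Lumension code: it parses the output format of `adb shell getprop` and a list of paths, both constructed here so it runs offline, and maps them to the slide's indicators (rooted, unlocked boot loader, USB debugging). The property names are standard AOSP ones, but OEM builds vary, so each hit is a signal to verify rather than proof. Custom-recovery detection needs the recovery partition image and is not covered.

```python
"""Android device-health indicators from a property dump, an added example
(not Lumension code). Input is the text of `adb shell getprop` plus a list of
paths found on the device; both are constructed below so this runs offline.
The property names are standard AOSP ones, but OEM builds vary, so each hit is
a signal to verify, not proof. Custom-recovery detection needs the recovery
partition image and is not covered here."""
import re

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Well-known locations of the su binary left behind by rooting tools
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")


def parse_getprop(dump):
    """Turn `[key]: [value]` lines into a dict; non-matching lines are skipped."""
    props = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props


def device_health(props, paths):
    """Map the slide's Android indicators (rooted, unlocked boot loader,
    USB debugging) to findings; returns [] for a device that looks clean."""
    findings = []
    if any(p in SU_PATHS for p in paths):
        findings.append("rooted: su binary present")
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("rooted: build signed with test-keys (custom or engineering ROM)")
    if props.get("ro.secure") == "0" or props.get("ro.debuggable") == "1":
        findings.append("rooted: ro.secure=0 / ro.debuggable=1, adbd runs as root")
    if (props.get("ro.boot.verifiedbootstate") == "orange"
            or props.get("ro.boot.flash.locked") == "0"
            or props.get("ro.boot.vbmeta.device_state") == "unlocked"):
        findings.append("unlocked boot loader: device boots unverified images")
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append("USB debugging enabled (ADB reachable over USB)")
    return findings


# Constructed sample: what a rooted, bootloader-unlocked phone might report
SAMPLE_DUMP = """\
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [6.0.1]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.boot.verifiedbootstate]: [orange]
[persist.sys.usb.config]: [mtp,adb]
"""
SAMPLE_PATHS = ["/system/xbin/su", "/system/app/Superuser.apk"]

if __name__ == "__main__":
    for finding in device_health(parse_getprop(SAMPLE_DUMP), SAMPLE_PATHS):
        print(finding)
```

The USB debugging check reads `persist.sys.usb.config`; on a live device, `settings get global adb_enabled` is the authoritative source and is worth adding when the agent can run it.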
11. 7 Hardware/software inventory (Health)
iOS
  Important because different devices have different vulnerabilities and jailbreak options
Android
  Important because different devices have different vulnerabilities and security compliance
  Android security features vary by version, but more importantly by brand because of fragmentation
  Encryption fails on multi-user devices
12. 8 Device feature restrictions
iOS
  App installs, camera use, screen capture, iTunes store usage, in-app purchases
  Force encrypted backups
  JavaScript
  Allow Touch ID
  Supervised restrictions: other store usage, allow app removal
Android
  Require storage encryption
  Disable camera
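On iOS the restrictions above, and the passcode settings from slide 2, are delivered as payloads in a configuration profile. The following is an added example, not Lumension code: it builds such a profile with Python's standard plistlib and parses it back. Payload types and key names follow Apple's Configuration Profile Reference; the com.example identifiers, the UUIDs and the chosen values are assumed for illustration, and allowBookstore is used as one instance of the slide's "other store usage".

```python
"""iOS configuration profile carrying the passcode and restrictions payloads
the slides list, an added example (not Lumension code). Payload types and key
names follow Apple's Configuration Profile Reference; the com.example
identifiers, the UUIDs and the chosen values are assumed for illustration.
Supervised-only keys (allowAppRemoval, allowBookstore) are ignored on devices
that are not supervised, which is why they are only emitted when asked for."""
import plistlib
import uuid

ORG = "com.example.mdm"  # assumed reverse-DNS prefix for PayloadIdentifier


def payload(payload_type, name, **settings):
    """One payload dictionary with the mandatory Payload* keys plus its settings."""
    p = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG}.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }
    p.update(settings)
    return p


def build_profile(supervised=False):
    """Return the profile as plist XML bytes (the body of a .mobileconfig)."""
    passcode = payload(
        "com.apple.mobiledevice.passwordpolicy", "passcode",
        forcePIN=True,
        allowSimple=False,               # slide: allow simple value
        requireAlphanumeric=True,        # slide: require alphanumeric value
        minLength=8,                     # slide: minimum passcode length
        minComplexChars=1,               # slide: minimum number of complex characters
        maxPINAgeInDays=90,              # slide: maximum passcode age
        pinHistory=5,                    # slide: passcode history
        maxInactivity=5,                 # slide: auto-lock timeout (minutes)
        maxGracePeriod=0,                # slide: grace period for device lock (minutes)
        maxFailedAttempts=10,            # slide: maximum number of failed attempts
    )
    restrictions = dict(
        allowAppInstallation=True,       # slide: app installs
        allowCamera=False,               # slide: camera use
        allowScreenShot=False,           # slide: screen capture
        allowiTunes=False,               # slide: iTunes store usage
        allowInAppPurchases=False,       # slide: in-app purchases
        forceEncryptedBackup=True,       # slide: force encrypted backups
        safariAllowJavaScript=True,      # slide: JavaScript
        allowFingerprintForUnlock=True,  # slide: allow Touch ID
    )
    if supervised:                       # slide: supervised restrictions
        restrictions.update(allowAppRemoval=False, allowBookstore=False)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate mobile baseline",
        "PayloadContent": [
            passcode,
            payload("com.apple.applicationaccess", "restrictions", **restrictions),
        ],
    }
    return plistlib.dumps(profile)


def payloads_by_type(profile_bytes):
    """Parse a profile back and index its payloads by PayloadType."""
    profile = plistlib.loads(profile_bytes)
    return {p["PayloadType"]: p for p in profile["PayloadContent"]}


if __name__ == "__main__":
    print(build_profile(supervised=True).decode())
```

An unsigned profile like this one can be edited by the user before installation; in production the MDM signs it and pushes it over the air, which is the "Over the Air Management" item on the capabilities slide.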
14. Bottom line
Key requirements
  Stay up on device health and inventory
  Enforce password and encryption
  Discourage older devices
  Remote wipe
  Hone the procedure
  Use carrots
Mobile Device Management
  Another security solution to manage?
  Mobile devices are just another type of endpoint
  Manage iOS and Android devices along with Windows endpoints on the same pane of glass
16. Lumension Platform Benefits
Unifies workflows and technologies to deliver enhanced capabilities in the management of endpoint operations, security and compliance
Endpoint Operations and Endpoint Security capabilities: Device Control, Asset Management, Software Management, Power Management, Configuration Management, Mobile Device Management, Reporting, Data Encryption, Antivirus/Spyware, Patch Management, Application Control, Firewall Management
Endpoint types covered: Mobile Devices, Desktops, Laptops, Servers
17. Lumension MDM Capabilities Overview
L.E.M.S.S. Integration
  Integrated Management
  Localized Console & Apps
  Per-device Licensing
  Role-based Access Control (RBAC)
  Manage Mobile Endpoints
  iOS and Android Support
  Consistent Policy Workflow
  Over the Air Management
Device Management
  iOS / Android Enrollment via App
  AD Authentication
  Device Administration (Delete/Disable/Offline)
  Check-in Interval: Configurable and On-Demand
  Hardware Inventory
  Managed Devices Dashboard / Reporting
  Action Traceability
Device & Data Security
  Remote Lock
  Remote Wipe
  Password Enablement (Enforcement / Clearing)
  Password Complexity Configuration
  Device Encryption Enforcement
  Device Feature Restrictions
  Root/Jailbreak Detection (Device Health)
  Exchange Configuration (iOS)
  Wi-Fi Configuration
18. Free Device Scanner tool: discover all the devices being used in your network
  ~/Resources/Security-Tools
More on BYOD issues and solutions in the Lumension Optimal Security blog at blog.lumension.com/tag/byod
More information at www.lumension.com
More information on the Lumension MDM at ~/mobile-device-management-software
Get the 2013 BYOD Survey Report at ~/more-info/BYOD-and-Mobile-Security