EU Security Agency Highlights Smartphone Risks

The European agency ENISA has warned of the possible security risks posed by the humble smartphone

The European Network and Information Security Agency (ENISA) has published a new report (PDF) in which it warns of the possible security threats posed by the smartphone.

ENISA is an agency of the European Union and its new report identifies the top security risks of smartphone use, as well as offering some practical security advice for businesses, consumers and governments.

The ENISA report comes after analyst house Gartner revealed in early November that worldwide mobile phone sales had grown by 35 percent in the third quarter. However that was nothing compared to the 96 percent rise in smartphone sales during the same period, with 80 million smartphones sold in that period alone.

Never Leave Your Side

The problem with smartphones, according to ENISA, is that they usually stay within metres of their owners 24 hours a day. These devices offer a “rich cocktail of features including an array of sensors, multiple radio and network interfaces, as well as gigabytes of storage and powerful processors.” They can also act as a contactless wallet, a camera/videophone, a barcode reader, an email client, or a way of accessing social networks.

“Given the growing importance of smartphones for EU businesses, governments and citizens, we consider it essential to assess their security and privacy implications,” said Professor Dr. Udo Helmbrecht, Executive Director of ENISA.

The ENISA warning mirrors the conclusion of analyst house Ovum last month, when it highlighted the security concerns posed by smartphones. Ovum had discovered that nine out of ten of its interviewees had already equipped their workforces with smartphones, or had imminent plans to do so.

The Risks

The ENISA report meanwhile cited the following smartphone risks that people need to be aware of:

  • Data leakage: a stolen or lost phone with unprotected memory allows an attacker to access the data on it.
  • Improper decommissioning: the phone is disposed of or transferred to another user without removing sensitive data, allowing an attacker to access the data on it.
  • Unintentional data disclosure: most apps have privacy settings but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.

The report also warns of the dangers posed by phishing, spyware, network spoofing attacks, surveillance, diallerware, financial malware, and finally network congestion.

It is not all doom and gloom, however: backup is often well integrated into smartphone platforms, which makes it easy to recover data if the phone is lost or stolen.

Recommendations

ENISA also offered a number of recommendations for both users and businesses.

“Smartphones are a goldmine of sensitive and personal information – it’s vital to understand how to maintain our control over this data. We’ve designed our recommendations to plug into a typical security policy,” said Dr. Giles Hogben, co-author of the report.

It said that consumers should configure their smartphone so that it locks automatically after a few minutes of inactivity. They should be wary of installing smartphone apps or services and never install any software onto the device unless it comes from a trusted source. Consumers should also scrutinise permission requests when using or installing smartphone apps or services, and they must wipe all data and settings from the smartphone before disposing of or recycling it.

Businesses meanwhile are advised to apply a thorough decommissioning procedure to all smartphones, including memory wipe processes. They should also enforce an app whitelist if any sensitive corporate data is handled, or if the corporate network is accessible to the smartphone.

Encryption of the smartphone memory and of any removable media is also recommended, and sensitive data should not be stored locally. Businesses should only allow online access to sensitive data from a smartphone through a non-caching app. ENISA also recommends that smartphones be periodically wiped (using secure deletion) and reloaded with a specially prepared and tested disk image.
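The business recommendations above (app whitelist where sensitive data is handled, encrypted internal and removable storage, automatic locking, periodic wipe-and-reload) are easiest to keep honest when they are checked against a device inventory rather than left in a policy document. The following is an added example written for this page, not code from ENISA or from the article; the inventory fields, the policy thresholds, the app names and the sample devices are all assumptions constructed for illustration.

```python
"""Policy-as-code check of a smartphone fleet against the ENISA business
recommendations summarised above. Added example: the record format,
thresholds and sample inventory are assumptions, not ENISA's or any MDM
vendor's."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Hypothetical corporate policy values (assumed; adjust to your own policy).
MAX_AUTOLOCK_SECONDS = 300        # lock after at most five minutes idle
MAX_DAYS_SINCE_REIMAGE = 90       # wipe-and-reload cadence
APP_WHITELIST = {"corp.mail", "corp.vpn", "corp.docs"}


@dataclass
class Device:
    """One inventory record as a hypothetical MDM export might provide it."""
    device_id: str
    autolock_seconds: Optional[int]   # None means auto-lock is disabled
    storage_encrypted: bool
    sdcard_present: bool
    sdcard_encrypted: bool
    installed_apps: Set[str]
    last_reimage: date
    handles_sensitive_data: bool


def check_device(dev: Device, today: date) -> List[str]:
    """Return the policy findings for one device; an empty list is compliant."""
    findings = []
    # Auto-lock must be enabled and no longer than the policy maximum.
    if dev.autolock_seconds is None or dev.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        findings.append("autolock: disabled or longer than %ds" % MAX_AUTOLOCK_SECONDS)
    # Internal storage and any removable media must be encrypted.
    if not dev.storage_encrypted:
        findings.append("encryption: internal storage not encrypted")
    if dev.sdcard_present and not dev.sdcard_encrypted:
        findings.append("encryption: removable media not encrypted")
    # The whitelist only applies to devices that handle sensitive data.
    if dev.handles_sensitive_data:
        unapproved = sorted(dev.installed_apps - APP_WHITELIST)
        if unapproved:
            findings.append("whitelist: unapproved apps " + ", ".join(unapproved))
    # Periodic secure wipe and reload from a known-good image.
    age_days = (today - dev.last_reimage).days
    if age_days > MAX_DAYS_SINCE_REIMAGE:
        findings.append("reimage: %d days since last wipe-and-reload" % age_days)
    return findings


def check_fleet(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device id to its findings."""
    return {d.device_id: check_device(d, today) for d in devices}


# Constructed sample inventory (not real devices).
TODAY = date(2010, 12, 15)
SAMPLE_FLEET = [
    Device("dev-01", 120, True, False, False,
           {"corp.mail", "corp.vpn"}, date(2010, 11, 15), True),
    Device("dev-02", None, False, True, False,
           {"corp.mail", "game.x"}, date(2010, 5, 1), True),
    Device("dev-03", 600, True, False, False,
           {"corp.mail", "game.x"}, date(2010, 12, 1), False),
]

if __name__ == "__main__":
    for device_id, findings in check_fleet(SAMPLE_FLEET, TODAY).items():
        status = "OK" if not findings else "NON-COMPLIANT"
        print(device_id, status)
        for finding in findings:
            print("  -", finding)
```

The whitelist check is deliberately scoped to devices flagged as handling sensitive data or reaching the corporate network, which is the condition ENISA attaches to it; the other checks apply fleet-wide. A real deployment would read the records from the MDM export rather than the inline sample.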

A video clip that outlines some of the report's key findings is available here.