Do you know where your mobile data is?
This week’s high-profile hack is celebrity pictures stolen from iPhone accounts in the Apple cloud. Such overexposure highlights one of the first rules of digital security: If you don’t want to see a photo posted all over the web, don’t take it.
But it also highlights another rule, one that is applicable to agencies whose workers are using mobile devices: If you want to protect digital data, you need to know what data is being collected and where it goes. This is especially important with smartphones and tablets that increasingly rely on the cloud for data backup, raising questions about privacy and security.
This service is great if your phone is stolen, if you drop your tablet into the swimming pool, or if you just upgrade to a new model and want to keep your settings and data. The problem is that backups can happen without users being aware, and not all clouds are secure.
The celebrity iPhone hacks apparently occurred because of a flaw in the device that allowed someone to guess passwords and access data in the account. But the vector and exploit used are not important here. What is important is that data can be exposed when it is moved to the cloud in an unmanaged way.
When it comes to embarrassing photos, everyone is responsible for his or her own security. But if you are using a device for work, you also are responsible to your agency to see that work-related data, even something as prosaic as geolocation, is properly secured. And you can’t do that if you don’t know what is being backed up. Most, if not all, agencies block automatic commercial cloud backups from agency-issued devices and from managed personal devices. But that still leaves a large number of personal devices used informally on the job on which personal and government data are mixed.
Data from iPhones, iPads and iPod touch is backed up on iCloud, which provides 5 GB of storage to users. According to Apple, “iCloud automatically backs up your device over Wi-Fi every day while it’s turned on, locked and connected to a power source.”
Android offers a data backup service with remote cloud storage that provides a restore point for application data and settings. This is application specific, however, and not all Android devices include the backup transport function.
This backup is limited, according to Android. “You cannot read or write backup data on demand and cannot access it in any way other than through the APIs provided by the Backup Manager.” Android also warns, “because the cloud storage and transport service can differ from device to device, Android makes no guarantees about the security of your data while using backup. You should always be cautious about using backup to store sensitive data, such as usernames and passwords.”
Windows Phone 8.1 lets users opt in to data backup. Users can turn the service on and choose how the phone backs up apps, settings, texts, photos and videos to the cloud.
The bottom line is that agencies and employees should be aware of the backup policy and mechanism of the mobile devices being used on the job and actively manage these options to ensure that sensitive data is not being moved somewhere it could be exposed.
Posted by William Jackson on Sep 05, 2014 at 11:15 AM