Veteran mobile security expert Dameon D. Welch-Abernathy provides insights into some of the risks associated with common mobile apps and recommendations for how to handle mobile security to keep the workplace secure. In this era of BYOD and blurred borders between work and home, PhoneBoy touches on enterprise data, while also shedding light on how mobile games like Pokemon Go can give attackers a list of where the user has been.
Talking Mobile Security with PhoneBoy
Dameon D. Welch-Abernathy, AKA “PhoneBoy,” is a cyber security evangelist with more than two decades of experience. Oh—and in case you’re wondering—his moniker came from a stint as a call screener on a radio show. Below is a Q&A session that we captured from a live streaming Periscope session.
PhoneBoy Introduction: Seventeen years ago I joined Nokia in the security appliance business. I got a chance to play with smartphones you saw in Europe like the Symbian OS, but didn’t see any in the U.S. until Apple came out with the iPhone. Back then I saw that these were little computers. The cameras, connectivity, and processor power weren’t nearly as good as today, but the same concerns were there. You had something of your life on this phone. Of course now it has gotten worse. You can do banking on your phone. You get email on your phone. You’ve got private pictures there. (Does anybody actually use the phone function?) Meanwhile, many people out there use mobile devices to access corporate data. But you don’t want a corporation’s mobile device management (MDM) to take over your phone, which sometimes happens.
The best way to handle mobile security is to put enterprise data in an encrypted container without MDM. Having advanced threat prevention on mobile devices is good, too. It gives you peace of mind that nothing bad gets on your phone. MDMs have some benefits; but they are intrusive and they’re just not security devices.
Q. What do you think about sending email over TOR (The Onion Router)?
A. I don’t know that hiding your IP address is going to buy you a lot because there is a lot of metadata in email headers. At some point the email has to exit to the Internet and be in plaintext. There is enough metadata around to figure things out.
Q. What about Pokemon Go?
A. The service provider is keeping track of your location data, but that isn’t a big deal. On Android, there is a lot of stuff sitting around in plaintext that is a dossier of everywhere you’ve been. If somebody gets your phone, they can put together everywhere you’ve been and who you were talking with.
Q. If I get apps from the Apple App Store, shouldn’t they be free of malicious apps?
A. Generally speaking yes, but sometimes things slip through. Apple does review every app. The hackers are really good at trying to get around this stuff.
Q. My company asked me to install AirWatch on my iPhone. What am I exposing myself to?
A. They can see a lot of the stuff you’ve got on your phone. I have a couple of phones on a Meraki MDM. It can see all the apps on my phones. It could potentially wipe the pass code. It depends what’s on the profile.
Q. Are businesses taking mobile security more seriously than last year?
A. I think we need an Armageddon-like event before businesses take security more seriously.
Geek out and see more of what PhoneBoy is up to at Phoneboy.org.