Mobile Device Security Checklist v1.

3
Procedures Description Status Notes
1. Develop and validate Use Cases for In order to evaluate protections and practices, a clear
Mobile Devices (Smartphones and understanding of what users are expecting from the
Tablets) devices needs to be established.
2. Perform a risk assessment to The risk assessment can help the organization identify
understand the value of the information and determine the value of their information and
and assets that need protection. devices, thus allowing the organization to allocate the
appropriate level of resources for protection of those
devices and information. The use cases will help add
information on relevant risk scenarios.

3. Review and update policies where needed.

Procedural and security policies are the foundation on
which other countermeasures—the operational and
technical ones—are rationalized and implemented.
Documented policy allows an organization to define
acceptable implementations and uses for devices.

4. Update training, ensure users A training and awareness program helps users to
complete it, and sign agreement. establish good security practices in the interest of
preventing intrusions or information loss. Collecting an
acknowledgement/agreement to follow requirements.

5. Consider Coprporate Owned PersonallyFor

Enabled
Corporate
(COPE)
owned devices ask if they are locked
down or will they be personal use enabled (COPE.)
Evaluate COPE versus BYOD.
[Link]
YOD-vs-COPE-Why-corporate-device-ownership-
could-make-a-comeback

6. Select Device operation model Data can be sandboxed or stored in the device native
containers, or a hybrid.
A discussion on Sandbox Environments:
[Link]
nts
Sandboxing 101:
[Link]
sandboxing-101
To sandbox or not:
[Link]
management/mdm-to-sandbox-or-not-to-sandbox/d/d-
id/1101060?

7. Select and implement device Device management solutions are important for
management solution centrally managing the device settings and auditing
use to ensure they are operating within acceptable risk
levels.
[Link]
_tools_Features_and_functions_compared

8. Select configuration profile Security Settings must be set. Either by reviewing all
possible settings against the policy decisions above, or
by selecting a published baseline which is then
tweaked to match corporate policy.
9. Validate Minimum Security Settings Review and consider suggested minimum security
settings. As devices capabilities evolve and their
operating systems update, these should be revisited.

10. Lifecycle Processes Procurement to Disposal process need to be

developed
11. Select and deploy AV solution Not all mobile devices support AV/Malware
protection/scanners. Select appropriate alternative.
[Link]
[Link]/
12. Application Deployment Determine how applications are going to be deployed
to the devices.
13. Audit configuration & Forensic Capabilities
Audit configuration and software to ensure device
continues to operate within acceptable risk boundaries.
Develop or hire forensic capabilities to handle
problems when they arise.
14. Synchronize devices with their Synchronization of handheld devices with their
corresponding PCs regularly. corresponding PCs ensures data availability. Consider
restrictions on cloud backup and backups to non-
corporate owned systems
15. Consider Bring Your Own Device (BYOD)
BYOD is requested more and more and evolving as an
alternative to corporate funded devices for workers. If
after consideration of COPE; BYOD is still needed;
BYOD requires you to revisit decisions made about
corporate devices above.
Policies
Procedures Description Status Notes
1. Use of the Camera Taking photographs and emailing or posting to sites
with a large audience are trivial. Sensitive items or
information can be easily captured. Allowing limited
operation of camera may be optional, and will turn this
into an administrative control.
2. Use of Voice Recording Sensitive conversations may be inappropriate for
recording. It may be appropriate to remove devices
from the vicinity of sensitive, trademarked or restricted
information being discussed.
3. Application Purchases Develop the model for putting applications on the
device. Not all needed applications are free. Will
application purchases be reimbursed or will corporate
applications be provided through volume purchase or
corporate application store? Costs to reimburse single
appliction purchases may exceed the purchase,
consider implementation options to minimize this.

4. Incidental Use Documenting the boundaries/restrictions for use is

important. E.g. installing personal applications or
content, use for non-corporate purposes, use by non-
corporate users. Data and Voice overage cost
reconciliation. Proving corporate versus personal use
of data plan may be problematic. Some MDM solutions
require mandatory carrier codes that have monthly
cost.

5. Foreign Travel Taking devices to other countries introduces risks.

Such confiscation and compromise. Practices, such as
a loaner pool, forensic examination before and after,
and review of device for export restriction isses prior to
trip need to be evalutated.
6. Encryption at Rest Some devices have the ability to encrypt information at
rest which adds additional protections to the data on
the device. Backups can be encrypted to further
protect them.
7. In App Purchases Some applications allow upgrades or just-in-time
purchases. These are typically not necessary for
business applications.
8. Autoconnect to preferred Wi-Fi SSID Care must be given to how the devices connect to Wi-
Fi networks. A trusted network can be impersonated.
Consider stance use of hotspots which are easily
impersonated.
9. Use Restrictions There may be locations where use of these devices is
inappropriate and device use may be restricted.
10. Bluetooth What devices may the devices be paired with? Are
there restrictions on the types of data that are shared
when paired? Consider prohibition of Bluetooth versus
prohibition of certain Bluetooth accessories.

11. VPN Use Are these devices permitted to use the corporate VPN?
Does connection to the corporate VPN permit
inappropriate data infiltration or exfiltration.
12. Password Devices should have a strong password that is
commensurate with the data protected. Consider
strength and complexity to limit the effectiveness of
access to data due to physical device protection.
Assess risk of requiring a unique password for mobile
[Link] should be either recoverable or
centrally resettable.
13. Lost or stolen device reporting As with any portable device, a label should be on the
device indicating how it can be returned to the rightful
owner. Users should know who to contact when a
device is lost or stolen.
14. Secure Device when not in use Devices should be stored securely when unattended,
preferably in locked rooms or cabinets. Their small size
and portability lends them to both being lost and
stolen.
15. Device Connection Connecting the device, physically or wirelessly, to non-
corporate systems for synchronization or backup adds
a risk of loss of corporate data or configuration
information. Use cases may drive a need to permit
connection to non-corporate devices. Restrictions
needed to be clearly stated.

16. File Sharing/Network/Cloud Synchronization of data to non-corporate data storage

solutions can put corporate data outside appropriate
control boundaries. Establishing the restrictions for
protection of corporate information. Providing or
selecting a corporate solution minimizes risks.

17. Location Services Location Services are needed for navigation

applications. They can also be used to reveal the
location of staff members. Operational Security trade-
off must be determined
18. Minimize sensitive data, delete when Because of the portability of handheld devices and
not needed. greater threat to loss and theft, sensitive information
stored on the device should be off-loaded to the PC
and deleted form the handheld device, if possible.
19. Transmission of sensitive information Establish protection requirements for transmitting
sensitive corporate data over the Internet or public
data carriers. E.g. VPN or S/MIME
20. Lost or Stolen Mobile Device When users report lost, stolen or recovered devices, a
response and responsibilities. pre-existing process needs to be followed regarding
wpe, potential loss of data, carrier notification, and
consideration of reintroduction of potentially
compromised device to corporate infrastructure.
Lifecycle
Procedures Description Status Notes
1. Device Reuse Procedure Devices need to be cleared of all information from the
prior user before being issued to a new user. It may be
less expensive to always purchase new devices.

2. Device Software Update Keeping the OS patched ensures the latest security
patches are installed. New versions of the OS must be
vetted for security posture and supportability.
3. Device Disposal Procedure Devices need to be properly disposed of. Corporate
data needs to be cleared and devices properly
disposed of or recycled. Disposition process should be
audited
4. New Device Procedure New devices need to operate within established
security guidelines and help desk support must be
established. New Devices need to be validated before
being made available for users to request
5. Procurement/Enrollment/Provisioning Centralized procurement and provisioning allows
Procedure consistent delivery of approved devices in a
known/managed configuration.
Suggested Base Security Settings
Procedures Description Status Notes
1. Security Settings Required Lock or secure security settings so users cannot delete
or change mandatory settings
2. Password Lock Strong Password Required, at least 6 characters,
numbers and letters. Disallow simple passwords.
3. Password Auto-Lock Lock device after timeout
4. Password Change interval and history Password must be changed regularly if they are used
for more than just this device. Consider a history of five
or more passwords to reduce reuse.
5. Auto Wipe Device wipes after a number of unsuccessful password
attempts. Device wipes after interval of not checking in
with management server.
6. Desktop Backup has password and Protecting the device backup with a password and
encryption encryption at rest protects that information from
unauthorized access.
7. Enable Remote Wipe, Lock and Remotely locking, wiping and location of mobile
Locate devices can aid in data protection and device recovery.

8. Enable Device Encryption Encrypt data at rest where technically feasible.

Sensitive data and application data files should be
encrypted with the appropriate encryption techniques.
Sandbox solutions often add a layer of
protection/encryption to better protect information.
9. Corporate VPN Configuration and Configure Corporate VPN information. Use certificates
monitoring or other non-user creatable configuration to prevent
replication to unauthorized device. Monitor mobile
devices accessing sensitive resources within your
organization using available logging resources.

10. Disable cloud data storage/backup Storing of corporate data outside control boundary can
result in data exposure or loss. Provide corporate
solution for information synchronization.
11. Disable Developer Debug Access Mitigate a common mobile device security bypass
technique by ensuring developer debug access is
disabled.
Applications
Procedures Description Status Notes
1. Application Approval Not all applications are benign or work appropriate.
Process for approval, particularly if compensation is
requested, needs to be established.
2. Application Purchas Account Do users need a separate account for application store
for corporate devices or can they use their personal
account. If using their personal account are they
allowed to install other applications purchased with that
account?
3. Application Store/Source Allow Applications from "anywhere", Corporate "App
Store" or Vendor? E.g. RIM, iTunes, Google Play
4. Application Development Are you developing applications? If so, formal Mobile
App coding and testing standards need to be
established and formal processes followed
5. Application Security Evaluate mobile applications in use to manipulate
corporate data. Develop strategy for approved and
banned applications. Consider limitations of device
management solution.
6. Application Vulnerability Analysis and Forensics.
If appropriate, run applications through security
scanner to understand limitations and weaknesses.
Disallow problem applications where appropriate.
Corporate Owned, Personally Enabled (COPE)
Procedures Description Status Notes
1. Develop and validate Use Cases COPE is often an acceptable alternative to BYOD. The
personal use of Corporate Devices primary advantage is these are still Corporate Owned
devices, and can meet corporate standards, while
enabling personal uses that drive BYOD. In order to
evaluate protections and practices, a clear
understanding of what users are expecting from the
devices needs to be established.

2. Perform a risk assessment to Protecting corporate information on a device which has

understand the value of the information personal information and applications has to be
and assets that need protection. considered. Unlike BYOD, the corporate management
and device configuation practices are still in effect.
While this may not warrent a separate risk
assessment, it does introduce new risks, such as a
personal address book mixed with a corporate one,
personal email and applications/games.

3. Jailbroken or Hacked devices Corporate practices should still be in effect.

Understand that appliations for personal use may be
on the device and raise the risk of unintended
compromise. What action will be taken when one of
these devices is detected?
4. Application Purchase Account Do users need a separate account for application store
for corporate application purchases or can they use
their personal account. Will application purchases be
reimbursed or will corporate applications be provided
through volume purchase or corporate application
store? Costs to reimburse single appliction purchases
may exceed the purchase, consider grouping to
minimize this.

5. Device use restrictions The application mix on a COPE device may differ from
traditional deivces. Are there locations or scenarios the
devices are not permitted or are treated differently from
traditonal corporate devices?
6. Information restrictions Are there restrictions on the type or location of
corporate data stored on the device?
7. Revisit other Mobile Device Policies Consider which Mobile Device policies apply, and
which should be changed for COPE. (For example any
prohibitions on personal data or applications, teather or
hotspot limitations may need to be revisited.)

8. Select Device operation model Consider separation of Corporate and Personal data.
Data can be sandboxed or stored in the device native
containers, or a hybrid. Are these devices only
permitted to access VDI solution? A discussion on
Sandbox Environments:
[Link]
nts

9. Security Policy and Management Are the devices going to have the same security policy
as traditional corporate devices or a sub-set intended
to only protect corporate data? How much of the
device are you expecting to manage/control?
Bring Your Own Device (BYOD)
Procedures Description Status Notes
1. Develop and validate Use Cases for In order to evaluate protections and practices, a clear
personally owned devices. understanding of what users are expecting from the
devices needs to be established.
2. Perform a risk assessment to Protecting corporate information on a personally
understand the value of the information owned device can be very different, depending on the
and assets that need protection. use cases outlined above. This changes the scope of
device management and information co-located in the
device and warrants a separate or updated risk
assessment.

3. Jailbroken or Hacked devices Personally owned devices are more likely to be hacked
or jailbroken. What action will be taken when one of
these devices is detected?
4. Application Purchase Account Do users need a separate account for application store
for corporate application purchases or can they use
their personal account. Will application purchases be
reimbursed or will corporate applications be provided
through volume purchase or corporate application
store? Costs to reimburse single appliction purchases
may exceed the purchase, consider grouping to
minimize this.

5. Device use restrictions Are there locations or scenarios the devices are not
permitted or are treated differently from corporate
devices?
6. Information restrictions Are there restrictions on the type or location of
corporate data stored on the device?
7. Revisit other Mobile Device Policies Consider which Mobile Device policies apply, and
which should be changed for BYOD.
8. Select Device operation model Data can be sandboxed or stored in the device native
containers, or a hybrid. Are these devices only
permitted to access VDI solution? A discussion on
Sandbox Environments:
[Link]
nts
Sandboxing 101:
[Link]
sandboxing-101
To sandbox or not:
[Link]
management/mdm-to-sandbox-or-not-to-sandbox/d/d-
id/1101060?

9. Security Policy and Management Are the devices going to have the same security policy
as corporate devices or a sub-set intended to only
protect corporate data? How much of the device are
you expecting to manage/control?
10. Reimbursement Reimbursement or stipend programs, if used, should
reflect the actual costs incurred by the employee.
Cellular voice and data plans continue to provide more
services for a smaller amount, so flat rate
implementations will need review regularly.
Reference Material
Hand-held Communications - Security Features Checklist
[Link]
[Link]
[Link]
[Link]

MDM Solutions and Sandboxing comparison

[Link]
[Link]
[Link]
[Link]

Mobile Device Security Software Comparison

[Link]

Android vs. iOS: security Comparison

[Link]
[Link]

BYOD and COPE Comparison

[Link]

Mobile Device Baseline Configurations:

DISA STIGS: [Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

CIS Benchmarks
[Link]

Australian Defense Signals Directorate iOS Hardening guide

[Link]

Forensic Capability
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]

Authors & Contributors

Lee Neely
Bradley Markides
David Mold
Ed Skoudis
Joshua Wright