Encrypting Cell Phones

Cell Phone Security: Encryption

With the increasing use of mobile devices such as smartphones comes accompanying risks, such as the potential for sensitive data loss via stolen or lost devices or via unauthorized access. One way to protect smartphone data is with encryption. Encrypting data can help users avoid identity theft and the loss of sensitive data. Encryption can also help institutions meet compliance guidelines for state and federal regulations, as well as mitigate financial risk. As with encryption for other devices, products are available that range from built-in operating system capabilities to those provided by third-party vendors.

Best Practices for General Cell Phone Security

Be aware of the possibility of theft. Cell phones are small and easily misplaced or lost. If an individual steals your cell phone, it may be only a matter of time before even the best secured device is compromised.

Be aware of the risks of “Social Engineering”. If you are making a phone call that involves sensitive information, for example, a credit card number, be sure that no one can overhear you and use the information fraudulently or commit identity theft.

Contact your cell phone provider as soon as your cell phone is lost or you think it’s been hacked. If the cell phone has been provided by your department, contact your Information Security Liaison. If you don’t know who your Information Security Liaison is, contact the Information Security Office (security@unc.edu, 919 445-9393). At a minimum, if your cell phone is lost or stolen, you’ll want to discontinue service immediately before the thief can run up a big bill.

Password protect your phone. Use a strong password (minimum of 8 characters, with a mixture of numbers, symbols, and upper and lower case letters).

Turn off Bluetooth, unless you need it. Disabling the Bluetooth service will significantly decrease a hacker’s opportunity to wirelessly hack into your phone.

Obtain and install anti-virus software, if it’s available for your model, and keep it updated. New malware is created every day, so it’s important to have anti-virus software on your cell phone.

Don’t accept files and text messages from individuals you do not know. You wouldn’t download an attachment from a stranger’s email to your desktop or laptop computer. For the same reason, you want to be very careful about opening unsolicited files and text messages on your cell phone.

Obtain and install encryption software for your cell phone, if available.

Considerations in Selecting Encryption Software for your Cell Phone

Cost: not many native encryption options are available, and most of the free or low-cost alternatives are intended for individual use, and not as an enterprise solution. If an individual option is chosen, there is likely to be no way to centrally manage such a resource. Conversely, enterprise-scale options are likely to be expensive.

Support: most enterprises choose to support one smartphone operating system, such as the BlackBerry OS, but may have certain users that use different devices like the Apple iPhone or Android phone. An encryption product that is available for multiple platforms is preferable to one that is only available for one type of device.

Ability to manage devices centrally: as noted by Dave Shackleford, “the ability to centrally manage policies for smartphone encryption, as well as monitor the status of each phone’s encryption in real time, is often a necessity for enterprises with numerous devices”. As well, there may be compliance requirements for logging and reporting. Finally, managing encryption keys is most often a part of an enterprise-level product.

Encryption for Android, Blackberry, and iOS Devices (including iPhones)

Android

Versions of Android prior to 3.0 did not support full disk encryption. Android smartphones running version 3.0 or later support encryption out of the box.

To Enable Encryption:

1. Set Lock Screen Security (instructions depend on your manufacturer)

2. Go to Settings > Security > Encrypt Device

The encryption process can take an hour, so please be patient.

Individuals or units whose Android users will be storing or accessing sensitive data belonging to the University, either on or via their Android phones, should consult with the Information Security Office (security@unc.edu, 919 445-9393) to determine how best to secure these devices.

iOS Devices (including the iPhone)

In iOS 4.x through iOS 7.x, which covers the iPhone 3GS, iPhone 4, iPhone 5, iPad, and iPod Touch (3rd generation or later), Apple devices support key security features such as hardware encryption. These devices offer a built-in whole disk encryption utility. With data protection enabled, the hardware encryption keys can be secured with the user’s password.

To use the whole disk encryption utility, first verify that data protection is enabled:

1. Tap Settings.

2. Tap General.

3. Tap Passcode Lock.

4. Verify that “Data protection is enabled” is displayed at the bottom of the screen.

In the event that data protection is not enabled, you can enable it as follows.

1. Tap Settings.

2. Tap General.

3. Tap Passcode Lock.

4. Tap in a passcode.

5. Tap in the same passcode.

In addition, Apple publishes Understanding data protection, which explains how to enable and verify data protection on iOS 4 or later devices.

Blackberry

Blackberry phones, as of version 4.2 of the Blackberry OS and later, can encrypt data on the device. Users have the option to encrypt emails, contacts, browser cache, and other data. Note that if user contacts are encrypted, incoming caller ID will not be available.

Follow this procedure to encrypt data on the device.

1. Click Options.

2. Click Security Options.

3. Click General Settings.

4. Set Content Protection to Enabled.

You can also encrypt SD cards by proceeding as follows.

1. Click Options.

2. Click Media Card (note that in some OS versions, you must first click Advanced Options, then click Media Card).

3. Set Encryption Mode to either Device, Security Password, or Security Password & Device.

Blackberry also publishes a Guide to Mobile Security.

Third Party Vendors for Encrypting Cell Phones

TextSecure (Whisper Systems)

CellCrypt

GSMK CryptoPhones

Navastream

PhoneCrypt