CompTIA A+ Exam 220-902 sub-objective 3.5 – Compare and contrast various methods for securing mobile devices


Detailed (and official) description of CompTIA A+ sub-objective 3.5

3.5 Compare and contrast various methods for securing mobile devices

Screen locks
Fingerprint lock
Face lock
Swipe lock
Passcode lock

Remote wipes
Locator applications
Remote backup applications
Failed login attempts restrictions
Antivirus/Antimalware
Patching/OS updates
Biometric authentication
Full device encryption
Multifactor authentication
Authenticator applications
Trusted sources vs. untrusted sources
Firewalls
Policies and procedures
BYOD vs. corporate owned
Profile security requirements

Welcome to ExamNotes by CertBlaster! This edition will examine A+ 220-902 objective 3.5 that covers mobile device security while comparing and contrasting the use of systems and features to enhance the device security. Let’s get started!

Screen locks

Energy saving and security are combined when deploying screen lock technology. Previously this topic was covered as it related to workstations. Mobile devices are more prone to being compromised or lost. In either case they need to have stricter access requirements including biometric and behavioral security features. Here we will explore the additional properties offered by screen locks on mobile devices.

Fingerprint lock

Increasingly, smartphones are being produced with biometric security features like a fingerprint scanner. The user configures the device by supplying a sample during the initial setup, or later in the Settings under lock screen by choosing Fingerprint. This setting will require a passcode to prevent unauthorized changes. Next you will supply the fingerprint by tapping the home button (for the capacitive type reader) until there are enough samples to satisfy the software and to allow slightly off-center finger placement. Then, when enabled, it compares the electrical impulses generated by the contact areas of the ridges of your fingerprint and the non-contact areas of the spaces between the ridges. Optical reader technology uses high resolution imaging to capture your fingerprint. Once captured, it is analyzed for the fine details of your fingerprint’s lines and features and stored for comparison. This type of reader can be undermined by an accurate high resolution image or even a correct 3D replica of the fingerprint on a fake fingertip.


While not specified in your A+ exam objectives, other biometric authentication methods also include iris/retinal scanners and voice recognition.

Face lock

The face lock relies on your appearance, captured by the device’s onboard camera, to grant or deny access based on the stored capture. Facial recognition software uses the geometry of key facial features to build a digital mathematical rendering of values represented by the features. It uses values like the distance between your eyes or the width of your nose. Distinguishing facial features, your cheekbones for example, are also measured. The software has come a long way and can now reliably compare an image to its database and provide a match. The software is less likely to be fooled by changes that would cause a human to fail to identify a face, for example hair color, hair length or even a beard.

Swipe lock

Swipe lock technology stores a user-defined swipe pattern that will allow device access. The pattern could be as simple as a straight swipe in any direction or it could be a more complex pattern. Typically it is recommended that your swipe pattern be followed by a second form of authentication. Use either a passcode or facial recognition to fully access the device.

Passcode lock

A passcode is an acceptable security method, and it is best to use one that has at least 6 numbers that are not consecutive or adjacent. This method is always stronger when used with the other methods described above as part of multifactor authentication.

Remote wipes

In the event of a lost or stolen mobile device, the capability to remotely delete all of the data on the device is extremely important to the device security. In most cases the security measures given above will be sufficient to secure your data. When you are sure the device cannot be recovered, or you think the security measures will not withstand a breach, you have no choice but to clear all personal data from the device. This operation will return the device to its factory settings. The remote wipe program we are using does not have the capability to clear data from SD cards that may be installed on the device. Some apps are capable of this, and if there is a risk you should select your remote wipe software accordingly.

[Screenshot: Remote wipe]

Locator applications

If you have misplaced a device, all mobile operating systems support a degree of interactive device location. The Android Device Manager for the Android OS uses Google Maps and the location information last reported by the device to provide the last known location. In some cases this may be sufficient to find the device by simply activating the ringer. This particular application allows you to ring the device, lock it or remotely wipe your personal data, returning the device to its out-of-the-box configuration. Realize, though, that neither the remote wipe nor the locator apps will work if the device is powered off or has its SIM card removed.

Here is the Android Device Manager locating a misplaced device on the map and ringing the phone.

[Screenshot: Device locator ring]

Remote backup applications

Here again, each mobile operating system supports backups to the cloud. This is in the form of iTunes and iCloud for Apple devices, OneDrive for Microsoft and Google Drive on Android. Access to these storage locations is controlled for the most part by email-specific logins. For example, you would create User@live.com for a Microsoft account and User@gmail.com on Android, while your personal email (and a new password) will create an Apple ID to access Apple services like iTunes and iCloud Drive. Other free backup and storage locations include Dropbox and others. You will find that all free backup services have either feature or size limitations or both. iCloud is geared toward storage, while iTunes handles backups and synchronization. All files and folders added to the local home directory of these apps. Note that all files added to the Dropbox folder shown are encrypted and sync’d automatically and immediately. Once the sync is complete the files will be placed in encrypted storage online in two locations, then locally and on any shared devices. Here’s a look at a Dropbox upload, featuring the alt menu with the sharing option that allows specific items to be shared with other parties. Local content that has been sync’d is displayed with a green checkmark in the local folder; items in the sync process are shown with a blue circular icon.

[Screenshot: Dropbox sharing online]
[Screenshot: Sync confirmed, upload in process]

Failed login attempts restrictions

Primarily, mobile devices can be configured to lock after a specified number of failed login attempts. This is usually a temporary condition providing you with the time necessary to remember your password. In the conventional PC environment it is common to see login restrictions like the number of failed attempts that are allowed before the account locks. The number of attempts allowed can be reset, but it is important to know that on an iPhone, for example, after an excessive number of attempts the device will permanently lock and erase all data. In most cases access can be restored by using the primary account and password data, provided, of course, that the device has not been erased.
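The behavior described above (a temporary lock that grows with repeated failures, then a wipe) can be simulated as follows. This is an added example, not code from any mobile OS; the class names, thresholds and delays are assumptions chosen for illustration, and a real device keeps its passcode in protected hardware rather than in a plain variable.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    # All three values are assumed for the example, not vendor defaults.
    free_attempts: int = 5    # failures allowed before any lockout
    base_delay: int = 60      # seconds for the first temporary lock
    wipe_after: int = 10      # failures that trigger the data wipe


class ScreenLock:
    """Simulated passcode lock with escalating lockout and final wipe."""

    def __init__(self, passcode: str, policy: LockoutPolicy = LockoutPolicy()):
        self._passcode = passcode
        self.policy = policy
        self.failures = 0
        self.locked_until = 0
        self.wiped = False

    def attempt(self, code: str, now: int) -> str:
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"   # attempts during a lock are not evaluated
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(code.encode(), self._passcode.encode()):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.policy.wipe_after:
            self.wiped = True
            self._passcode = ""   # stands in for erasing user data
            return "wiped"
        if self.failures >= self.policy.free_attempts:
            extra = self.failures - self.policy.free_attempts
            self.locked_until = now + self.policy.base_delay * 2 ** extra
            return "locked"
        return "denied"
```

Note that the correct passcode is refused while a temporary lock is active, and that nothing recovers the device once the wipe threshold is reached.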

Antivirus/Antimalware

So you think your smartphone or tablet is immune to malware and virus infection because its operating system is not commonly a target. Guess again. While a virus is a rare or non-existent occurrence in the Android environment, malware propagates freely. Remember the distinction between virus and malware definitions. A virus’ main objective is to replicate itself by piggybacking in or on a seemingly benevolent file. The virus will replicate according to its programming when the host file is opened. Malware, on the other hand, describes all malicious content including viruses. The objective of most malware is twofold. First is secrecy: the longer the malware can exist, the more effective it is by virtue of the second point here. Second, the majority of malware will generally not harm the host. There may be a performance impact due to the malware’s activity, but the bulk of malware programs will gather personal data, credit cards, login data, keystrokes, etcetera without disabling the device. Ransomware is the exception here in that its first operation is to lock and often encrypt the local data. So what is your defense? Install a free or paid version of a trusted antivirus/antimalware suite. Select a widely known and respected package, check the reviews and, most importantly, be absolutely certain you are getting the program from the correct source (see below under “Trusted sources vs. untrusted sources”). Then keep the detection definitions up to date. One of the differences between the free and paid versions of antimalware programs can be seen in the Malwarebytes program. The free version requires you to update the definitions manually while the paid version does this automatically. Manual updates require discipline on the user end and can lead to conditions that would allow newly discovered threats to go undefended. Evil does not take days off! Here is a popular program that would provide protection but may or may not currently do so because its databases are not up to date.

[Screenshot: Outdated antimalware definition database]

Patching/OS updates

A patch modifies the existing software to add security features or operational improvements also known as bug fixes. Critical patches are known as hotfixes. A Service Pack refers to a group of patches and hotfixes compiled into a single download and install as a cumulative update. OS updates are, as the name implies,

In the mobile environment the programming on the device is being constantly tested for vulnerabilities. As important as it is to keep your device virus and malware protection up to date, it is equally important to allow your mobile OS to patch and update its software. As we covered earlier in the 220-902, hardware requires some form of software to operate properly. This could be embedded firmware or software drivers. In the case of firmware, by nature, it is more likely that it will be exploited as opposed to being altered. A widely used technique to trick you into installing malware employs a fake download site loaded with malware infected drivers.

Biometric authentication

As referenced earlier in this article, multifactor authentication is becoming more accessible to the average user. Iris/retinal scanners and facial recognition authentication were once found only in the corporate realm. Now they can be integrated into the majority of mobile devices and carried in your pocket.

Full device encryption

Encryption is a highly effective security measure for files, folders and even volumes. Encrypted content is digital junk without the decryption key. This enhanced security comes with a system performance penalty. The solution to this performance impact is whole device encryption, which encrypts everything, decreasing any internal operational performance lag.

Multifactor authentication

The combination of more than one authentication method is called multifactor authentication. Smartphones or other mobile devices can play an integral part in this process. Multifactor methods are frequently used by financial institutions to prevent unauthorized access and intrusion. Some multifactor authentication implementations use an email/password combination to initiate a callback or text-back passphrase delivery. This will be in the form of a one-time passphrase (OTP) delivered to the mobile device and then used as the second element of authentication. Also, where the mobile device connectivity cannot be assured, the multifactor method can combine an email/password with facial recognition to provide the necessary security level.

Authenticator applications

As a rule, the more sophisticated the authentication method, the less likely it is to be included in your standard mobile device configuration. This is due to the need for minimal software loads on standard device implementations. The additional apps are installed as needed. Authentication apps are widely available. For individual security a highly rated freeware app like Google Authenticator or Microsoft Authenticator will be sufficient. In the business environment the app must be able to be implemented across platforms. It will need to be tested in the environment to reveal any weaknesses. Here is a look at some of the free, highly rated authenticator apps.

[Screenshot: Authenticator apps]

Trusted sources vs. untrusted sources

Software drivers and other apps can easily be corrupted to allow malware to operate. You should study any system errors and verify the source of all errors and warnings. Once you are satisfied, always start with the manufacturer’s recommended website when updating any elements of your system. This is Google Play for Android, Apple’s App Store for iOS and the Microsoft Store for Windows based devices. Use the device settings where possible to block or restrict unknown or untrusted sites. It is necessary to examine the actual sources of everything you install on your machine. Given the possibility of misdirected web traffic look at the URLs carefully. It’s essential to understand the importance of using trusted sites to obtain your software. Further know the consequences of installing untrusted content up to and including identity theft and complete device failures.

Firewalls

On a mobile device some features of the firewall are configured during individual app installations. Each app requests specific permissions to install. Review these permissions for their relationship to the app operation and whether or not you wish to grant it. For example a weather app that requests location information for its installation is more justifiable than a text to speech app that needs your camera. This feature requirement is usually an all or nothing selection. Ultimately if you do not agree to all permissions the app requests it will not install. There are many apps to inspect and install but only one set of personal banking credentials to be compromised. Err on the side of caution.

Policies and procedures

BYOD vs. corporate owned

The term BYOD (Bring Your Own Device) describes a corporate policy that allows an employee to use their own device in the corporate environment. This includes evaluation by the company IT department to be sure the device meets the corporate security requirements regarding software, patches, antimalware, firewall, VPN, login requirements and encryption. Any software installation needed to meet the BYOD policy is referred to as on-boarding. Corporate owned devices are configured to meet these same requirements.

Profile security requirements

The profile security requirements described above may have additional apps such as cloud backup capability. This policy will be clearly outlined and enforced. The policy will also include provisions for wiping the data from lost/stolen devices or employees that have been dismissed.

That’s all for 220-902 objective 3.5. If you have been following these posts consecutively, you are getting near the end. Good luck on the test!
