The popularity of mobile communication devices, such as smartphones, tablets and laptops, has grown enormously in the past decade. Because mobile devices are so widespread, new malicious software programs (malware) now specifically target them. These programs usually aim either to steal confidential information by taking control of the device, often by means of malware that obtains super-user privileges and thereby allows unauthorized remote access to the device, or to steal money by sending unauthorized paid messages or placing calls to phone numbers registered to the perpetrators. According to data collected by Kaspersky Lab, the number of malicious programs targeting mobile devices grew more than six times in the year 2011 alone.
In addition, because they are portable, mobile devices are vulnerable to theft and loss, which increases the risk that an attacker gains access to the information stored on the device.
At the same time, employees increasingly use mobile devices, such as notebooks and smartphones, to access the corporate network. For instance, many companies favor the concept known as “Bring Your Own Device” (BYOD), which allows employees to use their own mobile devices for work on the corporate intranet. The increased use of mobile devices to access corporate information, coupled with the growing threat to mobile devices from malware and their potential loss by employees, creates additional information security risks for the company.
To address these security concerns, mobile devices usually support management protocols that allow remote management of the device by an administrative server. Such protocols are typically used to perform administrative tasks such as establishing security policies on the device: setting length and complexity requirements for the password that unlocks the device's functionality, specifying the number of incorrect password attempts allowed before the device is blocked or disabled, and setting up rules for blocking or disabling the device when unauthorized access is detected. In addition, a management protocol may be used to remotely disable the device and/or delete all confidential and personal information from the device's memory if the device is lost or stolen.
The management protocols supported by a mobile device usually depend on the device's operating system. For instance, Apple's iPhone operating system iOS version 4.0 and higher supports the Exchange ActiveSync (EAS) and Mobile Device Management (iOS MDM) protocols. However, these protocols support different sets of functions. For instance, the EAS protocol has a function for limiting how long e-mail messages are kept for synchronization and a function for encoding the device, neither of which exists in the iOS MDM protocol. Meanwhile, the iOS MDM protocol has functions for remotely locking the device and resetting the password, which are absent from the EAS protocol. Table 1 below compares the functions available in the two protocols.
TABLE 1

Function                                                                      iOS MDM   EAS
--------------------------------------------------------------------------    -------   ---
The requirement of using a password for the device                               +        +
Setting a minimal length for the password                                        +        +
Setting a maximal number of attempts to enter an incorrect password              +        +
The requirement of using both letters and numbers in the password                +        +
Setting the amount of time for inactivity                                        +        +
Forbidding the use of a simple password                                          +        +
Setting a number of days for password use (password expiration in days)          +        +
Activation of the password history                                               +        +
Setting a minimal number of complex symbols in the password                      +        +
The requirement of manual synchronization while in roaming mode                  +        +
The permission request for camera use                                            +        +
The permission request for the use of the web browser                            +        +
Setting the length of time e-mail messages can be kept for synchronization                +
The requirement for encoding the device                                                   +
The remote deletion of device data (wipe)                                        +        +
The remote locking of the device                                                 +
The password reset                                                               +
Setting the restriction on application installation                              +
Setting the restriction on capturing screen shots                                +
Setting the restriction on voice dialing in the locked mode                      +
Setting the restriction on in-application purchases                              +
Setting the restriction on the number of encrypted backups created in iTunes     +
Setting the restriction on the use of certain audio recordings in iTunes         +
The permission request to give ratings to movies, TV programs and applications   +
Setting the restriction on changing the security preferences in “Safari”         +
Setting the restriction on the use of “YouTube”                                  +
Setting the restriction on the use of the “iTunes” store                         +
Setting the restriction on the use of “The App Store”                            +
Collecting information on the installed applications                             +
Collecting information on the installed profiles with expiry dates               +
Collecting information on the installed network                                  +
Collecting information on the device                                             +       +/−
Collecting information on the configuration and profile                          +
Automatic detection of the “Exchange” server                                              +

Symbol “+” indicates that a function is present, and symbol “+/−” indicates that the function is optional.
Although EAS and iOS MDM support many different functions, they also have many functions in common. For example, both protocols can set a maximal number of attempts to enter an incorrect password and a minimal number of complex symbols in the password on the mobile device. However, different protocols may use different mechanisms to perform the same function, e.g., requiring a different number of message exchanges or different encryption of the exchanged data. As such, one protocol may be more efficient or more secure than another in performing certain functions, while the other protocol may be more effective for other functions. When a mobile device supports several protocols, the administrative server or the device selects one of the protocols and uses it for all of the functions that protocol supports. It would be desirable instead to selectively choose one protocol for some functions and another protocol for other functions.
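The per-function selection just described, as an added Python example that is not code from the page or its author: a subset of Table 1 is encoded as a capability matrix, and each requested policy function is assigned to one protocol. The function names and the per-function preference ranking are assumptions made for illustration; the page only states that one protocol may be more efficient or secure than the other for a given function.

```python
from collections import defaultdict

# Capability matrix, a subset of Table 1: function -> protocols that support it.
# An EAS "+/-" entry is modelled separately as OPTIONAL (not guaranteed on every server).
CAPABILITIES = {
    "require_password":    {"iOS MDM", "EAS"},
    "min_password_length": {"iOS MDM", "EAS"},
    "max_failed_attempts": {"iOS MDM", "EAS"},
    "mail_sync_age_limit": {"EAS"},
    "device_encryption":   {"EAS"},
    "remote_wipe":         {"iOS MDM", "EAS"},
    "remote_lock":         {"iOS MDM"},
    "password_reset":      {"iOS MDM"},
    "collect_device_info": {"iOS MDM"},   # EAS supports this only optionally ("+/-")
}
OPTIONAL = {("collect_device_info", "EAS")}

# Assumed per-function preference, first choice first (constructed for this example);
# an administrator would derive it from the cost or security of each protocol's
# mechanism for that function, as the text describes.
PREFERENCE = {
    "remote_wipe":      ["iOS MDM", "EAS"],
    "require_password": ["EAS", "iOS MDM"],
}
DEFAULT_ORDER = ["iOS MDM", "EAS"]


def plan_policy(functions, supported_protocols, allow_optional=False):
    """Assign each requested function to exactly one protocol the device supports.

    Returns (assignments, unsupported): assignments maps protocol -> sorted list of
    functions to perform over that protocol; unsupported lists functions that no
    supported protocol can perform (so the administrator is told, not silently skipped).
    """
    assignments = defaultdict(list)
    unsupported = []
    for fn in functions:
        candidates = CAPABILITIES.get(fn, set()) & set(supported_protocols)
        if allow_optional:
            candidates |= {p for (f, p) in OPTIONAL if f == fn and p in supported_protocols}
        order = PREFERENCE.get(fn, DEFAULT_ORDER)
        chosen = next((p for p in order if p in candidates), None)
        if chosen is None:
            unsupported.append(fn)
        else:
            assignments[chosen].append(fn)
    return {p: sorted(fns) for p, fns in assignments.items()}, unsupported


if __name__ == "__main__":
    print(plan_policy(["require_password", "remote_lock", "mail_sync_age_limit", "remote_wipe"],
                      ["iOS MDM", "EAS"]))
```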