Mobile apps are powerful, but don't forget security

As the popularity and power of mobile applications grow, security measures must grow with them.

Earlier this year, an innocuous moving van pulled up to the gates of the Marine Corps base at Quantico, Va., and the occupants said they were there to do some work.

But an alert sounded when Marine guards used a handheld computer to scan the workers’ IDs. They were MS-13 criminal gang members who were wanted by law enforcement authorities.

They did not make it past the base gates and were arrested, said Nelson Ludlow, director and chief executive officer of Intellicheck Mobilisa, the company that provided the handheld devices.

Many government facilities used to have no way to check IDs against databases of potential bad guys, Ludlow said. The use of handhelds to check IDs at government installations is part of a larger trend to adopt mobile devices, he added.

In many cases, handhelds can run applications that used to reside on desktop computers. In other cases, the handhelds deliver capabilities that did not exist previously.

As government use of handheld devices has vastly expanded in recent years, the security risks have also blossomed, many experts say.

Malware, spyware and viruses, long the scourge of PCs and office servers, now also target handhelds. And those attacks are on the rise, experts say. So federal agencies need to be aware of the risks and take steps to protect sensitive data and communications.

In addition to those traditional security issues, handhelds also can easily be lost or stolen, unlike desktop computers.

“So you have to have the ability to ensure all that data that you’ve got on there is protected all the time,” Ludlow said.

The devices used at Quantico are password protected, the data is encrypted, and each database field is also encrypted, he said.

One of the biggest challenges associated with handhelds is that their security technology is relatively immature compared with what is available for desktop computers.

When Joe Hagin arrived at the White House in 2001 as deputy chief of staff for operations, nobody at 1600 Pennsylvania Avenue had an official BlackBerry wireless communications device. At the time, the handheld messaging devices were widely used on Capitol Hill, but security agencies were opposed to White House officials using them.

Then came the 2001 terrorist attacks, and suddenly the value of the devices snapped into sharp focus: White House officials, using standard cell phones, had substantial communications problems that day. Those working on Capitol Hill were in far better shape with their BlackBerrys.

“We had to make a cost/benefit decision of the security risks of using BlackBerrys but at the same time being able to communicate in an emergency,” Hagin said. “We obviously decided it was worth it.”

During Hagin’s seven and a half years with the Bush administration, security measures for BlackBerrys were often primitive. On foreign trips, White House staff members’ BlackBerrys were disabled and collected on board Air Force One for the duration of overseas visits, he recalled.

“I look at this as being kind of equivalent to where PCs were in the mid to late ’90s,” Hagin said. “Today, you wouldn’t dream of having a PC or laptop without security software on it. Now we are carrying around computers on our belts that are relatively naked.”

Today there are many more options. For example, security officials at the state-run Technical College System of Georgia use a service to keep tabs on the dozens of BlackBerrys that employees use, said Steven Ferguson, a senior network engineer at the college system.

Georgia law requires that gambling and pornography be blocked on any state-owned device that can access the Internet. Meeting the mandate for mobile devices is more difficult than for traditional office computers, Ferguson said, because handhelds usually are connected to a public network, not a hardened, controlled private network.

So the college system uses a software-as-a-service tool from Purewire that acts like a proxy gateway, allowing officials to enforce policies and filter all the traffic going in and out of the handheld devices.

Agencies should apply the same rules for standard computers to handheld devices, said Randy Siegel, a Microsoft enterprise mobile strategist who works on federal government projects.

For example, Customs and Border Protection and the Transportation Security Administration require handheld devices and software to adhere to cryptographic standards, such as Federal Information Processing Standard 140-2.

Handhelds also can be subject to mandates such as Homeland Security Presidential Directive 12, which, among other things, calls for two-factor identification, such as a smart card plus a password, to log on to government computer systems.

The Air Force Communications Agency requires mobile users to access their devices with Common Access Cards. The solution involves installing a Bluetooth wireless card reader on all mobile devices. The connection established between users’ handheld devices and smart cards allows them to digitally sign or encrypt e-mail messages and log on to secure Web sites.

Nevertheless, as agencies install more applications on handhelds, such as Google Maps and mobile office applications that provide access to Word and spreadsheet documents, the devices are becoming increasingly vulnerable.

“We are seeing people use these the exact way they use PCs and laptops,” said Dan Hoffman, chief technology officer at SMobile Systems. And that is why they also need to be secured the same way.