Computer security is based on the authenticated user, also referred to as the “named user”, in order to achieve accountability for user actions and to mediate access to resources. The lack of an authenticated user means the resources of the device are available to whoever has physical access to the device. Where a device can be accessed remotely, physical access is not even necessary.
The familiar logon procedure, where a user typically supplies a user ID and a password to gain access to a system, is more formally referred to as identification and authentication. The authentication step is always based on something the user has, knows, or is, so a password, a card or a biometric signature can all be used to achieve authentication, with a password being the common solution.
Web sites often allow unauthenticated users as a means to enable easy access to non-sensitive information or services. Mobile computing operating systems have adopted the web site approach, allowing easy access but relying on the user not to store sensitive information on the device. If the user ignores the issue, any sensitive information stored, processed or transmitted by the device is unprotected. Note that some mobile devices encrypt their communications, which does provide a degree of protection during transmission.
As a replacement for personal computers, the lack of security in many tablets is a significant issue if use of the unsecured tablet involves anything sensitive. Users should give serious thought to the potential consequences resulting from compromise of the information used on an unsecured tablet.
Mobile apps present an additional layer of uncertainty, as what an app does with user-provided data may not be apparent to the user. Users should be aware that apps can store data long after it is supplied, with that data accessible to individuals unknown to the user.
Certainly device theft is an issue, as device theft can also be data theft and may be motivated by data theft. User awareness of the implications of these issues would require a degree of education that is likely unrealistic to expect.
As corporations gravitate to mobile devices for employee use, the corporate security teams should be expected to understand and address issues associated with employee use involving any corporate information assets and especially sensitive assets.