What are mobile devices?

Handheld or notebook-sized devices that can be used to store or send information, or connect to the Internet. Examples include smartphones, PDAs, tablets, etc.

Why should they be protected?

Every day, mobile devices are lost, stolen, and infected.Assume for a moment that your mobile device has been stolen. What would you do?

• What stored data was stolen? (think about both work and non-work)
• What stored passwords were stolen?
• What other accounts and services might have been compromised? (Dropbox, shopping, credit cards, bank accounts, work accounts, Facebook, …)
• Did you lose your only copy of anything important?

Mobile devices are computers, too.

These devices can store important business and personal information, and may be used to access University systems, email, banking information, work and personal accounts. Where this is the case, they need to be protected like any other computer.

Lost or stolen devices used for work:

Important: Report the loss or theft of devices used for work to the InCHIP IT (info below) so we can help identify and address potential compromised accounts or data, including compromised restricted data, which requires additional action on the part of the University. See the lost/stolen device checklist below for additional steps to take.

---

Protecting mobile devices:

A good rule of thumb is not to store anything you’re not willing to lose or share with the world. This said, following are some steps you can take to help protect information on these devices. Some of these steps may require additional configuration/setting changes:

• Password-protect your mobile device with a complex password, and be sure your device requires a password to start up or resume activity — but still don’t store anything you’re not willing to lose.
• Set it to automatically lock after a short period of inactivity.
• Keep it with you or lock it up securely before you step away — even just for a second. See Physical Security for more information.
• Don’t store sensitive information. Encrypt your device or sensitive contents if you do. See below for a special note about restricted data.
• Don’t store passwords unless they’re encrypted.
• Run current, up-to-date versions of the operating system and applications. Remember to sync often so you get available updates. Always install updates when your carrier tells you they are available.
• Beware of phishing: Don’t open files, click links, or call numbers in unsolicited emails, text messages or IMs (instant messages).
• Mobile devices can be just as susceptible to viruses as desktop and laptop computers. Use anti-virus/anti-malware software, if it is available for your device, and set it to auto-update as frequently as the settings will allow.
• If your mobile device has built-in firewall or access control functionality, these features should be activated. Default settings are typically acceptable for most people.
• Avoid using auto-complete features that remember user names or passwords.
• Turn off unnecessary services:
  • Disable or remove applications (apps) and plug-ins that you don’t actively use
  • Disable Bluetooth, wireless & IrDA (infrared) when you’re not actively using them
  • Turn off GPS and geotagging when you’re not actively using them. These can allow your location to be tracked without your knowledge.
  • Periodically go through the device’s list of allowed wireless services and delete ones no longer needed (usually found under network, wireless, or airport settings)
• Set devices to “ask” before joining wireless networks (see below for more information about wireless).
• If your device has a web browser, set the browser to block pop-ups. For added privacy, also set the browser to limit the cookies it accepts. For example, some devices let you set the browser to accept cookies only from sites you visit.
  • Additional browser security recommendations are available at [Web Browser Secure Settings], though not all features are available on mobile browsers.
• Securely delete all contents before discarding, exchanging, selling or donating the device.
• All devices connecting to UConn’s network or services must meet InCHIP IT security requirements.

---

Prevention in case of theft or loss:

• Back up or sync your data regularly.
• Set your device to erase itself after repeated failed log-on attempts.
• Enable remote wipe.
• Enable location tracking, keeping in mind the privacy implications.
  Related articles:
  • Your smartphone is tracking you, and you said it was okay (BGR Media)
  • Your phone, yourself: When is tracking too much? (USA Today)
• Set the device to display a “call if found” phone number.

---

Checklist for lost or stolen mobile devices:

• Immediately report lost or stolen devices to the police: Report to UConn Police for campus incidents and local police for off-campus incidents (phone is best)
  • If you used the device for work, notify your supervisor and also report it to InCHIP IT (info below) so they can help identify and address potential compromised accounts or data
• For phones, notify your cellular carrier — see if they can deactivate the device.
• Change all passwords stored or used on the device, including email, Dropbox, banking, etc.
• Notify credit card companies and banks if you used the device for shopping or banking.
• Try to track its location, if possible.
• Try remote wipe if sensitive data or passwords were stored.

---

A special note about sensitive data:

• Don’t work with sensitive information on a mobile device unless you can ensure the device meets InCHIP IT minimum security requirements.
• Restricted datastored on mobile devices should be encrypted. This includes email, text messages, instant messages, documents, removable storage cards/devices, etc.
  • NOTE: Electronic protected health information (ePHI or “HIPAA data”) MUST be encrypted on portable devices and may not be stored at all on non-University devices.
• Encrypt passwords that provide access to restricted data. Even better, encrypt all stored passwords.
• Make sure you have a secure (encrypted) connection before working with sensitive data.
  • Use known, encrypted networks, such as UCONN-SECURE and eduraom and InCHIP VPN (virtual private network), available to UConn students, researchers, faculty, and staff.
  • Make sure web pages have https (not http) in the web address (URL). The “s” stands for “secure” and tells you that the information you enter is being encrypted as it is sent. Look for this before logging into anything.
  • Coffee shop/hotel/airport-type wireless is not encrypted.
  • If you’re not sure, assume it’s not secure.

---

A special note about wireless, eduroam, and Campus VPN:

UCONN-SECURE:

UCONN-SECURE is a secure wireless service faculty, staff, and students may use while at any UConn campus. University issued devices are configured for UConn wireless service. If your device is not configured for UConn wireless service you will need to set up WPA2-Encryption and accept a certificate. Instructions by operating system are provided below.

eduroam:

This worldwide wireless service is comprised of a consortium of academic institutions.  The purpose is to facilitate network access among visitors between participating institutions by extending the network to allow visitors to use the login credential issued by their home institution.  This alleviates the need for visitors to obtain guest access or for hosting institutions to issue temporary guest access to visitors who have the credentials to access the eduroam network.