Mobile Security

the_Grinch

Attempting to plan my future and where I would like to see myself in the coming years. Mobile is slowly, but surely exploding. Everyone at someone point will probably have a smartphone and in less developed nations that will be the main point of access to the internet. So the question is how does one begin to specialize in mobile security? In researching, there isn't much certification wise and I'm thinking most companies don't have a specialized team dedicated just to mobile devices. I think this is even more true given the move to BYOD. I wouldn't mind working on the exploitation side of the house, but I guess I'm trying to gauge if there are other positions in the market beyond just hunting for bugs or exploits.

Obviously, forensics is a big possibility, but I think that is being lumped in with regular computer forensics (as they are fairly related). Just looking for some opinions.

jasong318

Don't know anything about certifications for the area, but you could always just start messing around with projects out there. Android is pretty easy to get started with. One project is the 'Smartphone Pentest Framework', download the code, take it apart, and see what's going on. This page has a good write up on the security related issues with permissions in Android. Good luck and let us know what else you find!

ptilsen

In terms of regular IT infrastructure, ie administration and securing mobile devices, I see no future there. Mobility had a place in the enterprise well before virtualization. BES was widespread years ago, before ActiveSync devices started to eliminate its need. I don't see mobile as exploding in terms of enterprise or small/medium business acceptance. It has been there for a long time, and technology is only making it easier to implement and secure, not harder.

Don't get me wrong, setting up MDM in some form or another will always be an aspect of systems administration, but it's not that complicated. As with most aspects of systems administration, you're generally implementing established, documented software. Some companies might have MDM administration teams, but not many.

Outside of that, forensics, pentesting, and other security fields are certainly roles to consider.

the_Grinch

Thanks for the info guys! Definitely going to look into those resources jasong! I know SecurityTube has an iOS certification (SecurityTube iOS Security Expert « SecurityTube Trainings) so I might look into that. My assumption is he'll come out with an Android one as well?

ptilsen - thanks for the heads up. I'll focus more on the forensics/pentesting/etc side of the house.

JDMurray

Mobile devices use operatings systems (Android, BeOS, IOS, Linux, etc.), wireless communications (cellular, 802.11, Bluetooth, ZigBee, etc.), and (most commonly) IPv4 networking. I would start with certifications that concentrate in those areas.

wes allen

You might also look into Identification, Authentication, and Authorization type technologies. Stuff like 802.1x, biometrics, two factor tokens (SecurID, google authenticator), etc are starting to become more widespread as people spend more time away from secure internal physical networks. I think Novel has some pretty cool technologies in that area.