[First Edition] (English version)

Contents

1. corporate networks Illicit access Access to a corporate Limit accessible corporate systems Separate system without necessity networks SSID access points etc or authorization to take Acquire an access log out data VPN Masquerade An unauthorized user Impose a user authentication Mobile User accesses to a corporate Acquire an access log networks or network public Masquerade An unauthorized Device Impose a Device authentication Wi Fi Device is connected with a Acquire an access log corporate network Equipment Due to a network Prepare redundancy trouble equipment trouble a Secure alternative measures service is down Unable to proceed with a business operation Attack The vulnerability of Upgrade equipment etc to take measures against vulnerability network equipment is vulnerability attacked for illicit access Acquire an access log Telecom Communication Unable to communicate Have a diversity of telecom carriers to use carrier restriction by or delay in Prepare to be able to use other services for closed telecom carrier communications due to example public Wi Fi network telecom carrier s restrictions Telecom carrier s subscription line trouble Unable to communicate due to telecom carrier s line trouble 5 8 SaaS ASP services subscribed by an organization Usage Owing to the convenience of smartphones SaaS ASP is expected to be further used in organizations When using the SaaS AS
2. and VoIP based calls using Wi Fi Smartphones can also be used for house phones Using smartphones as house phones is an effective means for cost reduction smooth communications anywhere and efficient office desk utilizations etc but users need to be aware of the threats surrounding VoIP and appropriate measures should be taken The following are the threats and countermeasures for the VoIP based calls using Wi Fi case that requires the highest attention among the 3 channels In addition to the following Threats and Countermeasures refer to Corporate Network Usage in Section 5 7 Page 11 Table 8 Threats and Countermeasures Phone Usage Threats Wiretapping Descriptions Risks The communications over a phone are wiretapped and leaked to third parties Countermeasures or requirements When using VoIP encrypt the communication channel Illicit uses Phone numbers are illicitly scammed Zombie and information Correctly configure the equipment and services of IP PBX servers leakage Illicit access An IP PBX server becomes zombie Enhance the security of environments in adding and hacked passwords etc to IP PBX servers Authenticate a Device Private uses increase and productivity decrease Non business phone use causes cost Produce a procedure manual Refer to the Appendix Acquire communication histories 5 3 E Mail Usage Multiple mail accounts for smartphone mails can be
3. 6 1 2 Pinch Use fingers on a touch panel to expand and shrink 23 6 2 4 Kitting To configure necessary settings of a Device by an administrator so that a user can readily use it 24 6 3 2 SMS Abbreviation of Short Message Service The service to send and receive short messages with a telephone number as the address 32 A 3 5 5 Short URL Short URL to match the requirements of SNS etc on their number of characters in accessing to websites Page 26 Appendix A A 1 Check Sheet for Countermeasures per Characteristics Chapter number Classification Level of recommendation m Strongly recommended Recommended 42 Threats from the view point of characteristics Threats Countermeasures or requirements Level of recommendation Theft or loss of Set a lock on a Device m devices Force to delete data when failing to unlock Encrypt the data area of a phone and external memory media a Disable the saving function for user ID and password D Periodically back up data B Theft of SIM card Contact a telecom carrier to suspend use Damage by Periodically back up the data on phones D dropping or Wear a strap etc to prevent falling D submersion Use water proof and shock resistant devices D Peeping Place a peeping screen protector etc D False recognition Give users a heads up on careful operations Many of the panels use the capacitance system and are m
4. Account data and view histories etc Use separate applications and others for private and business 5 6 Connect with Network Restrict using tethering 5 9 Application Usage Warning for downloading and installing Urging to use reliable markets etc Warning for use Data saving areas and the extent of the effect caused by a publication etc Specify the manners and rules for use Judging public order and morals Additional items for BYOD Data classification In case of using a same application for private and business 5 10 Camera Usage Specify the scope of use Select a data saving area Device Cloud or external media Warning for portrait rights Check the URL that is shown after a barcode read connection Additional items for BYOD Move business data to a designated saving area Delete promptly from a Device Microphone Usage Specify the scope of use Select a data saving area Device Cloud or external media Warning for copyrights etc Additional items for BYOD Move business data to a designated saving area Delete promptly from a Device Location Information Usage Specify the scope of use Warning that location information may be disclosed externally Acquire location information in accordance with an organizational policy NFC Usage How to contact and handle in case of a theft and a loss Specify alternative measures in case of a breakdown For an office access and a payment 1seg a terrestria
5. Limit accessible equipment with a Device o Disable Bluetooth if it s not used o Automatic activation Check the applications to use Bluetooth a of Bluetooth Infrared Incorrect operation Produce a procedure manual Refer to the Appendix Communications Lack of knowledge Usage 5 11 Media Data Usage Theft loss and Produce a procedure manual Refer to the Appendix breakdown external Prepare alternative means USB storage and a storage service a storage for businesses Encrypt the data domain of smartphones and external memory o media Remove external Produce a procedure manual Refer to the Appendix storage An organization lends an external storage o Encrypt data o Paste a security seal a Mixed with private Let users sign a pledge Refer to the Appendix data BYOD Prohibit use Upon user s departure from a company or end of use let users certify that they have deleted data 5 12 Backup Synchronize Incorrect operation Produce a procedure manual Refer to the Appendix Lack of knowledge Check the behaviors of an application Data saving area etc o Use a backup tool o Coexistence of Let users sign a pledge Refer to the Appendix business data in Protect backup data in a private storage area For example backup data privately owned PCs Cloud and external memory media etc BYOD Apply encryptions in data backup Including privately held o PCs Page 30 A 3 Ex
6. Produce a corporate policy and apply web filtering to limit Acquire a view history In case of BYOD the privacy of individuals may possibly be infringed Sort out data For example account data and view history etc Separate applications for private and business Phishing Due to the smaller display space user may happen to access to phishing sites without recognizing illicit URLs Produce a procedure manual Refer to the Appendix Protect with Web filtering Page 13 5 6 Connect with Network In order to use networks with smartphones firstly access a target service via subscribed mobile networks or Wi Fi Depending on the routing and the services threats and countermeasures need to be studied Some of the smartphone models support tethering As the tethering has the characteristics as described in the Communication styles and Networks in the Section 3 3 the use is not recommended unless otherwise specifically required Mobile networks may not be used due to network failures or at outside coverage areas alternative connectivity for example Wi Fi may need to be prepared The following are the threats and countermeasures at a gate of networks from smartphones Refer to Corporate Network Usage in the section 5 7 for the threats in using corporate Wi Fi networks Network connected to In time for disasters Table 12 Threats and Countermeasures Connect with Network Threats
7. access channels to corporate networks Direct connection with corporate Wi Fi networks Use mobile networks or public Wi Fi and connect with VPN Use dedicated line services offered by telecom carriers For each of the channels countermeasures are required and an authorizing party as well requires their measures Page 14 Access Table 13 Threats and Countermeasures Corporate Network Usage Threats Descriptions Risks Countermeasures or requirements channels Corporate Masquerade An unauthorized user Impose a user authentication Wi Fi User access to a corporate In case of Wi Fi a Device authentication and a Network network user authentication cannot be made concurrently and therefore a prioritization depending on threats is required In case of a user authentication only an access from an authorized Device cannot be prevented Acquire an access log Masquerade An unauthorized Device Impose a Device authentication Device is connected to a In case of Wi Fi elimination of unauthorized corporate network Devices tends to be a major objective and in such case the system side for access imposes a user authentication Acquire an access log Wiretapping The information during Encrypt communications the access is wiretapped Use stronger encryptions and leaked to third Protect important data Encryption password parties etc Illicit uses Non business use via Acquire an access log
8. accesses to an Activate a lock function office and payments 5 10 5 1seg a terrestrial TV broadcasting programs on mobile phones Usage Some smartphones support a 1seg receiving functionality capable of receiving TV programs and data broadcasting programs Table 20 Threats and Countermeasures 1seg Usage Threat Descriptions Risk Countermeasures or requirements Private uses Private uses during business hinder Produce a procedure manual For example clarifying business operations the scope of use and limiting use during business hours Limited uses during business 5 10 6 Bluetooth Usage Bluetooth is the standard to be used for relatively near range inter equipment communications From several meters to several 10 meters In between pre configured Pairing equipment connections can be easily established Bluetooth is now being used for connections with headphones and PCs Table 21 Threats and Countermeasures Bluetooth Usage Threats Descriptions Risks Countermeasures or requirements Illicit access Illicitly connected with a Device Limit accessible equipment with a Device and the data there are read out Disable Bluetooth Illicit use A user connects with a PC that is not Produce a procedure manual Refer to the Appendix authorized by an organization for connection and sneaks the data on Let users sign a pledge Refer to the Appendix Limit accessible equipment with a Devi
9. application The application permitted in the organization is decided Prevent an inadvertent access authorization upon installing applications Obtain the latest information on applications Illegal behaviors unintended behaviors reliable information etc Private uses Private uses during business hinder business operations Limited uses during business Private uses improper contents Non business phone use causes cost Produce a procedure manual Refer to the Appendix Produce a corporate policy and use filters to limit Acquire a use history Mixture with private data BYOD increase and productivity decrease Higher criminal chances G With the mixture of business data and private data countermeasures against leakages get complex since the private data becomes subject to forced deletion upon leakage Difficult to delete data upon completion of business uses Produce a procedure manual Refer to the Appendix Let users sign a pledge Refer to the Appendix Sort out data In case of using an identical application for private and business Upon user s departure from a company or end of use let users certify that they have deleted data Page 16 5 10 Device functionalities Usage The Device functionalities herein mean the hardware functionalities equipped in devices Noteworthy functionalities among those in Devices are one for an entran
10. application data in a Device and an external memory medium for example a SD card can be encrypted but in such case as well the authentication of a device lock may be cracked to enable the data view Therefore a countermeasure in time for losses is essential We strongly recommend not using in principle smartphones as a data medium Table 23 Threats and Countermeasures Media Data Usage Threat Descriptions Risks Countermeasures or requirements Theft loss and Data dissipation and information Produce a procedure manual Refer to the Appendix breakdown leakage occurs due to theft loss Prepare alternative means USB storage and a storage and breakdown Due to higher service for businesses portability than that of PC etc Encrypt the data domain of smartphones and external memory medium Remove In case inserted memory Produce a procedure manual Refer to the Appendix external medium is inadvertently An organization lends external medium medium removed or is stolen to cause Encrypt data leakage of the recorded data Paste a security seal Mixed with With the mixture of business Let users sign a pledge Refer to the Appendix private data data and private data Prohibit use BYOD countermeasures against Upon user s departure from a company or end of use let leakages get complex since the users certify that they have deleted data private data becomes subject to forced deletion upon lea
11. e mail address depend on the type of ownership and the purposes of use In case of BYOD it is common for a user to have acquired e mail addresses and therefore an organizational registration upon use may need to be considered In case of acquiring a mail address for a corporate owned Device an e mail address naming guideline may better be produced in advance for smoother operation and management 6 2 7 Introduce an Application The methods for introducing applications depend on types of ownership and the purposes of use In case a user introduces security related applications on their own an administrator needs to be able to check the status of introducing application In case of BYOD broad ranges of OSs and Devices are expected we must make sure that the applications to be used are compatible with the target OSs and Devices 6 2 8 Trainings Implementation Training is required irrespective of the types of ownership and the purposes of use Presently users do not have accurate and enough knowledge on smartphones Therefore the training for an introduction is quite important Please periodically provide trainings in order to enhance user s security awareness regarding the subjects of the characteristics of smartphones as described in the Guideline the cautions for use cases and others Page 23 6 2 9 Distribute Devices The distribution of devices relates only to a corporate owned case For both of the cases of a device s
12. expansion optimization and operation of existing facilities The descriptions in this Chapter may also be used for warning in temporarily authorizing to use smartphones for emergencies for example natural disasters Additionally we describe the important point of view about BYOD 6 1 Plan During the planning stage of smartphones introduction the objectives for business uses need to be clarified and assumed use cases need to be identified On the basis you may refer to the Threats and Countermeasures from use case perspectives in the Chapter 5 and decide to accept with the risks in mind When authorizing BYOD a prior agreement with a user regarding observing security policies is important for an operation A pledge should be prepared at this stage 6 1 1 Set Out an Internal Rule To set out an internal rule is necessary irrespective of the types of ownership and the objectives of use Please determine the scope of smartphone use check the threats and countermeasures of use cases and produce the rules and procedures for use The procedures indicate the documents of compiled internal rules Regarding the rules for illicit uses and incident occurrences pledge may need to be produced and or updated to meet the requirements of smartphones Especially in view of the characteristics of smartphones the rules to cope with thefts and losses need to be set out 6 1 2 Set out a User Manual To set out a user manual is required for busines
13. of Devices and Types of OS 7
3.2 Applications and Procurement 7
3.3 Communication styles and Networks 8
3.4 Differences from Existing PC Security 8
Characteristics and Considerations of Smartphones 9
4.1 Characteristics 9
4.2 Threats and Countermeasures from the Characteristic Perspectives 9
4.3 E t re considerations 10
Threats and Countermeasures from Use Case Perspectives 11
5.1 Phone address book Usage 11
5.2 Phone Usage 11
5.3 E Mail Usage 12
5.4 Schedule Usage 12
5.5 Browser Usage 13
5.6 Connect with Network
14. security of environments in adding passwords etc D to IP PBX servers Authenticate a Device Private uses Produce a procedure manual Refer to the Appendix Acquire communication histories a 3 3 E mail Usage Illicit use Produce a procedure manual Refer to the Appendix Let users sign a pledge Refer to the Appendix Use the mails for example web mails that do not leave data to o Devices Encrypt a main body and attachment o Incorrect operations Produce a procedure manual Refer to the Appendix Let users sign a pledge Refer to the Appendix Prohibit a file attachment and instead provide alternative o means Encrypt a main body and attachment o Retain data in a server and save the originals o Private mails are Let users sign a pledge Refer to the Appendix mixed BYOD Sort out data Use separate applications for private and D business Upon user s departure from a company or end of use let users certify that they have deleted data Page 27 5 4 Schedule Usage Incorrect operations Produce a procedure manual Refer to the Appendix Lack of knowledge Check the behaviors of an application e g data saving area a data publication scope etc Nominate a dedicated data storage area for data o Prevent users from selecting a saving area o Private uses Let users sign a pledge Refer to the Appendix
15. smartphones in large volumes periodical small scale additions or the replacement for losses or breakdowns need to be taken into consideration and a lower work load and an error free implementation are the biggest challenges 6 2 1 Start using Procedures The procedures for Start using can be different depending on the types of ownership and the purposes of use Irrespective of the types of ownership however they are required for business uses For a Device control it is recommended to produce a ledger to correlate a user and a device etc In case of authorizing BYOD setting out the terms and conditions for checking and acceptance applications agreeing on a pledge and showing terms of use are important Page 22 6 2 2 Procure or Place Attachments The attachments that should be procured or placed for smartphones depend on the types of ownership and the purposes of use We recommend using a measure to prevent falling for a corporate owned phone We recommend adopting countermeasures against peeping and illicit uses irrespective of the types of ownership and the purposes of use 6 2 3 Acquire User Account The account acquisition methods for an initial setting depend on the types of ownership and the method of use In case of BYOD it is common for a user to have acquired an account and therefore an organizational registration upon use may need to be considered In case of acquiring an account for a corporate owned Device an account nam
16. transmitted Microphone Usage recordings as much as possible Page 17 Recorded In order to prevent leakage of recording a key point is to stop unwanted Table 17 Threats and Countermeasures Microphone Usage Threat Descriptions Risks Countermeasures or requirements Lack of Use at and carry to prohibited areas Produce a procedure manual Refer to the Appendix knowledge violate the security rules of business partners etc and cause illicit data leakage Incorrect As the result of selecting a wrong Produce a procedure manual Refer to the Appendix operations data saving area information is Lack of accidentally publicized knowledge Malware With a malicious application Prevent an inadvertent access authorization upon recording functionality is illicitly installing applications used Mixture with With the mixture of business data Let users sign a pledge Refer to the Appendix private data and private data countermeasures Move business data to a dedicated storage area BYOD against leakages get complex since Quickly delete them from a Device the private data becomes subject to Upon user s departure from a company or end of use forced deletion upon leakage let users certify that they have deleted data Difficult to delete data upon completion of business uses 5 10 3 Location Information Usage Many of the smartphones have GPS functionalities enabling us to find out w
17. used on one Device Since smartphones are always connected with the network of telecom carriers a company is not able to access the e mails that are directly transferred via the network of telecom carriers even after securely receiving the e mails through VPN connection to a corporate network Furthermore e mails may include an attachment that is important for business transactions and the attachment is normally downloaded to a Device That requires us to take necessary measures to prevent information leakage In addition to the following threats and countermeasures refer to Corporate Network Usage in the Section 5 7 or SaaS ASP services subscribed by an organization Usage Table9 Threats and Countermeasures E mail Usage Threats Illicit uses Descriptions Risks A text and attachment can be easily transferred leading to information leakage Countermeasures or requirements Produce a procedure manual Refer to the Appendix Let users sign a pledge Refer to the Appendix Use the mails for example web mails that do not leave data to Devices Encrypt a text and attachment Incorrect Data losses due to the deletion by Produce a procedure manual Refer to the Appendix operations incorrect operations Let users sign a pledge Refer to the Appendix Information leakage due to Prohibit file attachments and instead provide erroneous transmission alternative means Encrypt a text and
18. BYOD Sort out data Separate applications and separate accounts etc D for private and business Upon user s departure from a company or end of use let users certify that they have deleted data 3 9 Browser Usage Illicit use Produce a procedure manual Refer to the Appendix Do not leave cache n Protect with Web filtering n Wiretapping Encrypt communications for corporate access Malware Obtain applications from reliable markets n Private uses Produce a procedure manual Refer to the Appendix improper contents Produce a corporate policy and apply WEB filtering to limit a Acquire a view history In case of BYOD the privacy of o individuals may possibly be infringed Sort out data For example account data and view history etc o Separate applications for private and business Phishing Produce a procedure manual Refer to the Appendix Protect with Web filtering o 5 6 Connect with Illicit access Use the SSID that cannot easily assume an organization name Network and a model type Use robust encryption methods as much as possible Wi Fi router Use complex passwords tethering Illicit use Ban uses at corporate offices router Monitor to make sure that a tethering function is not activated a functionality Connect with Wiretapping Use reliable services Do not use unidentified access points Network Limit available access points a Public Wi Fi Connected with Communication In time for
19. Descriptions Risks Countermeasures or requirements Wi Fi router tethering Router function Illicit access Illicitly used by third parties and traffic increases Use the SSID that cannot be easily recognized an organization name and a model type Use robust encryption methods as much as possible Use complex passwords Illicit uses A direct connection with Internet from a corporate PC causing information leakage Ban uses at corporate offices Monitor to make sure that a tethering function is not activated Public Wi Fi Wiretapping The information during the Use reliable services Do not use access is wiretapped and unidentified access points leaked to third parties Limit available access points Connected to a disguised access point and passwords etc are stolen Mobile phone Communication Difficult to connect In time for possible communication lines restrictions by restrictions by telecom carriers prepare telecom carriers multiple means for connections Telecom carrier s connection line fault Unable to communicate Prepare Wi Fi connectivity Illicit uses Non business data communication use causes cost increase and productivity decrease Let users sign a pledge Refer to the Appendix 5 7 Corporate Network Usage In order to use corporate internal systems we need to connect with corporate networks There are 3 ways as the
20. For private use only Ownership Company owned Q O Out of Scope Privately owned Out of Scope O BYOD Out of Scope Out of Scope items are not handled in the Guideline Page 3 1 5 Structure of the Guideline In Chapters 2 3 and 4 that constitute the first half of the Guideline the advantages functionality and characteristics of smartphones are described for your better understanding of the smartphone features In Chapters 5 and 6 that constitute the latter half of the Guideline the security issues of smartphones are described in terms of usage scenarios and device life cycles to alert the managers of the threats and their countermeasures Threats and Countermeasures of each Chapter focus on differences between smartphones and PCs and encompass issues irrespective of occurrence frequencies with multilateral possibilities in mind It does not mean therefore that all of the described measures need to be addressed but with the awareness of those threats the measures may rather be selectively used in accordance with the purposes of actual smartphone uses In the Table corporate owned cases and privately owned cases are commonly described The lines stipulated as BYOD however are specific to the cases for smartphones that are privately owned The Appendix is the summary of the threats and countermeasures in the Chapter 4 and 5 The check sheet for countermeasures per property usage scenario can be used for studying re
21. P services subscribed by an organization we are provided with an access right for example an ID When connected with Internet we could access with any Devices including PCs irrespective in or outside an office With the higher convenience the threats and measures need to be thoroughly studied In using SaaS ASP services it is necessary to be aware of SaaS ASP service specific threats for example legal Page 15 restrictions and service troubles Table 14 Threats and Countermeasures SaaS ASP services subscribed by an organization Usage Access channel Corporate Wi Fi network Mobile network Wi Fi Router etc Threat Descriptions Risks Illicit use Access to organization subscribed SaaS ASP services from outside of office to cause external information leakage Countermeasures or requirements Acquire an access log on a service provider side Impose a restriction on accessible networks and acquire an access log internally Masquerade Services are used by an unauthorized user Collaborate with an internal authentication system Check access logs 5 9 Application Usage In downloading applications we need to be aware that the reliability of applications depends on markets Refer to the Applications and Procurement in the Section 3 2 Users may not be able to judge easily whether they should store an application externally or locally to their Devices depending on applicat
22. Security Guideline for using Smartphones and Tablets Advantages for work style innovation Version 1 December 1 2011 Japan Smartphone Security Forum JSSEC Smartphone Utilization Committee Guideline Working Group Document control number JSSEC R GL20111201 3E Drafted by Smartphone Utilization Committee Guideline Working Group Task force Leader Ayako Matsushita Alps System Integration Co Ltd Members Hiroaki Aihara Netmarks Inc Natsuki Asai ITC Networks Corporation Shinichiro Kataoka Toppan Printing Co Ltd Yuji Kitamura Cybertrust Japan Co Ltd Etsuo Goto Toyota Motor Corporation Ryohei Takahashi NTT Communications Corporation Toshio Nishihara Cisco Systems G K Toshio Makino NextGen Inc Shogo Matsumoto Infosec Corporation Listed in the order of the Japanese syllabary Editor Mitsuhiko Maruyama Deloitte Tohmatsu Risk Services Co Ltd Published by Japan Smartphone Security Forum JSSEC Keiichiro Kyoma Director Smartphone Utilization Committee Hitachi Systems Ltd Neither JSSEC nor the editors extend any sort of guarantee warranty liability and or compensation arising from direct indirect or consequential damages in using any or the whole part of the Guideline The Guideline may be used at your own risks The product and service names in the Guideline are the trademarks or registered trademarks of their respective companies In your reference to the Guideline for internal comp
23. YOD is worthwhile to study The environment surrounding smartphones is rapidly changing Please study the characteristics as described in the Guideline always acquire the latest information and implement the most appropriate and valid security measures An intellectual productivity improvement is the need of the present time Let s challenge for innovations and utilize a smartphone as a good tool to enhance organizational power We sincerely wish that the Guideline can be of help in decision making Page 25 8 Glossary 7 3 1 Software keyboard The function to show a keyboard on a touch panel screen and enter characters etc with software processing 7 3 2 Market The selling sites of applications that user download The popular markets include App Store of Apple inc and Android Market of Google Inc 8 3 3 Mobile network 3G network etc that telecom carriers offer 8 3 3 Public Wi Fi The Public wireless LAN services that can access to Internet from various types of equipment via public Wi Fi access points 9 4 2 SIM card Abbreviation of Subscriber Identity Module Card The IC cards that are issued by each telecom carrier and record the subscriber data of mobile phone numbers etc and phone address books data 4 2 Malware Malicious software and program 10 4 2 Access authorization When installing an application a user is shown the list of functionalities t
24. ample of Items Described in a Procedure Chapter Use case Important point number 5 1 Phone address book Usage Select a data saving area Device Cloud or external media safety Designate the scope for data publication synchronization additional items for BYOD Data classifications Separate saving areas for private and business 52 Phone Usage heads up for manners etc for business hour uses 5 3 E mail Usage Comply with the rules regarding mail transfer prohibition a file attachment and synchronization etc Warning against wrong transmission Check an address and whether with or without an attachment before transmission Warning in case of using an attachment Communications in case of wrong transmissions Additional items for BYOD Data classifications Use separate applications for private and business 5 4 Schedule Usage Designate the scope of data disclosure Encode data in order to prevent unauthorized people from deciphering easily Additional items for BYOD Data classifications Use separate applications accounts and others for private and business 3 5 Browser Usage Disable the saving function for use ID and password Cache Warning of internet access An access to the sites that are not authorized by an organization Check whether a URL is correct and warning against an easy connection to a short URL Additional items for BYOD Data classifications
25. and conditions for and warranties subscriber is the user himself or herself an approval Specify the Clarify the purposes and Set out the rules for the purposes of purposes of use scope for use smartphone use and the scope of use and let users comply with those Management An approval by a user An agreement to acquire the data for Since a smartphone is always o for acquiring certain smartphone use in order to prevent carried careful drafting of an data of the person by an illicit uses and malware damages agreement is necessary in paying an organization attention to a privacy infringement in case of acquiring location information Both of systematic data acquisitions and information checking by an administrator are included An approval by an An agreement by an individual for an Present recommendable o individual for an organization to change settings limit configurations on OS and an organizational control functionalities and delete data application Specify how to address In case of imposing troubles controls and OS updates Protect back up data In case that business data are stored in o a smartphone urge a strict management and control when backing up data to a privately owned PC Reporting Reporting when specific An agreement to report immediately Report in accordance with the rules events occur on losses thefts and whether there set out by an organization For contain confidential data or personal example breakdo
26. any documents etc observe the Copyright laws Specify the sources in such references ※ The English version of this data is for use in Japan Priority is given to the Japanese version ※ In this document Smartphones represents the general description of Smartphone Document control number JSSEC R GL20111201 3E
Table of contents
1 1 Guideline Usage 3
1 2 Objectives of the Guideline 3
1 3 Target Readers of the Guideline 3
1 4 Scope of the Guideline 3
1 5 Structure of the Guideline 4
Advantages in Using and Utilizing Smartphones 5
2 1 Aims and Reasons for using Smartphones 5
2 2 Examples for the Utilization and its Effects 5
2 3 Circumstances Surrounding Smartphones 5
Mechanism and Overview of Smartphone 7
3 1 Characteristics
27. ational countermeasures or to accept risks 6 4 Discarding It is important to completely delete the business data in a device and in an external memory medium various devices setting information account information and used applications The discarding includes device return due to breakdown device replace due to buying a new one and device transfer as secondhand to others Any of these cases require deleting business data device setting data applications and cache data including the authentication data for external services Especially upon completion of BYOD uses the above actions need to be definitely taken Page 24 7 1 Balance between the Purposes of Use and Security The purposes of using smartphones vary depending on organizations The most important factor is taking a balance between the purposes of use and security Please scrutinize the security requirements in meeting your objectives and selectively use and implement countermeasures that fit organizational needs Smartphones have superior characteristics as a communication tool It supports the creativity and motivation of users and contains the huge potentiality for business renovation Studies to exercise the benefits of smartphone use manage assets and manage human resources need to be made The Guideline encompasses the threats To meet all of the requirements as described may be difficult and may not be recommended You may need to understand the threats a
28. attachment Retain data in a server and save the originals Mixture with With the mixture of business data Let users sign a pledge Refer to the Appendix private data BYOD and private data countermeasures against leakages get complex since the private data becomes subject to forced deletion upon leakage Difficult to delete data upon completion of business uses Sort out data Use separate applications for private and business Upon user s departure from a company or end of use let users certify that they have deleted data 5 4 Schedule Usage Smartphones are easy to carry to use as a datebook The schedule function is often used In addition to the schedule management of individuals the schedule sharing function among an organization helps enhance the efficiencies of work Real time views and updates of schedule on Cloud or on corporate networks can be possible and furthermore some services offer managing private and official schedules in one calendar In such case depending on whether data is stored on the Device side or an external service side threats and countermeasures differ In addition to the following threats and countermeasures refer to Corporate Network Usage in the Section 5 7 or SaaS ASP services subscribed by an organization Usage in the Section 5 8 Page 12 Threats Incorrect operations Lack of knowledge Table 10 Threats and Countermeasures Schedule Usag
29. ce the Device out of the office Disable Bluetooth Malware Malware that can be infected via Limit accessible equipment with a Device Bluetooth communication channels Disable Bluetooth exists Automatic A user accidentally activates Check the applications to use Bluetooth activation of Bluetooth to connect Bluetooth Even after ending an application Bluetooth itself continues to be active causing other threats 5 10 7 Infrared Communications Usage Infrared communications have been used for conventional mobile phones using the standard for connectivity of equipment with short ranges e g small measurements They can be used for some of smartphones They are used for transferring data relatively in a short time period for example sending and receiving phone address books data Table 22 Threats and Countermeasures Infrared Communications Usage Threats Descriptions Risk Countermeasures or requirements Incorrect unintended data leakage Produce a procedure manual Refer to the Appendix operations Lack of knowledge Page 19 5 11 Media Data Usage A smartphone can also facilitate as large capacity USB storage With the functionality a smartphone can become a transport media for other data enabling leaks of high volumes data The severity of losses could be deemed as equivalent to that of PCs Depending on a device and an
30. ce for acquiring data and an exit for sending information The functionality for an exit for sending information has been addressed so far in the Data Communications From software point of views E Mails Browsers and Applications are also exits therefore it is not covered in this report Camera and Microphone are typical entrances for acquiring data 5 10 1 Camera Usage Many smartphones include a camera for still pictures and videos Such functionalities tend to increase further as new models are released Picture data can be easily transferrable In order to prevent leakage of pictures a key point is to stop unwanted picture shooting as much as possible Table 16 Threats and Countermeasures Camera Usage Threats Descriptions Risks Countermeasures or requirements Illicit use Use at and carry to prohibited areas violate the security rules of business partners etc and cause illicit data leakage Paste a security seal etc to avoid using Disable camera functions Incorrect As the result of selecting a wrong Produce a procedure manual Refer to the Appendix operations data saving area information is Lack of accidentally publicized knowledge Incorrect Unintended camera activation Paste a security seal etc to avoid using operations causes unintended shooting Disable camera functions Lack of With a use of functionalities too Produce a procedur
31. ce will promote further business efficiencies while continuous study on the countermeasures would be required Page 10 5 Threats and Countermeasures from Use Case Perspectives In this Chapter the threats and countermeasures are described from the perspectives of smartphone users The smartphone itself is hereinafter called Device In case of smartphones all functionalities including voice calls are executed by applications When we look at the threats from use cases an identification of data saving areas is important Therefore in the use cases of the Guideline mail data saved to a Device and browser mainly accessing external data in which data saving area can be easily identified and applications of which data saving area cannot be easily identified are separately described 5 1 Phone address book Usage The phone address books of smartphones have the functionalities to work as interfaces for phones e mails SNS and instant messages as well as to record use histories In order to offer such functionalities they contain not only names and phone numbers but also various other personal data for example multiple e mail addresses and SNS accounts etc A phone address book data saving area can be freely selected from a Device an external memory medium and an external service External services offer shared basis plans as well The saving areas are hard to be found by users and saving data to unintended areas or automatic sy
32. cquisition by an illicit uses and malware damages necessary in paying an attention to a organization In case of privacy infringement in case of data acquisition and acquiring location information monitoring Both of systematic data acquisitions and information checking by an administrator are included An approval by an An agreement by an individual for an OS and application updates are individual for an organization to change settings limit controlled by an organization organizational control functionalities and delete data Systematic controls administrator s In case of imposing setting changes and an instruction to controls and OS updates a user for settings are included Protect back up data An agreement to prohibit back up to o individual owned PCs in order to protect confidential information Report Report when certain An agreement to report immediately Report in accordance with the rules events occur on losses thefts and whether there set out by an organization For contain confidential data or personal example damaged breakdown data in order to assess the effect of an fault theft and loss etc incident Prohibited Modification of a An agreement not to modify in order matters terminal OS and an to prevent security threats application Violation of the terms of An agreement not to use against the D use for terminal vendors intent of suppliers and telecom carriers Install and use of An agreement not
33. e Descriptions Risks When the range of scope for data publication is wrongly designated unintended data is publicized Since there is a case where a local schedule is synchronized with the schedule on Cloud it may impose a threat for automatically publicizing the schedule Countermeasures or requirements Produce a procedure manual Refer to the Appendix Check the behaviors of an application e g data saving area data publication scope etc Designate a safe data storage area for business data Prevent users from selecting a saving area Private uses BYOD With the mixture of business data and private data countermeasures against leakages get complex since the private data becomes subject to forced deletion upon leakage Difficult to delete data upon completion of business uses Let users sign a pledge Refer to the Appendix Sort out data Separate applications and separate accounts etc for private and business Upon user s departure from the company or end of use let users certify that they have deleted data 5 5 Browser Usage Smartphones unlike the conventional mobile phones support full browsers contributing to the benefit of business When employees use PCs an access control and an access log acquisition can be made in case of their accesses to non business related sites or improper sites However in the case of smartphones the network of telecom carriers are directly used and
34. e manual Refer to the Appendix knowledge easily unintended data are acquired Violate the portrait rights of others or use a camera at prohibited areas Phishing The site connected using a bar code Produce a procedure manual Refer to the Appendix reader may be a phishing site Malware With a malicious application Do not inadvertently authorize an access when camera functionality is illicitly used installing an application Disable camera functions Picture data leak Exif Shooting data for example location information etc and camera model type etc the picture meta data of shooting with smartphones accidentally leak Suspend functionality of getting location information when shooting When publicizing pictures to outside delete Exif Data properties and attributes Mixed with private data BYOD With the mixture of business data and private data countermeasures against leakages get complex since the private data becomes subject to forced deletion upon leakage Difficult to delete data upon completion of business uses Let users sign a pledge Refer to the Appendix Move business data to a dedicated storage area Quickly delete them from a Device Upon user s departure from a company or end of use let users certify that they have deleted data 5 10 2 A microphone is embedded to a smartphone to be used for call recordings and a voice recorder data can be easily
35. ement with Apple and received their certificates Distribute and charge via App Store Android Google Android market Google does not screen the applications The utilizations are Telecom carrier operated at users discretion market Telecom carriers etc Register applications depending on their own criteria Each has a distribution and billing model BlackBerry App World Register the third party applications screened by RIM Distribute and charge via App World Windows Phone Marketplace Register the third party applications screened by Microsoft Distribute and charge via Marketplace 3 3 Communication styles and Networks Smartphones can use voice communications and data communications Packet communications For network access either mobile networks or Wi Fi etc can be used Their bandwidths and supported areas differ respectively To connect with Internet via mobile networks using the Wi Fi router functionalities of smartphones is called tethering Since tethering result in creating more outlets as their access points to Internet from organizations the use requires caution Table 4 Line types and Connection methods Network Characteristics Available connection destinations Mobile Voice and data communications supported Base stations Data and voice for telecom networks Wider coverage areas carriers Slower in speed than Wi Fi The connection authentications are handled by telecom carr
36. en phones are lost could include not only the internal data in the lost devices but also the data stored at external services Furthermore the convenience of saving passwords etc could pose a risk for information leakage Users can download applications on their smartphones Since unreliable markets may contain applications to include malware make sure to select reliable markets Page 9 Table 6 Threats and Countermeasures Characteristics of smartphones Threats Descriptions Risks Countermeasures or requirements Theft or loss of The stored data on device lost Set a lock on device devices Data leakage may include as faras Force to delete data when failing lock release external services Encrypt the data domain of devices Disable the saving function for user ID and password Periodically back up the data SIM card theft Phone numbers and phone ID Call a telecom carrier to suspend the use numbers etc may be misused Damage by Data losses Periodically back up the data on phones dropping or Wear a strap etc to prevent falling submersion Use water proof and shock resistant devices Peeping The data may be leaked Place a peeping screen protector etc False Operation mistakes can be more Give users a heads up on careful operations recognition derived from the reaction ranges Many of the panels use the capacitance system and are and speeds of touch panels more susceptible to s
37. epare redundancy D Secure alternative measures n Page 28 etc Attack vulnerability Upgrade equipment etc to take measures against vulnerability o Acquire an access log o Corporate Network Communication Diversify telecom carriers to use a Usage restriction by Prepared to be able to use other services for example public a telecom carrier Wi Fi Telecom carrier s Telecom carrier s closed network subscription line trouble 5 8 SaaS ASP services Illicit use Acquire an access log on a service provider side o subscribed by an Impose a restriction on accessible networks and acquire an o organization usage access log internally Corporate Wi Fi network Mobile Masquerade Collaborate with an internal authentication system o network and public Check access logs n Wi Fi router etc 5 9 Application Usage Unauthorized Produce a procedure manual Refer to the Appendix operation limited Check the behaviors of an application e g data saving area o knowledge data publication scope etc Appoint a dedicated data saving area for business o Prevent users from selecting a saving area o Wiretapping Encrypt communications for corporate access Malware Obtain applications from reliable markets m The application permitted in the organization is decided n Do not inadvertently authorize an access when installing an n application Obtain the
38. er than conventional phones and support a software keyboard making them thinner and lighter than PCs There are many different types of smartphones with various OSs and users need to make a best choice out of them The following is a list of the main OSs and characteristics of smartphones in the Japanese market Table2 OS and Characteristics Types of OSs OS supplier Characteristics iOS iPhone iPad Apple Inc Vertically integrated across the OS devices and application markets Operated only on iPhone and iPad Easy to apply latest versions Android Google Inc Horizontally specialized across the OS devices and application markets Rich choices of devices available Open source based OS Each device vendor customizes the OS for their own device Even for an identical OS version Android is not the same it depends on the device also BlackBerry OS Research In Basically vertically integrated for the OS device and application markets Motion High security functionalities are supported by BES and BIS servers Limited Operated only BlackBerry QWERTY key is supported in the major models Hereinafter RIM Windows Phone 7 Microsoft Horizontally specialized for the OS and devices Devices selectable Corporation Designed to be collaborative with the existing Microsoft assets Support the Hereinafter management functionalities for example METRO UI and Exchange etc MS 3 2 Applications and Procurement Unlike e
39. etting by a user and kitting by corporate managing the relationship between an asset and a user is important Especially in case of kitting personal data are registered to a device and therefore the device must be delivered to a legitimate user 6 3 Operation At an operation phase of smartphones appropriate management must be imposed for safer use of smartphones at business In order to achieve this objective we may need to periodically monitor on whether a device is properly used and is properly configured and restricted for minimizing expected risks Procedures should be set out in advance regarding the actions toward incidents for example losses and thefts and the ways to apply updates in addressing the vulnerability of the OS 6 3 1 Acquire and Monitor Device Information Acquiring and monitoring device information is required for business uses irrespective of the types of ownership and the purposes of use The information on the hardware of a smartphone OS and applications to be used applied Device settings and functionality restrictions and whether or not the OS has been modified should be periodically acquired to monitor the status of a device With a constant monitoring on the use status of smartphones administrators can make sure that the smartphones are not illicitly used and check the vulnerability of the OS Modifying the OS could become the biggest threat for the security of smartphones and such modifications must be mo
40. 6 1 1 Set Out an Internal Rule 22
6 1 2 Set out a User Manual 22
6 1 3 Prepare a Support System 22
6 2 Introducing Smartphones 22
6 2 1 Start using Procedures 22
6 2 2 Procure or Place Attachments 23
6 2 3 Acquire User Account 23
6 2 4 Initial Setting of Device 23
6 2 5 Activate a Device Lock Functionality 23
6 2 6 Acquiring E Mail Accounts 23
6 2 7 Introduce an Application 23
6 2 8 Trainings Implementation 23
6 2 9 Distributes Devices 24
6 3 Operation
41. here we are The capability to identify where a user or a device is located is useful in knowing the safety of a person in emergency or in finding a lost Device Table 18 Threats and Countermeasures Location Information Usage Threat Descriptions Risks Countermeasures or requirements Incorrect With a use of functionalities too Produce a procedure manual Refer to the Appendix operations easily unintended data are Lack of publicized knowledge Wiretapping Let others know our location Suspend a location information functionality if it s not accidentally necessary Malware An application acquires the location Do not inadvertently authorize an access when information of a smartphone and installing an application the information is illicitly used 5 10 4 NFC Usage Some smartphones have a NFC functionality Smartphones can be used as a device for an access control to offices and for payment NFC Near Field Communication Page 18 Table 19 Threats and Countermeasures NFC Usage Threat Descriptions Risks Countermeasures or requirements Skimming The data inside a Device are read Use a lock function when not in use out leading to information leakage Put a cover on a chip portion Masquerade An illicitly acquired Device can Produce a procedure manual How to contact and easily be used to impersonate the handle in case of a theft and a loss owner enabling illicit
42. iers Wi Fi Data communications only Public Wi Fi Hotels and hot spots etc Limited area coverage Wi Fi router Faster in speed than mobile networks Home Wi Fi The connection authentications are Corporate networks Wi Fi proprietary Either by individuals or by Tethering Use other smartphones service providers Threats and countermeasures need to be studied on the basis of understanding in the differences in access to corporate networks and access to contracted SaaS ASP In addition to the above usages short range communications for example Bluetooth Usage and Infrared Communications Usage require to study its threats and countermeasures Refer to the each item in the chapter 5 for further details 3 4 Differences from Existing PC Security Smartphones are still at an early stage and the standardizations for their functionalities and security implementations by the OS vendors the device vendors and the telecom carriers have made little progress In terms of the management and control for business uses smartphones are still premature in some aspects and with the limited measures to be imposed across the board those issues will need to be taken into considerations in use Furthermore there are frequent version updates that result in mixture of old and new devices to create further complexity in management Since PCs are much more standardized it is hard to impose the security syste
43. ing guideline may better be produced in advance for a smoother operation and management 6 2 4 Initial Setting of a Device The initial setting methods of Devices depend on the types of ownership and the purposes of use In case of corporate owned smartphones there are two possibilities the initial setting of device is done by the company or done by the user s self services In case of BYOD the latter situation takes precedence In setting a device initially device settings and functionality restrictions should be in line with a security policy Depending on OS differences or version differences for an OS device settings and functionality restrictions may have limitations In addition there is a case in which almost all of the settings can be automatically set or a case in which some manual interventions are required in setting For some of OSs device settings compliant with a security policy could be revised or deleted by a user When organizational control is essential separate measures should be required 6 2 5 Activate a Device Lock Functionality Setting device lock functionality is necessary irrespective of the types of ownership and the purpose of use The names and the functionalities of the lock depend on devices and OSs When using smartphones make sure to activate lock functionality for example limiting number of error entries in accordance with a security policy 6 2 6 Acquiring E Mail Accounts The methods to acquire an
44. ions Investigate the behaviors of applications and take necessary measures authorization to start an application can be valid for continued version upgrade installations Access Careful attention is required in order to prevent users from causing unintended data leakage In case of using utilizing the applications that are independently developed by a company or an organization separate measures in meeting the characteristics of the applications are required In addition to the following threats and countermeasures refer to Corporate Network Usage in the Section 5 7 or SaaS ASP services subscribed by an organization Usage in the Section 5 8 Table 15 Threats and Countermeasures Application Usage Threats Descriptions Risks Countermeasures or requirements Incorrect As the result of selecting a wrong Produce a procedure manual Refer to the Appendix operations data saving area information is Check the behaviors of an application e g data Lack of accidentally publicized saving area data publication scope etc knowledge Accidentally save data to an area to Appoint a dedicated data saving area for business cause information leakage Prevent users from selecting a saving area Wiretapping The content of the communication is Encrypt communications for corporate access wiretapped by the third party and information leaks Malware Illicitly used by a malicious Obtain applications from reliable markets
45. kage Difficult to delete data upon completion of business uses In addition to the above it may serve as a medium for malware on PCs 5 12 Backup Synchronize We can backup Synchronize data on a PC or to Cloud Thus backup data must be subject to security control Table 24 Threats and Countermeasures Backup Synchronize Threats Descriptions Risks Countermeasures or requirements Incorrect Without awareness on how to operations synchronize data and where to save Lack of data data is accidentally overwritten knowledge or dissipated etc Produce a procedure manual Refer to the Appendix Check the behaviors of an application Data saving area etc Use a backup tool Coexistence of business data in backup data BYOD Backup data including business data may leak from a privately owned PC Let users sign a pledge Refer to the Appendix Protect backup data in a private storage area For example privately owned PCs Cloud and external memory media etc Apply encryptions in data backup Including privately held PCs 5 13 Reference Internet Storage Service Usage Internet storage services are becoming popular especially among individuals due to their convenience of using identical data at anywhere anytime and sharing with required persons An access control Filtering and usage monitoring can be possible for PCs but not for smartphones Furthermore since smart
46. l TV broadcasting Specify the scope of use For a disaster programs on mobile phones Usage Bluetooth Usage Specify the scope of use Warning for providing and receiving data Check whether a Bluetooth icon is shown on a home screen Infrared Communications Usage Specify the scope of use Warning for providing and receiving data 5 11 Media Data Usage Specify whether to allow it or not Recommend to prohibit it 5 12 Backup Synchronize The implementation methods for back up synchronization and restore Warning for a data saving area Use the areas for synchronization and back up that are authorized by an organization Additional items for BYOD Protect back up data in a private saving area Privately held PCs Cloud and external media etc Page 31 A 4 An Example for Items to be Listed on Pledge A 4 1 Corporate Owned Version Classification The Level of Recommendation m Strongly recommended rafting pledge Recommended Level of recommendation Specify the Specify and clarify the Specify the purposes and scope of purposes of purposes of use smartphone use and remind users to use observe the rules that are set out by an organization Management An approval by an An agreement on data acquisitions for Since a smartphone is always carried individual regarding data smartphone uses in order to prevent careful drafting of an agreement is a
47. latest information on applications Illegal behaviors n unintended behaviors reliable information etc Private uses Limit uses during business o Private uses Produce a procedure manual Refer to the Appendix improper contents Set out a corporate policy and restrict with filtering D Acquire a use history a Mixed with private Produce a procedure manual Refer to the Appendix data BYOD Let users sign a pledge Refer to the Appendix Sort out data In case of using an identical application for a private and business Upon user s departure from a company or end of use let users certify that they have deleted data 5 10 Camera Usage Illicit use Paste a security seal etc to avoid using o Disable camera functions o Incorrect operations Produce a procedure manual Refer to the Appendix Lack of knowledge Incorrect operations Paste a security seal etc to avoid using o Deactivate camera function n Lack of knowledge Produce a procedure manual Refer to the Appendix Phishing Malware Do not inadvertently authorize an access when installing an o application Disable camera functions n Picture data leak Suspend location information functionality when shooting o When publicizing pictures to outside delete Exif Data o properties and attributes Mixed with private Let users sign a pledge Refer to the Appendix data BYOD Move business data to a dedicated storage area Quickly delete n them f
48. m of PCs to smartphones and therefore various countermeasures need to be combined from the perspectives of a device itself a network access a system and service access data storage and management aspects etc Page 8 4 Characteristics and Considerations of Smartphones In this Chapter the threats unique to the nature of smartphones are described 4 1 Characteristics Smartphones include rich functionalities as communication tools Furthermore there are also various additional functionalities to support them They contain the following characteristics Table 5 List of the characteristics of smartphones Characteristics Conventional mobile Smartphones PCs phones Portability 9 A Network connectivity O A Convenience O Functionality and O processing power Expandability x O Flexibility and x personalization 4 2 Threats and Countermeasures from the Characteristic Perspectives As listed on table 5 smartphones have superior portability That makes us think about possible thefts and losses Not only devices but also the SIM cards may be taken away In addition they may break by falling to the ground or into the water Smartphones are often used in public places and the display information may be accidentally viewed Meanwhile for improved network connectivity always on connection is supported for easier access to external services The possible leakage of data wh
49. nchronizations with external services may cause data leakage. Therefore, the behaviors of applications need to be checked to provide an alert, and appropriate control and management for saving areas and synchronization settings are required.

Table 7 Threats and Countermeasures (Phone address book Usage)
Threats | Descriptions, Risks | Countermeasures or requirements
Incorrect operations, Lack of knowledge | Saving data to unintended areas, causing data leakage. The data on Devices may be synchronized with a certain Cloud. | Produce a procedure manual (Refer to the Appendix). Check the behaviors of an application (e.g. data saving area, data publication scope, etc.). Appoint a dedicated data saving area for business. Prevent users from selecting a saving area.
Mixture with private data (BYOD) | With the mixture of business data and private data, countermeasures against leakages get complex, since the private data becomes subject to forced deletion upon leakage. Difficult to delete data upon completion of business uses. | Let users sign a pledge (Refer to the Appendix). Sort out data (Separate saving areas for private and business). Upon user's departure from a company or end of use, let users certify that they have deleted data.

5.2 Phone Usage

There are 3 major communication channels as a phone: calls using telecom carrier's voice channel, VoIP based calls using telecom carrier's data communication channel
50. nitored and detected. In order to acquire the location information of a Device in time for losses, we will need to obtain a prior agreement from a user to do so, since it may possibly infringe user privacy, and a cautious consideration should be taken in acquiring the data.

6.3.2 Control Device Functionalities

The control of devices is required irrespective of the types of ownership and the purposes of use. Administrators are always required to manage and control the safety at business uses, employing those measures as the functionality control of smartphones and the remote locking and data deletion. In order to control devices, a security policy for Devices must be drafted and implemented. There are various differences in OSs and Devices, and it's hard to target all of them under control. We must be careful especially in case of BYOD. Some of OSs use SMS for device controls, but in such case the tablets that do not support SMS may not be controlled.

6.3.3 Manage OS versions

Management of OS versions is required irrespective of the types of ownership and the purposes of use. Especially when an upgrade to the OS version that includes the hot fix for vulnerability is available, this is a crucial issue. Due to the policies of device vendors or telecom carriers, however, upgrades may not be used. Thus, administrators shall require to know which version of OS is being used and to understand reported threats in order to impose technical and oper
51. o be used and is authorized to use. Android OS calls it Permission.
Rooting, Jailbreak (page 10, section 4.2): Utilize vulnerability and obtain a root (Supervisor) authorization.
Cloud storage (page 10, section 4.3): The service to store data using Cloud.
IP PBX (page 12, section 5.2): Abbreviation of Internet Protocol Private Branch eXchange. The hardware and software to realize a house phone network with IP phones.
User authentication (page 15, section Ort): The processing to enter a user ID and passwords to identify the user that enters them.
Device authentication (page 15, section 5.7): The processing to identify a device using User ID data, etc. assigned to a device.
Security seal (page 17, section 5.10.1): A seal to paste on the lens part of a camera to restrict a camera use.
Exif (page 17, section 5.10.1): Abbreviation of Exchangeable image file format. The data format to save the camera shooting data (for example shooting date, a camera model, location data) as image data.
NFC (page 18, section 5.10.4): Abbreviation of Near Field Communication. The communications in close proximity to enable non-contact communications.
Lock a Device (page 20, section 5.11): The functionality to lock devices with passwords and patterns. The functionalities and the names are different by device. There is an automatic lock function, etc. that works when a terminal is not used for a certain period of time.
Tap (page 22, section 6.1.2): To lightly hit a touch panel screen with a finger to operate.
Flick (page 22, section 6.1.2): Flick and trace a touch panel screen with a finger from side to side and up and down to operate.
22
52. ore susceptible to static electricity Vulnerability Reduce or unify the types and OSs of devices Unreliable markets Obtain applications from reliable markets Do not inadvertently authorize an access when installing an n application Obtain the latest information on applications Illegal behaviors o unintended behaviors reliable information etc Refer to Application Usage in the Section 5 9 Alterations by user Prohibit alteration A 2 Check Sheet for Countermeasures per Case Usage Level of recommendation sm Strongly recommended Recommended Not applicable Chapter Classification Threats Countermeasures or requirements Levetot number recommendation 5 1 Phone address book Incorrect operation Produce a procedure manual Refer to the Appendix Usage Lack of knowledge Check the behaviors of an application e g data saving area o data publication scope etc Appoint a dedicated data saving area for business o Prevent users from selecting a saving area o Mixed with private Let users sign a pledge Refer to the Appendix data BYOD Sort out data Separate saving areas for private and business a Upon user s departure from a company or end of use let users certify that they have deleted data 52 Phone Usage Wiretapping In using VoIP encrypt the communication channel o Illicit use Correctly configure the equipment and services of IP PBX o servers Illicit access Enhance the
53. phones are always connected with the data communication lines of telecom carriers, a company is not able to grasp the data transmission that are directly transferred to Internet storage services via communication lines of telecom carriers, even after securely receiving the data via a VPN connection with a corporate network. Therefore, we would strongly recommend that the business uses other than organizationally nominated services be not used.

5.14 Reference: SNS Usage

SNS and mini blog are becoming popular as communication tools, especially among individual users. They fit the characteristics of smartphones, as users can promptly inform their friends, etc. of what they've seen and heard. The number of companies using them as marketing and active communication tools is increasing. However, the threats of SNS, for example a writing mindlessness, an incorrect data publication, a private use during office hours, and location discovery from the GPS data and the pictures of the phone, are intensifying. It is recommended to set out a rule in an organization before using.

6 Consideration on Lifecycles

The discarding plan is called a lifecycle. In this Chapter, considerations for a lifecycle are described. In order to securely use smartphones, we need to be aware of the differences between PCs and study necessary security means in meeting the objectives of uses, while achieving low cost and steady means to avoid the risks with the
54. possible communication restrictions by telecom D Network restriction by carriers prepare multiple means for connections telecom carrier Mobile network Telecom carrier s Prepare Wi Fi connectivity for off road a subscription line trouble Illicit use Let users sign a pledge Refer to the Appendix 5 7 Corporate Network Masquerade Impose a user authentication In case of Wi Fi a device Usage User authentication and a user authentication cannot be made concurrently and therefore a prioritization depending on Corporate Wi Fi threats is required In case of a user authentication only an Network access from an authorized device cannot be prevented Acquire an access log o Masquerade Impose a Device authentication In case of Wi Fi elimination Device of unauthorized Devices tends to be a major objective and in such case the system side for access imposes a user authentication Acquire an access log o Wiretapping Encrypt communications Use stronger encryptions n Protect important data Encryption password etc o Illicit use Acquire an access log n Illicit access Limit accessible corporate systems Separate networks SSID access points etc Acquire an access log o Corporate Network Masquerade user Impose a user authentication Usage Acquire an access log o Masquerade Impose a Device authentication VPN Device Acquire an access log a Mobile network and public Wi Fi Equipment trouble Pr
55. quired security measures. The example of the items described in procedure manuals and the example of items described in pledge (Corporate owned version and BYOD version) can be used in producing a procedure manual and/or pledge as may be necessary.

2 Advantages in Using and Utilizing Smartphones

In this chapter, the advantages in using and utilizing smartphones are presented. Smartphones, in comparison to other devices, have outstanding features as communication tools, for example superior portability, always-on power and always-on connection. They also have higher scalability in their functionalities and are easy to personalize, with users adding applications at their preference.

2.1 Aims and Reasons for using Smartphones

Smartphones are now more frequently used in viewing websites, e-mails and schedules when outside offices. Such usage scenarios can also be achieved by notebook PCs that are connected with the network. In consideration of the convenience and the agility, however, smartphones yield overwhelming advantages. Therefore, an increasing number of organizations have been trying to use smartphones for achieving various objectives for work style innovations, for example active communications, faster decision making, cost reduction and productivity improvement, and other factors, for example business continuity and customer satisfaction improvement, etc.

2.2 Examples for the Utilization and it
56. rom a Device Upon user s departure from a company or end of use let users certify that they have deleted data Microphone Usage Lack of knowledge Produce a procedure manual Refer to the Appendix Incorrect operations Lack of knowledge Malware Do not inadvertently authorize an access when installing an a application Page 29 Mixed with private Let users sign a pledge Refer to the Appendix data BYOD Move business data to a dedicated storage area Quickly delete a them from a device Upon user s departure from a company or end of use let users certify that they have deleted data Location Incorrect operations Produce a procedure manual Refer to the Appendix Information Usage Lack of knowledge Fraud Suspend a location information functionality if not it s not a necessary Malware Do not inadvertently authorize an access when installing an o application NFC Usage Skimming Use a lock function when not in use o Put a cover on chip portion a Masquerade Produce a procedure manual Refer to the Appendix Activate a lock function n 1seg a terrestrial Private uses Limited uses during business D TV broadcasting programs on mobile phones Usage Bluetooth Usage Malware Limit accessible equipment with a Device a Disable Bluetooth if it s not used n Illicit access Illicit use Produce a procedure manual Refer to the Appendix
57. roviding the environment to reach necessary IT resources at anywhere at any time. In order to fully exploit the Cloud services, smartphone uses in combination with them are growing.

Utilize privately owned smartphones

The ownership style of smartphones themselves has changed remarkably. Organizations have now started authorizing users of privately owned smartphones to use their phones at work (BYOD). Various reasons behind this can be assumed, for example reducing and streamlining expenses, dealing with emergencies, and alleviating cost burdens for owning 2 phones, etc. The new trend can be considered as noteworthy.

The environments surrounding organizations, in response to the globalization and the increasing intelligence in the society, impose volatility and uncertainty. The utilization of smartphones will likely enable the work styles of individuals to be flexible, new ideas to be created, reliability and human relations to be deepened, and individual capabilities to be enhanced, thereby enhancing organizational competitiveness and productivity. Let's now see how such benefits can lead to work style innovations.

Let's Go Beyond with Smartphones

3 Mechanism and Overview of Smartphone

In this Chapter, the mechanisms and the overview of smartphones are described.

3.1 Characteristics of Devices and Types of OS

The hardware of smartphones is different from conventional mobile phones and PCs. Smartphone screens (LCD) are larg
58. s Effects

The examples for typical work style innovations are shown below.

Activate communications and streamline businesses

In addition to the more timely communications that could be achieved if e-mails can be responded easily at outside of offices or during waiting time, also big improvements would be expected in our business efficiencies by using idle time. Thereby, the time that is required in responding e-mails after returning to the office would be substantially reduced. If we could reduce the time at offices by 1 hour per day, for example, about 20 hours (supposing for 20 business days) will be saved per person per month. With 500 employees, for example, business efficiencies of 10,000 hours (1,250 business days) will be achieved.

Faster decision making

Corporate managers who stay out of their offices for a business trip, etc. have piled up tasks for decision making for their organizations and for their daily issues. With the use of smartphones, important subjects could be naturally checked with the voice and e-mail functions, but moreover corporate decision making would become expedited and those managers' time for the duty would be reduced if they connect with corporate networks securely at anytime and anywhere and may electronically provide necessary approvals.

Reduce cost and enhance business efficiency in achieving the paperless office

The aim at cost reduction and business efficiency with a paperless office is an ongoing trend. A
59. s described, analyze the severances, think about the purposes of use and take necessary measures cautiously.

7.2 Security Policy of an Organization and Decision Making

Criminals and accidents by an insider or an outsider alike may occur. When studying the security aspects of smartphones, usual security considerations for emergencies, significances and the confidentiality of data must be well taken, and the set out security measures need to be reviewed in line with a PDCA cycle, though there may be some exceptions due to the characteristics. Furthermore, non-conventional know-how, for example the feasibility study of the countermeasures, compatibility checking with existing security policies and necessary amendments, control and management that is different from PC's, and legal checking of overseas laws in using Cloud services, is required. The time and budget required for the effort, and the literacy of users and the scope to be able to support as an organization, must be well studied.

7.3 Necessity for Continuous Data Acquisition

As stated at the beginning, the security measures of smartphone are still on a developing stage, leaving some issues unaddressed at moment. A decision must be taken on whether to avoid an operation with an acceptance of the issues, to select a usage to exclude the issues, or not to use smartphones. In addition, the selection on whether to provide to an employee a corporate owned smartphone or to turn a privately owned one B
60. s uses, irrespective of the types of ownership and the purposes of use. In drafting a user manual, smartphone-specific technical terms, for example tap, flick and pinch, need to be well explained. Settings and configurations depend on models. An instruction manual should be drafted on the assumption that it will be viewed on smartphones. In drafting a manual, a corporate owned case and a BYOD case should be taken into consideration.

6.1.3 Prepare a Support System

To put a support system in place is required for business uses, irrespective of the types of ownership and the purposes of use. Users presently do not have accurate and enough knowledge for smartphones. Before using smartphones, an appropriate support system should be well prepared. In addition, the study on how to reduce support burdens throughout the period from a planning stage to an implementation stage with facilitating self support tools, for example simplified introduction procedures, instruction manuals and FAQ. The countermeasures for thefts and losses outside business hours should be planned for in advance.

6.2 Introducing Smartphones

At time of introducing smartphones to an organization, an efficient implementation, for example drafting a start using procedure, buying attachments to Devices, configuring an initial setting, setting accounts, and registering the applications to use, etc., is required in minimizing the burden of users. In addition to such initial introduction of
61. 5.7 Corporate Network Usage
5.8 SaaS/ASP services subscribed by an organization Usage
5.9 Application Usage
5.10 Device functionalities Usage
5.10.1 Camera Usage
5.10.2 Microphone Usage
5.10.3 Location Information Usage
5.10.4 NFC Usage
5.10.5 1seg (a terrestrial TV broadcasting programs on mobile phones) Usage
5.10.6 Bluetooth Usage
5.10.7 Infrared Communications Usage
5.11 area Data Usage
5.12 Backup Synchronize
5.13 Reference: Internet Storage Service Usage
5.14 Reference: SNS Usage
6 Consideration on Lifecycles
62. t businesses or other organizations, hardcopies tend to be produced for instruction manuals and brochures. When those copies need to be revised frequently, a large burden is imposed to the organizations in terms of the workload and cost. People need to carry hardcopies to distribute and rush to search applicable copies in need. These issues can be substantially resolved digitizing paper documents and using smartphones and tablets for viewing and searching media.

Efficient transfer when going out for a visit

In order to enhance the convenience in going out for a visit, use of maps and location information should be useful and effective. There is no need to search destinations and print out information beforehand.

2.3 Circumstances Surrounding Smartphones

Smartphones attracted attention as the tools to meet the following social needs.

Deal with natural disasters and support work at home

There is a trend in organizations trying to seek for business continuity during a natural disaster, to assume social responsibilities, for example reducing power consumption, and to promote work at home. The smartphones are expected to work as an effective tool in innovating a work style and improving the balance between the business and private lives of employees.

Affinity with Cloud services

Since Cloud services help reduce idle IT assets in organizations, thereby letting them off the balance sheet, efficient business management can be achieved while p
63. tatic electricity
Vulnerability | Many types of devices with various OSs. Difficult to put a patch. | Reduce or unify the types and OSs of devices.
Unreliable markets | Infected by malware due to an inadvertent access authorization upon installing an application. | Obtain applications from reliable markets. Prevent an inadvertent access authorization upon installing applications.
Illegal behaviors | An application to become malware. An initial access authorization enables automatic approvals on onward upgrade installations. | Obtain the latest information on applications (unintended behaviors, reliable information, etc.). Refer to Application Usage in the Section 5.9.
Modifications by user | Infected by malware after OS modification (Rooting, Jailbreak). | Prohibit modification.

4.3 Future considerations

Devices and OSs will continue to be upgraded to higher functionality, enhancing use capability. For example, a smartphone user with an additional subscription may use Cloud storage service for automatic data synchronization from a smartphone to the Cloud. It is really an appealing service, but the user of the service without understanding its nature may cause private information leakages, illicit accesses and security threats. Furthermore, damages may become larger due to the higher and larger data exchange rates of network, and battery charging from a PC via a USB cable may cause illicit information leakage. More convenien
64. 6.3.1 Acquire and Monitor Device Information
6.3.2 Control Device Functionalities
6.3.3 Manage OS versions
7.1 Balance between the Purposes of Use and Security
7.2 Security Policy of an Organization and Decision Making
7.3 Necessity for Continuous Data Acquisition
Appendix A
A.1 Check Sheet for Countermeasures per Characteristics
A.2 Check Sheet for Countermeasures per Case Usage
A.3 Example of Items Described in a Procedure
A.4 An Example for Items to be Listed on Pledge
A.4.1 Corporate Owned Version
A.4.2 BYOD Version

1 In
65. therefore corporate IT administrators are not able to control accesses to non-business-related sites and improper sites and acquire access logs. Under such circumstances, compliance with security policies and countermeasures against data leakage are essential. Furthermore, a browser itself is an application; configurable functionalities, for example whether or not cache deletion and password saving are possible, need to be checked in advance. In addition to the following threats and countermeasures, refer to Corporate Network Usage in the Section 5.7 or SaaS/ASP services subscribed by an organization Usage in the Section 5.8 as may be necessary.

Table 11 Threats and Countermeasures (Browser Usage)
Threats | Descriptions, Risks | Countermeasures or requirements
Illicit uses | Use maliciously using cache data. Accessible sites have sharply increased. | Produce a procedure manual (Refer to the Appendix). Do not leave cache. Protect with web filtering.
Wiretapping | The content of the communication is wiretapped by the third party and information leaks. | Encrypt communications for corporate access.
Malware | A Device is hacked to lose control and information leaks. Possibility to become an offender. | Obtain applications from reliable markets.
Private uses, improper contents | Non-business phone use causes cost increase and productivity decrease. Higher criminal chances. | Produce a procedure manual (Refer to the Appendix).
66. to install and use the Set out the applications that can be o applications that are not applications that are not authorized in installed and used A white list or allowed by an order to prevent the intrusion of the applications that cannot be organization malware installed and used A black list Private use Agree not to use privately in order to a prevent a cost increase business productivity drops and information leakage Lend assign and sale to An agreement not to let others than the o third parties user to use Intended or negligent Warning under the increasing use Specify to restrict writing company o information leakage cases for carrying data and privately information etc and to let users to sending data In case of information pay an enough attention not to spread leakage take actions in accordance or leak data inadvertently with a company policy Finish using Return terminals An agreement to delete the data and to Handling of data back up return the terminal Violation of Penalty Specify that the uses are subject to the a pledge penalties as set out by an organization Page 32 A 4 2 BYOD Version The level of Recommendation mStrongly recommended Recommended Classification Descriptions aim Warnings for drafting pledge in Hee dation Representations Ownership name of Let a user warrant that the subscriber Specify the terms
67. to observe in using smartphones as an essential element to help improve the labor productivity and innovate the work styles in Japan, and to contribute to facilitate the environment for securely and safely using smartphones at the workplace.

1.3 Target Readers of the Guideline

The Guideline is mainly targeting the following readers:
1. The managers and planning persons who are responsible for introducing smartphones to their companies or organizations
2. The managers and individuals who are responsible for setting out security policies for introducing smartphones to their companies or organizations
3. The managers and planning persons who are responsible for the work style innovations at their companies or the organization

1.4 Scope of the Guideline

The scope of the Guideline is defined in terms of the ownership and the utilization purposes of smartphones. The scope is not only limited to the business usage of the smartphones owned and supplied by companies, but also to the business users bring their own smartphones (BYOD: Bring Your Own Device) and the multi-purpose users for business and private. In the information security sphere, the classifications in order of importance is now becoming commonly used, but a threat analysis of the smartphone characteristics was applied in this Guideline for a better understanding of usage cases.

Table 1 The Scope of the Guideline
Purpose For business and private For business use only use
68. troduction

1.1 Guideline Usage

Smartphones are mobile devices that equip advanced information processing functionalities in addition to the services offered by conventional mobile phones. In addition to voice communications, rich communication functionalities, for example data communications and wireless LAN (hereinafter Wi-Fi), are supported. There are also mobile devices called tablets, which support almost equal functionalities as smartphones but have larger screen sizes. In this Guideline, we define smartphones to cover both smartphones and tablets. The Guideline is version 1.0 as of December 1st, 2011 and is subject to further changes.

1.2 Objectives of the Guideline

Presently, the number of businesses that actively utilize IT for work style innovations is increasing. Smartphones trigger an attention as key IT devices in the initiative. Even in businesses where organizational initiatives utilizing IT for work style innovations have not been promoted, the individual users have already started using smartphones in various business situations. Smartphones, however, are still technically in a developing stage, the information is not readily available for companies that plan to introduce them for their business uses, and there are number of issues that require to be resolved before using them in full scale for business. The Guideline is intended mainly to identify the security threats and countermeasures that businesses and organizations need
69. wn theft data in order to assess the effect of an loss repair model type incident change assignment and resale Prohibited Modification of a An agreement not to modify in order matters terminal OS and an to prevent security threats application Install and use of the Prohibit to install and use the Set out the applications that shall not o applications that are applications that are prohibited in be installed and used Blacklist prohibited by an order to prevent the intrusion of organization to do so malware etc Lend to third parties An agreement not to let others than o the user to use Use other terminals than Prohibit the use of other terminals applied for an approval than declared to use for business Intended or negligent Warning under the increasing use Specify to restrict writing company o information leakage cases for carrying data and privately information etc and to let users to sending data In case of information pay an enough attention not to spread leakage take actions in accordance or leak data inadvertently with a company policy Finish using Delete business data and Let a user delete business data and applications applications in order to prevent security threats Violation of Penalty Specify that the uses are subject to the o pledge penalties as set out by an organization Page 33
70. xisting phones, smartphones require to activate an application even for a call. In that respect, all smartphone functionalities, for example call, e-mail and schedule, are considered as applications. There are the applications that are pre-loaded before device shipments, and there are applications that are downloaded from the markets by users. The markets are offered by OS suppliers, communication telecom carriers and/or device vendors. The applications that are downloaded from the markets may not have been screened, and therefore the security risks for important data leakage exist. A caution is required upon downloading the applications, in such a way as checking the reliability of a market and an application (Refer to Application Usage in the Section 5.9). Furthermore, since smartphones are always connected with networks, they can access the markets at anytime, anywhere; smartphones enable us to obtain applications far easier than PCs do. Companies or other organizations may distribute their own applications, and in such cases the developer can have the control on how to distribute them. In this case, however, a careful attention needs to be paid in order not to infringe the intellectual property rights of third parties.

Table 3 Markets and Characteristics
Suppliers | Markets | Market characteristics
iPhone, iPad | App Store | Register the third party applications that Apple screen. For distribution and use of the applications need to sign an agre
