Screen Lock and Authentication
Screen lock is the first line of defense for mobile device security. Lock methods and their security levels: Swipe: no security (no authentication). PIN: 4–6+ digits. Short PINs can be observed (shoulder surfing). Password: alphanumeric — most secure. Pattern: geometric pattern on a 3×3 or 4×4 grid — can leave smudge patterns on screen. Fingerprint (Touch ID on Apple): fast, secure, biometric — cannot be compelled by showing your finger in most jurisdictions. Face recognition: Face ID (Apple, 3D structured light) — very secure; face unlock on some Android (2D camera) — less secure. Iris scan: very secure biometric — less common. Failed attempts policy: iOS: up to 10 attempts, then erase (if configured). Android: varies — typically temporary lockout → Google account required. Auto-lock timeout: configure to lock after 30 seconds to 2 minutes of inactivity (balance security with usability). Biometrics vs PIN backup: biometric authentication always requires a PIN/password backup — if the biometric fails or the device restarts, PIN is required.
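To put numbers on the lock methods above, this added example (not part of the original page) counts the keyspace of each method and the chance that blind guessing succeeds before a failed-attempt limit such as the 10-attempt iOS policy is reached. It assumes the standard Android 3×3 pattern rules (at least 4 dots, no skipping over an unvisited dot), an 8-character password drawn from 62 letters and digits, and secrets chosen uniformly at random; real users pick far more predictable values.

```python
# Added example: keyspace per lock method and the odds of a blind guess
# landing before a failed-attempt limit triggers.

# Dot lying between two dots on a 3x3 grid numbered 0..8, row by row.
# Assumption: standard Android rule that a stroke cannot skip an unvisited dot.
MIDDLE = {}
for a, b, m in [(0, 2, 1), (3, 5, 4), (6, 8, 7), (0, 6, 3), (1, 7, 4),
                (2, 8, 5), (0, 8, 4), (2, 6, 4)]:
    MIDDLE[(a, b)] = MIDDLE[(b, a)] = m


def count_patterns(min_len=4, max_len=9):
    """Count valid 3x3 unlock patterns by depth-first search."""
    def extend(last, visited, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = MIDDLE.get((last, nxt))
            if mid is not None and mid not in visited:
                continue  # stroke would jump over an unused dot
            total += extend(nxt, visited | {nxt}, length + 1)
        return total
    return sum(extend(start, {start}, 1) for start in range(9))


def keyspaces():
    """Number of possible secrets per lock method (assumed parameters)."""
    return {
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "3x3 pattern": count_patterns(),
        "8-char alphanumeric password": 62 ** 8,
    }


def guess_probability(keyspace, attempts=10):
    """Chance that `attempts` distinct blind guesses hit a uniform secret."""
    return min(attempts, keyspace) / keyspace


if __name__ == "__main__":
    for name, size in keyspaces().items():
        p = guess_probability(size)
        print(f"{name:30} {size:>20,}  P(hit in 10 guesses) = {p:.2e}")
```

A 3×3 pattern therefore sits between a 4-digit and a 6-digit PIN in raw keyspace, before smudge marks or shoulder surfing narrow it further.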
Remote Lock and Wipe
Remote lock: lock the device screen remotely — requires network connectivity. Remote wipe: erase all data on the device remotely. Apple (iOS): Find My app (iCloud.com → Find My). Enable 'Lost Mode' (locks, displays message, tracks location), Erase iPhone (factory wipe). Requires: device powered on, connected to internet (or cellular), Find My enabled, Apple ID credentials. Android: Find My Device (google.com/android/find). Lock, Secure device (display message, lock), Erase device. Requires: device powered on, internet connected, Find My Device enabled, Google account. MDM remote wipe: enterprise MDM solutions (Intune, Jamf) can perform a full wipe or a selective wipe (corporate data only) from a management console. BYOD consideration: MDM on personal devices should implement selective wipe (only corporate data) rather than full wipe — employees' personal data should not be wiped by the employer.
App Security and Permissions
Mobile app permissions: apps request access to device features. iOS and Android both use a per-app permission model. Common permissions: Camera, Microphone, Location (precise vs approximate), Contacts, Calendar, Photos/Media, SMS, Notifications. Review permissions when installing apps. Revoke unnecessary permissions post-install: iOS: Settings → [App Name] → Permissions. Android: Settings → Apps → [App Name] → Permissions. Sideloaded apps (Android) or enterprise-distributed apps (iOS) bypass official store scanning — higher risk. Play Protect (Android): Google's built-in scanner checks installed apps for malware. App sandbox: each app runs in its own sandbox — cannot access other apps' data. Explicit permission required to access shared resources. iOS is strictly sandboxed; the Android sandbox is also strict, but its permissions model has evolved across versions. App vetting: in enterprise MDM, only approved apps may be installed on corporate devices.
BYOD Security Policies
BYOD (Bring Your Own Device): employees use personal devices for work. Benefits: cost savings (no corporate device procurement), employee comfort with their own device. Security risks: personal device may be jailbroken/rooted, may have unvetted apps, may not be patched, mix of personal and corporate data. MDM approach for BYOD: Android work profile: corporate apps run in a separate, encrypted container on the personal device. IT manages the work profile without access to personal data. Personal apps and corporate apps are completely separated. iOS managed apps: MDM manages specific apps without controlling the whole device. Microsoft Intune MAM (Mobile Application Management): manage apps without enrolling the entire device — only corporate apps are managed, personal apps are untouched. Acceptable Use Policy (AUP): written policy that employees sign stating how corporate and personal use of mobile devices is governed. Device enrollment: BYOD devices must be enrolled in MDM to access corporate resources (email, VPN, internal apps).
Mobile Threats
Malicious apps: apps that appear legitimate but steal data, display ads, or install malware. Risk is higher with sideloaded APKs from outside the Play Store or App Store. Smishing (SMS phishing): malicious text messages with links to fake websites or malware downloads. Vishing: phone-based social engineering. Shoulder surfing: someone observing the device screen in public — use a screen privacy filter, face away from others when handling sensitive info. Device theft: physical theft of an unprotected device provides access to all data. Mitigation: full-disk encryption + strong screen lock + remote wipe capability. Rogue Wi-Fi / evil twin: connecting to a fake Wi-Fi network — use VPN on untrusted networks. Outdated OS: mobile devices that no longer receive security updates from the manufacturer are at high risk. Replace devices that cannot receive current OS versions. Baseband vulnerabilities: radio firmware exploits — rare but not theoretical.