Mobile phone and app security

Mobile devices have many vulnerabilities and pose risks that you need to consider and adjust for. Read about these below and follow the advice on how to protect information when using a mobile phone.

All information assets in the University's operations are to be managed in a secure manner. This also applies when you use mobile devices, such as a mobile phone and tablet. If information is stored on the device, the information needs to be protected adequately, and the devices need to be managed in a way that reduces exposure. The device is to be protected so that it does not fall into the wrong hands.

Checklist — Protect your data and information assets!

  • Avoid being located. Turn off location services (Wi-Fi, GPS and Bluetooth) when you do not need them.
  • Lock your mobile with a PIN or password and set it to activate the screen lock if you are inactive.
  • Update correctly.
    • Update your mobile phone's software. This will improve security and performance. Devices that no longer receive security updates from the device manufacturer may not be connected to the University's network or services.
    • Do not accept unsolicited software installations through MMS messaging, Bluetooth or the like.
  • Open Wi-Fi networks.
    • Beware of connecting to open Wi-Fi networks, such as in airports or hotels.
    • Recognise that your data traffic can be monitored.
    • Use Eduroam wherever possible.
  • Save smart. If your mobile phone disappears, this does not necessarily mean that valuable information will fall into the wrong hands. Think about what you save and regularly delete information you do not need. A mobile device should be regarded as an insecure medium on which to store information.
  • Be careful with links. The risk of phishing or malware is as great on a mobile phone as on a computer. This means you should handle your phone as carefully as your computer. Do not click on links in emails and texts if you are uncertain about them.
  • Be careful with apps. There are good and safe apps. And then there are those that can spread malware or act as portals into your phone if you are not careful. Read more under Tips about applications (apps).
  • Secret data. Never discuss classified or secret information on a regular cell phone.

More about work mobiles

  • A work mobile phone is to be linked to a mobile subscription provided by the employer. Your work phone subscription is to be active during working hours.
  • You are responsible for the information stored on your device and for ensuring that it is protected in a secure manner. No data worthy of protection is to be stored on the mobile phone (or on a mobile device).
  • You are responsible for ensuring that operating systems and applications on mobile devices have the latest security and software updates.
  • You are not allowed to modify the device in ways that prevent the University from managing the device with client management systems.
  • Lost mobile phones. Report the loss as an incident to the Incident Response Team (IRT) via abuse@umu.se.

Tips about applications (apps)

  • Limit how apps are used. Check what kind of information the app can access, such as your location, microphone, contacts or photos, and whether it can share the information with third parties. Think about whether you really want to approve all these permissions. Be restrictive and ask yourself why an app provider needs this information.
  • Official app stores. Only install apps from official app stores. Select well-known apps that many have used.
  • Avoid malware. Do research and check reviews and ratings from other users. Recognise that there are fake versions of legitimate apps that can spread malware.
  • Unknown sources. Be wary of links you receive in emails and text messages that may trick you into installing apps from third parties or unknown sources.

General vulnerabilities

  • Mobile phones are constantly connected.
  • The equipment is simple.
  • Vulnerabilities exist in hardware, operating systems and applications.
  • Mobile phone suppliers often provide only limited security updates.
  • Applications can be downloaded from the wrong place – which can give malware access.

What could happen? What can a cell phone reveal?

  • Who you communicate with and the content of the communication. A mobile phone can be used to access emails and messages, credit card details, pictures and contact lists.
  • It can reveal where you are and where you have been. This is done through the GPS positioning of the mobile phone and via connection to wireless networks. IP addresses provide an approximate position.
  • In some cases, the mobile phone can also be used to remotely monitor the phone's surroundings.
  • A lost phone can mean that information is lost or falls into the wrong hands. The device could also be used as a springboard for further attacks into the University's internal networks and resources.

Intelligence gathering by foreign powers

Countries such as China, Russia and Iran spend considerable resources on acquiring technology, skills and knowledge that can enhance their own capabilities, both civilian and military. Because Sweden and Swedish universities in particular are at the forefront in several areas of cutting-edge technology, research and innovation, we are attractive targets for the intelligence activities of foreign powers. This occurs daily through covert technology and knowledge acquisition by foreign powers.

Technology and knowledge acquisition by foreign powers is a major problem and, along with other activities, poses a threat to Sweden's security. Foreign powers have a very high capacity for electronic attacks and can use cyberattacks to obtain information through applications and other channels.

By following the advice above, you reduce the risk that the University's protected information assets will fall into the wrong hands.

 

Contact

Questions regarding information security

E-mail infosak@umu.se 

Questions regarding IT security

Contact Servicedesk 

2/27/2024