Monday, March 26, 2007

Ten dangerous claims about smart phone security

Many common assumptions about the security and privacy of smart phones or other handheld converged devices are off-base or just flat-out wrong.

For any high-value target -- whether that's a political candidate or an organization with valuable financial or personal data -- a little more thought ought to go into the process of selecting and deploying any device handling important data.

It makes sense, then, to challenge the more widespread assumptions, and consider how to handle oft-ignored risks. (highly summarized, more here)

1. It's just a phone with cool features, right?
No, it's not.
2. It's stable, just like any other purpose-built appliance.
No, it's not.
3. Communications are encrypted from end to end.
No, not entirely.
4. The connection's secure unless I use Wi-Fi in a café.
Guess again.
5. E-mails and messages are secure from prying eyes.
Not if you're interesting.
6. Using a mobile phone constitutes out-of-band communication.
Who are you? No one knows for certain.
7. I trust the integrity of data and applications on a smart phone.
Not 100%, we hope.
8. Information deleted from a smart phone is gone, right?
No, just marked for overwrite.
9. Spying on my smart phone is hard.
I've got a bridge in Brooklyn to sell you.
10. Abuse is minimal because the network and phones are constrained. :]
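Claim 8 is the one that is easiest to see in code. The toy block store below is an added illustration, not code from the original post: `ToyStore`, its constructed "sms.txt" payload and the `remnants_after` helper are all hypothetical, but the behaviour mirrors what most file systems do. A normal delete only drops the directory entry and returns the blocks to the free list, so a raw scan of the storage still finds the contents; a secure delete overwrites the blocks before releasing them.

```python
# Added example (not from the original post): why "deleted" data is usually
# only marked for overwrite, and what a defender-side secure delete changes.
# ToyStore and its sample data are hypothetical/constructed.

BLOCK_SIZE = 16


class ToyStore:
    """Minimal block store: a directory maps names to block indices."""

    def __init__(self, n_blocks: int) -> None:
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks   # raw storage, zeroed
        self.free = list(range(n_blocks))              # free-block list
        self.directory: dict[str, list[int]] = {}

    def write(self, name: str, data: bytes) -> None:
        idxs = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            i = self.free.pop(0)                       # take the next free block
            self.blocks[i] = chunk
            idxs.append(i)
        self.directory[name] = idxs

    def delete(self, name: str) -> None:
        # The common "delete": forget the mapping, release the blocks,
        # leave their contents untouched until some later write reuses them.
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name: str) -> None:
        # Overwrite every block of the file before releasing it.
        for i in self.directory[name]:
            self.blocks[i] = bytes(BLOCK_SIZE)
        self.delete(name)

    def carve(self, marker: bytes) -> list[bytes]:
        # Forensic-style scan of the raw blocks, ignoring the directory.
        return [b for b in self.blocks if marker in b]


def remnants_after(secure: bool) -> int:
    """How many raw blocks still hold the constructed secret after deletion."""
    store = ToyStore(8)
    store.write("sms.txt", b"PIN is 4321 call me back")   # constructed sample
    (store.secure_delete if secure else store.delete)("sms.txt")
    return len(store.carve(b"4321"))
```

On real flash storage with wear levelling an in-place overwrite may not reach the original physical cells, which is why full-device encryption with key destruction is the usual remedy rather than block-level wiping.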