Mobile devices are typically designed as single-user devices and normally lack basic user-profile and security features beyond a simple password. Do not assume that mechanisms available on larger platforms will be available on mobile. An enterprise Mobile Device Management (MDM) solution is a good starting point toward a more secure mobile posture. Risks from the OWASP Mobile Top 10 that apply here include:
- Weak server-side controls
- Insecure data protection (in-transit and at-rest)
- Lack of authentication and authorization
Refer to the OWASP site for the full Mobile Top 10 listing. The mobile best-practices section provides useful guidance for minimizing these risks.
Security Guidelines for specific Esri mobile products
- Control access through ArcGIS Online or Portal for ArcGIS
- If using the Track Location Layer, know that it captures the following:
  - Accuracy (GPS accuracy in meters)
  - Creator (username of the named user account)
  - Creation date (date/time at the point of creation)
- Editable Feature Services
  - Limit user capabilities by limiting feature access (create, delete, query, update)
- Use ArcGIS Groups and Sharing to control which field users can access published surveys
- Use ArcGIS Custom Roles to limit privileges granted to Survey123 users
- Use the Collaborate tab in survey123.arcgis.com to share surveys with stakeholder groups
  - This leverages ArcGIS Hosted Feature Layer views to block editing access to the data by stakeholders
- Enable HTTPS in your ArcGIS organization to encrypt data in transit
- Password-protect and encrypt the AXF data file
- Encrypt mobile device memory cards
- Secure your ArcGIS Server environment with users and groups to limit who can publish ArcPad data
- Secure the internet connection used for synchronizing ArcPad data
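The two hosted-layer controls above (limit per-layer capabilities to what field users need, and give stakeholders read-only views rather than the editable layer) are easy to state and easy to drift from as surveys are re-published. The following audit script is an added example, not Esri code and not part of this page's original content. It reads the same JSON shapes the ArcGIS REST API returns for an item (`access`, `typeKeywords`) and for a feature service (`capabilities`), flags editable layers that are shared publicly or exposed through a view, and builds the request body for the hosted-service `updateDefinition` admin call that tightens a layer to query-only. The inventory records, item ids and titles are constructed for the example; the service URL you would send the body to is yours to fill in.

```python
"""Audit ArcGIS hosted feature layers for least-privilege editing settings.

Added example (not Esri code). Field names follow the ArcGIS REST item and
feature-service JSON: item 'access' is one of public/org/shared/private,
'typeKeywords' contains "View Service" for a hosted view, and the service
'capabilities' is a comma-separated string such as "Query,Create,Update".
The SAMPLE_INVENTORY records below are constructed for this example.
"""
import json

# Capabilities that let a caller change data. A stakeholder view should
# normally carry only "Query".
EDIT_CAPS = {"Create", "Update", "Delete", "Editing"}

# Constructed sample inventory: placeholder ids and titles, not real items.
SAMPLE_INVENTORY = [
    {
        "id": "item-0001",
        "title": "Hydrant inspection survey",
        "access": "org",
        "typeKeywords": ["Feature Service", "Hosted Service"],
        "service": {"capabilities": "Query,Create,Update,Delete,Editing"},
    },
    {
        "id": "item-0002",
        "title": "Hydrant inspection survey_stakeholder",
        "access": "shared",  # shared with a stakeholder group
        "typeKeywords": ["Feature Service", "Hosted Service", "View Service"],
        "service": {"capabilities": "Query,Update,Editing"},  # view still editable
    },
    {
        "id": "item-0003",
        "title": "Park assets",
        "access": "public",
        "typeKeywords": ["Feature Service", "Hosted Service"],
        "service": {"capabilities": "Query,Create,Update,Delete,Editing"},
    },
    {
        "id": "item-0004",
        "title": "Trail map (read only)",
        "access": "public",
        "typeKeywords": ["Feature Service", "Hosted Service"],
        "service": {"capabilities": "Query"},
    },
]


def parse_capabilities(cap_string):
    """Split the REST 'capabilities' string into a set of capability names."""
    return {c.strip() for c in cap_string.split(",") if c.strip()}


def audit_item(item):
    """Return a list of finding strings for one feature-service item."""
    findings = []
    caps = parse_capabilities(item["service"]["capabilities"])
    edit_caps = caps & EDIT_CAPS
    is_view = "View Service" in item.get("typeKeywords", [])

    # Finding 1: an editable layer reachable by anyone on the internet.
    if edit_caps and item["access"] == "public":
        findings.append("public item allows editing: " + ",".join(sorted(edit_caps)))

    # Finding 2: a hosted view meant for stakeholders should be read-only.
    if is_view and edit_caps:
        findings.append("view exposes edit capabilities: " + ",".join(sorted(edit_caps)))

    return findings


def audit_inventory(inventory):
    """Map item id -> findings for every item with at least one finding."""
    report = {}
    for item in inventory:
        findings = audit_item(item)
        if findings:
            report[item["id"]] = findings
    return report


def hardened_definition(desired_caps):
    """Build the form body for the hosted-service 'updateDefinition' admin call.

    The parameter name comes from the ArcGIS REST API; the allowed-value set
    below is the commonly documented list and is treated as an assumption.
    """
    allowed = {"Query", "Create", "Update", "Delete", "Editing", "Sync", "Extract"}
    unknown = set(desired_caps) - allowed
    if unknown:
        raise ValueError("unknown capabilities: %s" % sorted(unknown))
    definition = {"capabilities": ",".join(sorted(desired_caps))}
    return {"updateDefinition": json.dumps(definition), "f": "json"}


if __name__ == "__main__":
    for item_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(item_id, findings)
    # Body you would POST to <your hosted service URL>/FeatureServer/updateDefinition
    print(hardened_definition({"Query"}))
```

Run against a real inventory by replacing `SAMPLE_INVENTORY` with the item and service JSON pulled from your organization; the two findings are the ones that matter for the Survey123 and editable-feature-service guidance above: edit capabilities on a public item, and edit capabilities on a view that was meant to give stakeholders read-only access.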
Best practices guidance across all ArcGIS mobile apps is coming soon.