Basic Security Assessment Questions

These following questions comprise our basic security assessment. You have several options for navigating these questions, and learning more about data security. This page contains 10 basic questions that relate to the most important privacy and security observational practices of smart devices and mobile applications. The full security assessment questions integrate the Consumer Reports Digital Standard questions, Ranking Digital Rights questions, and OWASP IoT project questions into a single full security assessment framework.

1:0 Data Privacy

1.3: Data Privacy

1.3.1: Data Collection

  • Criteria:
    • Does the application or service collect the same amount and type of information specified in the policies?
    •  
  • Indicator:
    • Assess the solution to determine the amount and type of personal and non-personal information collected by the application or service.
    • Assess whether personal information is collected by the application or service.
    • Assess whether audio information is collected by the application or service.
    • Assess whether video information is collected by the application or service.
    • Assess whether geolocation information is collected by the application or service.

1.3.7: Default Privacy

  • Criteria:
    • Does the application or service set privacy settings or protections by default?
  • Indicator:

    • Assess whether the default settings in this product prioritize a user's privacy.
    • Assess whether settings are opt-in or opt-out by default.
    • Assess whether user interface settings which are optimal for privacy are set by default.
  • Procedure Overview:

    • Review settings available from the user interface, and determine which options would be optimal for privacy considerations.
    • Determine whether those options are selected by default and opt-in or opt-out.

1.6: Mobile Interface

1.6.2: Strong Passwords

  • Criteria:
    • Does the mobile application require strong passwords to be created?
  • Indicator:
    • Assess the mobile interface to determine if the option to require strong passwords is available.

1.6.8: Multi-user Roles

  • Criteria:
    • Does the mobile application provide managed accounts or multi-user roles with separate permissions?
  • Indicator:
    • Assess the solution for multi-user environments and ensure it includes functionality for role separation.
    • Assess the solution for separate roles such as parent and child, or teacher and student to provide consent for other users.

1.7: Mobile Security

1.7.1: App Encryption

  • Criteria:
    • Does the mobile application encrypt communication between devices and the Internet?
  • Indicator:
    • Assess the solution to determine the use of encrypted WiFi network traffic between an application, device, and the Internet.
    • Assess the solution to determine the use of Bluetooth pin paring between the application and device.

2.0: Data Security

2.2: Software/Firmware

2.2.1: Software Updates

  • Criteria:
    • Is the software kept protected with software updates for a clearly defined and communicated period of time (i.e., the product life cycle)?
  • Indicator:

    • Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered.
    • Assess whether the product life cycle is communicated to the potential owner before purchase.
    • Assess whether software updates are authenticated.
    • Assess whether automatic software updates are provided.
  • Procedure Overview:

    • Examine software settings and product documentation to determine if automatic software updates are enabled by default or can be enabled by the user.

2.2.2: Update Encryption

  • Criteria:
    • Does the application or service encrypt updates files transmitted to the device?
  • Indicator:
    • Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption.

2.2.3: Update Notifications

  • Criteria:
    • Is the user notified software updates are available or that updates have been installed?
  • Indicator:

    • Assess whether users are notified of software updates.
  • Procedure Overview:

    • If updates are not automatic, examine software settings and product documentation to determine if the product notifies the user if a software update is available, and if that notification is persistent, or if the user can easily determine if a software update is available.

2.2.6: Automatic Updates

  • Criteria:
    • Can the user change the software update process to be automatic?
  • Indicator:

    • Assess whether software can be kept up-to-date for security issues.
  • Procedure Overview:

    • Check if a later version of software exists but the product cannot be updated to it (e.g. Android devices with pre-KitKat versions).

2.2.7: Firmware Updates

  • Criteria:
    • Is the device firmware able to be modified or updated?
  • Indicator:
    • Assess whether the firmware can be modified or updated by physical or remote access.
    • Assess whether the firmware can accept unauthorized updates.