Smartphone Backup and Recovery

PDF version of this report
You must have Adobe Acrobat reader to view, save, or print PDF files. The
reader is available for free

Smartphone Backup and Recovery

by Geoff Keston

Docid: 00018038

Publication Date: 2209

Report Type: TUTORIAL


As the use of personally-owned smartphones for business has increased and
the threats against devices have become more numerous, their backup and
recovery has become an enterprise-wide concern. The technical aspects of
backup and recovery are now cloud-based and mostly automatic, and they are
largely managed by operating system developers Google (Android) and Apple.
But companies still have much responsibility for monitoring and making
decisions about employee smartphones, and many considerations involve broader business issues.

Report Contents:

Executive Summary

[return to top of this

Recovering data, apps, and configurations from a lost or damaged
smartphone is not merely an after-the-fact process. Instead, it requires
much advance planning, not just to backup data and configurations but also
to choose the software and services to use and even to select phone
hardware, software, and service providers with recovery options in mind.
All this planning extends beyond technology to factor in executive-level
concerns such as regulatory compliance and customer satisfaction. For
example, stolen data could raise issues with laws such as HIPAA and GDPR;
if the data relates to customers, its unauthorized access could put their
security at risk too.

Even the technical aspects of backup and restoration are not as simple as
they seem. Some key configurations must be set correctly to ensure that
all data and settings are kept. Unexpected problems, such as
incompatibilities between newer and older devices, threaten to make
restoration slower and less reliable.

These challenges are part of a broad and long-term trend, sharpened by
the pandemic, of using phones for more business applications. In
particular, many organizations now favor letting employees use their own
devices to access corporate resources and to send and receive sensitive
data. With these ongoing trends in mind, organizations would better manage
smartphone backup and recovery by:

  • Keeping track of what data is stored on phones
  • Considering limiting the number of platforms and versions in use
  • Using in-built features that thwart unauthorized access
  • Testing the backup and recovery processes
  • Assessing damage when incidents occur and performing a self-analysis
    to learn from them


[return to top of this

Backup and recovery of smartphones involves both technical and business
management processes. The technical steps vary based on the vendor and
version of the operating system, and they are detailed in vendor
literature available online. The overall business management processes, on
the other hand, apply broadly.

Business Management

From a management perspective, smartphones and the data they contain are
assets, and the potential for the devices, and especially the data, to be
lost or stolen is a concern for the following business functions:

  • Risk Management – To assess the potential damage to an
    organization’s finances.
  • Reputation Management – To assess the potential damage to an
    organization’s reputation.
  • Regulatory Compliance – To assess the implications for
    compliance with data-oriented regulations.
  • Customer Satisfaction – To consider how the organization’s
    ability to meet customer timelines and quality expectations might be
  • Employee Training – To build training programs and monitoring
    activities that reduce the likelihood of losses.

Together, these varying considerations will shape an organization’s
smartphone policies, not just for backup and recovery, but also for
policies covering:

  • Product selection
  • Patch management
  • Data retention
  • Access control and authentication
  • Employee training

The organizational functions and policies listed above connect in various
ways to smartphone backup and recovery, which has grown in importance and
complexity to become not just an IT staff concern but also an
organizational and business management responsibility.

Technical Considerations

The backup process for smartphones covers data, apps, and configurations.
Some personally identifying data may be backed up too, such as log-ins. Data
and configurations can be backed up to the same phone or another device.

For Android and Apple devices, backups are typically automatically
performed and stored in the vendor’s cloud service. But organizations must
monitor and manage the process to avoid issues. For example, Android
phones can be set up as personal or work devices.1 Devices
configured as personally-owned can be backed up by employees, but devices
configured as employer-owned cannot. This important configuration decision
is best made when an employee is issued a phone or first receives
permission to use a personally-owned device to store company data.

Another example of a potential problem is that the success of backups and
recoveries depends on compatible versions of software. For instance, newer
versions of Androids can’t be restored onto older versions of the
operating system.2 Or processes and options may differ between
versions. For example, restoring backups onto a Mac is performed
differently on systems with a macOS Catalina than on systems with macOS

Organizations may also in some cases need to choose which backup and
restore service to use, potentially creating confusion. For example, phone
manufacturer Samsung offers a backup service for its devices, but because
its products use Android operating systems, Google backups can be used as
an alternative. Having multiple options could put extra learning demands
on users or IT staffs, and it might increase the possibility of mistakes
or oversights.

The simple, automatic process that works most of the time for smartphone
backup and recovery can lead organizations to falsely assume that
monitoring and management aren’t needed. Instead, oversight is required.
Key questions for organizations to ask about employee phones are:

  • Is automatic backup turned on?
  • What data, apps, and configurations are being backed up?
  • Are platform versions compatible with backup and recovery across
  • To what devices can data be restored?
  • How much data can be backed up?
  • What data, configurations, and software will be restored? Will they be
    fully restored?

Security concerns arise as well. The data from backups is stored
off-site, by a third party, and is thus vulnerable to hacking. It could be
viewed or copied by hackers without the vendor – and thus without the
owners of the data – knowing there was a breach. The risks of smartphone
data being compromised include:

  • Personally identifying information could be used for future attacks,
    such as through social engineering.
  • Corporate data could be used by competitors.
  • Apple phones backup Apple Pay data and Android phones backup Google
    Play data, putting user payment data at risk.

Backup services like those of Android and Apple encrypt data, providing
protection. But encryption is imperfect,4 and it is possible
that stolen data, even if encrypted, could be accessed by hackers.

Current View

[return to top of this

For years, enterprise employees have been more and more often using their
personally-owned phones and other devices to access corporate services and
data. The increase in remote working due to the pandemic further blurred
the lines between business and personal devices. During the pandemic, 58.3
percent of employees reported making greater use of personal devices for

The growth of remote work has led to an expectation of “more flexibility
in how, where and when employees work and collaborate,” according Reda
Chouffani, co-founder of managed services and cloud hosting company Biz
Technology Solutions.6 While using personal devices enables
employees to “customize their experience, resulting in greater
satisfaction,” says Chouffani, this greatly complicates privacy and
security. “The future of BYOD includes building out policies and using
technologies like mobile device management (MDM) that support
employee-owned devices and ensure security,” he says.

The need for organizations to adapt to new working conditions and
employee preferences is also made by Dean Hager, the CEO of Jamf, which
develops mobile device management software. “The Covid-19 pandemic taught
us that employees are more productive when using their preferred
hardware,” says Hager.7 “Rather than fight this notion, it’s
best to foster a workforce that is happy and empowered. Employee choice,
therefore, is a powerful tool for both recruitment and retention. We’ve
come a long way since former iterations of BYOD, where devices were either
left unprotected or subject to generic device management tools.”


[return to top of this

The broad trends that have made smartphone backup and recovery a pressing
need are likely to continue well into the future.

  • Remote work will remain commonplace.
  • Employees will use their personal devices for business.
  • Security threats will continue to grow, diversify, and worsen.

And the platforms that lead the market – Android and Apple – are
unlikely to change. The market has been stable for years.

For enterprises setting strategies for backup and recovery, it is
therefore possible to make long-term plans and to dedicate significant
resources. The problem and context are well understood, and there are many
well-tested technical and business management approaches for managing the


[return to top of this

Know What Data Is on Phones

Knowing what data is on phones is crucial to ensure that a backup has
fully succeeded. But this knowledge is also vital for conducting other

  • Monitoring compliance with data handling policies.
  • Assessing damage if data is accessed by unauthorized parties (see
    Perform a Damage Assessment below).
  • Evaluating how phones are being used so that changes to technologies
    and processes can be considered.

Organizations may identify data with periodic manual spot checks or via
software. But either approach requires attention to issues of privacy.
Some mobile device management software, such as from Cortado Mobile
Solutions, restricts companies to viewing and managing a limited segment
within an employee’s phone. Cortado also recommends that the nature and
extent of any monitoring and management be shared with employees.

Consider Limiting Platforms, Versions, and Apps

The challenges of smartphone backup and recovery are exacerbated by:

  • The number of platforms in use.
  • Variations in the versions in use.
  • The number of apps used.

Each platform is backed up and restored somewhat differently, requiring
different IT staff training and often different software. Aside from the
direct effect of requiring more training time, this complexity can
indirectly lead to failed backup and recovery by increasing the likelihood
of an IT staff mistake.

While the industry trend is toward allowing employees to use their own
devices – the benefits of this bring your own device policy are discussed
elsewhere in this report – there are security, management, and reliability
advantages to exerting tighter controls. A good approach is to not view
employees bringing their own devices as a binary decision but to instead
find an appropriate balance between flexibility and oversight, based on
employee job roles, technology considerations, and the broader data
management needs of the organization.

Configure Phones to Thwart Unauthorized Access

There are phone options that can make it harder to access data on a
stolen device, for example, screen locks and biometrics.8
Androids can even be configured to automatically be wiped after 15
straight incorrect attempts to log in, and both Apple and Android offer
“Find My” location services.9

By studying the configuration options of employee phones and setting them
to align with business policies, organizations can reduce the chances that
people without authorization could access the data or services available
on a phone.

Test Backup and Recovery Processes

Backup and recovery processes sometimes fail. A missed step in the
process or a change made recently to the phone or to backup software, for
instance, could create a problem. Routine tests help to spot potential
problems so that they can be fixed before a real recovery is needed. In
addition, tests train IT staff, reducing the chances of human error during
real processes.

These tests determine whether all data, software, and configurations have
been restored, and can evaluate the process itself, such as by measuring
its speed and spotting any potential problems. And based on the test
results, organizations will be able to modify their backup and recovery
processes. (Such self-analysis and continual improvements are also helpful
for compliance with certifications such as ISO 9001 and 27001.)

Perform a Damage Assessment

Even when a smartphone is fully recovered, significant damage may have
been done to a company if competitors or hackers accessed data or
performed other malicious actions. It is therefore a good practice to
assess the potential damage that may have been done if a phone was lost,
stolen, or temporarily missing.

Potential damage to assess includes:

  • A lack of compliance with HIPAA, GDPR, and other laws and regulations.
  • Negative effects on customers or suppliers.
  • The planting of malware or launching of another type of attack.
  • Unauthorized access to employee personal information.
  • Unauthorized access to company confidential information.


[return to top of this

[return to top of this

About the Author

[return to top of this

Geoff Keston is the author of more than 250 articles
that help organizations find opportunities in business trends and
technology. He also works directly with clients to develop communications
strategies that improve processes and customer relationships. Mr. Keston
has worked as a project manager for a major technology consulting and
services company and is a Microsoft Certified Systems Engineer and a
Certified Novell Administrator.

[return to top of this