Security overview
Security should always be treated as an important component of your mobile solution. Unless you intend to share information with the general public, it is recommended that you protect your data from being captured, sniffed, intercepted, or modified by unauthorized parties. This is especially true when your data is confidential and should not be exposed to other personnel or organizations.
Mobile security can be implemented at various stages along the entire workflow, depending on whether your mobile solution is based on a desktop or a server workflow. For more details on the desktop workflow versus the server workflow, see Desktop and Server workflows.
If you are taking the desktop route, the only security you need to consider is on the mobile device side. However, when the server workflow is used in a mobile solution, your data is exposed through ArcGIS Server as a mobile service. The mobile project may be stored on a mobile content server for easy access by mobile client applications (see Mobile content server for details). Depending on network connectivity, your field crew may or may not interact with the mobile service and project directly when they are in the field for data collection. In this case, you need to treat the mobile solution as a whole system, because a security hole anywhere within the system may lead to leakage of information.
Therefore, in a server-based mobile solution, you can address security in the following three places: ArcGIS Server, the communication pipeline between ArcGIS Server and ArcGIS for Windows Mobile applications, and the mobile devices.
ArcGIS Server
ArcGIS Server provides a variety of out-of-the-box security options that you can adopt to ensure that data and services are secured on the server. It also provides built-in token security for mobile content servers, if you choose to store mobile projects on one (other than sharing your project to the mobile content server, which is a component of ArcGIS Server, you can also share your project to ArcGIS Online or Portal for ArcGIS, or save it locally).
You should always secure ArcGIS Server for your mobile solution unless you have an obvious reason for not doing so. Security implemented on the server ensures that your data is protected and is not exposed to unauthorized users. Securing ArcGIS Server for mobile usage means securing both the mobile service and the mobile content server.
Learn more about securing map service and mobile content server
Communication pipeline between ArcGIS Server and mobile applications
The communication pipeline determines how data is transferred between ArcGIS Server and mobile client applications. By default, the server transmits information over the network in plain text, meaning that this information may be intercepted by anybody listening to the traffic. This could happen inside or outside of your organization's firewall. In such cases, confidential information such as user names and passwords may be at risk without you even knowing about it. When you are planning a mobile solution, you should consider Secure Sockets Layer (SSL) as part of it. By encrypting your data as it passes through the communication pipeline, you can minimize the risk of leaking your information over the network.
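As an added example (not part of the original documentation or of ArcGIS), the following Python sketch audits the service URLs configured for a mobile deployment and ranks those that would send data or credentials in plain text. The URLs, host names, and the list of sensitive parameter names are constructed assumptions; replace them with the values from your own deployment.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed names of query parameters that carry secrets; adjust to your deployment.
SENSITIVE_PARAMS = {"token", "username", "password"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2, "low": 3, "ok": 4}

def audit_endpoint(url):
    """Return (severity, reason) for one service URL configured on a device."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ("review", "not an HTTP(S) URL; transport cannot be judged")
    # Secrets can sit in the query string or in the user:password@ part of the URL.
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    exposed = sorted(SENSITIVE_PARAMS & query_keys)
    if parts.username or parts.password:
        exposed.append("userinfo")
    if scheme == "https":
        if exposed:
            return ("low", "encrypted in transit, but secrets in the URL "
                           "can end up in logs: " + ", ".join(exposed))
        return ("ok", "encrypted in transit")
    if exposed:
        return ("critical", "credentials sent in plain text: " + ", ".join(exposed))
    return ("high", "data sent in plain text")

def audit(urls):
    """Audit every URL and return findings with the most severe first."""
    findings = [(url,) + audit_endpoint(url) for url in urls]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])

# Constructed sample configuration (hypothetical hosts and paths).
SAMPLE_URLS = [
    "https://gis.example.com/mobile/service",
    "http://gis.example.com/mobile/service",
    "http://gis.example.com/mobile/content?token=SAMPLETOKEN",
    "http://crew:secret@gis.example.com/mobile/content",
    "https://gis.example.com/mobile/content?Token=SAMPLETOKEN",
    "gis.example.com/mobile/service",
]

if __name__ == "__main__":
    for url, severity, reason in audit(SAMPLE_URLS):
        print(f"{severity:8} {url}  ({reason})")
```

Any finding rated critical or high identifies an endpoint that should be moved to SSL before devices are deployed to the field.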
Mobile devices
Likewise, the information stored on your mobile device and used by mobile applications can be accessed by other people if no security is implemented. A user may lose the device, leaving its data easily accessible to others. This is especially true of Windows Mobile devices, where there is no authentication system in place at the operating system (OS) level. This makes it possible for other users to see and copy your data without providing credentials. There are various options for securing your device, using either software or hardware. If your organization manages mobile devices, you may already have a well-established security measure that could secure mobile devices in case of loss or theft. When you are planning a mobile solution, you may want to contact your system administrator about the security options available to you and make sure that the solution works seamlessly with the existing security implementation in your organization.