How can you stay safe when on the move?
Mobile computing has become a huge part of most people’s lives, but mobile security? That’s taking a while to catch up. While most of us know the basic rules for staying secure online or at home, knowing what to watch out for when we’re using our tablets and smartphones is a much different proposition.
For that reason, we’ve come up with this list of security threats to look out for when you’re using your mobile device, as well as what – if anything – you can do to combat them and secure your behaviour.
Data Mining Software
Most apps require a certain amount of information to do their jobs. After all, a messaging app would be useless without access to your contacts, and there’s no point trying to use a mapping application if you don’t allow access to your location.
But at the same time, not every app needs to access all your data. In much the same way that alarm bells should ring when a Facebook app wants to be able to see your friends’ contact details even if it’s just a personality quiz, you should be wary of giving apps access to details about you that they probably don’t need.
Luckily, most phones are now good enough that you can exercise some granular control over the access different apps have, as long as you make sure you go and turn it off. If an app is requesting access to something it doesn’t need to function, chances are that it’s harvesting that data for a secondary purpose – and there’s no guarantee that purpose isn’t malicious. Be vigilant about the data you give away.
Jailbreaking & Rooting
If your phone is locked or otherwise restricted, it can be tempting to jailbreak or root it and use custom-written software to add features that you otherwise can’t access.
However, this has the secondary effect of changing the security of a device. Jailbreaking and rooting usually requires genuine security features to be either disabled or circumvented, and custom software to be installed. This doesn’t just open existing security holes – it can create new ones.
Jailbreaking and rooting a device is especially dangerous if you’re using it to install third-party or even pirated software. There are no checks and controls on programs that originate outside of official channels, so the likelihood that they’ll be malicious is considerably higher.
Furthermore, jailbroken devices are often divorced from manufacturer updates so as to preserve the integrity of the modified software. Although the jailbreaking scene normally releases updates each time a new official version of your device’s OS or firmware is released, it can take weeks or even months to happen – during which time your jailbroken device is vulnerable to security holes that have already been identified.
Essentially, if you want to keep your device secure, then you’ll have to avoid jailbreaking it altogether. That may be disappointing, but it’s also true.
Malware Apps
While some apps mine your data as a secondary function, at least they’re doing so in a legitimate (if sneaky) way. That makes it easy to disable and uninstall them if you decide the trade-off isn’t worth it.
Unfortunately, mobile malware is getting more and more prevalent. Malware apps can mine data, alter browsing behaviour and even outright steal information that they shouldn’t have access to such as passwords and credit card details.
Although iOS devices were, historically, less vulnerable to malware than more open platforms, it has been shown that it’s possible to acquire enterprise-level privileges to circumvent App Store controls and get malware onto phones without going through the traditional (and incredibly secure) App Store. Apps based on the WireLurker malware in particular could gain access even to iOS devices that hadn’t been jailbroken.
Beating malware of this kind is quite difficult but largely relies on you keeping your software up to date to ensure that security loopholes are closed, and staying vigilant about the source of your apps. Don’t sideload them or use third-party app stores unless you’re 100% confident of the safety and integrity of the software.
Man In The Middle Attacks
Although most of us have a mobile connection on our smartphones, the cost and coverage issues means that a free wi-fi connection is almost always a more attractive option when it’s available. And on mobiles and laptops, it’s usually the only option.
But public wi-fi can be incredibly insecure. For one thing, you can’t verify the setup of the connection or the integrity of computers using it. In many cases you can’t even be sure that you’re connecting to an official wi-fi source or a ‘honeypot’ network set up to capture people and devices.
If a wi-fi connection is insecure, this constitutes a ‘man in the middle’ attack, because the sender’s system is secure, the recipient’s system is secure, but the connection between them has been compromised. It allows for real-time monitoring of web traffic and data, which can deliver all sorts of sensitive information to hackers. By stealing cookies and session IDs, they may even be able to gain access to your account without needing a password or further verification. They could even use DNS servers that direct your requests to insecure login pages without you realising.
There’s not a lot you can do to prevent this kind of attack other than avoid public wi-fi completely, but a comfortable middle ground might be to avoid accessing online banking or using your credit card online while you’re connected to a public hotspot. Even just temporarily disabling your wi-fi while you conduct a sensitive transaction is better than nothing.
Lost And Stolen Devices
If your tablet or smartphone gets stolen, the financial loss can be irritating, but that shouldn’t overshadow the more serious concern: all of your data was on that device. That means passwords, email access and who knows what else.
Obviously, no one plans for their mobile device to get stolen, but there are things you can do to make sure that if the worst happens, you aren’t giving your entire identity away with it.
The first is to make sure it has a passcode (or some other security measure) on it. Once your phone is locked, it’ll become virtually useless to anyone trying to get data off it without specialist software, and most of the time they’d rather just wipe it and sell it on than persist with trying to break the passcode.
Secondly, installation software that can help you locate a lost device or at the very least wipe it remotely. As soon as the device connects to a mobile or wi-fi data signal, these programs issue a command that cleanses it of all personal data, so at least you’ll know it can’t be stolen even if it’s distracted.
Finally, make a note of the phone’s IMEI number. This is a unique identifier, which mobile providers can use to disable the handset at a network level, ensuring that it’s useless to anyone who tries to use it once you’ve reported it as stolen. That won’t necessarily secure your data, but it will discourage thieves from stealing handsets in general!