Use of smartphones has taken off over the last 5 years, so much so that they are as common as a TV or a PC. Some companies provide smartphones for their employees and others participate in a bring your own device (BYOD) program, allowing employees to have a portion or all of their cell phone service subsidized by the employer. The smartphone is unique in being an endpoint for both a cellular network and the internet.
Hardening of these mobile devices, and also tablets, is often spotty, though many organizations are getting better at securing them. But even a regular user with a smartphone should be knowledgeable in the different ways they can secure their device to help protect themselves from some of the pitfalls that come with owning a smartphone. My goal is to provide an overview of measures that can be taken; additional research may be needed to get the detailed instructions for performing these functions on your specific device. The hope is that for the uninformed this will open some eyes to what is out there to help maintain privacy and keep your device safe.
It sounds obvious, but the first thing to remember is the importance of physical security with regard to your smartphone. Leaving your phone unattended makes it an easy target for someone to pick up and go through your text messages, Facebook messages, email, pictures and a variety of other information we have become accustomed to storing on our phones. Even worse, an unattended phone is an attractive target for theft.
The easiest way to keep your phone from being stolen is to keep it on your person when not in your home. A more persistent threat is leaving it on your desk while at work, then leaving your workspace, either for a meeting, lunch, or bathroom break. Rather than trust co-workers to leave your personal property alone, it is advisable that you take advantage of locking/unlocking your phone with a personal identification number (PIN) or a pattern lock. Some of the current generations of Android phones allow facial recognition for unlocking, though currently this method is not as secure as using a PIN or pattern.
In the event your smartphone is stolen, be advised that you can remotely wipe it. Obviously you’re still without your phone, but at least your data is not easily accessible to the thief. Some phones have remote wipe capability built in, while on others an app must be installed first to gain this feature. Some would argue that important/sensitive information should not be stored on a smartphone to begin with; regardless, it often is, and having a way to delete or destroy it in the event of loss or theft is at least a small comfort.
Apps are one of the defining features that give a smartphone functionality. There are apps for just about everything, but they are not all created equal. Apple, Google, and Microsoft all have their own app stores, as do some other vendors; one should be wary of installing apps from unknown sources. Furthermore, not all apps are well designed; some may contain security flaws that could be exploited at a later time. It may not always be apparent to a user if they are about to download one such app; however, it is worth noting that apps developed by inexperienced developers are more likely to have coding flaws than those from an experienced developer team. This is not always the case, but is often true. Apps from less than reputable sources may also contain malware or viruses. It is also instructive to pay attention to the permissions an app requires to run, e.g. if an app is designed to let you change the color of the font on your screen but needs permission to read GPS/location data, it may be wise not to install it. Finally, know what apps are on your phone. If you see an app on your phone and don’t remember installing it, it is possible that someone else got hold of your phone while it was unattended and put it there. This app may be supplying your information, such as texts or call logs, to the individual who installed it.
For the average user the smartphone doubles as their primary camera. By default most, if not all, smartphones have GPS enabled as well. This leads to photos taken with a smartphone including geotagging data, primarily revealing where the photo was taken. If the user takes many pictures of their children while at their home, a person who finds that phone if it is lost can extract that data from the digital photo and determine where the owner of the phone lives. These photos also contain other metadata, such as the type of phone used when taking the picture and the date and time the picture was taken. Using your phone in airplane mode will also prevent photos from recording geotagging data, but not the general metadata. These features are left on by default for smartphones, but with a few clicks can be turned off by the user to offer additional protection and privacy.
*Note: Many users share their photos from their smartphone directly to Facebook. While Facebook is not considered the vanguard of user privacy, the company does strip out this metadata when photos are uploaded, offering some protection to the user.
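The geotag and device metadata described above are stored in the photo file's Exif block. As an added example (not part of the original article), this Python code reads the phone model and checks for a GPS section in a JPEG, then removes the Exif segment so the file can be shared without it. The sample file, the "Phone-1" model string and all function names are constructed for illustration, and the code assumes a well-formed JPEG.

```python
import struct

EXIF = b"Exif\x00\x00"   # identifier that opens an Exif APP1 payload

def build_sample_jpeg():
    """Constructed sample: SOI, one Exif APP1 segment, EOI (no real photo data)."""
    model = b"Phone-1\x00"                                       # constructed value
    ifd0 = struct.pack("<HHHII", 2, 0x0110, 2, len(model), 38)   # 2 entries; Model at 38
    ifd0 += struct.pack("<HHII", 0x8825, 4, 1, 46)               # GPS IFD pointer -> 46
    gps = struct.pack("<HHHI4sI", 1, 1, 2, 2, b"N", 0)           # GPSLatitudeRef = "N"
    app1 = EXIF + b"II*\x00" + struct.pack("<I", 8) + ifd0 + b"\x00" * 4 + model + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_spans(jpeg):
    """Yield (start, end) of each Exif APP1 segment in the headers before image data."""
    pos = 2
    while len(jpeg) >= pos + 4 and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == EXIF:
            yield pos, end
        pos = end

def read_ifd(tiff, off, bo):
    """Map tag -> (count, raw 4-byte value field) for the IFD at offset `off`."""
    (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
    rows = struct.iter_unpack(bo + "HHI4s", tiff[off + 2:off + 2 + 12 * n])
    return {tag: (count, raw) for tag, _type, count, raw in rows}

def photo_metadata(jpeg):
    """Report the device model string and whether a GPS IFD with entries exists."""
    report = {"model": None, "has_gps": False}
    for start, end in exif_spans(jpeg):
        tiff = jpeg[start + 10:end]
        bo = "<" if tiff[:2] == b"II" else ">"          # TIFF byte-order mark
        u32 = lambda b: struct.unpack(bo + "I", b)[0]
        ifd0 = read_ifd(tiff, u32(tiff[4:8]), bo)
        if 0x0110 in ifd0:                              # Model (ASCII string)
            count, raw = ifd0[0x0110]
            text = raw[:count] if count <= 4 else tiff[u32(raw):u32(raw) + count]
            report["model"] = text.rstrip(b"\x00").decode("ascii", "replace")
        if 0x8825 in ifd0:                              # pointer to the GPS IFD
            report["has_gps"] = bool(read_ifd(tiff, u32(ifd0[0x8825][1]), bo))
    return report

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment cut out."""
    for start, end in reversed(list(exif_spans(jpeg))):
        jpeg = jpeg[:start] + jpeg[end:]
    return jpeg
```

To check one of your own photos, pass the file's bytes to `photo_metadata` before sharing and write the output of `strip_exif` to a new file if it reports a GPS section.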
Turning off your phone’s WiFi and Bluetooth when not needed will also offer additional protection. When these connections are open an attacker can use them as conduits to gain access to your mobile device. In doing so, the attacker may be able to see everything being done on that phone, including photos taken and messages sent or received, and conceivably your passwords as well. Many passwords are transmitted by the web browser in clear text, meaning if the attacker can intercept your browser’s traffic they will be able to see not only your username, but the password as well. Shutting off WiFi connections does not eliminate this threat entirely but it will greatly reduce the likelihood of occurrence.
It is also important to be careful where you choose to physically connect your cell phone. Many people connect phones to computers via a USB cable to facilitate easier data transfer. Connecting to a computer that is compromised means the mobile device is now compromised as well. Best practices would suggest users only connect their smartphone to a computer they trust, and never to a public computer, such as one on a college campus or at a city library.
Finally, while many of these steps can be seen as tedious or as taking away basic functions that make a smartphone “smart”, there is a feature users can add that will not hinder performance or capabilities, but still provide a measure of protection – encryption. Encrypting your phone’s data does not guarantee that it is safe from thieves, but it does mean it will be difficult if not impossible for a thief or attacker to make heads or tails of the data once they have it in their possession. Searching through your vendor’s app store will likely turn up a variety of apps that can be used to encrypt the contents of your mobile device; as with anything, research should be done to determine what best meets your needs.
Please note that many users will willingly choose to implement few or none of these measures; it is understandable that people want their smartphones to do many of the things I have suggested can be avoided, stopped, or turned off. Each individual must take stock of their environment and their needs before determining what actions are appropriate to take.