Mobile Device Security
Last week we covered the topic of email security. As mentioned at that time, the second most common way to communicate these days, apart from email, is via mobile devices, especially smartphones. They are great devices that make our busy lives easier to manage, but as with any convenience, the multitude of functions available through a smartphone or other mobile device comes at a price, starting with the device itself. By this I mean the geolocation function, which has a lot of pros, but the disadvantage is that ‘Big Brother’ always knows where you are.
So, just as with our post about enhancing your email security, here is some advice on improving the security of your mobile devices and increasing your privacy.
1. Encrypt your devices
Ever wondered what might happen to all your personal information if you lose your mobile device or it is stolen? A good practice is to encrypt your data to keep it safe from unauthorised physical access. You can do this in Settings: go to Security / Encryption on an Android device, or to TouchID & Passcode / Data Protection on iOS.
2. Turn off connectivity features not in use
WiFi, Bluetooth, NFC and the like are all ways your device communicates with other devices. Malicious actors can use these two-way channels to access the device stealthily and without our consent, exploiting known vulnerabilities in these communication paths. Therefore, always disable these features when they are not in use.
3. Only keep apps you are using
Don’t keep apps on your device that you don’t particularly use. Firstly, apps often collect various data about your activities; secondly, as they often run in the background, they slow down your device.
4. App permissions
Often, apps will ask for permissions that they absolutely don’t need for the job they are designed for.
5. Only install apps from a trusted source
To avoid the possibility of installing unwanted code on your device, download apps only from the Apple App Store and Google Play Store, where apps are scanned and cryptographically signed (making them less likely to contain malicious code). To further improve your security, avoid downloading .apk or .ipa files from an unverified source. It is also a good idea to check the app’s reviews before downloading.
6. Beware of phone charging threats
Your device can be hacked (your data stolen or malicious code installed) when you use a public charging station. This is called juice jacking, and it can be mitigated by using a power bank, an AC wall charger, or a data blocker: a device that blocks data transfer when connected to a mobile device, allowing only electricity to pass through to charge the battery.
8. Use offline maps
The map apps we use on our mobile devices, such as Google Maps, are a potential avenue for data and privacy leaks, as they collect plenty of private data. Consider using an offline maps app if possible.
9. Opt out of personalised ads
You can reduce, to some degree, the amount of information Google collects about you by opting out of personalised ads.
10. Erase the device after too many login attempts
Although it comes at the cost of potentially losing all your data, you can set your device to erase itself after a set number of failed login attempts, in case an attacker attempts to brute-force your PIN/password. Syncing your device with the cloud for backup is strongly advised with this solution.
10. Tracker monitor
Apps can collect a lot of data about you. To find out what permissions an app has and what trackers are embedded in it, you can use a service called Exodus, which lets you search apps by name to check their impact on your privacy and security.
11. Use a mobile firewall
To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will allow you to block specific apps from making data requests, either in the background, or when on WiFi or mobile data.
12. Orbot for Tor traffic
You can install Orbot, a free proxy server from the maker of the Tor browser, for anonymity on the web and for protection from public WiFi threats.
13. Avoid custom virtual keyboards
You can download and use third-party keyboards on both Android and iOS. These apps will be able to access everything that you type on your phone/tablet: passwords, messages, search terms etc. It is recommended to stick with your device’s stock keyboard. If you choose to use one of these apps, ensure it is reputable, block its internet access (which can be done with a firewall app), don’t grant it permissions it does not need, and turn off analytics or other invasive features in its settings.
14. Regularly restart your device
Over the years there have been vulnerabilities relating to memory exploits. Restarting your device at least once a week will clear the app state cached in memory.
15. Avoid SMS
SMS is probably one of the most common ways of sending messages, but it is not particularly secure. The SMS protocol has been known to be susceptible to threats such as interception, SIM swapping, manipulation, or malware. It is best to avoid using SMS for 2FA; use an authenticator app instead. For communication purposes, use an encrypted messaging app such as Signal.
16. Keep your number private
There are apps available that will allow you to create and use virtual phone numbers. This is especially useful if you don’t want to give out your actual number and need different numbers for the sake of compartmentalisation.
17. Watch out for stalkerware
Stalkerware is malware that can be installed directly on your device by someone who has direct access to it. It allows the stalker to see your location, messages, and other data remotely. Most likely the stalkerware will be disguised on the device as an inconspicuous app such as a game, a flashlight, or a calculator. It might be difficult to spot; what might give it away is unusual battery consumption, network requests or high device temperature. If you suspect stalkerware is installed on your device, the best way to get rid of it is to perform a factory reset.
18. Use in-browser apps instead of dedicated apps
Where possible, consider using a secure browser to access sites, rather than installing dedicated applications. Both Android and iOS applications often have invasive permissions, allowing them intimate access to sensitive data and your device’s sensors and radios. But the extent of what these apps can access is often not clear, and even zero-permission apps can see more data than you think: accessing phone sensors and vendor IDs, and determining which other apps you have installed. All this is enough to identify you.