Smartphone security: Keep your handset safe
- 12 January, 2011 02:07
Once upon a time, a phone was just a phone: It simply made and received calls. The only security you worried about was if someone had picked up in the other room to listen in.
Flash forward to 2011, and the line between phones and computers has all but vanished. In fact, your smartphone is likely more powerful and feature-rich than your desktop computer was just ten years ago.
With that increased utility, though, comes more vulnerability. Having a wealth of information--personal and otherwise--in your device makes your phone a target, and as the bad guys ramp up their efforts to infiltrate it, the good guys are gearing up their efforts to keep the bad guys out.
Does Smartphone Security Really Matter?
The short answer is yes, absolutely, more and more. The degree to which it matters, however, depends on the individual user, or the individual company.
Threats to your mobile security are not always easy to see. They range from the simple (such as when someone finds your phone and reads all of your e-mail) to the highly complex (such as Trojan horses, viruses, or third-party apps that share your personal information).
Here are some common security risks, with tips, tricks, and tools to combat them.
Don't Lose Your Phone
This may seem like a no-brainer, but don't put your phone down on a bar (especially if you work for Apple and have a prototype that no one is supposed to see). If you're in a public area, don't put it in a pocket or an open bag where it's visible and could be grabbed easily. Obvious suggestions, sure, but these kinds of on-the-street situations account for most cases of phone theft.
Your First Line of Defense
Set your phone to lock, or time out, after a certain period of inactivity, requiring a password to get back in. All of the major smartphone operating systems support this function.
You'll want your password to be something hard for you to forget and easy to type since you'll enter it frequently throughout the day, yet difficult for someone else to guess. Anything containing your name, information found on a driver's license, or a number as simple as "1234," for example, are not good passwords.
Here's how to find time-out settings on various smartphone OSs:
- Android: Previously, Android supported only pattern unlock (in which you draw a pattern to access the phone), but with version 2.2 of the OS, it now supports PINs and passwords. From the home screen, press Menu, Settings, Location & Security, and under Screen Unlock you'll find many options for setting passwords. To set the screen time-out, however, you must go back to the Settings menu and this time click Display. (Hint: If you decide to go with the pattern unlock, create a complex one that crosses over itself, or someone might deduce your pattern from the repeated smudge marks on your screen).
- BlackBerry: From the home screen click Options, Security Options, General Settings. There you'll see options to enable the password, set or change the password, and set the security time-out options.
- iOS: Earlier versions of iOS allow only for a four-digit PIN unlock code (which isn't ideal). Luckily iOS 4 introduced the option to set a longer password. Open the Settings app, and then select General, Passcode Lock. Just above Passcode Lock is the Auto-Lock option, which controls the time-out.
- Windows Phone 7: Open Settings, and then select Lock and Wallpaper. From there you can set or change the password, and also set the screen time-out.
Your Second Line of Defense
Remote wipe, plus the aforementioned password protection, is the bare minimum that most IT departments will require, although the specific steps you'll need to take very much depend on the level of security at your company.
Remote wipe means that if your phone is lost or stolen, you can remotely clear all of your data--including e-mail, contacts, texts, and documents--off of the handset, thus keeping that information out of the wrong hands.
You or your IT department can set this feature up for any of the major OSs, as well as use Microsoft Exchange to wipe the device (provided that you have an Exchange account). Those people without Exchange accounts or IT departments have other, simpler options.
- Android, BlackBerry, and Windows Phone 7: If your OS is among one of these, you're in luck, as you can find many fantastic third-party applications that allow you to remotely wipe your device. Lookout Mobile Security is just one example that not only enables you to wipe your device via the Web but also lets you track a lost device through GPS, back up your data over the air, and even scan for viruses. Its basic version is free, but to enable advanced features such as remote wipe you will have to pay for a Premium account ($3 a month or $30 a year). You'll encounter big players in the security-app game, too; for instance, NotifyMDM, Symantec, and Zenprise sell multiple-mobile-device management systems to companies.
- iOS: iPhone remote wipe is a bit trickier. If you have iOS 4.2 or higher, you can simply download the Find My Phone app from the App Store, and enable it in MobileMe in the Settings app. If you lose your phone, you can log in using MobileMe via Apple's Website to track it, display a message, or wipe it. If you have an older version of iOS, though, you'll need a paid MobileMe account, which costs a steep $99 a year. Plus, you'll have to enable the function by going to Settings, choosing Mail, Contacts, Calendars, and clicking Fetch New Data then Enable Push. Afterward, return to the 'Mail, Contacts, Calendar' screen and select your MobileMe account.
Note that all of the apps and services mentioned in this section, as well as other tools (such as Mobile Defense and Where's My Droid?), can help you find your phone via GPS. These apps have drawn attention lately, as their usage has led to the arrest of several thieves and carjackers.
Next page: How to keep malware out, plus which phone OS is the safest
Trojan Horses, Malware, and Viruses
"As there gets to be hundreds of millions of smartphones out there, that becomes a bigger target for attackers," says Ahmed Datoo, chief marketing officer for Zenprise. His firm creates software that enables a large company's IT department to scan all devices in the system at once, remotely, to make sure no malware has snuck in.
"We have seen a rise in malware across the board for all platforms. Lately it's been focused on the newer devices with greater adoption: iOS, Android," he says.
And if you're thinking that kind of thing results only from installing pirated software from sketchy Websites, be forewarned that attacks can also occur in official app stores.
What should you do? Consumers should turn to third-party apps once more. If you're on Android, BlackBerry, or Windows Phone 7, again consider Lookout: It scans your phone for malware and spyware, even examining any application you download. That said, it could still miss a nasty SMS or MMS script, so think twice before you open an MMS item from someone you don't know. Symantec, which makes business-level products for virtually every mobile platform, also creates consumer-level tools for Android and Windows Phone 7; more software like Mobile Defense is emerging, too.
iOS doesn't really have antivirus apps available on a consumer level, relying instead on Apple's stringent App Store policies to keep out malware. Considering the scale and speed at which apps are submitted and approved, though, things are bound to slip through the cracks. The potential for human error is just too great to deny. On iOS you can use the Trend Smart Surfing app, which blocks access to Websites known to contain malware or potential phishing attacks. It would be nice to see more protection for various inboxes, though.
Third-Party Apps That Share Too Much
When you install a third-party app, you grant it certain privileges. Those privileges may include access to your physical location, contact information (yours and that of others), or other personal data. Most of the time an app will be fine, but how do you know what its makers are doing with those privileges and your information? The short answer: You don't.
Most phone OSs try to handle this problem with a centralized application-store screening process, attempting to weed out any bad eggs before they get in. Again, however, undesirable things slip through.
Android takes a different approach, having looser central control but providing the end user with more information. Before you install an application on Android, the app must ask you for specific permissions. Don't simply ignore such messages. If you're just trying to install a simple wallpaper, ask yourself why it needs access to your contacts and your location. Be judicious when granting permissions.
Additionally, with all platforms, always pay close attention to app ratings and read the comments to see what other users have said. If an app has merely 50 downloads and a two-star rating, do a little digging and find out why. The best protection here really is common sense. Failing that, Lookout Premium can provide you with an overview of the permissions you have granted.
Even major companies including Facebook and Pandora have been sharing (read: selling) more user information than was commonly thought. Your options are pretty much limited to avoiding these applications or starting a letter-writing campaign.
Which OS Is the Most Secure?
There is no easy answer to this question. All of the major smartphone OSs have made significant strides in the last year.
"From an enterprise control and security standpoint, BlackBerry is still the gold standard," says Khoi Nguyen, director of product management for mobile security at Symantec. RIM's phones also feature advanced, devicewide encryption--including for the SD Card--that's cleared for usage at some of the highest levels of government.
Yet in the last six months Apple and Android have expanded support for security management, and more companies appear comfortable using them, Nguyen adds. Also, to enable further security, device manufacturers such as HTC and Motorola have added proprietary software on top of the various OSs their phones support.
With Windows Phone 7, Microsoft is following a similar strategy to that of Apple and Google in that it's starting out by keeping its mobile OS consumer-focused. The company is likely to add more business-friendly security in days to come, however.
One of the biggest holes in Android's security that's slowing its mass adoption in the business world is its lack of encryption, especially on the SD Card. That's a significant risk for business users, who save their e-mail attachments on unencrypted SD Cards.
BlackBerry phones offer the option to encrypt SD Cards, whereas iOS and Windows Phone 7 do not currently support removable storage. That said, many companies are willing to accept phones with unencrypted SD Cards, as long as remote wiping is set up. This arrangement will be fine for most consumers, too. It's important to note, though, that in order to wipe a phone remotely, it must be powered on and have a data connection. So if someone pulls the battery out of your Droid before you wipe it, you cannot erase your SD Card.
Smartphone Security For the IT Crowd
The enterprise ecosystem has changed dramatically in the past year. Each end user wants to stick with the device they prefer personally, and they want to use it for work. Denying them that freedom doesn't always go over so well.
"The days of the IT department trying to regulate what devices users can and can't have--that battle is lost. So they should focus on their real mission, which is providing security to their users," says Datoo of Zenprise.
With so many platforms and new devices flooding the market, how can the IT pro at a small company possibly develop software to track them all, and keep them virus-free? More companies are turning that job over to software developers such as NotifyMDM, Symantec, and Zenprise, which enable management of a company's devices from a single interface.
Third-party software allows an IT admin to search all devices at the same time--whether for 5 or 57,000 users--while still accommodating the latest, most cutting-edge phones.
It's a brave, new, constantly evolving world out there. While we have yet to see an attack on smartphones that rivals the scale of PC attacks, attempts are becoming more and more frequent, and they will continue to proliferate. Critical thinking and your browser's search button may always be your best line of defense.