This month is National Cyber Security Awareness Month.
Each week within October will take on a different theme, with this week’s being ‘Mobile’.
So, with that in mind, we thought we’d prepare some tips to help keep your smartphone safe.
1. Always secure your smartphone with a password
One of the most basic security tips, but one which is sometimes completely overlooked! Having no access protection at all is just foolish. Swipe patterns are ok, but greasy finger-trails could reveal too much.
A four-digit PIN is an improvement but using a strong passcode is the ideal phone protection.
2. Ensure that your device locks itself automatically
If you set up password-protection on your phone but then leave it unlocked on your desk for 15 minutes, you won’t have achieved very much. Most smartphones allow you to set them up to automatically lock themselves after a period of inactivity.
Make sure you choose the shortest timeout you are comfortable with. Two to five minutes is better than ten to thirty, even if it does feel slightly inconvenient.
3. Install security software
Your smartphone is a computing device and should be protected accordingly. Look for an app like Sophos Mobile Security that includes malware prevention, remote data wipe, privacy review of apps and an automatic security advisor to alert you to potential risks when you change a device setting.
If you’re in charge of securing your organisation’s phones and tablets, then choose a mobile device management solution like Sophos Mobile Control.
4. Only download apps from approved sources
The Google Play Store and Apple’s App Store take security pretty seriously. They are very careful about what apps they make available and will withdraw apps that raise concerns after release.
Read user reviews of apps before installing them – if there are any security concerns then someone else may well have mentioned them.
5. Check your apps’ permissions
Many apps require more than the basic default permissions. For instance, you can reasonably expect an SMS app to send and receive text messages just as a mapping app will request your GPS location.
But something like a calculator that needs network access or an alarm clock that wants to read your contact database should be treated with extreme caution!
6. Don’t miss operating system updates
Updates to your OS often include system vulnerability patches, so it’s important to install them.
You might want to be advised of updates rather than having them automatically installed, as early adopters sometimes experience teething problems – but the forgetful among you may prefer automatic installation to missing updates altogether.
7. Be wary of any links you receive via email or text message
Now that you can pick up email on your phone, exercise caution when clicking on links. And phishing scams are not limited to email – a text message can incite you to click on a dodgy link or ask for personal information.
Even simply replying to unknown SMS or email senders can raise the crooks’ interest in you, leading to more pressure to respond.
8. Encrypt your smartphone
Even if you’ve secured your smartphone with a password, a thief could still plug your device into a computer and gain access to all of your personal information. Using encryption on your smartphone can help to prevent such data theft.
9. Turn off automatic Wi-Fi connection
One of the great things about modern mobile phones is their ability to connect to the internet in many ways, but continually probing for wireless networks gives away information about your identity and location, and blindly connecting to unencrypted access points can let your phone leak all sorts of useful things for malicious actors to intercept and act upon.
So tell your phone to forget networks you no longer use, to minimise the amount of data leakage, and configure your phone to automatically turn wireless on or off in certain places using a location-aware smartphone app.
10. Turn off Bluetooth and NFC when not in use
Bluetooth and NFC (near field communication) are great in terms of connectivity, allowing you to use accessories such as wireless keyboards and headsets or make payments with a wave of your smartphone.
But they do open a door for the bad guys to gain access to your device and your data, so you should either switch these features off or put your device into “not discoverable” mode whenever possible. Also, be careful when pairing devices – never accept requests from unknown devices.
If you’re responsible for mobile security at work, you might like to read our practical advice for handling smartphones in the workplace.
And if you’re interested in reading other stories related to National Cyber Security Awareness Month, read the 3 essential security tasks you can do for your family today and our 10 topical security tales.
Images of smartphone, apps and Wi-Fi courtesy of Shutterstock.
10 tips for securing your Android/iPhone
OR
use a Windows Phone :p (well, a little exaggeration maybe, don't forget 1 and 2)
What Apps are there that can automatically turn WiFi on or off?
For Android I use on{x}, www.onx.ms, which funnily enough has been created by Microsoft.
You can set up rules for just about anything. I'm sure there are many other alternatives out there too.
Point 5 says 'check the app's permissions', which I did. How come so many permissions to use the Sophos apps? Seems all a bit over the top to read all my contacts and be able to modify them.
I can't answer with specific per-permission explanations (probably ought to learn, though 🙂) but security apps – ours and our competitors' – all face this ironic problem: to protect you as thoroughly as we can, including shielding you against abuse from apps that ask for lots of permissions, we have to ask for lots of permissions.
Remote wipe, loss notification, message filtering and so forth all require permissions such as 'make and receive calls' or 'trawl through the contact database.'
In reality, the advice to "check an app's permissions" often doesn't help a lot on Android. If an app needs some network connectivity you have to give it all network connectivity.
On the other hand, permissions can be very useful when choosing between two apps with similar functions.
(For example, I found two compass programs I liked. One wanted permissions that suggested it would send geolocation data over the network; the other wanted no special permissions at all. So I chose the one that *couldn't* talk on the network, rather than trying to fathom what the other one was up to.)
I do the exact same thing. A calculator program that wants Network Connectivity, no sir! I just don’t care if it’s better, I just look for another one.
What about iPhone tips? I can't seem to find Sophos anti-virus for iPhone.
An iPhone anti-virus (at least, one not baked into iOS by Apple) is effectively impossible.
There are strict rules that limit what third-party iOS software *can* do, and a limit to what it *may* do if it is to win App Store approval. In particular, the places where it can slot into the operating system are strictly limited, so that malware prevention is pretty much impossible. For example, you can't have a so-called "file filter," so you can't validate new content as it arrives. All you can do is tell someone they're pwned after it happens.
(Some of the same limitations, by the way, apply to OS X, which is why our free Sophos Anti-Virus for Macintosh is not available from the App Store, but only via http://sophos.com/freemacav – to get it into the App Store we'd have to neuter it pretty much to the point of uselessness.)
Since the App Store is the *only* place for iPhone and iPad apps, that's that for anti-virus.
You do get anti-virus software via the App Store, but my feeling is, "Beware." It can't really work like an anti-virus should.
Sadly, there is no place for security innovation by third parties in the iOS ecosystem.
I think Apple ought to change that (even if they put stiff technical and quality hurdles in place for "system-approved" developers), but I would say that, of course.
Apple would probably say, "App store vetting has done us fine so far, without needing to let third parties meddle in the iOS kernel, and that's the way we like it," but they would say that.
Impasse 🙂
Following on from this post, what security measures would you recommend we employ if selling phones?
Many people use the re-sale value to offset the latest and greatest phone but I've often wondered about the data on them. Obviously wiping the phone before sale is a no-brainer but how secure is this? I doubt anyone reading this site would simply rely on a Windows format of their hard drive/USB drive before selling it on.
So if someone wants to sell their iPhone on eBay should they/can they rely on the Apple standard reset function? Somehow I doubt it.
Do you know of any third party tools to securely wipe smart phones of their data?
A complete factory reset will probably be the best you can do – outside physically shredding the device.
I'm more worried about NFC on phones and wiping this information on phones being reissued and making sure the links to any accounts etc. are wiped out.
Correct me, readers, if I am wrong here…but IIRC an iPhone is always encrypted, even if you don't have a passcode or decryption key of your own. In that case, the decryption is stored directly on the device and supplied at startup automatically.
This is not as absurd as it sounds: it means that if you wipe the key, you effectively wipe the whole device, since no-one can decrypt it, so the whole disk turns into shredded cabbage.
As a result, wiping the device should be pretty reliable (and quick, since it relies on overwriting one sector of the flash disk, not the whole thing).
On Android, encryption of the whole device is not on by default.
If you turn it on, IIRC it encrypts every sector. That takes hours, but if you subsequently reset the device, you can IMO be more certain that the reset was effective.
In short, encryption plus wipe is your friend, at least on iOS and Android.
As an older person, I removed the password protection from my phone because I want the "In Case Of Emergency" information to be available in case of an illness or accident. That seems to me to be of utmost importance. What do you think?
What about putting it into the wallpaper image on your lockscreen? Or even a good old fashioned sticker on the back of the device?
That way it's more openly visible, I admit, but you don't have to leave the whole device unlocked just to give out a small amount of data. (Probably just one or two phone numbers, right?)
On Android 4.x (and possibly other versions) go into Settings – Lock Screen – Owner Identification. There you can input text that is displayed on the lock screen. For instance, "If found or in case of emergency, call this number."
My phone allows you to access those I've flagged as emergency contacts even while locked… granted I'm not sure people would know how to do that if I was unable to explain it. I like to hope emergency personnel might know those things.
I'd also suggest turning location off, and only turn it on when you need it for a specific task, and then turn it off again. Geo tags in photos are a problem.
I went through this list and had never thought of turning off the bluetooth, granted I've never had the name visible unless trying to pair. I continually turn off the wi-fi, but for some reason it often turns itself back on and searches for networks which drives me crazy.
After reading this I started trying to remember to turn my bluetooth off too (just to create good habits with being aware of my connections) – and yesterday something weird started. I have two devices that come up when it scans no matter where I am. At home, at work, at lunch, doesn't matter – they're always available (they weren't in the past). One says it's a Blackberry (I don't have one) and the other is an odd name. Why would the same two bluetooth connections be continually available regardless of where I am?
3 tips for securing your smartphone:
1. don't use it
2. throw it away
3. use a classic phone instead
This doesn’t shield you from social engineering. People can still be persuaded to give up information over a landline. But you won’t have to worry about apps being manipulated by malicious code.
Does anyone sell “classic” phones anymore?
I see lots of comments about iOS and Android but nothing about Windows phones. Does this mean that mine is safe?
Some thoughts to add to your useful article.
My phone came with security software (not Sophos) that made it unusable and I ended up taking it off. Security has to be usable.
Windows 10 phones will have some good security features.
There are phones available that will only provide calls. Great if you don’t want all the extra features. Only issue with them is you can’t use silentcircle.com to ensure your privacy. I still have a Motorola 3300 brick phone working on Vodafone 🙂
Bluetooth is often necessary for things like hands free in cars, fitness gadgets and smart-watches. It’s down to the user to balance risk/reward. I often turn off wifi, it saves battery as well as giving better security. Do people turn off GPS as well?
Another tip for making your smartphone secure is moving away from total usage of cloud when it comes to syncing sensitive data.
Do you have any update for this post?
Thank you