Right now, it’s Mobile World Congress week in Barcelona, Spain.
With tens of thousands of visitors each year, the event really does put the G-for-Global in GSM.
This year’s theme is “Creating what’s next,” which is both a challenge and a threat.
Because three of the things that are coming next, without doubt, are growth, growth, and growth.
After all, in just under six years, Apple’s App Store has become home to more than 1,000,000 apps, and has served up 60,000,000,000 downloads.
Not to be outdone, in just over five years, the Play Store of rival mobile operating system giant Google has racked up similarly impressive numbers, with more than 50,000,000,000 downloads chosen from a catalogue of over 1,000,000 apps.
Clearly, there are massive – truly massive – fortunes to be made in the online digital distribution of apps.
As a result, you can imagine how interested cybercriminals have become in the mobile ecosystem.
The obvious way for crooks to slice off their unlawful portion of mobile app revenue is through malware, and that has indeed been one of the main weapons in their armoury.
So, to coincide with the Mobile World Congress (in which Sophos is participating), Vanja Svajcer of SophosLabs has produced a Mobile Security Threat Report that makes fascinating, if slightly uneasy, reading.
Many Sophos Naked Security readers will already know Vanja – he’s a friend of, and a regular contributor to, this site.
He’s also a talented and thoughtful researcher, so his paper is well worth a look. (Direct PDF download. No registration or email address required.)
Nevertheless, as Vanja points out, the mobile threat isn’t only about malware.
Even legitimate apps can put your privacy and online security at risk.
Sometimes, they aren’t written with the same care and attention to security as programs such as your desktop web browser or your email client.
And sometimes they stretch the boundaries of legitimacy more than you might ever have expected.
For example, a recent survey suggests that 40% of mobile banking apps don’t even bother to check the SSL/TLS certificates used to secure their web connections back to the bank.
So you could be using an app that is approved by Apple, and actively promoted by your bank as “the right way” to do your online transactions, yet end up being undetectably phished by an impostor server run by anyone sitting between you and the bank, such as the operator of a rogue Wi-Fi hotspot.
And mainstream iOS social media apps have been caught out siphoning off your entire contact list, without permission, as soon as you install them.
Worse still, they exfiltrated (OK, uploaded) the data using an unencrypted connection, potentially leaving it open for eavesdroppers to collect and sell on.
What to do?
Vanja’s paper has ten detailed tips on securing yourself in the modern mobile world, and I urge you to review them.
In the meantime, here are three more security ideas you might like to consider for your mobile digital lifestyle:
1. Encrypt and password-protect your device
Apple encrypts the data on iPhones and iPads by default, but doesn’t require a passcode.
(That’s not as silly as it sounds: wiping the device in an emergency is quicker if all you have to do is overwrite an encryption key instead of overwriting all the data sectors.)
Without a passcode, though, that encryption mostly buys you the fast wipe, not protection from whoever picks up the device: the keys needed to read your files are unlocked as soon as the phone boots, because there is no secret of yours to tie them to.
Android offers device encryption as an option, but doesn’t turn it on by default, and doesn’t require a passcode either.
Passcodes and device-level encryption are serious security features – use them both!
Don’t be like Yahoo CEO Marissa Mayer, who famously said, “I can’t do this passcode thing, like, 15 times a day.”
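The “overwrite the key instead of the sectors” idea above is worth seeing in working code. The following is an added example in Java, not part of this article or of Apple’s or Google’s implementations; it stands in for a data partition with an in-memory buffer, encrypts it under one random key with AES-GCM, and then “wipes” by zeroing the 32-byte key. Because GCM authenticates the ciphertext, a read with the destroyed key fails outright rather than returning garbage, and the cost of the wipe does not grow with the amount of data. The 16 MiB buffer of random bytes is constructed here purely as sample input.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative only: a real device keeps the key in hardware-backed storage
// and wraps it with a key derived from the passcode.
public class CryptoErase {
    static final int IV_BYTES = 12;
    static final int TAG_BITS = 128;

    // Encrypt the whole "partition" under one key (AES-256-GCM, single IV).
    static byte[] encryptPartition(byte[] key, byte[] plaintext, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(plaintext);
    }

    // Decrypt; throws AEADBadTagException if the key is not the one used to encrypt.
    static byte[] decryptPartition(byte[] key, byte[] ciphertext, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[32];                 // 256-bit key (needs JDK 8u161+ or the unlimited-strength policy)
        rng.nextBytes(key);
        byte[] iv = new byte[IV_BYTES];
        rng.nextBytes(iv);
        byte[] userData = new byte[16 * 1024 * 1024]; // constructed sample "partition": 16 MiB of random bytes
        rng.nextBytes(userData);

        byte[] storage = encryptPartition(key, userData, iv);
        boolean readable = Arrays.equals(decryptPartition(key, storage, iv), userData);
        System.out.println("readable with key: " + readable);

        // The fast wipe: destroy 32 bytes, leave the 16 MiB of ciphertext where it is.
        long t0 = System.nanoTime();
        Arrays.fill(key, (byte) 0);
        long keyWipeNs = System.nanoTime() - t0;

        try {
            decryptPartition(key, storage, iv);
            System.out.println("BUG: data still readable after key erase");
        } catch (AEADBadTagException e) {
            System.out.println("after key erase: ciphertext is unreadable (" + e.getClass().getSimpleName() + ")");
        }

        // The slow wipe the passage contrasts it with: overwrite every sector.
        t0 = System.nanoTime();
        Arrays.fill(storage, (byte) 0);
        long dataWipeNs = System.nanoTime() - t0;
        System.out.printf("key erase: %d ns, full overwrite of %d bytes: %d ns%n",
                keyWipeNs, storage.length, dataWipeNs);
    }
}
```

The numbers printed are from RAM, so the gap is modest; on a 64 GB flash chip the full overwrite takes minutes while the key erase still takes a few nanoseconds. The caveat a practitioner should carry away is that the erase is only as good as the key’s unrecoverability: a key that also sits in a cloud backup, a swap file or an unflushed cache has not been wiped.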
2. Meet your company half way on BYOD
BYOD, or Bring Your Own Device, is where a company agrees to let you use your own mobile device at work, provided that you agree to some limitations.
Some users bristle at this, seeing it as overly prescriptive or intrusive, but with a bit of give-and-take from each side, you’ll probably end up more secure both at work and at home.
After all, agreeing to let the IT department remotely wipe your phone if it’s lost or stolen won’t just benefit the company by protecting work data from compromise, it’s very likely to protect details of your personal life from exposure, too – photos of your children, emails on family matters, your banking records, and so forth.
If you really want to keep your personal and business lives separate, get used to carrying two phones and consider it a security feature, not an imposition.
3. Try our Privacy Diet.
Features on your mobile like always-on geolocation (so software can adapt automatically to your situation) and Wi-Fi (so you automatically use cheaper connections than 3G whenever possible) are extremely handy.
But do you need them? Do the benefits really outweigh the risks?
Our Privacy Diet will help you find out.
4. Try Sophos Anti-Virus for Android.
Our fourth of three tips is a bonus suggestion for Android users: please try our free Sophos Anti-Virus for Android. (From the Play Store, free, no ads, no timeout.)
It scans apps when you install them, protects you from malicious websites as you browse, gives you loss and theft protection, includes a handy privacy advisor, and more.
As we said above, mobile threats aren’t all about malware, but on the comparatively open Android platform, malware is a clear and present danger.
12 comments on “Are you safe against mobile threats? Check out our tips for keeping the crooks away…”
“Apple encrypts the data on iPhones and iPads by default, but doesn’t require a passcode…Android does neither.”
What about Windows 8?
.ashx file? Really?
It’s a web page. That page has a range of download links relating to the report. You’ll like it. Honest 🙂
It’s a PDF file. Open it with your favorite PDF viewer (after scanning it, of course.)
Oops. Sorry, I misread that as “.aspx,” the extension on the links in this article. In my Firefox the .ashx link opens in the internal PDF viewer.
If I were King, the first URI would end “.html” and the second would end “.pdf”. But I am not King (just as well, probably) and the web is awash with absurd URIs these days, so I have sort of stopped noticing or caring. I am not sure if that is good, bad or indifferent.
But yes, those .ashx links end up as PDFs.
[ Smiles ] I totally agree with the idea of installing an antivirus for Android. It is better to be safe than sorry!
I use Sophos on my new Nexus 5, I took care and the time to go through all this app’s features. I had to add one more app to complement the first Sophos security app. The second app was also a Sophos product. I am now satisfied that my phone is fully secure even if I hand it over ‘open’ / unlocked! Only the functions that I have chosen to leave ‘open’ can be accessed. It’s a simple solution for doting fathers who give their kids their phone – ‘just to call my friend, dad, I don’t have any credit’ – or play their endless games. So now I feel quite secure in lending my fav phone. Thanks Sophos
As for geolocation, is it better to turn that off than use the Find my iPhone feature?
It’s a question of benefit versus risk. If you want your phone to be able to tell you its precise location in case you lose it, then you have little choice but to turn on geolocation. Does the likelihood of this helping you out balance the risk?
(When I “lose” my phone it’s almost always somewhere unusual at home, or deep in my bag. I already know where it is within the accuracy of GPS. I’ll find it by dialling it, or by searching properly. If I leave it on a bus, it’ll either be stolen and reimaged by a crook – I’ll assume it’s gone for good – or it’ll be at the lost property office at the depot, which is where I’ll start my search. If I drop it in the harbour, I’ll know where it is – never to be seen again! – but GPS won’t have a clue because it doesn’t work underwater. So I have to consider whether it’s worth having a “find my phone” feature for the small number of *other* ways I might lose it and yet have a chance of recovering it.)
Personally, I would be very wary about allowing my employer’s IT department to remote wipe my BYOD device. Firstly because I would worry that they might be too trigger happy if the phone is just mislaid down the back of the sofa at home or suchlike. And secondly you hear stories about people who had their own phones wiped when their employment was terminated, losing irreplaceable family photos or suchlike in the process.
If the phone has a reliable cloud backup service installed that backs up everything, right down to game high scores, then I would be happy to set up a remote wipe capability on my phone, so long as I had the password to initiate a wipe, and not the IT department.
If I agreed that the phone had fallen into the wrong hands, or was probably lost for good, then I would be happy to remote wipe it, but I would not want anyone else destroying the data on a device they don’t own just on a whim.
GIVE YOUR DEVICES A PASSWORD! Passwords are annoying, I agree. But because of the effects that no password can have, I will have a passcode on my mobile devices + encryption ALWAYS.
btw… this – “40% of mobile banking apps don’t even bother to check the SSL/TLS certificates used to secure their web connections back to the bank.” Is scary as hell!