Right now, it’s Mobile World Congress week in Barcelona, Spain.
With tens of thousands of visitors each year, the event really does put the G-for-Global in GSM.
This year’s theme is “Creating what’s next,” which is both a challenge and a threat.
Because three of the things that are coming next, without doubt, are growth, growth, and growth.
After all, in just under six years, Apple’s App Store has become home to more than 1,000,000 apps, and has served up 60,000,000,000 downloads.
Not to be outdone, in just over five years, the Play Store of rival mobile operating system giant Google has racked up similarly impressive numbers, with more than 50,000,000,000 downloads chosen from a catalogue of over 1,000,000 apps.
Clearly, there are massive – truly massive – fortunes to be made in the online digital distribution of apps.
As a result, you can imagine how interested cybercriminals have become in the mobile ecosystem.
The obvious way for crooks to slice off their unlawful portion of mobile app revenue is through malware, and that has indeed been one of the main weapons in their armoury.
So, to coincide with the Mobile World Congress (in which Sophos is participating), Vanja Svajcer of SophosLabs has produced a Mobile Security Threat Report that makes fascinating, if slightly uneasy, reading.
Many Sophos Naked Security readers will already know Vanja – he’s a friend of, and a regular contributor to, this site.
He’s also a talented and thoughtful researcher, so his paper is well worth a look. (Direct PDF download. No registration or email address required.)
Nevertheless, as Vanja points out, the mobile threat isn’t only about malware.
Even legitimate apps can put your privacy and online security at risk.
Sometimes, they aren’t written with the same care and attention to security as programs such as your desktop web browser or your email client.
And sometimes they stretch the boundaries of legitimacy more than you might ever have expected.
For example, a recent survey suggests that 40% of mobile banking apps don’t even bother to check the SSL/TLS certificates used to secure their web connections back to the bank.
So you could be using an app that is approved by Apple, and actively promoted by your bank as “the right way” to do your online transactions, yet end up being undetectably phished by an imposter site.
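To make the point above concrete, here is an added Go example (not code from the report, from Sophos, or from any banking app; the function names are my own) that stands up a TLS server with an untrusted self-signed certificate, standing in for an imposter site, and contacts it twice: once with certificate checks switched off, as the surveyed apps do, and once with Go’s default verification.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// imposterServer stands in for a phishing site between the app and the bank:
// it speaks TLS, but with a self-signed certificate no public CA ever issued.
func imposterServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "please enter your online banking password") // constructed lure
	}))
}

// carelessClient mimics the apps in the survey: certificate verification is
// switched off, so any certificate, from anyone, is accepted.
func carelessClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the defect
	}}
}

// carefulClient keeps Go's default: chain must reach a trusted root and match the host.
func carefulClient() *http.Client {
	return &http.Client{Transport: &http.Transport{}}
}

// Connect returns nil if the request succeeded, otherwise the error that stopped it.
func Connect(client *http.Client, url string) error {
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// Compare reports whether the careless client was fooled and the careful one refused.
func Compare() (carelessFooled, carefulRefused bool) {
	srv := imposterServer()
	defer srv.Close()
	carelessFooled = Connect(carelessClient(), srv.URL) == nil
	carefulRefused = Connect(carefulClient(), srv.URL) != nil
	return
}
```

The careless client happily hands its request to the imposter, while the careful client stops with a certificate error before sending anything.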
And mainstream iOS social media apps have been caught out siphoning off your entire contact list, without permission, as soon as you install them.
Worse still, they exfiltrated (OK, uploaded) the data using an unencrypted connection, potentially leaving it open for eavesdroppers to collect and sell on.
What to do?
Vanja’s paper has ten detailed tips on securing yourself in the modern mobile world, and I urge you to review them.
In the meantime, here are three more security ideas you might like to consider for your mobile digital lifestyle:
1. Encrypt and password-protect your device
Apple encrypts the data on iPhones and iPads by default, but doesn’t require a passcode.
(That’s not as silly as it sounds: wiping the device in an emergency is quicker if all you have to do is overwrite an encryption key instead of overwriting all the data sectors.)
Android does neither.
Passcodes and device-level encryption are serious security features – use them both!
Don’t be like Yahoo CEO Marissa Mayer, who famously said, “I can’t do this passcode thing, like, 15 times a day.”
2. Meet your company halfway on BYOD
BYOD, or Bring Your Own Device, is where a company agrees to let you use your own mobile device at work, provided that you agree to some limitations.
Some users bristle at this, seeing it as overly prescriptive or intrusive, but with a bit of give-and-take from each side, you’ll probably end up more secure both at work and at home.
After all, agreeing to let the IT department remotely wipe your phone if it’s lost or stolen won’t just benefit the company by protecting work data from compromise, it’s very likely to protect details of your personal life from exposure, too – photos of your children, emails on family matters, your banking records, and so forth.
If you really want to keep your personal and business lives separate, get used to carrying two phones and consider it a security feature, not an imposition.
3. Try our Privacy Diet.
Features on your mobile like always-on geolocation (so software can adapt automatically to your situation) and Wi-Fi (so you automatically use cheaper connections than 3G whenever possible) are extremely handy.
But do you need them? Do the benefits really outweigh the risks?
Our Privacy Diet will help you find out.
4. Try Sophos Anti-Virus for Android.
Our fourth of three tips is a bonus suggestion for Android users: please try our free Sophos Anti-Virus for Android. (From the Play Store, free, no ads, no timeout.)
It scans apps when you install them, protects you from malicious websites as you browse, gives you loss and theft protection, includes a handy privacy advisor, and more.
As we said above, mobile threats aren’t all about malware, but on the comparatively open Android platform, malware is a clear and present danger.