Welcome! Welcome, one and all!
There is no doubt the holiday shopping season is upon us. For many, myself included, new phone FTW! This means a myriad of new electronic gadgets and gizmos.
Considering you are reading the NTT Security blog, it stands to reason that you care about security. And because I've started setting up my new phone, it seems like a good time to discuss mobile device security.
The tips below apply primarily to phones, tablets and phablets (phones that are too big to be a normal phone and too small to be a true tablet), but many of these tips can help you protect laptops and other devices as well. The list certainly should not be considered all-inclusive, but applying it is a strong step in the right direction.
Nine Tips for Mobile Device Security
1. Enable Total-Device Encryption
Despite the FBI concerns about mobile device encryption, it represents one of the strongest methods to protect your data from snoops, thieves or unlawful searches. A device without encryption will easily hand over its secrets to anyone (an app, a connected computer and so on) who asks. Remember, you are carrying a small computer with access to a lot of private information about you.
Most mobile platforms have built-in encryption systems. While some new Apple and Android devices will have encryption enabled by default, most devices will require a manual change in the settings menu.
2. Password > PIN Code > Pattern > Slide To Unlock
Encrypting your data would be worthless if the device didn’t have some kind of lock to prevent decryption. Most platforms require something other than a “slide lock” when encryption is enabled. Even if you skip encryption, enabling a lock will prevent the casual snoop from opening your data.
Of course the trade-off is convenience. It is easy to swipe your finger to one side and use your phone. Each increase in level of security generates more work to get into your device. The good news, however, is that most people get used to the change fairly quickly.
3. Biometrics are More Akin to a Username than a Password
Many manufacturers are pushing biometric sensors, whether fingerprint readers in a button or “face unlock” using the camera. Going back to Security 101, biometrics is an “identification” method or, at worst, an “authentication” method. It should not be used as an “authorization” method.
One of the major issues is the balance between false positives and false negatives. Does it let the right person in when it is supposed to AND keep everyone else out? Considering this is “consumer grade” equipment, most manufacturers err on the side of allowing the wrong people in to ensure the right people don’t get upset when they can’t access their equipment.
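The false positive/false negative balance described above can be made concrete with a threshold sweep. The block below is an added example, not code from the original post or from any device vendor: it takes constructed similarity scores from genuine and impostor attempts, computes the false accept rate (FAR, wrong people let in) and false reject rate (FRR, right people locked out) at several thresholds, and then shows that a "consumer grade" policy which caps FRR for convenience necessarily accepts a non-zero FAR. All scores and thresholds are made-up sample values.

```python
"""
Added example (not from the NTT Security post): how a biometric matcher's
decision threshold trades false acceptance against false rejection.
All match scores below are constructed sample data, not measurements
from any real sensor.
"""
from typing import Dict, List, Optional

# Constructed similarity scores (0.0 = no match, 1.0 = perfect match).
# Genuine = the enrolled owner presenting a finger/face; impostor = anyone else.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.95, 0.71, 0.83, 0.64, 0.90, 0.77, 0.86, 0.58]
IMPOSTOR_SCORES: List[float] = [0.21, 0.35, 0.48, 0.62, 0.30, 0.55, 0.44, 0.67, 0.26, 0.39]

# Candidate decision thresholds to evaluate (constructed).
THRESHOLDS: List[float] = [0.5, 0.6, 0.7, 0.8]


def error_rates(threshold: float,
                genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> Dict[str, float]:
    """Return FAR and FRR at a given threshold.

    A presentation is accepted when its score is >= threshold.
    FAR: fraction of impostor attempts wrongly accepted (wrong people get in).
    FRR: fraction of genuine attempts wrongly rejected (right people get upset).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return {"threshold": threshold, "far": far, "frr": frr}


def sweep(thresholds: List[float] = THRESHOLDS) -> List[Dict[str, float]]:
    """Evaluate every candidate threshold; raising it lowers FAR but raises FRR."""
    return [error_rates(t) for t in thresholds]


def convenience_threshold(max_frr: float,
                          thresholds: List[float] = THRESHOLDS) -> Optional[Dict[str, float]]:
    """Pick the strictest threshold whose FRR stays within a usability budget.

    This mirrors the consumer-grade policy in the post: the vendor fixes how
    often the owner may be rejected, and the resulting FAR is whatever falls
    out.  Returns None if no threshold meets the budget.
    """
    acceptable = [r for r in sweep(thresholds) if r["frr"] <= max_frr]
    if not acceptable:
        return None
    return max(acceptable, key=lambda r: r["threshold"])


if __name__ == "__main__":
    for row in sweep():
        print(f"threshold={row['threshold']:.2f}  FAR={row['far']:.2f}  FRR={row['frr']:.2f}")
    chosen = convenience_threshold(max_frr=0.1)
    print("policy 'reject the owner at most 10% of the time' ->", chosen)
```

On this sample data a threshold of 0.7 rejects every impostor but locks the owner out one attempt in five, while the convenience policy (FRR no more than 10%) settles on 0.6 and lets one impostor in five through, which is why the post treats the sensor as identification rather than a password.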
4. Segregate Business and Personal Data
Just as with finances, business and personal data should not mix in the mobile realm. Some people are provided a work phone. Don’t use it for personal matters, and don’t use your personal phone for work. As Bring Your Own Device (BYOD) is exceptionally common, organizations should implement enterprise-level “container” systems.
5. Enabling Unknown Sources, Rooting or Jailbreaking Carry Increased Risks
If you don’t know what these are, I highly recommend against working with them without more research.
Unknown Sources: When enabled, packages can be installed from anywhere, not just the verified marketplaces. For instance, by default an Android device only installs applications from the Google Play Store. Enable unknown sources and any APK file can be executed. This opens up many new avenues of attack against the device, such as drive-by downloads.
Rooting or Jailbreaking: These are two different terms for the same process. Essentially, this is obtaining persistent administrator-level access for the device, granting advanced users greater control over every aspect of their equipment. Just as with a standard computer, however, running as an administrator full-time can potentially grant malicious software or users total control of the device.
6. Review App Permissions before Installing and when They Change from an Update
Analyzing the functions and data an app has access to, before granting it access, can assist with identifying potentially malicious or privacy invading apps. All of the major mobile platforms have methods to view, control and/or modify what permissions apps have.
Sometimes, figuring out the permissions is hard, but sometimes, like when that new game wants access to all of your contacts and wants to be able to send SMS messages, deciding that those new permissions are just “wrong” is easy.
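The review described in this tip can be automated against an app's manifest. The block below is an added example, not code from the original post or from Google: it parses the `uses-permission` entries of two constructed AndroidManifest.xml files (a hypothetical puzzle game and its update), flags the ones on an illustrative list of privacy-sensitive permissions, and reports what the update added, which is exactly the "contacts plus SMS" case from the text. The manifests, the package name `com.example.puzzlegame` and the sensitive-permission list are all assumptions made for the example; the permission names and the `android` XML namespace are the real Android ones.

```python
"""
Added example (not code from the NTT Security post or from Android):
reviewing the permissions an app declares and spotting what an update adds.
Uses the standard-library XML parser on constructed manifests; the manifests
below are sample data for a hypothetical app, not a real one.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Real namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative selection of permissions that expose personal data or cost money.
# This is the example's own list, not Android's official "dangerous" group.
SENSITIVE_PERMISSIONS: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CALL_LOG",
}

# Constructed manifest for version 1 of a hypothetical puzzle game.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Constructed manifest for the update: the game now wants contacts and SMS.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Collect every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def flag_sensitive(permissions: Set[str]) -> List[str]:
    """Return the subset of permissions a reviewer should look at, sorted."""
    return sorted(permissions & SENSITIVE_PERMISSIONS)


def new_permissions(old_xml: str, new_xml: str) -> List[str]:
    """Permissions present in the updated manifest but not the previous one."""
    return sorted(declared_permissions(new_xml) - declared_permissions(old_xml))


def review_update(old_xml: str, new_xml: str) -> Dict[str, object]:
    """Summarise an update: what was added, which additions are sensitive,
    and a simple verdict ("ok" or "review") for the person deciding to install."""
    added = new_permissions(old_xml, new_xml)
    sensitive = flag_sensitive(set(added))
    return {
        "added": added,
        "sensitive_added": sensitive,
        "verdict": "review" if sensitive else "ok",
    }


if __name__ == "__main__":
    print("v1 permissions:", sorted(declared_permissions(MANIFEST_V1)))
    print("v1 sensitive:  ", flag_sensitive(declared_permissions(MANIFEST_V1)))
    print("update review: ", review_update(MANIFEST_V1, MANIFEST_V2))
```

The same `declared_permissions` function works on any manifest you have extracted from a package; the point of the diff-style `review_update` is that a permission set that looked harmless at install time can become "wrong" after an update, so the check is worth repeating whenever the app changes.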
7. Be Wary of Public or Unknown WiFi
With decreasing data allowances, more individuals have their devices set up to connect to WiFi whenever it is available – public hotspots, hotel wireless or random connections as you drive down the street. All of these can be dangerous places for your data to flow. Whether an attacker remotely connects to your device or sniffs the traffic as you sign into your bank account, the end result is bad.
Always be cautious of the networks you connect to and consider using a VPN service to encrypt your data stream on unknown connections. Personally, I use Private Internet Access, but there are many quality services available.
8. Maintain Physical Possession of Your Device
This especially holds true if you choose not to encrypt and/or apply locking measures. Once the device is in someone else’s hands, there is no end to what they can do. Keep your equipment close and monitored, especially in public spaces.
9. Back Up Your Data
Having previously worked for one of the major mobile providers, I cannot tell you the number of times that a customer called in after their phone was lost, damaged or stolen and wanted to know if we could get their pictures and documents back to them. Unfortunately, the responsibility for backups belongs to the user. When you back up your computers (you do back up your computers, don’t you?), back up the content from your mobile devices as well. Cloud solutions are also prevalent in the mobile domain, although these put the security of your data in the hands of a third party.
I wish there was an "easy button" for things like this, but each of us is responsible for the security of our own devices. Fortunately, once you get in the right habits, maintaining a fairly high level of security is pretty easy.