by Don DeBolt, Total Defense, Inc.
It’s hardly a stretch in this day and age to say that everyone in the corporate workforce has a mobile device, whether it is company issued or personal. Mobile devices have helped revolutionize the way people do business by facilitating instant communication and enabling us to store, send and receive documents right from our smartphones, anytime, anywhere. While these features have aided communication around the world, like anything that seems too good to be true, smartphones are not without flaws and can easily fall victim to mobile security threats – the aftermath of which can potentially cripple a small business.
No one would suggest eliminating smartphones from our day-to-day lives and business operations, so following some simple mobile security guidelines can make all the difference in protecting your private information. Here are some mobile security best practices that people can easily implement to protect themselves (and their devices):
1. Protect the investment physically with a hard cover and screen protector.
This small investment will go a long way to keep scratches and cracked screens at bay.
2. Use an access code/password/or pattern sequence to lock/unlock the device when it is not in use.
This helps to ensure the integrity of the device and its data when it is out of the user's immediate control. Note that the Android “pattern” lock is easier to guess: researchers at the University of Pennsylvania showed that the “smudges” left on the screen can be followed to recover the sequence. The preferred method is to set a PIN as the unlock code. These options can be found in the “Security” settings section of the device.
3. Set the sleep function to lock the screen and put the device into hibernation mode.
This provides added security as well as helps to ensure longer battery life.
4. Avoid adware supported “FREE” applications.
Ads require an Internet connection, so turning off the data connection stops them from appearing. Ads are served from a third-party advertising server or network, and sometimes they are truly malicious and can attack the device. Reducing “random” and “unsolicited” connections to the Internet reduces the attack surface. As a byproduct of turning off the data connection, users who play games will also get longer battery life, and thus be able to play much longer.
5. Only install applications from trusted application “stores”.
Apple, Google, and RIM (Blackberry) all have a vested interest in offering secure software to their device owners. However, the Android platform is more open and allows device owners to install their own software, or software they download from elsewhere on the Internet. It is the software downloaded outside of the application “stores” or “markets” that poses the most risk. Software offered via the platform “store” is vetted to a degree, and can be pulled from the store quickly if a problem is identified.
6. Take a moment to review the requested permissions.
When installing a mobile application the user may be confronted with a dialog box that requests expressed permission for the application to perform a specific action, or access specific data on the device. Android Permission examples include:
- “RECORD_AUDIO” – does the app really need to record audio?
- “CALL_PHONE” – does the app need to make a call without going through the Dialer user interface?
- “CAMERA” – does the app need access to the camera device?
- “WAKE_LOCK” – does the app need to prevent the device from going into Sleep mode?
- “ACCESS_FINE_LOCATION” – does the app need the GPS longitude and latitude coordinates of a user’s current position?
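The same review can be done on an app's manifest before it ever reaches a device. The script below is an added example (not part of the original article): it parses a constructed AndroidManifest.xml for a hypothetical flashlight app and reports every permission from the watch-list above, paired with the question a reviewer should ask.

```python
"""Flag sensitive permissions requested in an Android manifest.

Added example, not from the original article. The manifest below is
constructed for a hypothetical "com.example.flashlight" app; real
manifests are the AndroidManifest.xml unpacked from an APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in ElementTree notation

# Permissions the article calls out, each with the question to ask.
WATCH_LIST = {
    "android.permission.RECORD_AUDIO": "does the app really need to record audio?",
    "android.permission.CALL_PHONE": "does the app need to place calls without the Dialer UI?",
    "android.permission.CAMERA": "does the app need access to the camera?",
    "android.permission.WAKE_LOCK": "does the app need to keep the device awake?",
    "android.permission.ACCESS_FINE_LOCATION": "does the app need precise GPS coordinates?",
}

# Constructed sample manifest (hypothetical app, not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")]


def review_permissions(manifest_xml):
    """Return (permission, question) pairs for each watch-listed permission requested."""
    return [(p, WATCH_LIST[p])
            for p in requested_permissions(manifest_xml)
            if p in WATCH_LIST]


if __name__ == "__main__":
    for perm, question in review_permissions(SAMPLE_MANIFEST):
        print(f"{perm}: {question}")
```

For a flashlight app, camera access is plausible (the LED is driven through the camera API), but fine location and audio recording have no obvious justification and are exactly the requests a user should decline.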
7. Don’t share “location” within GPS enabled apps unless absolutely necessary.
The ability to know exactly where a user is, based on the phone’s physical location, can be a significant privacy and physical security concern. Many apps today use the GPS embedded in mobile devices to “tailor” content for the user. Per the Google+ help documentation: “Users 18 and over have their location attached to each post by default. You can remove your location by touching the X [in the post].” Once a user removes their location from a post, the application will remember the setting and not share location information in future posts. Users can “opt out” of location services entirely, but this disables key features, like “maps” applications. Each person must weigh the benefit of the “tailored” content against the security concerns of sharing their physical location at any given time.
8. Avoid auto-upload of photos to social networks.
Android 2.1+ devices with Google+ installed offer an “instant upload” option where photos and videos are immediately uploaded to Google’s servers. Images and videos require high bandwidth to transmit and use of this feature may put users over the limit on their data plan. Use of this feature will also reduce battery life. There may also be privacy and physical security concerns if every photo and every video is uploaded prior to review by the device owner.
9. Delete unused applications.
This helps to reduce the attack surface of the device in the event a vulnerability is discovered in that unused application. This also helps free up space on the device.
10. No clear text data in public Wi-Fi hot-spots.
Firesheep demonstrates how easy it can be to capture a user’s session cookies on an open Wi-Fi connection and log in as them with a simple “double-click.” Mobile device owners must review each of their email and social networking applications to ensure encryption (HTTPS) is used for the entire session, not just for the login page, but it is best to avoid open Wi-Fi hotspots whenever possible.
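To see what a Firesheep-style sniffer actually gets, the script below is an added example (not part of the original article) that scans a constructed plaintext HTTP exchange, as it would appear on an open hotspot, and reports cookies sent in the clear and cookies set without the Secure attribute. The cookie names and hostname are made up for the illustration.

```python
"""Spot session cookies exposed to a Firesheep-style sniffer.

Added example, not from the original article. SAMPLE_CAPTURE is a
constructed plaintext HTTP request/response pair; the host and cookie
names are hypothetical.
"""

# Constructed capture of one request and its response on an open hotspot.
SAMPLE_CAPTURE = """\
GET /feed HTTP/1.1
Host: social.example
Cookie: sid=abc123; theme=dark

HTTP/1.1 200 OK
Set-Cookie: sid=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/
Set-Cookie: csrf=zz9; Path=/; Secure; HttpOnly
Content-Type: text/html
"""

# Cookie names that usually carry a login session (assumed list).
SESSION_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid", "auth", "token"}


def cookies_sent_in_clear(capture):
    """Cookie names carried in a Cookie header of a plaintext request.

    Anything here was already readable by everyone on the hotspot."""
    names = []
    for line in capture.splitlines():
        if line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                names.append(pair.strip().split("=", 1)[0])
    return names


def insecure_set_cookies(capture):
    """Cookie names set without the Secure attribute.

    Such cookies will be sent again over plain HTTP on the next
    non-HTTPS request, even if this response itself came over HTTPS."""
    found = []
    for line in capture.splitlines():
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1].strip()
            parts = [p.strip() for p in value.split(";")]
            name = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "secure" not in attrs:
                found.append(name)
    return found


def firesheep_exposure(capture):
    """Session-looking cookies an attacker could copy and replay."""
    exposed = set(cookies_sent_in_clear(capture)) | set(insecure_set_cookies(capture))
    return sorted(c for c in exposed if c.lower() in SESSION_NAMES)


if __name__ == "__main__":
    print("sent in clear:", cookies_sent_in_clear(SAMPLE_CAPTURE))
    print("set without Secure:", insecure_set_cookies(SAMPLE_CAPTURE))
    print("replayable session cookies:", firesheep_exposure(SAMPLE_CAPTURE))
```

In the sample, “sid” is both sent in the clear and set without Secure, which is the whole attack: the HttpOnly flag stops scripts from reading it but does nothing against a sniffer on the wire. Only “csrf”, marked Secure, would never travel over plain HTTP.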
11. Use a mobile security application to protect against mobile malware and lost or stolen devices.
Look for one with “Remote Lock and Wipe” capabilities in the event of a lost device. Many of these applications offer data back-up in the event the device “goes for a swim,” and many offer protection against Malware, which is a growing concern for mobile devices.
12. Recycle old devices, but wipe them first.
Many apps store usernames, passwords, and user data in clear text. To best protect important data when recycling devices, perform the following steps:
- Back-up the mobile device data and apps
- Remove any digital memory (MicroSD) cards
- Remove the SIM card
- Perform a factory reset of the device
- Then recycle/e-cycle
13. Avoid “jail-breaking” the device.
Jail-breaking removes the platform’s built-in restrictions, so installing untrusted applications on such a device increases the attack surface, and users who do jail-break should never leave default passwords in place.
14. Perform device backups regularly and purge personal and business data at the same time.
This preserves the data if the device is lost or broken, while at the same time limiting the amount of confidential data stored on the device at any given time. For example, the recent case involving nude photos of Scarlett Johansson, which were allegedly hacked from her phone, may very well have been prevented had she been following some basic mobile device best practices.
15. Patch your device regularly when new software is available.
Keeping the device current with manufacturer updates can help to fix known bugs within the device software.
Don DeBolt is the Director of Threat Research for Total Defense, Inc. Over the last 12 years he has led both Security Operations teams and Threat Research teams on the quest of identifying and protecting against the latest digital threats. Currently Don oversees Internet Security Intelligence and Global Threat Response for Total Defense, Inc. (formerly CA). From 1996 to 2000 Don learned the art of Penetration Testing while consulting for both Ernst & Young and Deloitte, and later took a position with one of the first Managed Security Services Providers, Counterpane Internet Security. In 2004 Don moved to threat research. Don is helping evolve research operations and research technology in line with the growth of malware. Don leverages a global team of researchers and advanced crawler and honey-client technologies to proactively acquire malware samples and threat intelligence.