How secure are you with mobile devices?

How secure are you with mobile devices?
Mobile devices and you 

As people tend to use their mobile devices more frequently in their day to day life, mobile device security has become increasingly important in mobile computing. Of particular concern is the security of personal and business information now stored on smartphones.

More and more users and businesses use smartphones to communicate, but also to plan and organize their users’ work and also private life. Within companies, these technologies are causing profound changes in the organization of information systems and therefore they have become the source of new risks. Indeed, smartphones collect and compile an increasing amount of sensitive information to which access must be controlled to protect the privacy of the user and the intellectual property of the company.

All smartphones, as computers, are preferred targets of attacks. These attacks exploit weaknesses inherent in smartphones that can come from the communication mode-like Short Message Service (SMS, aka text messaging), Multimedia Messaging Service (MMS), WiFi, Bluetooth, and GSM, the de facto global standard for mobile communications. There are also exploits that target software vulnerabilities in the browser or operating system. And some malicious software relies on the weak knowledge of an average user.

Security countermeasures are being developed and applied to smartphones, from security in different layers of software to the dissemination of information to end-users. There are good practices to be observed at all levels, from design to use, through the development of operating systems, software layers, and downloadable apps.

Major threats related to mobile security 

  1. Phishing attacks

Because mobile devices are always powered-on, they are the front lines of most phishing attacks. According to CSO, mobile users are more vulnerable because they are often monitoring their email in real-time, opening, and reading emails when they are received. Mobile device users are also more susceptible because email apps display less information to accommodate smaller screen sizes. For example, even when opened, an email may only display the sender’s name unless you expand the header information bar. Never click on unfamiliar email links. And if the matter isn’t urgent, then let the response or action items wait until you’re at your computer.

  1. Unsecured Wi-Fi

No one wants to burn through their cellular data when wireless hot spots are available—but free Wi-Fi networks are usually unsecured. According to V3, in fact, three British politicians who agreed to be part of a free wireless security experiment were easily hacked by technology experts. Their social media, PayPal, and even their VoIP conversations were compromised. To be safe, use free Wi-Fi sparingly on your mobile device. And never use it to access confidential or personal services, like banking or credit card information.

  1. Network Spoofing

Network spoofing is when hackers set up fake access points – connections that look like Wi-Fi networks but are actually traps in high-traffic public locations such as coffee shops, libraries, and airports. Cybercriminals give the access points common names like “Free Airport Wi-Fi” or “Coffeehouse” to encourage users to connect.

In some cases, attackers require users to create an “account” to access these free services, complete with a password. Because many users employ the same email and password combination for multiple services, hackers are then able to compromise users’ email, e-commerce, and other secure information. In addition to using caution when connecting to any free Wi-Fi, never provide personal information. And whenever you are asked to create a login, whether for Wi-Fi or any application, always create a unique password.

  1. Data Leakage

Mobile apps are often the cause of unintentional data leakage. For example, “riskware” apps pose a real problem for mobile users who grant them broad permissions but don’t always check security. These are typically free apps found in official app stores that perform as advertised, but also send personal—and potentially corporate—data to a remote server, where it is mined by advertisers, and sometimes, by cybercriminals.

Data leakage can also happen through hostile enterprise-signed mobile apps. These mobile malware programs use distribution code native to popular mobile operating systems like iOS and Android to move valuable data across corporate networks without raising red flags.

To avoid these problems, only give apps the permissions that they absolutely need in order to properly function. And steer clear of any apps that ask for more than necessary. The September 2019 updates for Android and Apple iOS both added protocols to make users more aware of it and why apps collect users’ location data.

  1. Improper Session Handling

To facilitate ease-of-access for mobile device transactions, many apps make use of “tokens,” which allow users to perform multiple actions without being forced to re-authenticate their identity. Like passwords for users, tokens are generated by apps to identify and validate devices. Secure apps generate new tokens with each access attempt, or “session,” and should remain confidential. According to The Manifest, improper session handling occurs when apps unintentionally share session tokens, for example with malicious actors, allowing them to impersonate legitimate users. Often this is the result of a session that remains open after the user has navigated away from the app or website. For example, if you logged into a company intranet site from your tablet and neglected to log out when you finished the task, by remaining open, a cybercriminal would be free to explore the website and other connected parts of your employer’s network

What are the actions we could take to prevent these issues?

1). Download applications only from official stores

For iPhone users, download only from the App Store, and for Android phones, Google Play Store. Downloading apps only from these platforms doesn’t guarantee that your phone will be 100% safe from malware, but doing so greatly reduces the likelihood of you downloading malicious programs disguised as legitimate apps.

Even Apple, which used to be the gold standard for software security, is no longer immune to system vulnerabilities. Despite having a strict policy on downloads (iPhone users can download only from the App Store), those with ‘jailbreak apps’ are exposed to a multitude of malicious entities. As a further precaution, download only apps that have high ratings and steer clear of downloads from unknown links.

2). Check your apps’ permissions

When you download certain apps, you’ll be asked to grant permission for it to access your data (files, contacts, photos, etc.). What most users don’t know is that some of these permissions also gain access to hardware controls such as those found in the device’s camera and microphone. And if a malicious app happens to slip through the cracks, these permissions can serve as a gateway for hackers.

Android and Apple have already improved their respective OS’s mechanisms to control what apps can access, but you can take it up a notch. Follow these steps to manage what apps can access on your phone:

  • iOS – Go to Settings > Privacy to see your apps’ access level. For example, if you tap on the Microphone, you’ll see all the apps that have access to your iPhone’s Microphone. If you wish to deny access to it, you can do so by turning privacy off.
  • Android – Go to Settings > Apps, select an app, then tap ‘Permissions.’ From here, you can control every individual app’s access to your devices’ files.

3). Update apps and security software

We cannot stress this enough: As soon as they become available, download and update your OS and apps’ software.

In exceptional cases where certain versions of an OS are known to have bugs, not patching your device doesn’t make it any less exposed to risk. And here’s why: Most older OS versions have had to be patched because of a software vulnerability, and delaying its update to the latest version doesn’t make it safer. In fact, it’s far riskier to remain unpatched and wait for the next update.

4). Set a strong password

Whether your device requires a 4-set or 6-set numerical PIN, a fingerprint, or a facial scan, set a lock that’s difficult to crack. This is not the strongest security measure by any means, but they provide a necessary initial barrier for intruders.

Major manufacturers like Apple and Samsung are innovating their products’ locking mechanisms and you’re doing yourself a favor by using them. To manage your device’s locks, follow these steps:

  • iOS – Go to Settings > Touch ID & Passcode, enter your passcode, and switch on ‘Require Passcode.’ This is also where you can manage your Touch ID settings and adjust access controls (Recent Notifications, Today View, and more). If you’re using an iPhone X, go to ‘Face ID & Passcode.’
  • Android – Go to the Settings page > Lock Screen and Security to set your passcodes. These feature names may vary per device.

Conclusion

Mobile devices do not provide much security. As people share personal and so sensitive data through mobile devices, a vulnerability may have severe consequences. But we could minimize the risk of being exploited by taking necessary countermeasures. 

References 

https://www.kaspersky.com/resource-center/threats/top-seven-mobile-security-threats-smart-phones-tablets-and-mobile-internet-devices-what-the-future-has-in-store

https://en.wikipedia.org/wiki/Mobile_security

https://www.techadvisory.org/2017/12/steps-to-safeguard-your-mobile-devices/

Written By
Share Button