Mobile Device Security
This is exactly as it sounds. If you’re reading this article on your phone, tablet, laptop, etc… then this is surely relevant to you. If you still use a pager then you can skip this one. Anyway, we’ll cover what threats we can expect and what we can do to protect ourselves.
Securing Wireless Devices
To keep mobile devices secure, it’s important to have secure connections and that means secure WiFi and Bluetooth. For WiFi, that means using a WPA2 (WiFi Protected Access 2) connection. This is more secure than the old WPA and WEP type connections because WPA2 uses the Advanced Encryption Standard (AES) for its encryption algorithm.
For Bluetooth, we want to consider the peripheral devices that our cell phones connect to, like our car’s Bluetooth or wireless headphones. These all become points of compromise for your mobile device. An extreme measure someone could take is to never use wireless connections. Wired devices are almost always more secure than wireless. However, this isn’t a likely option for most people. Something more realistic would be to make sure each pairable Bluetooth device also uses AES for its encryption. When pairing devices, Bluetooth creates a shared link key to encrypt the connection. Not all manufacturers use AES for their Bluetooth; some use weaker encryption standards. So before buying a Bluetooth device, it’s always good to check for AES.
Download antimalware for your smartphone… and here are some other prevention tips:
- Ensure your mobile device is patched and updated
- Only install apps from the official App Store or Play Store
- Do not jailbreak/root device… I mean you can, but that can make your device vulnerable
- Don’t use custom firmware or a custom ROM
- Only load official store apps
- Always update your phone’s operating system
One difference to note between Android and iOS devices is that iOS devices are slightly more secure. This is because Apple developers can roll out security patches more quickly, since their patch cycle is shorter than that of Android devices.
Lastly, practicing good digital hygiene can go a long way in preventing malware.
SIM Cloning & ID Theft
SIM stands for Subscriber Identity Module. This is an integrated circuit that securely stores the international mobile subscriber identity (IMSI) number and its related key. The SIM tells the cell phone towers what number is assigned to which device.
SIM cloning allows for two phones to utilize the same service and allows an attacker to gain access to the phone’s data. This was popular among hackers to use someone else’s number to rack up high phone bills. We reduce this risk by using a SIM v2 card instead of a SIM v1 card. SIM v2 cards can still be cloned, but not as easily as the SIM v1. Ultimately, just avoid posting your number on the internet.
However, there are several instances where we need to input our phone numbers, for example, to fill out an online form or to sell things on Craigslist or Facebook Marketplace. To add a layer of security we can get a Google Voice number and use that online. You can use this number on your mobile device but it won’t be associated with your SIM card so you’ll be protected.
There are two types of Bluetooth attacks and they both have funny names: Bluejacking and Bluesnarfing. Bluejacking sends information to your device. Bluesnarfing takes information from your device. I’ll cover strategies for how to prevent these attacks later in the article.
Mobile Device Theft
Uh oh! Your phone got stolen. Well, there are a few things to do before this happens. While we hope this never happens, it’s always best to prepare for it in case it does. To prepare for this scenario, always ensure your device is backed up. We all know devices are replaceable but it’s the memory, account credentials, photos, contacts, etc… that are most important to us. If we have all that backed up externally then the pain of a stolen phone won’t hurt as much.
To go the extra mile you can add full disk encryption and tracking. Tracking is pretty handy too. I’ve used it several times to track down my phone after a night of gratuitous imbibing. FindMyiPhone and FindMyPhone both offer services to get the location of your phone via data location and GPS signal, if lost or stolen.
In addition, you can add Remote Lock and Remote Wipe. Remote Lock will allow you to remotely lock the data on your phone and require a PIN or password to unlock. Remote wipe allows you to remotely erase all the data on your phone so it can’t be recovered by the thief.
How to be secure while using apps
On top of downloading an anti-malware solution for our phones or other mobile devices, we can also follow some simple practices. Only install apps from the official mobile stores. This is pretty easy to follow, but worth mentioning. Also, if inputting info like personal or credit card data, check to make sure the website is using Transport Layer Security (TLS). Unfortunately, it’s not that easy to verify this for an app. One would need network analyzer software like Wireshark to check this. The responses to this forum question will help paint a better picture. In the internet browser of a phone, though, it is easy to check: just look in the web address for HTTPS. Checking for TLS will reduce the risk of becoming a victim of a man-in-the-middle attack.
To ensure more privacy on your mobile device you can turn off location services when you don’t need them. Also, you should consider whether you want the geotagging feature for your files on your phone, like when you take a picture. It’s not a bad feature, but you will have more privacy if you disable this because your phone won’t embed geolocation coordinates into the data it creates.
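To confirm that geotagging is really off, you can check whether a photo still carries a GPS block in its Exif metadata. The script below is an added example, not part of the original article; it uses only the Python standard library, and the function names and the sample image bytes are constructed for illustration.

```python
import struct

def exif_tiff(jpeg: bytes):
    """Return the TIFF payload of the first Exif APP1 segment, or None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        if marker == 0xDA:  # start of scan: image data follows, stop looking
            break
        pos += 2 + size
    return None

def read_ifd(tiff: bytes, off: int, bo: str) -> dict:
    """Map tag -> raw 4-byte value/offset field for the IFD at `off`."""
    (count,) = struct.unpack(bo + "H", tiff[off:off + 2])
    return {struct.unpack(bo + "H", tiff[e:e + 2])[0]: tiff[e + 8:e + 12]
            for e in range(off + 2, off + 2 + 12 * count, 12)}

def gps_position(jpeg: bytes):
    """(lat, lon) in degrees if Exif has a GPS IFD (tag 0x8825), else None."""
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return None
    bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order mark
    ifd0 = read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
    gps = read_ifd(tiff, struct.unpack(bo + "I", ifd0[0x8825])[0], bo) if 0x8825 in ifd0 else {}
    if not {1, 2, 3, 4} <= gps.keys():  # lat ref, lat, lon ref, lon
        return None
    def degrees(ref_tag, val_tag):
        (off,) = struct.unpack(bo + "I", gps[val_tag])
        d = struct.unpack(bo + "6I", tiff[off:off + 24])  # deg, min, sec as rationals
        value = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
        return -value if gps[ref_tag][:1] in (b"S", b"W") else value
    return degrees(1, 2), degrees(3, 4)

def make_sample(geotagged: bool) -> bytes:
    """Constructed sample: a minimal JPEG carrying a little-endian Exif block."""
    tiff = b"II*\x00" + struct.pack("<I", 8)  # IFD0 starts at offset 8
    if geotagged:
        tiff += struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0) + struct.pack("<H", 4)
        tiff += struct.pack("<HHI4s", 1, 2, 2, b"N") + struct.pack("<HHII", 2, 5, 3, 80)
        tiff += struct.pack("<HHI4s", 3, 2, 2, b"W") + struct.pack("<HHII", 4, 5, 3, 104)
        tiff += struct.pack("<I6I6I", 0, 40, 1, 30, 1, 0, 1, 74, 1, 15, 1, 0, 1)
    else:
        tiff += struct.pack("<HI", 0, 0)  # empty IFD0: no GPS pointer
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"
```

Run `gps_position(open("photo.jpg", "rb").read())` on a picture taken after changing the setting; `None` means no coordinates were embedded.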
For large organizations, they can manage company-issued mobile devices with a Mobile Device Management (MDM) solution. This is a centralized software solution that allows system administrators to create and enforce policies across their mobile devices. With this, they can allow or block things on the mobile device remotely.
Bring Your Own Device (B.Y.O.D.)
Another consideration for large organizations is whether to implement a ‘bring your own device’ policy. This is a common policy amongst organizations, but it introduces a lot of security issues to consider. To create more security, companies can incorporate storage segmentation. This creates a clear separation between personal and company data on a single device. If the company uses an MDM system then they can prevent certain applications from being installed on mobile devices.
A variation of B.Y.O.D. is ‘choose your own device’ (C.Y.O.D.). Basically, a company has a list of smartphone models that meet its security requirements. Employees can choose to work with whichever smartphone model they prefer on that list. Ultimately, though, companies need to make sure they have a good security policy for mobile devices.
Here’s what individuals and companies can do to harden their mobile devices from being attacked:
- Update mobile device to the latest version of the software
- Install AntiVirus
- Train users on proper security and use of the device
- Only install apps from official mobile app stores
- Don’t root/jailbreak mobile devices
- Turn off all features not being used, like Bluetooth and location
- Turn on encryption for voice and data
- Use strong passwords or biometrics; 4-digit PINs are very weak
- Enable ‘find my phone,’ remote lock, and remote wipe
- Externally back up mobile device files
- Don’t allow B.Y.O.D.
- Create a good security policy for mobile devices for your organization
Anyway… follow all, or most, of those things and that should keep you on track with your mobile device security.
Thanks for reading!