Securing Your Mobile Devices
Welcome back, everyone. By now, I hope you have all taken concrete steps to improve your digital habits in order to better protect yourself in our interconnected world. Hopefully, you’re using a top-tier VPN to bolster your privacy. Maybe you’re using a best-in-class password manager to help you create and use complex and unique passwords for every website you visit. Or maybe you’ve locked down your most precious accounts using two-factor authentication.
My only goal in this series is that you start the process. If you have, let me and the other readers know with your comments and thoughts.
In our previous installments (found here), I focused mostly on how to implement security on your home and business computers. But what happens when you leave the confines of your home or business? What happens when you leave the laptop or desktop behind and pick up the most-used computer in your life: your smartphone? Well, that’s where things get a bit interesting, kids.
“More connections to more devices means more vulnerabilities.” — Marc Goodman, security expert and consultant to Interpol and the FBI
First, some raw numbers to help set the scene: There are currently about 7.5 billion humans on planet Earth; those humans currently own about 5 billion smartphones. That makes the smartphone the most popular computer system on the planet, dwarfing the number of desktop and laptop computers. Despite their diminutive size, mobile devices are still computers and should be treated as such: They run operating systems, offer a variety of services that require connecting to the internet, and — just like larger computers — can be hacked.
At the beginning of each calendar year, companies like McAfee publish reports on the previous year’s underbelly of the web. McAfee’s January 2014 report claimed a 197 percent increase in mobile malware; its January 2015 report claimed an increase of 112 percent. Stats for 2017 are just as worrisome and now include new categories of hackable devices, such as smartwatches (Apple Watch, Fitbit, Jawbone, etc.), home internet devices (smart thermostats, lightbulbs, and voice assistants), and cars. Yes, cars. What, you thought smart cars were only something cool from the 1980s? Think again, and…cue theme song.
Let’s take a look at some of the glaring vulnerabilities on our mobile computers. I’ll suggest ways to help minimize them, but as I’ve reminded you before, no one, including me, can prevent all hacks. Rather, what we discuss and debate here are ways to help reduce the threats by changing our digital strategies and online behaviors to better increase our security and peace of mind.
Researchers now estimate that 99 percent of all mobile malware is targeted at Google’s Android operating system. Currently, that’s about 19 million malware instances and growing, a remarkable and damning statistic. Just last year, in 2016, Google provided one answer as to why this is happening. Regarding the security problems with Android, Google admitted that “about half of devices in use at the end of 2016 had not received a platform security update in the previous year.” How this came to pass can be explained by two factors.
First, Android has a very open system of app distribution compared to Apple’s iOS. Lots of developers release apps for Android, but historically, those apps weren’t well-vetted prior to publishing. That has allowed rogue apps by the thousands to infect the Google Play app store. Second, Google can’t push Android updates to non-Google devices. That leaves companies like Samsung and Huawei to deliver Android updates in different ways. By comparison, Apple controls all of its own hardware and software, allowing it to push iOS updates and security patches to all iOS devices centrally. And when I say “push,” I really mean “badger”: Apple notifies users via on-screen messages to update their device when a patch is available. As a result, Apple users update their iOS devices very quickly compared to Android users.
Before any of you Androiders start complaining, I’m not suggesting Android is a terrible operating system. I think it’s a clean, highly customizable, and powerful OS. However, the multiple vendors and infrastructures established to push out and serve the Android OS are far too open, something hackers have clearly leveraged.
I’m also not suggesting that Apple’s iOS is hackproof. In February 2014, researchers at the security firm FireEye placed a keylogger application onto iOS devices that hadn’t been jailbroken. The app tracked what users typed and where on the screen they touched in many other apps. In 2015, it was reported that XcodeGhost malware infected between 40 and 350 apps in Apple’s App Store, all of which needed to be pulled. So, malware for iOS does exist, but by and large, Apple’s platform is statistically a rare target for mobile malware, making it an ideal alternative to Android.
Regularly update your OS and apps. If you’re using an iOS device, follow your on-screen alerts when a new version of iOS is ready and install it. I’d also suggest turning on the iOS auto-update feature for your apps. That goes double for my friends using Android devices: Update your OS and apps as soon as updates are available. To learn how to update your Android OS, click here. To learn how to activate Android’s auto-update feature, follow these directions:
Use a “safer” mobile OS. Apple’s iOS devices constantly (some would say annoyingly) remind you to update your OS when a new version is made available. That’s partly why new versions of iOS are so widely and quickly adopted. It’s also how existing security holes get patched in a timely fashion. Because Apple creates and manages all of its hardware and software, it can offer strong protections and controls that Android simply cannot. If 99 percent of all malware is targeted for Android, then it’s good common sense to choose another OS. In my humble opinion, iOS is your best bet.
“What we see on the PC side, we soon see on the mobile side. We have already seen mobile malware variants that encrypt phone data and demand payment to retrieve.” — Nathan Collier, senior malware intelligence analyst with Malwarebytes
Some malicious apps manage to bypass the security checks established by Google, Microsoft, and Apple in their app stores. Some — like the ScareMeNot trojan — even masquerade as security apps that claim to scan your device for viruses. Instead, they lock your device and hold it hostage until you’ve paid a steep fee. This is known as ransomware, which we discussed in Part 5. Sometimes, however, app stores aren’t needed to infect mobile devices.
In 2014, during protests in Hong Kong, a fake mobile application was spread via a link on the WhatsApp social platform. The app was made to look as if it had been deployed by organizers of the protests, when instead it was deployed by the Chinese government. The app allowed hackers to eavesdrop on phone calls, messages, and geolocation data on infected phones. They could then use that information against the protestors.
Some people don’t like the restrictions and safeguards that Apple and Android have established to keep their smartphones safe, so they “jailbreak” their devices using special software or technical processes. This voids some protections from Google, Microsoft, and Apple. Once jailbroken, even an iPhone can download and install apps from app stores other than Apple’s. This allows malicious apps to easily find their way onto thousands of smartphones, if not more.
Don’t jailbreak your device. Yes, it’s tempting to jailbreak your smartphones. I get it. Jailbreaking allows you to do things you’d otherwise never be able to do. But here’s the truth: It’s not safe. Once your device is jailbroken, it’s possible to install nonstandard apps coded by programmers who aren’t vetted and approved by Apple, Google, and Microsoft. Yes, there are safe apps for your jailbroken device. The problem: Unless you’re an InfoSec expert, you’ll never know for certain which apps are safe and which are dangerous. Malware affects both Android and iOS users and is sophisticated enough to steal your AppleID and password. Some malware can steal SMS messages, call logs, location data, photos, address books, and passwords from the iOS keychain and send them to operatives in the Chinese government. So, pretty please: Don’t jailbreak your phones. Not now. Not ever.
Download apps only from trusted marketplaces. Did someone send you a link to an app that’s not on a known app store? Danger, Will Robinson! Ignore it and walk away, quickly. Obtaining apps from marketplaces like Google Play, the Windows App Store, and Apple’s App Store is generally considered safe because those companies maintain their digital marketplaces with strict guidelines, code vetting, and safety measures. Is this enough to stop all malicious apps? No, but it’s a far better system than you could devise and implement on your own.
Never blindly grant permission to apps. Some apps ask for various permissions to make your life more convenient. Some apps, for example, ask to gain access to your contact list, calendar, or camera. That’s nice and all, but conveniences don’t necessarily make you safer. If a mobile app asks for something that’s not essential for that app to function, don’t grant it access. Although a QR code scanner app might need access to my camera to do its job, Google Translate does not. Be strict: If it’s essential, say yes. If it’s a convenience, learn to say no.
Research every app before installing. Don’t assume that all apps on mainstream app stores are safe: Hackers have already found cunning and creative ways to bypass even Apple’s stringent vetting process. Do your research before you install any app. Read about the developers, and absolutely seek out reviews on the app store in question, especially from reviewers who have panned the app and have taken the time to explain why. I’ll provide a potent example at the end of this installment.
Install reputable security apps on your device. Because it needed to do something, Google recently deployed Google Play Protect to all Android smart devices. The software scans all apps on all Android devices and uses algorithms to detect malicious apps and, so the company claims, remove them from your device. While I’ve yet to see any sources backing that claim, you should know about the product and where to find it.
Install recommended security apps on your device. On Android, Bitdefender Mobile Security & Antivirus is made by a well-respected InfoSec company and is one of the best-reviewed apps around. The free version helps to detect and remove malware; some features on the paid version include identifying malicious apps, warning you about fraudulent or malicious websites, and locking down apps for additional security. I can’t recommend any iOS apps at this time, but not because I don’t want to. Top names in InfoSec (Norton, McAfee, Trend Micro, F-Secure, and others) aren’t making apps that provide value above what Apple already provides for free with tools like Find My iPhone and remote wipe. Additionally, none of the apps are consistently well-reviewed.
Bonus Feature: How to Identify Malware
As a bonus, I’d like to show you, step by step, an example of how malware works—in this case, on iOS. This isn’t something I found online; rather, I captured it in a series of screenshots on my own phone just the other morning as it happened. These photos clearly demonstrate why — before installing any new app — we should always research the app’s developer and carefully read app reviews on any app store. I’d be remiss if I didn’t say this now: Please don’t try this at home.
Photo #1: I was in my fave news app (Newsflash), and the article I was reading online suddenly switched to the page you see here. Wow, my iPhone is 28.1 percent damaged! In capital letters, too, because screaming always helps. A quick look at the URL (in the red box at top) indicates that this is a scam. I clicked “Close” at the bottom right to see what would happen.
Photo #2: I am automatically shifted to a second page—a warning from Google! Only, again, the URL (red box at the top) isn’t affiliated with Google. So again, we know this is a scam. Still, I click “REPAIR FAST NOW,” because obviously I need my 28.1 percent damaged iPhone to be “repair fast now” with the worst grammar available.
Photo #3: Here’s the culprit. I could click on “DOWNLOAD APP,” but instead I check on my laptop to see if “app.adjust.com” is a legitimate app developer. Not to anyone’s surprise, it is a known purveyor of malware. To illustrate how this works, I clicked on “DOWNLOAD APP.”
Photo #4: Here’s the app’s landing page on Apple’s official App Store. And wow: It has 404 reviews and a 4.5 out of 5 star rating! Plus, 500 million users (more than the entire population of the United States!) trust the app, so it’s gotta be great, right?!? Wrong. Click on the “Reviews” tab.
Photo #5: Now, we find the truth, right there in the first few reviews. It’s clear that this app is a scam. It doesn’t work. Tech support is nonexistent. It’s a ploy by the company to get you to infect your devices and then pay them money to fix the problem that their own software created in the first place.
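The URL check from Photos #1 and #2, written out as code. This is an added example, not part of the original walkthrough; the brand-to-domain table and every sample URL are constructed for illustration (the `.example` hosts are reserved names, not real sites).

```python
from urllib.parse import urlsplit

# Assumption: domains each brand is taken to own, for illustration only.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "apple": {"apple.com", "icloud.com"},
}

def host_of(url):
    """Return the lower-cased host the browser actually connects to, or None."""
    try:
        host = urlsplit(url).hostname  # drops scheme, userinfo ("name@") and port
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def belongs_to_brand(url, brand):
    """True only if the host is the brand's domain or a subdomain of it."""
    host = host_of(url)
    if host is None:
        return False
    for domain in BRAND_DOMAINS.get(brand.lower(), ()):
        # The leading dot matters: "notgoogle.com" must not pass as google.com.
        if host == domain or host.endswith("." + domain):
            return True
    return False

def verdict(url, claimed_brand):
    """Classify a page that claims to speak for claimed_brand."""
    if belongs_to_brand(url, claimed_brand):
        return "consistent"
    if claimed_brand.lower() in url.lower():
        # The brand name shows up in the URL, but the host is someone else's.
        return "lookalike"
    return "unrelated"

# Constructed sample URLs, modelled on the kind of "warning" pages shown above.
SAMPLES = [
    "https://support.google.com/accounts",
    "https://google.com.device-repair.example/alert",
    "https://google.com@device-repair.example/alert",
    "https://notgoogle.com/",
    "https://phone-cleaner.example/scan",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{verdict(url, 'Google'):<11} {host_of(url)}  <-  {url}")
```

Only the first sample is actually on a Google domain. In the other four, the part that decides where your phone connects is the end of the host name, no matter how many times "google" appears earlier in the address.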
Scam app developers like these and the way they attract new victims need to be reported. If you see them, report them. Click the following links for reporting to the app store in question: Apple Support, Google/Android, and Microsoft/Windows.
What tips and tools do you have? Leave comments below.
In Part 2 of our discussion on mobile device security, we’ll take a look at other options you can change both on and off your phone to increase your digital security. Until then…