Your smartphone: a mini life manager, communication enabler and entertainment hub, the gateway to, well… everything (if you have signal). But have you ever wondered how secure your little pocket companion actually is?
Think of all the data, knowledge and personal information you’ve put into your smartphone over the years. Now think: what happens if it all got out?
It’s not just conversations, phone numbers and pictures you’d have to worry about… phones now host banking apps, sensitive data, shopping shortcuts, even eWallets. I can literally travel to a different country using only my phone (plus passport) for tickets, money, directions and everything in between.
So how secure is your smartphone? We spoke to McAfee Security to run us through what makes a smartphone safe… or not so secure.
Out of the Box
So let’s start from the beginning. First off: are smartphones secure ‘out of the box’, and what protection do you normally have built in?
“No, they are not secure straight away. Out of the box users will need to start adding/configuring the security of the smartphone.”
“This usually starts with creating a pincode or swipe pattern to avoid others physically accessing the user’s apps and data. After that, both Android and iOS do include some features that users can use to protect their personal data. These features need to be activated and configured; however, they are often hidden in the settings menu.”
We’ve heard lots about security risks and malware, but what are the major risks to smartphone users?
For the physical phone, loss or theft of the device can lead directly to data theft, as whoever ends up with the phone can access the data on it. This is the most direct form of security risk, as the criminal (in this case) has the phone. Screen locks and multiple passwords can protect users from losing this sensitive data, or at least hinder a thief’s progress. There are still ways thieves can force their way into phones.
From a remote or hacking perspective, “Phishing attacks by means of fake apps or SMS/email messages can easily be launched against smartphone users”. ‘Phishing’ is the process of sending a message (usually email or SMS) falsely claiming to be a genuine message from a legitimate, and often well-known, enterprise. These false messages often contain links to fake websites that capture the data you input.
“Spyware attacks through fake and malicious apps also collect personal information from a user’s phone, and dialler malware causes the smartphone to make hidden use of expensive SMS services.”
Connecting to open public WiFi networks can also be a gateway into the smartphone. “Network spoofing attacks occur when users connect to dangerous network access points (public WiFi) where an attacker can start stealing personal data from a user’s device using this unsecured WiFi as a bridge.”
Ok, so that’s how the criminals hack, but why do they do it and to what end?
“Hackers can steal a smartphone or have users install malicious or fake apps in order to get access to the data on the phone and steal a person’s data, identity or make the phone start connecting to expensive SMS services or phone numbers.”
As mobile security/antivirus software is lighter (in terms of software size), are mobiles more vulnerable to attack than a desktop OS?
“No, the fact that mobile apps are lighter/smaller does not affect the effectiveness of the app. The McAfee mobile security app detects malware in real-time using data from McAfee’s cloud database of known good and bad files/apps (Global Threat Intelligence or GTI).”
The total number of mobile malware samples in our database is currently over 8 million (see chart below and the attached McAfee Labs Threats Report for more details).
Where are the Vulnerabilities?
So, are apps particularly vulnerable to attack or is web-based malware still the most common?
“Fake and malicious apps and phishing messages (SMS/Email) are the most common attack vectors for mobile devices”. This is because they are commonly used, accessed quickly and, in the case of apps, can be installed with a wide array of permissions.
In the case of phishing messages like email or SMS, the quality of design and often authentic-looking nature of the message can be enough to trick even the most savvy tech user. The best piece of advice here is to never click a link in an email; always go to the website from a browser you trust.
Are open OS platforms like Android actually more susceptible to hacks and malware, or can these security weaknesses be found across the board?
“Android is by far the most targeted mobile OS; however, it is primarily the fact that it is also the OS with the largest market share that makes it an interesting target for cybercriminals. More devices, more possible weaknesses, a bigger pool for cybercriminals to access. Android is also a relatively ‘open OS’ compared to Windows 10 or Apple’s iOS, meaning malicious apps can make it onto the app store more easily, although Google are doing a pretty good job of rooting these out.
This is not to say Apple and Microsoft smartphones are immune; malware is still out there for these platforms, especially in the form of phishing scams.”
Phones for Sensitive Data?
From a privacy stance, should users really be using their smartphone for data-sensitive actions (like banking or shopping)? And if they choose to, what steps should users be taking to stay protected?
“Yes, users can use their mobile devices for shopping, banking etc. as long as they make sure that their devices are well protected and follow the steps below:
1) Use a swipe pattern or, even better, a pin code to prevent access to apps by others.
2) Install a security app such as McAfee Mobile Security, which not only protects against the latest mobile malware but also allows the user to remotely locate, lock and wipe their device in case of device loss or theft.
3) Ensure that you use different and strong passwords for all your online accounts. This way if one of your online accounts gets compromised at least your other accounts are still secure.
4) If you have so many online accounts that you can’t remember all your passwords, then install a password manager that can do this for you and log you in automatically when you access one of your online accounts. True Key™ by Intel Security is an app which works not only on Android and iOS but also on Windows and Mac computers. It is also one of only a few that can automatically log you into your mobile apps. True Key is available as a free download on www.truekey.com.”
Mobile payment transactions like NFC, Apple Pay and Google Pay are on the rise. Are they actually safe?
As long as users make sure to always update their smartphones with the latest NFC updates and patches and have an up-to-date security app installed, then NFC should be safe to use. However, if a user is not using NFC, then it is always better to turn NFC off on the device. Besides saving some power, turning off unused networking features is a good rule of thumb to limit exposure to attackers.