The Unwired Medic

Teaching EMS providers & other public safety pros about using mobile tech to improve their practice, patient care, continuing education, scene safety, general entertainment, & productivity.

Your Phone’s Security Is A Joke!


Smartphone Security

There are two ways to keep your device safe from hackers:

  1. Never activate any form of data sharing. That means no Bluetooth, no Wi-Fi, no NFC, no 1X/3G/4G data, and even no GPS! Even text messages could contain links that are malicious, and you can be spammed. You could have your phone calls scanned too, so to play it safe, don’t send or receive calls from your phone.
  2. Remove the batteries and memory cards, and NEVER turn it on. Better yet, just eliminate all risk by placing the device in the middle of a driveway. First, repeatedly compress it by applying a minimum 10# sledgehammer using overhead swinging technique, then drive over it with a pickup truck with redneck swamper/mud bogger tires on it (or a steamroller, if one is handy), then clear the immediate area surrounding the potentially compromising device, and on a calm, no-winds evening, pour gasoline on it, and light it on fire (use all safety precautions to prevent injury as you will then be unable to call 911 if you hurt yourself in a “Hey Bubba, watch this!” moment).

    Image: monster truck. Stock image provided by http://www.sxc.hu/profile/txutowski

That’s not gonna happen, so let’s get real…

If you took the time to set that four-digit PIN on your phone’s lockscreen, CONGRATULATIONS! You have taken one step more than the average smartphone user. Most people won’t even bother with that because it makes it harder to get into their phone and use it while they’re driving. But they are opening themselves to losing their data effortlessly to a thief.

But not you!

Nope, you’ve taken an extra step in protecting your smartphone data. In fact, I’d say you’ve caused a thief to waste at least another 10-30 seconds to hack into your phone. Really. It takes long enough to plug your phone into a USB cable attached to a laptop or PC, for the device to be recognized by the computer, then for it to populate in any number of freely available hacking tools. Once that happens, you select the device in the hack program, click a button on the screen, and you’re in. Feel free to do a web search on this topic to see for yourself just how easy it is.

The police across America often can do this right in their patrol cars with their MDT or Toughbooks. Some agencies go so far as to limit this access to detectives who are specifically trained in the legal intricacies of doing this, but it’s likely an agency-by-agency policy. It is probably handled the same way they search a vehicle. If consent is given, then they may be able to search the entire device. This can be useful for fire and EMS if we’re trying to determine an identity or find an emergency contact.

But what if the phone they are searching is yours? What if it isn’t law enforcement? What if it’s a thief? Do you have anything personal that the public or some other intruder shouldn’t see on your phone? [Note: It’s a rhetorical question – I REALLY don’t want to know 😉 ]

With a basic 4-digit PIN, I can unlock your phone within 10,000 possibilities without the use of a PC. Once I figure out what that PIN is, I can probably guess your ATM/Debit/Credit Card PIN too. Any of that info stored on your device? Do you use Google Wallet or PayPal? Do you use a banking app? Those hacker programs don’t worry about the PIN number, by the way. They bypass that process altogether. Have you set up the option to allow only three failed attempts to unlock your phone and then, BLAMMO! It wipes out the contents of your hard drive? What about the removable SD card? Have you tried a complex password for your phone?

Many phones allow you to receive a call without unlocking the phone, for convenience, but have you set the option to disable outgoing calls while locked? How about making sure that texts and social media posts can’t be replied to when the phone is locked? Yep, those are choices too! Have you set up your phone data to be encrypted?

So you see…

Image: armed security guard. Even having this guy guard your phone won’t make it invulnerable!
Image credit: http://www.sxc.hu/profile/lockstockb

You probably aren’t doing everything reasonable to protect your information from being stolen with your phone. If you get some bum, umm, homeless guy, umm, urban outdoorsman, or perhaps a junkie, umm, crack addict, umm, person in search of their next fix, umm, person desperate for quick and easy money, you might get lucky and lose only your phone, but if you get a hacker, you could lose much more than a device. I know the security steps I’m about to recommend are tedious and time-consuming, but how important is security? Do you own the device or does it belong to your work? Does it contain FOUO, sensitive, restricted, or even classified materials? If it’s yours, you lost the device and you will pay the consequences, but it’s just you (and maybe anyone else whose info and/or photos you had on there). If it belongs to your work, then for the agency, it could be a source of public embarrassment, patient data compromise, or worse. Is it worth your job or being named in a personal liability suit, which will follow you for the rest of your career or life?

Think of it like this… you use a lame password, or none at all to lock your device, it’s like taking your new Ferrari to the mall, leaving the top down, the keys in, and the doors unlocked and walking away. If you use a better password, maybe you took the keys. You use a complex password, encrypt, and set up a (decent) security app, then you put the top up, locked the doors, took the keys, and set the alarm. Will someone be able to take your car? Yep. Even if you left a Club on the steering wheel and a slobbering Doberman in the front seat, if someone wants it bad enough, they’ll just take it away with a tow truck or a flatbed and hide it away until they find a sure way of breaking in. The object is to make it unappealing and to protect it as long as possible so you can activate your LoJack and nail the bad guys, or to fry the data so that the info on it is unrecoverable.

Real security you can implement…

SO… every device manufacturer is different in how they say to secure your phone, but even though the specifics depend on the device, some things are consistent. You should:

  • Set a complex password (letters, numbers, uppercase/lowercase combos, symbols, 8 or more characters). Some apps are available for lockscreens that use patterns instead of alphanumerics. It may be worth a try.

    Image: light switch. Turn it off!
    Image Credit: http://www.sxc.hu/profile/muresan113

  • Disable Bluetooth discoverability unless you are actively performing the initial pairing with another device. This means you leave Bluetooth on so you can sync your phone and computer or pair with your headset, car speaker, or stereo. This is the equivalent of a toddler covering his eyes and saying, “You can’t see me now!”
  • Turn off Wi-Fi, at least until you really need it. Most people leave Wi-Fi on all the time, as it saves some battery power by allowing you to connect to networks instead of using your 3G/4G connections, and it saves money on your limited-data wireless plans.
  • Disable NFC (near-field communications, which is the “tap to pay” or “bump to fileshare” function in newer phones, except iOS, which will probably debut it with the next generation iPhone and proclaim it is their awesome innovation).
  • It’s better if you disable Bluetooth completely. I could tell you scary stories about Bluetooth’s lack of security, but I don’t want to scare you with any black ops conspiracy theories facts on the government and hackers’ ability to make your phone spy on you.
  • Don’t connect to public Wi-Fi or unsecured hotspots (McDonalds, Starbucks, bookstores, any hotspot with the word “FREE” in its name). Even then, read the terms of service (TOS) or terms of use (TOU) since it is legal to spoof (pretend you are something you are not) hotspots as long as you properly disclose what you are doing. You often get what you pay for.
  • Update your operating system and apps as often as updates can be had. With Apple and Android devices, this can be a daily chore. I literally start my day out by turning on my phone and checking the marketplace for app updates within about a half an hour of getting out of bed. Now it’s a habit. It also gives me something to Tweet about.
  • Don’t jailbreak or root your device (well, I don’t necessarily agree with this, but the reality is that manufacturer updates will not be supported any longer).  I’d be happy to have a discussion with you about this if you want to know more.  Just drop me a message in the comments or e-mail me at: cdm [at] unwiredmedic [dot] com and make sure to replace the brackets and included text with the appropriate symbols.
  • Enable your phone locator (activates the GPS so you will expend more battery life). If your Android doesn’t have this feature, you can use one of the security apps I list below that includes it in the features.
  • Use encryption services built in to the phone, if they exist.
  • Make use of a VPN app (virtual private networking) to tunnel back to your home or work server. It encrypts all data transmitted over the cellular and Wi-Fi networks (there are also drawbacks to this option and again, I’ll be happy to discuss them if you want to know more).
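
The arithmetic behind the 4-digit PIN, the wipe-after-three-failed-attempts option, and the complex-password rule in the list above, as an added example that is not part of the original post. The function names and sample secrets are constructed for illustration, and the estimate assumes the secret is chosen uniformly at random, which real users rarely do.

```python
import math
import string

# Character classes named in the post's password advice.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LENGTH = 8   # "8 or more characters"
WIPE_AFTER = 3   # the post's "three failed attempts" wipe option


def missing_requirements(secret):
    """Return the parts of the post's complexity rule that `secret` fails."""
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in secret)]
    if len(secret) < MIN_LENGTH:
        missing.append("length")
    return missing


def search_space(secret):
    """Brute-force space: (size of the character classes used) ** length."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in secret))
    return max(alphabet, 1) ** len(secret)  # max() guards unclassified input


def guess_chance(space, attempts=WIPE_AFTER):
    """Chance that `attempts` distinct guesses hit a uniformly random secret."""
    return min(attempts, space) / space


def report(secret, wipe_after=WIPE_AFTER):
    space = search_space(secret)
    return {
        "missing": missing_requirements(secret),
        "bits": round(math.log2(space), 1),
        "chance_before_wipe": guess_chance(space, wipe_after),
    }


if __name__ == "__main__":
    # Constructed sample secrets, not taken from the post.
    for sample in ("4821", "Tr4uma-Bay!7"):
        print(sample, report(sample))
```

With the wipe limit on, even the 4-digit PIN leaves a guesser only a 3-in-10,000 chance at the lockscreen; without it, all 10,000 candidates can be tried by hand.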

Here are some platform-specific tips:

And what reference would be complete without the feds giving their 2¢/plus taxes (this links to a .pdf document):

Security apps:

Apple apparently thinks the iPhone doesn’t need security, so there’s nothing in iTunes. No Windows Phone apps (AVG has a family-safe browser app and Comodo has a management app for Endpoint, but it isn’t an antivirus app), yet. With Apple and Windows Phone, I think that if they don’t look at the problem, it won’t exist. They don’t even have an app to protect your browsing behavior, so the best thing for that is to use a VPN. I don’t have a Blackberry anymore, but Blackberry has one of the most secure operating systems anyway. That pretty much leaves Android. I can think of three particular apps that are worth investing in. There are literally dozens of apps that are security-related. Some of them are even worth putting on your device.

  • Cerberus. It’s a 3-headed dog in Greek mythology guarding the gates of hell. I hear its most recent reincarnate version hails from 3-Mile Island, but I digress. You can get the app for Android with a one week free trial, but follow them on Twitter and Facebook, because they do give away free licenses from time to time. Otherwise, it’s less than $5 (2.99€) if you want to just buy it, plus you can put the app on up to 5 devices. Nicely, it includes the ability to locate your device, send a text to it, control it by text message or via the Cerberus account website, trigger an alarm remotely (even in silent mode), get an alert if someone drops a different SIM into the device, even wipe the device’s internal and flash memory (microSD cards), and you can activate the camera and microphone to record the thief. My favorite part is if you have rooted the device, you can have Cerberus installed in the ROM, so that if someone hacks in and does a factory reset to wipe all your traces of info and your apps off, Cerberus will still be installed and tracking the device. The app is absolutely brilliant. Android Police did a review of it and found it stood above all the other security apps: http://www.androidpolice.com/2011/11/28/mobile-security-app-shootout-final-roundup-out-of-a-sea-of-apps-just-one-emerges-as-a-clear-winner-in-keeping-your-device-safe/
  • Avast! Mobile. I use it myself on my Android devices. It even incorporates a lot of the features of Cerberus for device recovery and protection against factory resets on rooted devices. It’s kept me from hitting malicious websites and checks out the apps downloaded from Google Play and Amazon Appstore. I have to say it does its job, and it does it well. You also can’t beat the price: FREE. It isn’t perfect, but it is the best. I have no faith in big name companies like that one that begins with a capital “N” and ends with an “orton”, or that other big one with a Scottish last name. Get avast! Mobile here: http://www.avast.com/free-mobile-security3
  • Sophos Mobile Security. I haven’t played a lot with this one yet, but it offers mostly the same features as avast! Mobile, including antitheft features. http://www.sophos.com/en-us/products/free-tools/sophos-mobile-security-free-edition.aspx

As far as the smorgasbord of other security apps, I’d recommend visiting Android Police. The link I’m giving you is for the keyword “security”.

If you have a favorite security app, let us know in the comments. Thanks for reading!
