Smartphones have become near-ubiquitous devices and are used in everyday activities such as online banking, e-commerce, social interaction, online content consumption and browsing news and information.
However, this convergence of technology brings risks alongside its rewards. For example, it has led to a concentration of users' Personally Identifiable Information (PII) on a single device. Poor configuration of smartphones, lack of digital literacy and low awareness can therefore lead to unintended outcomes, including data breaches and compromise of the device.
By adhering to certain do's and don'ts, the threat vectors and attack surface can be reduced significantly. This write-up suggests some globally accepted recommendations to close device security gaps as well as to prevent data loss.
Major Smartphone Threat Vectors:
Data leakage: Smartphones are storehouses of enormous amounts of personal data. Hence, the most significant threat to the smartphone ecosystem is data loss. Mobile apps, or even hardware bugs, often enable significant data theft.
Data protocol related vulnerabilities: Insecure data communication protocols and interfaces such as Wi-Fi and Bluetooth may lead to large data breaches. Even worse, they may allow persistent interception of communications. Thus, the temptation to connect to rogue access points and hotspots such as public Wi-Fi may have devastating consequences.
Phishing attacks: Phishing is a widely known attack vector that can inflict serious damage on users. Phishing attacks have been reinvented in the context of mobile platforms and come in different forms, such as spear phishing.
Spyware and Adware: An average smartphone contains hundreds of spyware and adware components, either disguised as legitimate apps or invisible to the user altogether under normal use. They pose a persistent threat to the user.
Surveillance attacks: Continuous surveillance of users often poses a greater threat than the data leakage itself. By exploiting the dozens of sensors inherently present on smartphones and the lack of watertight security protocols, the privacy of a target can be compromised to unprecedented levels. One of the most significant surveillance threats is compromise of the user's location, camera or microphone.
Remote Access Trojans: A well-crafted and smartly deployed Remote Access Trojan (RAT) can give attackers full remote control of an infected device, including the ability to eavesdrop on conversations, access critical data without restriction or deploy further payloads.
Mobile ransomware: The ransomware threat, once thought to be restricted to large networks or databases, has arrived in the mobile domain as well. It includes encryption-based ransomware, which encrypts the target device's data and also encrypts its communication with the C&C server, and device-locking ransomware, which blocks access to the compromised device altogether by locking it down.
Banking attacks: Such attacks are specifically designed to steal banking data or to sabotage financial transactions. They either pilfer credentials from legitimate banking apps or induce the user to download a fake version of the app altogether.
Scareware: Scareware are software/apps that exploit user psychology to create a false perception of a threat, thereby compelling the user to download malicious software that promises to fix the non-existent problems and so opening the floodgates for the actual attack. Fake battery saver and memory cleaner apps fall into this category.
Recommended Best Practices for Safe Smartphone Usage:
Record the unique 15 digit IMEI number of the device: This unique 15 digit IMEI number is instrumental in registering a complaint with law enforcement agencies in case the mobile phone is stolen or lost, and may help in tracking the phone through various technical means.
Set up device access control: Always set up a basic access control mechanism via PIN, pattern, biometric lock or password as the first layer of security.
Preferably use an alphanumeric password: Recent findings point out that the biometric authentication systems integrated in smartphones are not as robust as generally perceived, owing to the limited capture and processing capabilities of these resource-constrained devices, prompting Google to introduce a “Lockdown” mode that disables biometric unlock and falls back to old-school passwords. Patterns are subject to easy shoulder surfing and a host of other primitive attacks. Hence, you are recommended to use a strong alphanumeric password or a PIN of sufficient length until other authentication mechanisms attain the required maturity.
Ensure that your device locks itself automatically: Always enable auto-lock so that the device locks after a set idle period, preferably not more than 30 seconds.
Use a reputed and updated AV solution: Use a reputed, device-compatible, full-version antivirus (AV) solution on your device and keep its signature database up to date. This may prove productive against mundane and prevalent malware and vulnerabilities. However, such an antivirus should not be considered a magic shield and may not provide effective protection against zero-day vulnerabilities or sophisticated attacks.
Use the latest version of the Operating System: Newer versions of operating systems invariably come with a host of security enhancements that take the latest threat landscape into account. Ideally, use the latest operating system. If the latest OS is not available without switching hardware, the latest patches and updates available for the current build should be installed immediately.
Update apps regularly: Always use the updated version of an app, as older versions may contain already-exploited vulnerabilities that are generally patched in the latest updates.
Encrypt your smartphone storage: iOS devices generally come with internal memory encrypted by default and without any support for external memory. The internal memory of Android devices running relatively new versions of the OS, i.e. Lollipop (5.x) and higher, also comes with encryption enabled by default. However, it is recommended that the external memory card also be kept encrypted through the explicit option provided.
Avoid clicking ads and block pop-ups: Ads are quite intrusive and can be exploited by cybercriminals; malware can be pushed onto your smartphone by a single click. The auto pop-up functionality of browsers must also be deactivated.
Responsible clicking: Never click on shortened (‘URL shortener’ based) or otherwise suspicious links in SMS, IM or mail from unsolicited sources. Also, be careful with attachments downloaded via email or instant messaging services. This often constitutes the principal method for deploying malicious exploits.
Disable the Google Ad ID or reset it frequently: Most of the legitimate tracking of users in the Android environment by Google takes place through the Google Advertisement ID (GAID). It is suggested to reset the Ad ID frequently or disable it altogether unless the user is interested in receiving targeted ads.
Download apps from verified sources: Verified app stores like Google Play Store and Apple App Store host apps that are subjected to reasonable security screening. Hence, it is always recommended to download apps from such recognized sources, and never from dubious third-party sources which can compromise your device.
Avoid app download links: Never use links provided for downloading apps, as domain redirections are difficult to identify. Manually identify the specific app and then download it from the trusted app store.
Grant least permissions to applications running on your device: Typically, apps request various permissions at the time of installation. In addition, apps often seek incremental intrusive permissions at runtime. Be extremely cautious while granting such permissions, and deny them if they appear irrelevant to the task the app performs.
Disable install from unknown sources: Always disable the option to install from “Unknown sources”. It provides the primary defense against installation of untrusted third-party apps, even by mistake.
Enable Google Play Protect: For Android users, Google has introduced this feature, which scans all apps installed or being installed on the user's device and warns about anything malicious. Further, as part of this assurance, Google also regularly checks the apps hosted on its store.
Remove unused apps: Maintain rigid housekeeping of the applications installed on the device and delete/uninstall unused or even seldom-used apps. Apart from using system resources unnecessarily, such apps also add to the device's vulnerabilities.
Turn off Wi-Fi, Bluetooth and NFC when not in use: Never enable “Auto-connect” mode for Wi-Fi or Bluetooth, and turn off such interfaces immediately when not in use. Use Bluetooth in hidden mode rather than discoverable mode. This saves the device from being easy prey for hostile Wi-Fi scanners.
Use complex pairing codes: Use a fairly complex PIN or alphanumeric password for pairing devices over Wi-Fi/Bluetooth or setting up a personal hotspot.
Avoid critical transactions on Wi-Fi: Following the discovery of a number of attacks on Wi-Fi (the blues etc.), preferably use mobile data and avoid Wi-Fi connections, particularly public Wi-Fi, while carrying out high-value financial transactions or sensitive data communication. Public Wi-Fi can be subjected to Man in the Middle attacks to harvest important credentials, including login details.
Two factor authentication: Activate SMS-based two factor authentication on all platforms that support 2FA, particularly financial apps. Preferably, configure a separate firmware-based basic feature phone for receiving critical OTPs.
Access the internet using a VPN service: While using untrusted Wi-Fi access points, it is recommended to use a VPN (Virtual Private Network) to protect against possible Man in the Middle attacks as well as rogue access points. A number of reputed paid and free VPN service apps are available for both Android and iOS.
Clear app data and cache on Android completely: Apps generally have two types of storage files, i.e. data files and cache files. Though cache allows quick loading of applications, it may also hold critical user credentials in a relatively insecure environment. Hence, such storage should be cleared once in a while for different apps, particularly sensitive ones.
Restrict background data: It is recommended to enable “Restrict background data” to safeguard against background data transfers by apps when they are not in use.
Control app-specific data: iOS and many versions of Android provide a dashboard to toggle data on/off for individual apps. Switch off data for less frequently used apps and turn it on as needed. For Android versions in which such a data control dashboard is not available, third-party apps offering the same functionality may be used.
Never use jailbroken or rooted phones: Rooting/jailbreaking grants admin privileges but may weaken the intrinsic security of the device significantly. Hence, it is suggested not to use rooted Android devices or jailbroken iPhones.
Configure lost phone tracking options: iOS as well as Android provide an inbuilt mechanism, using the Apple ID and Google login credentials respectively, to track the location of a lost device and even erase its data remotely, which safeguards against data compromise to a large extent. Moreover, many OEMs also provide applications with similar features.
SIM change alert: Many smartphones support SIM change alerts that notify a pre-configured alternate mobile number when the SIM card is changed. This option should be kept configured with a trusted alternate number.
Application backups: Backup options for different applications must be activated frugally and in a well-thought-out manner, only if absolutely necessary, since all backups are kept on third-party servers, often without adequate security. For instance, though WhatsApp communication is end-to-end encrypted, its backup is kept in Google Drive or iCloud unencrypted.
Location privacy: Apart from third-party apps, even pre-installed default trusted apps like Google Search and Google Maps continuously monitor and record your location if used with default settings. It is suggested to explicitly turn off automatic location tracking individually for
Device account: Preferably use a different user account for the permanent login on the device than the one used for critical communication or financial transactions.
Turn off geo-tagging: It is suggested to disable geo-tagging in social networking apps and photo capturing utilities.
Keep your mobile number private: Most users know the importance of not sharing their personal mobile number with strangers. Apply the same in the virtual world by not offering your mobile number to every app that prompts for it. The more places you share your number, the more you increase your attack surface: you become more vulnerable to spam, scams and even intrusion into your 2FA-protected accounts.
Don't share PII on social media: Limit the personal information you share online. For example, avoid posting your full name, address, phone number, email ID etc. on social media sites or elsewhere. An identity thief can potentially use this information to target you or to answer the security questions that log into your accounts. Curate the information present about you online and delete/hide items that reveal more about you than you would like.
Use unbreakable passwords: Most users hate having numerous, non-repeating and ultra-complex passwords, but they are crucial to one's online safety and privacy. Therefore, your password should have at least 13 characters and be a mix of letters and numbers, upper and lowercase letters and symbols. This renders brute force attacks futile. You can use a password manager to create such unbreakable passwords with ease.
Avoid public chargers: Public places like airports, railway stations and shops have public charging stations, and we are often desperate to use them when our devices are drained. But the same charging port can take complete control of your smartphone and inject malicious code. Juice jacking is a cyber attack technique that uses a free public smartphone charging kiosk to install malware through the USB charging port; the malware then covertly copies all of the phone's data. The technology required to compromise a public USB charging port is easily available, and hence the threat of juice jacking is very real. To avoid becoming a victim of juice jacking, carry a portable personal charger, charge devices at leisure and use only power-only (charge-only) USB cables for charging the phone.
Use a SIM card lock: A SIM card lock prevents someone from removing the SIM card from your phone and using it in another phone. To prevent this, set up a SIM card lock in the form of a PIN that must be entered when the phone is turned on in order to connect to a network.
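As an added illustration (not part of the original write-up) of why the 13-character, mixed-class rule defeats brute force, the following Python checks a password against that rule and estimates the worst-case keyspace an attacker would have to exhaust; the guess rate of 10^10 per second and the sample passwords are constructed assumptions.

```python
import math
import string

# Policy stated in the write-up: at least 13 characters drawn from letters
# (upper and lower case), digits and symbols.
MIN_LENGTH = 13

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26 characters
    "upper": set(string.ascii_uppercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "symbol": set(string.punctuation),      # 32 characters
}


def missing_classes(password):
    """Names of the character classes the password does not use."""
    used = set(password)
    return [name for name, chars in CHARACTER_CLASSES.items() if not used & chars]


def meets_policy(password):
    """True when the password satisfies the length and mixed-class rule."""
    return len(password) >= MIN_LENGTH and not missing_classes(password)


def keyspace_bits(password):
    """log2 of the number of candidates a brute-force attacker must try,
    assuming the attacker knows only which character classes are used.
    This is a naive brute-force bound; it says nothing about resistance
    to dictionary or pattern-based guessing."""
    used = set(password)
    alphabet = sum(len(chars) for chars in CHARACTER_CLASSES.values() if used & chars)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time in years to try the whole keyspace at the assumed
    guess rate (the default rate is a constructed figure for illustration)."""
    seconds = 2 ** keyspace_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords: a digit-only PIN, a policy violator and a compliant one.
    for candidate in ("12345678", "password12345", "Tr0ub4dor&3xample!"):
        print(f"{candidate!r}: policy={meets_policy(candidate)}, "
              f"missing={missing_classes(candidate)}, "
              f"{keyspace_bits(candidate):.1f} bits, "
              f"{years_to_exhaust(candidate):.2e} years to exhaust")
```

The digit-only PIN is exhausted in well under a second at the assumed rate, while the 18-character mixed password needs well over a million years, which is the gap the 13-character rule is meant to create.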