As mobile usage increases, threats to these devices become more diverse and more complex. However, it seems that users are not aware of the risks.
A recent survey conducted by security firm Kaspersky says that 28% of users know nothing, or very little, about mobile malware [1]. Another statistic from antivirus vendor Avast [2] says that only half of users have an antivirus installed on their mobile, and that only 60 million Android devices have an antivirus solution, against 230 million users who have a desktop solution.
Mobile data security: an alarming lack of awareness
Based on this, and leaving the actual effectiveness of mobile antivirus solutions for another post, it looks like most users don’t consider their mobiles susceptible to infection. It seems that mobile phones have evolved faster than users expected. Not long ago we could only do a couple of things with our phones, such as making calls and sending SMS, and the only valuable information we stored on them was telephone numbers.
With the growth of computing capabilities and social networks, we now gather most of our sensitive and private information on our phones. Not only do we store contact information, addresses, family and friends’ birthdays, email and professional information, we also have records of our likes (Facebook), interests (Twitter), latest travels (Maps), games, notes (Evernote) and banking and shopping information.
In the near future you will pay with your phone as often as you pay with your credit card [3].
Surprisingly, the growth in confidential information stored on our phones is not being matched by any growth in protection measures for them.
Very few people [4] have their phone encrypted or even password-protected. Google and Apple understand this problem very well and it seems that they are taking some steps forward, knowing that a breach in their phones’ operating systems would mean a breach in their reputation.
The solution: data encryption and a few tips
The main feature they are introducing, among others, is data encryption by default. In the latest Apple iOS 8 [5] some data (photos and messages) is protected under the passcode [6]. Following Apple, Google promised encryption by default in their latest Android Lollipop, but they had to back down owing to performance issues with Android devices [7].
Whatever the reasons, it seems that we have entered a new era in which data encryption and data protection will start to play an important role in operating system design. Hurray!!
Until then, here are some tips that will help you avoid installing malicious applications:
- Don’t install applications from outside official stores such as Google Play, Apple Store or Windows Phone Store. Unofficial stores don’t check apps for malicious code and they host a good number of malware applications. If you don’t want to pay for an app, look for a free or cheaper alternative in another official app store. Remember that if you are not paying for it, you might be giving much more than what you get (access to personal and private data, for example).
- Every now and then, malicious apps show up in official app stores. Until they are removed (which could take hours, sometimes days) you can take some precautions: check out who the developer is. Usually there is a blue check next to the name that shows whether the developer has been verified.
- Review app permissions. Yeah, I know that it’s boring, and sometimes you can’t be sure if the permission is reasonable or not. But most of the time there are permissions that are very suspicious. A few months ago I found a draughts game that needed an internet connection. I couldn’t figure out any reason why they needed it, so I became suspicious and searched for another app. It is important to bear in mind that an app only needs two permissions (internet and read storage) to easily access and retrieve other apps’ database information, meaning it could easily access personal data. Check out the WhatsApp case [8]; this could be applicable to any similar app.
- Don’t open attachments from unknown emails. A few years ago spam was very easy to detect thanks to poor quality translations, impersonal text… but nowadays spam is much harder to detect. Be cautious even with emails from known contacts. A very popular technique, called spear phishing [9], consists of sending emails from people you know and including text with a little information about you obtained from social networks. If you have doubts about the legitimacy of the email, verify it some other way.
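The permission review from the tip above can be automated for an app whose manifest has already been decoded to plain XML (for example with apktool). This Python code is an added example, not part of the original post; the sample manifests and package names are constructed, and the contacts and SMS combinations are assumptions that extend the internet-plus-storage pair the post describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Combinations worth a second look: network access plus read access to data.
# The first is the pair named in the tip above; the other two are added
# assumptions that extend the same idea to contacts and SMS.
RISKY_COMBOS = {
    "network + shared storage": {P + "INTERNET", P + "READ_EXTERNAL_STORAGE"},
    "network + contacts": {P + "INTERNET", P + "READ_CONTACTS"},
    "network + SMS": {P + "INTERNET", P + "READ_SMS"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def review(manifest_xml):
    """Return the labels of every risky combination the app fully requests."""
    perms = requested_permissions(manifest_xml)
    return sorted(label for label, combo in RISKY_COMBOS.items() if combo <= perms)

# Constructed sample: a board game that asks for network and storage access.
SAMPLE_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.draughts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Draughts"/>
</manifest>"""

# Constructed sample: an offline app that requests only vibration.
SAMPLE_OFFLINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("draughts", SAMPLE_GAME), ("notes", SAMPLE_OFFLINE)):
        print(label, "->", review(xml) or "nothing flagged")
```

A flagged combination is a prompt to ask why the app needs it, not proof that the app is malicious.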
Javier González Del Tánago
SMiD Cloud Security Engineer
Sources:
[2] https://blog.avast.com/2015/04/30/pcs-require-antivirus-smartphones-dont-right/
[3] http://www.wired.com/2015/06/android-pay-will-succeed-google-wallet-failed/
[4] http://confidenttechnologies.com/news_events/survey-shows-smartphone-users-choose-convenience-security/
[5] https://www.apple.com/business/docs/iOS_Security_Guide.pdf
[6] http://www.engadget.com/2014/09/17/apple-privacy-tim-cook/
[7] http://www.engadget.com/2015/03/02/android-lollipop-automatic-encryption/
[9] http://us.norton.com/spear-phishing-scam-not-sport/article
Image “Phone time” by Maurizio Costanzo
Image “Virus” by Yuri Samoilov