People throughout the world have had our lives changed in the past few weeks. I am sad for the individuals and families who have lost loved ones or friends from the global coronavirus pandemic.
Many people are now “sheltering in place,” working from home, or are experiencing other restrictions that have now become part of our “new normal.”
But our use of mobile devices doesn’t come without risk, and I want you to at least start thinking about that today.
Mobile devices do more for us each day, and most people can’t imagine living or working without them.
Nobody can doubt that mobile devices provide excellent features and convenience, as well as entertainment and increased business productivity.
But it’s easy to forget that mobile devices are pretty powerful computers, and you need to think about the security risks that come from using them.
Do you use your mobile device for anything you’d like to stay confidential or keep private?
Is there data transmitted by or stored on a mobile device that you want to keep secure?
The use of mobile devices is growing at unbelievable rates.
First, here are a few statistics:
- There are now more connected mobile devices than there are people on earth.
- Currently, in the U.S., there are approximately eight networked devices per person, a number expected to climb to 13.6 per person by 2022.
- Nearly three-quarters of the world will use just their smartphones to access the internet by 2025.
- In the U.S., roughly one-third of people (31 percent) use mobile banking more than any other app on their smartphone.
But the following will give you some background about the associated risks.
A Forbes magazine article, referencing Verizon’s Mobile Security Index (MSI) 2020 Report, revealed that:
- 54% of companies were less confident about the security of their mobile devices than that of their other systems.
- 21% of organizations that were compromised said that a rogue or unapproved application had contributed to the incident.
A more in-depth review of the full Verizon report adds more thought-provoking information:
- 83% of organizations were concerned about device loss or theft, and 20% of those felt that their defenses were inadequate.
- Device operating systems are also a concern and often out of date. Almost half (49%) of enterprise devices are being used without any managed update policy.
- According to Wandera, employees connect to an average of 24 Wi-Fi hotspots per week, and Netmotion found that the average device connects to two or three insecure Wi-Fi hotspots per day.
From a study produced by Aite at the request of Arxan, discussing mobile device vulnerabilities:
- “There is no shortage of anecdotal evidence that hackers are actively seeking to leverage those vulnerabilities, such as the recent discovery in the wild of mobile malware that leveraged Android’s accessibility features to copy the finger taps required to send money out of an individual’s PayPal account. The malware was posted on a third-party app store disguised as a battery optimization app. This mobile banking trojan was designed to wire US$1,000 out of an individual’s PayPal account within three seconds, despite PayPal’s additional layer of security using multifactor authentication.”
- The study found three app categories with the highest number of vulnerabilities: retail banking, retail brokerages, and auto insurance.
Whether you are working remotely or not, let’s take a few steps to improve your mobile device security.
Mobile Device Threats
Are You Taking Risks Using Unsecured Wi-Fi?
Mobile device users routinely connect to the nearest or strongest available Wi-Fi network signal, and some may not even be aware of the significant security risks.
I have already written two blog posts about the use of Wi-Fi, so I won’t repeat that information in this one. Here are links to the previous posts, for your convenience:
In addition to public Wi-Fi, if you now depend on your home router, you’ll need to make sure that it is also secure. Here’s a link with more information:
Should You Be Worried About Mobile Device Malware?
Mobile devices can be infected with malware, just like any computer.
A report from Check Point states that attacks against mobile devices in the first half of 2019 increased by 50% compared to 2018, with mobile banking apps being one of the primary targets.
Reports from multiple security companies document that the overwhelming majority of mobile malware targets Android devices. Still, anti-malware protection should be installed on every mobile device.
If your device is infected, mobile malware can:
- Allow the attacker to wipe the device or alter data
- Track your physical location in real time
- Surreptitiously turn on the device camera or microphone
- Allow the developer complete access to all data stored on or transmitted by the device
- Allow the developer to send text messages or make calls on the device
- See text messages sent as part of 2-factor authentication systems
- Change settings on the device
- Convert the device into a node on a criminal botnet
- Masquerade as an app from a legitimate financial institution to steal your financial data, including your login
- Manipulate the screen so that it continues to show your valid transaction and expected balance, but not the real data
- Recognize when you dial a financial institution’s 800 number and reroute the call to one of the attacker’s call centers
- Connect to the company network, raising the possibility of infection on other machines
Do You Know All the Data You’re Giving Away to Your Mobile Apps?
Users who install apps on their mobile devices seldom read the Terms of Service agreement that comes with the app or the developer’s Privacy Statement.
But a significant number of apps take advantage of this to grant themselves permission to do many things with your device and the data that it contains.
Most users are completely unaware that they have given away these rights.
The app developers are then free to sell the collected data to advertisers or any other interested party.
Apps may be allowed to collect and transmit:
- The device manufacturer and model
- The device serial number and IMSI number
- Geolocation data
- Browsing and search history
- Demographic data
- All contacts stored on the device
The Terms of Service may also give an app permission to:
- Record audio through the device microphone
- Have full Internet network access via the device
- Take photos or videos
- Modify or delete the contents of data storage
- Create accounts and set passwords
- Send text messages
- Read phone status and identity (includes call logs, phone signal, carrier, device ID, and phone number)
- Connect and disconnect from Wi-Fi networks
- Retrieve information about current and recently running apps on the device
Did You Already Know These Mobile Device Security Tips?
What can we do to secure our mobile devices against these problems and threats?
Here are a few essential recommendations:
- Use a secure passcode on every mobile device
- Configure the screen lock to engage after a minimal time with no activity
- Use anti-malware and a firewall on every mobile device
- Only connect with websites using HTTPS, but even that does not guarantee a secure connection
- Use a VPN on every mobile device
- Download and install apps only from approved app stores
- Do not let sensitive apps remember your login user ID or password
- Consider using encryption to protect any sensitive data stored on the device
- Consider the use of an encrypted app to send text messages or make voice calls
- Make sure to keep the operating system and all apps up to date at all times
- Use a secure password manager
- Do not use your fingerprint to access a mobile device
- If not already available, consider the use of an app to locate your device if it is lost or stolen
- When you sell or trade in an old device, make sure that your data is securely erased
- Be very selective in choosing which apps can use location services
- Turn off all unnecessary system services
- Allow text, video, and audio messages to expire rather than storing them forever
- Limit what diagnostic data is sent to the manufacturer, app developer or carrier whenever possible
- Be careful what you sync with services such as iCloud, Dropbox, etc.
- Control what notifications are displayed on your locked screen
I hope this post will help you understand some of the risks from your mobile devices, and help you begin to improve your security.
If you would like more details, go to the Free Member Content Library on our website. We’ve compiled a “Smart Home and Mobile Device Security Checklist,” which we are gladly providing at no cost.
This checklist doesn’t address all of the security issues you may face with mobile devices, but at least it gives you an excellent place to start.
Please share this information with co-workers, family, and friends to help everyone improve their security!