Have you ever downloaded an application on your mobile device and pressed the Next button continuously until the application launches? More often than not, these screens that you pass through without reading are authorization forms allowing the app to access information and execute actions on your device. However, granting apps all access to your phone is a bad idea and can put your privacy at risk. Below are some best practices for securing your mobile device and the apps you install.
Do My Apps Really Need Access to All of This Stuff?
If an app requests access to something, it must need it, right? Not necessarily. Many developers design smartphone apps with a "request all" approach, meaning it is easier to seek permission to everything at the beginning of an install than it is to release an update later when additional permissions are needed. A good example of this is a photo editing app that requires access to the contacts on a mobile device — this request is unnecessary, but it is commonly seen during app installations.
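One way to see the "request all" pattern for yourself is to audit the permissions an app declares against what its stated purpose actually needs. The script below is an added example, not part of the original article: it parses a constructed AndroidManifest.xml modelled on the photo editor described above and separates expected permissions from dangerous ones the app has no obvious reason to ask for. The allow-list of what a photo editor "needs" is an assumption made for the example, not an Android or app store rule.

```python
"""Audit the permissions an Android app declares against its stated purpose.

Added example (not from the original article): parses a constructed
AndroidManifest.xml fragment and reports dangerous permissions that a
photo-editing app has no obvious reason to request.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions Android classifies as "dangerous" (runtime permissions).
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# Assumed allow-list: what a photo editor plausibly needs. This is the
# reviewer's judgement for the example, not an Android or store rule.
EXPECTED_BY_PURPOSE = {
    "photo_editor": {
        "android.permission.CAMERA",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.READ_MEDIA_IMAGES",
    },
}

# Constructed manifest modelled on the article's over-privileged photo editor.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photofilter">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <application android:label="PhotoFilter" />
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.attrib[name_attr]
        for el in root.iter("uses-permission")
        if name_attr in el.attrib
    }


def audit_permissions(manifest_xml, purpose):
    """Split declared permissions into expected, unexpected-dangerous and normal."""
    declared = declared_permissions(manifest_xml)
    expected = EXPECTED_BY_PURPOSE[purpose]
    return {
        "expected": sorted(declared & expected),
        # Dangerous permissions the app's purpose does not account for.
        "unexpected_dangerous": sorted((declared & DANGEROUS) - expected),
        # Normal-protection permissions (granted at install, no prompt).
        "normal": sorted(declared - DANGEROUS),
    }


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, "photo_editor")
    for bucket, perms in report.items():
        print(bucket)
        for perm in perms:
            print("   ", perm)
```

Run against the constructed manifest, the "unexpected_dangerous" bucket lists contacts, microphone and precise location, exactly the kind of requests a user should decline when a photo filter asks for them. The same check can be pointed at any decompiled manifest by swapping in a different allow-list for the app's purpose.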
What Are the Risks?
The more information you allow your smartphone apps to share, the easier it will be for hackers to steal this information and use it for malicious purposes. Locking down the privacy settings on your mobile device is essential to preventing such intrusions. An attacker will try to exploit both your device's software as well as the applications installed on the device. In addition to obvious things like your email and messages, an attacker could gain access to your phone's camera, microphone, contacts, and other data.
How Can I Protect My Phone and My Data?
There are several simple steps you can take to protect the data and personal information on your phone, whether because your phone is lost or stolen, or because a hacker is trying to gain access remotely.
- Secure your phone and sensitive apps with a password. Require a passcode, and, if supported, your fingerprint, to gain access to your smartphone. In addition, protect all sensitive apps with a secure password and multi-factor authentication, if supported.
- Perform a regular cleanup of your apps and settings. Delete apps you don't use regularly. Check the app's settings to see if you need to make any adjustments. Hackers can reverse engineer even known applications and then recompile them with malware in order to view your phone's camera, download contact information, turn the speakerphone on and off, and import/export the data on the device.
- Secure your phone's access to Wi-Fi networks. Many people leave their phone's wireless setting turned on at all times because the option to auto-connect to your home or office Wi-Fi network saves time and effort. However, in this state, the device must continuously send out a probe seeking its known access points. Hackers can intercept this probe and masquerade as an access point in order to perform a man-in-the-middle attack to view your device's inbound and outbound traffic.
- Download apps only from reputable sources. Only install applications that are distributed by vendor websites or application stores.
- Configure location services wisely. If your device is compromised, an attacker can use this information to discover your workplace or home address.
Smartphone Safety FAQs
The best way to protect your smartphone from an attack is to incorporate a layered security approach. The following are frequently asked questions about mobile device security.
Am I vulnerable to a cyber-attack through my smartphone if...
...I grant apps all permissions they request?
Possibly. Many times an application will function as normal without the mentioned permissions. Do not grant access to unnecessary actions.
...the Wi-Fi setting is always turned on, even when the phone isn't connected to a secure Wi-Fi network such as my home network?
Yes. Turn off your phone's Wi-Fi setting when you're not actively connected to a secure network.
...I'm not connected securely to the Wi-Fi network at the coffee shop, airport, etc.?
Yes. Attackers can both spoof and capture traffic from your device. See our Public Wi-Fi Best Practices.
...I jailbreak or root my phone?
Yes. Jailbreaking and rooting devices grants the owner administrative privileges to settings that are typically locked on the device. An attacker can install malware on the device that cannot be detected by standard antivirus software.
...I only rarely use apps that could expose sensitive personal information, such as my banking app?
Yes. An attacker only needs to install an exploit one time in order to control your device and access your personal information. Once an account is compromised, an attacker can pull the device's history and use the discovered information to compromise additional accounts.
...I only use my phone to access social media sites?
Yes. Many attackers use social media sites as a platform to launch their attacks. A web browser can be compromised by clicking a link.
...location services are enabled?
Yes. If your device is compromised, an attacker can use this information to discover your home or workplace, for example.
...I only configure the privacy settings for my phone but not for my other electronic devices?
Yes. Many of the websites and applications that we use today have privacy settings that you can configure. As mentioned, the best protection against a cyber attack is to adopt a layered security approach: configure the privacy settings within all devices, websites, and applications you use.
For More Information
For more cyber safety tips and resources you can apply at work and at home, see our Cyber Awareness Resources page. If you have any questions, please contact your regular ACA Aponix consultant or email us at firstname.lastname@example.org.
About the Author
Jose Ramos, GXPN, OSCE, CEH, is a Principal Consultant at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Prior to that, he worked for eight years as Sony Music Entertainment's technical manager and cybersecurity liaison. Earlier, Jose served as a network administrator at Metro One LPSG and a systems administrator for the U.S. Navy. Jose earned his graduate certificate from the SANS Institute of Technology in Cybersecurity Engineering, and graduated with honors from Excelsior College, earning his Bachelor of Science degree in Information Technology with a concentration in Cybersecurity. He also has earned an Associate Degree in Applied Science in Technical Studies with a concentration in Computer Systems. Jose is a certified ethical hacker (CEH) through the EC-Council and holds a number of SANS GIAC Security certifications including GWAPT (Global Web Application Penetration Tester), GCIH (Global Certified Incident Handler), GCIA (Global Certified Intrusion Analyst), and GSEC (Global Security Essentials) through the SANS Institute of Technology.