What is the current state of mobile security? Part 2
John Shier, senior security adviser at Sophos
If you’re like most people, your phone is by your side throughout your day. Thanks to payment apps, mobile GPS and mobile banking, our phones now double as a wallet, map, bank and so much more.
Know where your data is stored
As well as malware, data privacy continues to be a key concern for mobile users. Mobile apps are always seeking permissions from users to access data from other apps and programmes.
What many users don’t consider, says John Shier, senior security adviser at Sophos, is what these apps are doing with this information.
Researchers at the School for Computer Science at the Georgia Institute of Technology recently found that in-app advertising is leaking potentially sensitive personal information on millions of mobile phone users to advertisers. This includes how much money users make, whether or not they’ve got kids, and what their political leanings are to name a few. Many users are unaware of what data their apps are gathering, how they are storing it, how they are transmitting it and how it is protected – this needs to change.
To ensure that they aren’t sharing more than they want to, users must pay attention to what each of their apps has access to, and never give unnecessary permissions.
Protect your privacy when using mobile GPS
Maps are one of the most used functions on smartphones, helping people get from A to B at the press of a button. It is therefore very common for users to leave location services switched on all the time. Modern smartphones typically use a cocktail of signals to pinpoint users’ whereabouts, and regularly call home to Apple, Google, Microsoft and various other app vendors. Similarly, fitness apps that track users’ steps are also drawing information from this GPS data.
The problem with letting anyone and everyone track users wherever they go is that the more data that’s needlessly collected, the more likely it is to get breached at some stage. Our recommendation at Sophos would be to turn on as much location tracking as you feel necessary to enjoy all the convenience of a modern device. Only the user should decide how rich a mobile experience they want, but in the end, it should be an informed choice.
Practice caution when trying IoT devices
IoT-enabled devices are becoming increasingly vulnerable due to poor mobile security. As users purchase these exciting new devices that they can control with their smartphones, they need to be aware of the inherent security risks. For example, poorly secured mobile apps connected to IoT-enabled devices are vulnerable to attacks from ‘man in the middle’ tools. These tools allow hackers to infiltrate the signal between a user’s smartphone and their IoT-enabled device.
For example, if a user has a smart door lock that they use their smartphone to lock, the man in the middle tool, which could be a Raspberry Pi hidden in the bushes near the user’s front door, could hijack the lock signal from the phone. The man in the middle tool has the capacity to then reply back to the user’s smartphone with a signal confirming that the door is locked, and then purposely fail to send the lock signal to the door lock itself. This leaves an unlocked front door that the user is oblivious to.
Similarly, the same man in the middle tactic can force IoT-enabled devices to join a rogue network. It can very easily disconnect the device from the user’s home network and connect it to a hacker’s similarly named rogue criminal network. Hackers can then make all of their victims’ devices connect to the rogue network and access all of the data that is going across the connection, including credit card numbers and passwords, leaving these open to theft and the devices open to manipulation.
While mobile threats are perceived as less prevalent than other end user attacks, there are still multiple threats out there specifically targeting mobile devices, therefore appropriate security controls need to be implemented. In order to protect their privacy, users must ensure that they only download apps from an authorised app store and that they are aware of how these apps are storing, using and sharing the data from their phones that they have access to.
In addition, users must practice caution when trying new IoT-enabled devices. By following mobile security best practices and taking a cautious approach to new IoT-enabled technologies, consumers can protect their mobile data from theft and save themselves a lot of time, money and stress in the future.
The author of this blog is John Shier, senior security adviser at Sophos