Tuesday, 23 July 2013

Smartphone security

[Image caption: In 1999 a PC this powerful would cost twice as much and be 100 times bigger]
At the moment we are, in terms of mobile malware development, in 1998.

Remember when we all used Windows 95 and connected with modems? The threats of the day were Trojans that would dial premium numbers to generate/steal money from victims.

As far as I can tell, that’s where we are today with smartphones.

Modern, powerful mobile handsets are essentially PCs with a modem, run by users who access banks and other financially-connected sites. I've yet to see any evidence of iOS or Android-compatible drive-by attacks, so right now social engineering seems to be the most significant threat.

As such, a slight variation on the advice we used to give in the late 1990s is probably suitable:

  1. Keep your phone’s firmware up to date (updates from vendor, via Android Settings).
  2. Keep your software up to date (via Google Play updates). These updates can be set to run automatically.
  3. Only install from official stores such as Google Play. Don’t side-load (i.e. install from removable media).
  4. Ensure the software comes from the original developer. Google Play lists the developer and highlights very popular ones with the ‘Top Developer’ label.
  5. Check the reviews of each application you want.
  6. Check the permissions that each application requires and reject it if it wants too much (in your opinion).
  7. When updating manually, review any new permissions the updated application requires.
  8. Avoid pirated/cracked software, whatever the source.
  9. Install an anti-malware product. After all, even the official stores have been found to host malicious files.
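Steps 6 and 7 are the ones that can be checked mechanically. The script below is an added example, not part of the original post: it reads the permissions an app's AndroidManifest.xml requests, diffs two versions to show what an update newly asks for, and flags the permissions that enable the premium-rate SMS/call fraud recalled above. The two manifests and the package name are constructed samples for a hypothetical flashlight app.

```python
"""Check which permissions an Android app requests and which ones a new
version adds (added example for steps 6 and 7 above, not from the post).
Both manifests below are constructed samples for a hypothetical app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that enable the premium-rate call/SMS fraud the post
# recalls; extend this set to match your own view of "too much".
COSTLY = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review_update(old_xml, new_xml):
    """Step 7: diff two versions and flag newly requested costly permissions."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    added = new - old
    return {"added": added, "added_costly": added & COSTLY, "all_costly": new & COSTLY}

OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# The update of a flashlight app suddenly wants to send SMS: step 6 says reject.
NEW_MANIFEST = OLD_MANIFEST.replace(
    "</manifest>",
    '  <uses-permission android:name="android.permission.SEND_SMS"/>\n'
    '  <uses-permission android:name="android.permission.READ_CONTACTS"/>\n'
    "</manifest>",
)

if __name__ == "__main__":
    result = review_update(OLD_MANIFEST, NEW_MANIFEST)
    for perm in sorted(result["added"]):
        flag = "  <-- can cost you money" if perm in COSTLY else ""
        print(f"new permission: {perm}{flag}")
```

Run it against the manifest pulled from an APK you are about to install or update; an empty `added_costly` set is the outcome a cautious user wants to see.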

While all this will help, I doubt that normal people will either bother or be able to fully understand or remember the details. That's not their fault, though. It's the fault of the mobile industry. It should be easier to be more secure.

This article updates last year's notes on Android security tips.