• Home »
• Self-Help Resources »
• Mobile Security

Mobile Security

Update Devices | Detox Apps | Privacy | Virtual Assistants | SIM Card Fraud
Spam & Deception | Troubleshooting

You may think the information on your phone isn't that sensitive, but you'd be surprised.

 

Even if you don't use, say, banking apps, your phone has your email on it, and if a thief gains access to your email, they have access to pretty much any account you own.

 

And a device that portable is easy to lose, giving ne'er-do-wells free reign over your information.

 

Lock. Your. Phone.
— Wired

The New Mobile Reality

There are now more mobile devices than people on the planet and most people get most of their information through a mobile device.
— CSO

We text, talk and share on the go, often without thinking about the consequences.

Today's mobile devices, by their very nature, are not in a fixed location. Data is often stored in the “cloud” and is available to other applications and services you've permitted to have access to it.

Your mobile devices contain a lot of information about you. Learn how to be careful so your information doesn't end up in the hands of a cyber criminal.
— Get Cyber Safe

We need to tighten security on our devices and pay more attention to what we're giving away.

More Than a Phone

We forget that we're carrying a very powerful computer in our pocket.

More than a phone, mobile devices reveal our most private thoughts.

They contain the sort of personal information earlier generations kept locked in our diaries and filing cabinets.

Laws Are Antiquated

Unfortunately, laws have not kept up with technology and our privacy is being eroded.

Laws that permit border searches of our devices are based upon conditions in a pre-computer era. The law assumes that any physical documents in your possession can be examined.

When the laws were drafted, the reality of electronic documents on portable computers and hand-held devices weren't even conceived never mind taken into consideration.

Conveniently interpreting your smartphone or laptop as a physical entity comparable to a file folder with printed documents, it is just as though crossing a border gave customs officers the right to go to your home or office and examine your private files.

A Double Standard

This data is invaluable in profiling us for advertising and marketing.

Can you imagine Google or Microsoft allowing you to have unfettered access to their personnel files or planning documents?

Why do you think hacking is penalized so severely? Corporations have lobbied for the right to collect our data while protecting their own.

Canadians increasingly access everything online via smart devices and that trend is only increasing. With that change comes a need to learn to protect yourself and your data.

See the full infographic to learn more.

Learn about the inherent risks that go along with the freedoms these devices provide so you can make better decisions about the software you use.

Protect Your Privacy and Security

These practices can better prepare your mobile device for security and privacy:

• Update your device
• Detox your device by removing unnecessary apps
• Update your apps
• Privacy

Return to top

Update Your Device

Mobile devices are much better “out of the box” than they were a few years ago.

That doesn't translate into secure experiences once they are put into everyday use.

We've reached a point where mobile ecosystems and platforms are relatively secure at an OS and hardware level; the biggest risk comes from what we do with those devices and what we install on them, what email messages we read, and what links we click.
— TechRepublic

One of the most important security measures you can take is to ensure every device is running a currently-supported operating system (Android, iOS, Windows, macOS, Linux). Update to the most recent version supported by your hardware.

If your device's operating system is no longer supported you need to replace the device.

Delaying updates can leave you vulnerable to zero-day attacksthat have been fixed by the vendor. Learn more about zero-day exploits.

Android

While Google regularly updates the Android OS, manufacturers are free to deny the upgrades on their devices, leaving you vulnerable to known weaknesses to create an artificial need to upgrade your hardware regularly.

How to Check What Version Your Device is Running

Android: Settings ⇒ About Phone.

• Check & update your Android version.
• Check if your Android smartphone is secure and supported with updates.

Android devices are ubiquitous, and the Android platform isn't locked down the way iOS is. Even if you stay away from third-party app stores and refrain from jailbreaking your device, you can still get hit with Trojans, ransomware, and other kinds of Android malware. Smart users protect their devices with an Android antivirus.
— PCMag

Android Vulnerabilities

It was recently revealed that a spyware program was installed on more than 700 million Android smartphones and was collecting information and sending it to China.

But that isn't the only Android threat. Gooligan, breached the security of over one million Google accounts, one of the largest Google breaches yet. Check your Google account activity and choose better security

• The risk of accessibility permissions in Android devices.
• Here's how you can use Android but ditch Google .
• How to safely delete your Google or Gmail account for good.

iOS

Apple iOS is significantly more secure than Android.

Unlike Android users, who are largely at the mercy of their carriers for OS updates, Apple pushes out new versions of iOS to anyone with a compatible phone all at once. That's why 89 percent of iOS users are on iOS 10 as of Sept. 6 [2017], while only about 16 percent of Android users are sampling Nougat as of Sept. 11.
— PCMagazine

That said, iOS isn't free from issues.

How to Check What Version Your Device is Running

iOS: Settings ⇒ General ⇒ About.

• Update your iPhone or iPad.
• iPhone User Guide by iOS version.

iOS Vulnerabilities

iOS apps may be vulnerable to silent man-in-the-middle attacks (where a nefarious third party can intercept the communication and steal data).

As for iPhones and other iOS devices, Apple's built-in security makes life tough both for malware coders and antivirus writers. Many cross-platform suites simply skip iOS; those that don't typically offer a seriously stripped-down experience. Given the platform's intrinsic security, it rarely makes sense to expend one of your licenses installing protection on an iPhone.
— PCMag

• Do You Need a Security App on iPhone?

As iOS moves away from 32-bit software, users are warned that older apps may slow down their devices. In many cases, these apps are no longer maintained and probably should be deleted.

Mobile phishing attacks are on the rise and iOS is the biggest target. 63% of mobile phishing attacks target iOS devices. The number one source of those attacks is gaming apps. People are getting wise to email phishing, so hackers are becoming much sneakier. Mobile phishing that hides inside apps is harder to catch, making it a huge security risk.— TechRepublic

• How to limit AirDrop spam in iOS 16.2.
• Apple fixes another three iOS zero-days exploited in the wild.
• Malicious iOS app popup windows could be stealing your Apple ID.
• Five iOS 14 and iPadOS 14 security and privacy features.
• Dozens of iOS apps vulnerable to data theft, despite ATS mandate.

Virtual Assistants

We're now interacting directly with our computers using virtual assistants built into our devices (Siri, Cortana, Google Assistant) as well as in our homes and offices with Internet-connected devices like Amazon Alexa and Google Home.

They Know Too Much

Not only do they need to know a lot about us in order to function properly, they can also overhear private conversations and misunderstand commands. Their security is too dependant upon others whose motives are profit rather than privacy.

• Thousands of Amazon workers listen to Alexa users' conversations.

A War For Your Loyalty

There is a war for your loyalty.

In the future these virtual assistants are going to have a larger role in what music we listen to, what movies or TV programs we watch and what products we buy.

Governments are already asking companies about the algorithms used by services like YouTube and Facebook to determine what content is promoted to users based their profiles. Better profiling results in higher ad conversion and profitability.

“We're Listening”

We are providing more information to these devices every time we use them.

By their very nature, they need to know a lot about us to be effective (one of the reasons that Siri or Cortana want to “get to know you” when you first use them).

You can't have Google call Beth if they don't know who Beth is and how to best contact her. When we refer to Beth as our sister, then the assistant knows her relationship to us. The learning continues as we place requests that are clarified (“What is Jeremy's number?”).

Danger, Will Robinson

Not all is as rosy as it appears. Using these virtual assistants is providing a lot of personal information to companies with a less-than-perfect track record for privacy.

We have less control over what is collected than you might think.

Voice data is being monitored all the time but the assistant is supposed to wait for the “hey Google” or “hey Siri”prompt. That may not limit what is recorded and can reveal a lot of private information.

Apple contractors regularly hear confidential medical information, drug deals, and recordings of couples having sex, as part of their job providing quality control, or "grading", the company's Siri voice assistant, the Guardian has learned.
— The Guardian

Children and Virtual Assistants

Children are quick imitators and young children have been found to be conversing with these virtual assistants like they are a friend.

This issues is only going to get worse as the Internet of Things becomes pervasive and a thousand small devices (baby monitors, smart toys, security devices, etc.) begin monitoring our activities

Protecting Your Privacy

Start by choosing devices based upon their privacy track record. Next, change the default passwords and privacy settings on devices like Alexa and Google Home.

• *Privacy not Included is a Mozilla guide to shopping for save, secure connected products.
• How to opt out of human review of your voice assistant recordings.

Return to top

Detox Your Device

Regularly review the apps on your device to see what you actually use. If it serves no purpose, delete the app. You can always reinstall it if you find that you're missing features you want.

This frees up space on your device and eliminates any potential problems without impacting your daily use of the device.

Some iOS devices have the ability to offload apps without removing the related data.

Clean Up Your Settings

Take some time to clean up your device as well as tighten security and privacy settings:

• Data detox: Five ways to reset your relationship with your phone.
• Protecting personal information on your mobile devices.
• 10 tips to tighten security on your Android device.
• How to protect your privacy using Android.
• How to improve the security and privacy of your iPhone — 5 steps.

Avoid Data Collection

Having these apps on your phone can introduce new vulnerabilities and are almost always collecting information about you and your purchases.

While you may not think your privacy is important, these companies spend millions to collect such data while providing little in return.

Data Collection Significant

The vast numbers of apps on the app stores and the number of downloads can make a seemingly minor oversight affect millions of users.

That assumes that all this was accidental. Not so.

The collection of personal data has become a multi-billion dollar industry that will require legislation to fix.

• How secure is your business data on your employees' personal smartphones?
• 8 mobile security threats you should take seriously in 2020.

While most apps aren't malicious and need these permissions to work properly, it's worth reviewing them at times to make sure an app isn't taking information it doesn't need.

 

And in the case of apps like Facebook, the absurd amount of permissions might make you want to uninstall it completely.
— MakeUseOf

More and more fast food and other chains insist that you download and install their app to obtain access to the company's specials or bribe you with freebies when you collect enough points.

• Tim Horton's abused their customers by tracking them even when they weren't using the app.
• An Android Banking Trojan was found inside 467 apps for restaurants and take away services.
• A local KFC store wouldn't even let me know what their specials were unless I downloaded their app.

Update Your Apps

Once you've removed any apps that you don't use or don't recognize, check to see if there are updates for the remaining apps.

One of the most important security measures you can take is to ensure your apps are updated regularly.

See the full infographic.

If any apps are no longer supported you need to find a replacement then remove the obsolete apps.

Return to top

Privacy on Mobile Devices

Tech companies are on a buying spree, which can compromise your privacy.

You need to be careful about how much information you provide to apps rather than simply clicking the “Accept” button.

Let's look at a real-world example.

Eavesdropper Vulnerability

In 2017 Appthority discovered a vulnerability in 685 enterprise apps affecting nearly 700 iOS and Android devices (44% Android, 56% iOS) which had provided access to private data since 2011.

The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they've developed with the exposed credentials.

 

Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware.

 

An Eavesdropper attack is possible simply because developers have failed to follow Twilio's documented guidelines for secure use of credentials and tokens and allowed theses apps to leak audio and message-based communications.
— Appthority

Careless Developers

This vulnerability could only be fixed by the developer. These developers probably lacked the knowledge or motivation to fix the issue.

The cause of the Eavesdropper issue is careless developers. We've seen many cases in the past where developers leave API and server credentials inside an app's source code, instead of storing them in a secure, remote database.
— Bleeping Computer

Removing the apps from your device became the only logical option.

Combined Services Share User Data

When a company or service is purchased by a new parent company the privacy policies change to suit the new owner. Often it is the user base that is the reason for the purchase more than the technology.

Did Microsoft acquire LinkedIn to access the wealth of user data as much as adding a social media platform to their holdings? What about Facebook's purchase of Instagram and WhatsApp?

Generate Unique Identities

Do not use single sign-on — the practice of using your Google, Facebook or Apple ID to log into third-party sites.

This creates a single point of failure (you're essentially using one password everywhere).

While convenient, you provide much more than if you login using a unique ID.

I recommend that you change your logins for any services that you've used Google, Facebook or other accounts for access. LastPass can track these for you and generate new passwords on the fly.

Be Selective in Permitting Access

When an app on your device requests access to your contacts, photos, etc. you need to determine if that access is necessary for the app to perform the tasks you acquired it for.

Developers often say that they collect information to create enhanced functionality in their app or to deliver a better user experience.

 

Think about it like this — why in the world does your calorie tracker need to access your contacts? And really, why does your flashlight app need to know your location? — Check Point blog

Review App Permissions

CASL prohibits anyone from installing software -- including updates -- on your electronic devices without your consent.

 

It also applies to updates and upgrades installed by somebody else, even if you installed the original software.
— Canada's Anti-Spam Legislation

If an app requests unnecessary permissions, you're probably better off finding another app that doesn't abuse your privacy.

• Clean up your phone's apps and review their permissions.

Mobile Location Analytics Invades Privacy

By tracking cell phones, Mobile Location Analytics (MLA) technologies allow facilities to learn about traffic patterns within their venues including how long people stand in line.

This information is more valuable than a “free” app: Your Facebook profile is estimated to be worth $50 per month in advertising revenue.

While this information could benefit you, it also invades your privacy.

If the app is tracking your location, the app's owner knows where you live, work, worship or party but also who you're sleeping with (frequently seeing two phones overnight in the same location but away from your residence) or attend A.A. meetings.

• Learn more at MLA Opt Out.

More About Privacy in the Mobile World

• Uniquely you: The identifiers on our phones that are used to track us.
• The many identifiers in our pockets: A primer on mobile privacy and security.
• Three tips for phone privacy.
• What your apps know about you.