Mobile Security

A stylized cloud with icons for computers, laptops, email, etc.

You may think the information on your phone isn't that sensitive, but you'd be surprised.

Even if you don't use, say, banking apps, your phone has your email on it, and if a thief gains access to your email, they have access to pretty much any account you own.

And a device that portable is easy to lose, giving ne'er-do-wells free reign over your information.

Lock. Your. Phone.
— Wired

The New Mobile Reality

There are now more mobile devices than people on the planet and most people get most of their information through a mobile device.
— CSO

We text, talk and share on the go, often without thinking about the consequences.

Today's mobile devices, by their very nature, are not in a fixed location. Data is often stored in the “cloud” and is available to other applications and services you've permitted to have access to it.

Your mobile devices contain a lot of information about you. Learn how to be careful so your information doesn't end up in the hands of a cyber criminal.
— Get Cyber Safe

We need to tighten security on our devices and pay more attention to what we're giving away.

More Than a Phone

We forget that we're carrying a very powerful computer in our pocket.

More than a phone, mobile devices reveal our most private thoughts.

They contain the sort of personal information earlier generations kept locked in our diaries and filing cabinets.

Laws Are Antiquated

Unfortunately, laws have not kept up with technology and our privacy is being eroded.

Laws that permit border searches of our devices are based upon conditions in a pre-computer era. The law assumes that any physical documents in your possession can be examined.

When the laws were drafted, the reality of electronic documents on portable computers and hand-held devices weren't even conceived never mind taken into consideration.

Conveniently interpreting your smartphone or laptop as a physical entity comparable to a file folder with printed documents, it is just as though crossing a border gave customs officers the right to go to your home or office and examine your private files.

A Double Standard

This data is invaluable in profiling us for advertising and marketing.

Can you imagine Google or Microsoft allowing you to have unfettered access to their personnel files or planning documents?

Why do you think hacking is penalized so severely? Corporations have lobbied for the right to collect our data while protecting their own.

Canadians increasingly access everything online via smart devices and that trend is only increasing. With that change comes a need to learn to protect yourself and your data.

See the full infographic to learn more.

Learn about the inherent risks that go along with the freedoms these devices provide so you can make better decisions about the software you use.

Protect Your Privacy and Security

These practices can better prepare your mobile device for security and privacy:

Update your device
Detox your device by removing unnecessary apps
Update your apps
Privacy

Return to top

Update Your Device

Mobile devices are much better “out of the box” than they were a few years ago.

That doesn't translate into secure experiences once they are put into everyday use.

We've reached a point where mobile ecosystems and platforms are relatively secure at an OS and hardware level; the biggest risk comes from what we do with those devices and what we install on them, what email messages we read, and what links we click.
— TechRepublic

One of the most important security measures you can take is to ensure every device is running a currently-supported operating system (Android, iOS, Windows, macOS, Linux). Update to the most recent version supported by your hardware.

If your device's operating system is no longer supported you need to replace the device.

Delaying updates can leave you vulnerable to zero-day attacksthat have been fixed by the vendor. Learn more about zero-day exploits.

Android

While Google regularly updates the Android OS, manufacturers are free to deny the upgrades on their devices, leaving you vulnerable to known weaknesses to create an artificial need to upgrade your hardware regularly.

How to Check What Version Your Device is Running

Android: Settings ⇒ About Phone.

Android devices are ubiquitous, and the Android platform isn't locked down the way iOS is. Even if you stay away from third-party app stores and refrain from jailbreaking your device, you can still get hit with Trojans, ransomware, and other kinds of Android malware. Smart users protect their devices with an Android antivirus.
— PCMag

Android Vulnerabilities

It was recently revealed that a spyware program was installed on more than 700 million Android smartphones and was collecting information and sending it to China.

But that isn't the only Android threat. Gooligan, breached the security of over one million Google accounts, one of the largest Google breaches yet. Check your Google account activity and choose better security

iOS

Apple iOS is significantly more secure than Android.

Unlike Android users, who are largely at the mercy of their carriers for OS updates, Apple pushes out new versions of iOS to anyone with a compatible phone all at once. That's why 89 percent of iOS users are on iOS 10 as of Sept. 6 [2017], while only about 16 percent of Android users are sampling Nougat as of Sept. 11.
— PCMagazine

That said, iOS isn't free from issues.

How to Check What Version Your Device is Running

iOS: Settings ⇒ General ⇒ About.

iOS Vulnerabilities

iOS apps may be vulnerable to silent man-in-the-middle attacks (where a nefarious third party can intercept the communication and steal data).

As for iPhones and other iOS devices, Apple's built-in security makes life tough both for malware coders and antivirus writers. Many cross-platform suites simply skip iOS; those that don't typically offer a seriously stripped-down experience. Given the platform's intrinsic security, it rarely makes sense to expend one of your licenses installing protection on an iPhone.
— PCMag

Do You Need a Security App on iPhone?

As iOS moves away from 32-bit software, users are warned that older apps may slow down their devices. In many cases, these apps are no longer maintained and probably should be deleted.

Mobile phishing attacks are on the rise and iOS is the biggest target. 63% of mobile phishing attacks target iOS devices. The number one source of those attacks is gaming apps. People are getting wise to email phishing, so hackers are becoming much sneakier. Mobile phishing that hides inside apps is harder to catch, making it a huge security risk.— TechRepublic

Virtual Assistants

We're now interacting directly with our computers using virtual assistants built into our devices (Siri, Cortana, Google Assistant) as well as in our homes and offices with Internet-connected devices like Amazon Alexa and Google Home.

They Know Too Much

Not only do they need to know a lot about us in order to function properly, they can also overhear private conversations and misunderstand commands. Their security is too dependant upon others whose motives are profit rather than privacy.

Thousands of Amazon workers listen to Alexa users' conversations.

A War For Your Loyalty

There is a war for your loyalty.

In the future these virtual assistants are going to have a larger role in what music we listen to, what movies or TV programs we watch and what products we buy.

Governments are already asking companies about the algorithms used by services like YouTube and Facebook to determine what content is promoted to users based their profiles. Better profiling results in higher ad conversion and profitability.

“We're Listening”

We are providing more information to these devices every time we use them.

By their very nature, they need to know a lot about us to be effective (one of the reasons that Siri or Cortana want to “get to know you” when you first use them).

You can't have Google call Beth if they don't know who Beth is and how to best contact her. When we refer to Beth as our sister, then the assistant knows her relationship to us. The learning continues as we place requests that are clarified (“What is Jeremy's number?”).

Danger, Will Robinson

Not all is as rosy as it appears. Using these virtual assistants is providing a lot of personal information to companies with a less-than-perfect track record for privacy.

We have less control over what is collected than you might think.

Voice data is being monitored all the time but the assistant is supposed to wait for the “hey Google” or “hey Siri”prompt. That may not limit what is recorded and can reveal a lot of private information.

Apple contractors regularly hear confidential medical information, drug deals, and recordings of couples having sex, as part of their job providing quality control, or "grading", the company's Siri voice assistant, the Guardian has learned.
— The Guardian

Children and Virtual Assistants

Children are quick imitators and young children have been found to be conversing with these virtual assistants like they are a friend.

This issues is only going to get worse as the Internet of Things becomes pervasive and a thousand small devices (baby monitors, smart toys, security devices, etc.) begin monitoring our activities

Protecting Your Privacy

Start by choosing devices based upon their privacy track record. Next, change the default passwords and privacy settings on devices like Alexa and Google Home.

*Privacy not Included is a Mozilla guide to shopping for save, secure connected products.
How to opt out of human review of your voice assistant recordings.

Return to top

Detox Your Device

Regularly review the apps on your device to see what you actually use. If it serves no purpose, delete the app. You can always reinstall it if you find that you're missing features you want.

This frees up space on your device and eliminates any potential problems without impacting your daily use of the device.

Some iOS devices have the ability to offload apps without removing the related data.

Clean Up Your Settings

Take some time to clean up your device as well as tighten security and privacy settings:

Avoid Data Collection

Having these apps on your phone can introduce new vulnerabilities and are almost always collecting information about you and your purchases.

While you may not think your privacy is important, these companies spend millions to collect such data while providing little in return.

Data Collection Significant

The vast numbers of apps on the app stores and the number of downloads can make a seemingly minor oversight affect millions of users.

That assumes that all this was accidental. Not so.

The collection of personal data has become a multi-billion dollar industry that will require legislation to fix.

While most apps aren't malicious and need these permissions to work properly, it's worth reviewing them at times to make sure an app isn't taking information it doesn't need.

And in the case of apps like Facebook, the absurd amount of permissions might make you want to uninstall it completely.
— MakeUseOf

More and more fast food and other chains insist that you download and install their app to obtain access to the company's specials or bribe you with freebies when you collect enough points.

Tim Horton's abused their customers by tracking them even when they weren't using the app.
An Android Banking Trojan was found inside 467 apps for restaurants and take away services.
A local KFC store wouldn't even let me know what their specials were unless I downloaded their app.

Update Your Apps

Once you've removed any apps that you don't use or don't recognize, check to see if there are updates for the remaining apps.

One of the most important security measures you can take is to ensure your apps are updated regularly.

See the full infographic.

If any apps are no longer supported you need to find a replacement then remove the obsolete apps.

Return to top

Privacy on Mobile Devices

Tech companies are on a buying spree, which can compromise your privacy.

You need to be careful about how much information you provide to apps rather than simply clicking the “Accept” button.

Let's look at a real-world example.

Eavesdropper Vulnerability

In 2017 Appthority discovered a vulnerability in 685 enterprise apps affecting nearly 700 iOS and Android devices (44% Android, 56% iOS) which had provided access to private data since 2011.

The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they've developed with the exposed credentials.

Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware.

An Eavesdropper attack is possible simply because developers have failed to follow Twilio's documented guidelines for secure use of credentials and tokens and allowed theses apps to leak audio and message-based communications.
— Appthority

Careless Developers

This vulnerability could only be fixed by the developer. These developers probably lacked the knowledge or motivation to fix the issue.

The cause of the Eavesdropper issue is careless developers. We've seen many cases in the past where developers leave API and server credentials inside an app's source code, instead of storing them in a secure, remote database.
— Bleeping Computer

Removing the apps from your device became the only logical option.

Combined Services Share User Data

When a company or service is purchased by a new parent company the privacy policies change to suit the new owner. Often it is the user base that is the reason for the purchase more than the technology.

Did Microsoft acquire LinkedIn to access the wealth of user data as much as adding a social media platform to their holdings? What about Facebook's purchase of Instagram and WhatsApp?

Generate Unique Identities

Do not use single sign-on — the practice of using your Google, Facebook or Apple ID to log into third-party sites.

Single sign-on uses your Google, Facebook or Apple ID to log into third-party sites.

This creates a single point of failure (you're essentially using one password everywhere).

While convenient, you provide much more than if you login using a unique ID.

I recommend that you change your logins for any services that you've used Google, Facebook or other accounts for access. A password manager can track these for you and generate new passwords on the fly.

Be Selective in Permitting Access

When an app on your device requests access to your contacts, photos, etc. you need to determine if that access is necessary for the app to perform the tasks you acquired it for.

Developers often say that they collect information to create enhanced functionality in their app or to deliver a better user experience.

Think about it like this — why in the world does your calorie tracker need to access your contacts? And really, why does your flashlight app need to know your location? — Check Point blog

Review App Permissions

The Apple Store provides useful information about the sorts of information collected by specific iOS apps in the store.

CASL prohibits anyone from installing software -- including updates -- on your electronic devices without your consent.

It also applies to updates and upgrades installed by somebody else, even if you installed the original software.
— Canada's Anti-Spam Legislation

If an app requests unnecessary permissions, you're probably better off finding another app that doesn't abuse your privacy.

Clean up your phone's apps and review their permissions.

Mobile Location Analytics Invades Privacy

By tracking cell phones, Mobile Location Analytics (MLA) technologies allow facilities to learn about traffic patterns within their venues including how long people stand in line.

This information is more valuable than a “free” app: Your Facebook profile is estimated to be worth $50 per month in advertising revenue.

While this information could benefit you, it also invades your privacy.

If the app is tracking your location, the app's owner knows where you live, work, worship or party but also who you're sleeping with (frequently seeing two phones overnight in the same location but away from your residence) or attend A.A. meetings.

Learn more at MLA Opt Out.

More About Privacy in the Mobile World

Return to top

SIM Card Fraud

SIM card fraud is a type of identity theft where scammers gain control of your phone number and online accounts through your cell phone service provider.
— Open Media

Unfortunately, it appears that it isn't that hard to hijack your cellphone's SIM card, making multifactor security less secure.

SIM swapping is a nasty business that can destroy lives and provide access to your bank accounts, social media, online files, all while denying you access to your social media, email and other accounts.

Besides the financial and data risks, the hacker can destroy any credibility you've built up over the years. It also compromises multifactor authentication for most of your accounts, including online banking.

SIM swapping, sometimes called SIM hijacking, occurs when a bad actor convinces a telecom carrier to transfer a mobile phone number to a SIM card they control.

Once a fraudster associates a victim's phone number with a new SIM card, they can use the number to access bank accounts or other sensitive information associated with it.
— VICE

With as little as the last four digits of your credit card, your birth date, phone number and current address (all probably revealed in some data breach or in your social media posts), someone else can convince your cell provider that your phone was lost or stolen and allow your cellular account to be transferred to a new phone by authorizing a new SIM card.

Return to top

Spam & Deception

Dealing with Spam

Spam and deceptive advertising are rampant in mobile computing.

From the ads running in “free” apps to the misleading links on our Facebook feed, we are being bombarded with misinformation.

With the exploding use of mobile devices advertisers worked hard to penetrate that new market.

Secure your devices has information from the Government of Canada on how you can be protect your devices and information from being compromised.

Deceptive Software

Edward Snowden revealed that the US government was capturing and storing information from our Internet, phone and other electronic interactions using a number of programs designed to avoid congressional oversight.

The Five Eyes coalition, China and other nations were also involved in spying on the world's citizens.

Deceptive Services

Facebook is known for allowing deceptive advertising links on their newsfeed by obfuscating those links.

The user cannot determine the link's destination without clicking on it.

Facebook allows a wide mass of its users the freedom to spread fake news (which they won't regulate), while simultaneously working to prevent another group from sharing actual news.
— Mashable

Facebook maintains that they are unable to monitor these deceptive practices or control fake news.

They had no problems guaranteeing the Chinese government that they will be able to control content unapproved for their population.

Widespread Spying

Our governments introduced legislation that traded our privacy for “protection” against terrorists, yet we are no safer.

The Act does not require individualized suspicion as a basis for information sharing amongst government agencies. There is no impediment in the Act to having entire databases shared with CSIS or the RCMP. The standard for ‘sharing’ is very, very low.
— BC Civil Liberties Association

[W]e have seen too many cases of inappropriate and sometimes illegal conduct by state officials that have impacted on the rights of ordinary citizens not suspected of criminal or terrorist activities.
— Privacy Commissioner Therrien

We need to tell our governments and corporations to quit collecting our private information and to restore a sense of privacy.

User Pays for Security

Most people have no concept of the value of their private information, so they traded it for “free” apps and services or less.

Unfortunately, too often security is seen as a cost center, and privacy is seen as the revenue generator for the company that develops the app.

Therefore, apps are often not secure -- and privacy is nonexistent -- to minimize cost and maximize revenue.

The only way to combat these breaches is to actually pay full price for the apps consumers are using and to reject advertising-supported apps.
— Roger Entner

Government Regulation Necessary

Corporations won't do this on their own. Our “metadata” is simply worth too much to them.

We need governments to regulate access to our private data by police, spy agencies and corporations.

Take Back Our Privacy

We need to take back our privacy.

I don't want to live in a world where everything I say, everything I do, everyone I talk to, every expression of creativity and love or friendship is recorded.
— Edward Snowden

Return to top

Troubleshooting

Some mobile devices will not start unless there is sufficient charge, but run when plugged in and charging.

Verify Your Cable

The cable could be damaged. Try another matching cable.

Android

Most Android devices use USB-mini cables, but check first.

Apple

Apple devices sometimes won't charge with third-party cables or adapters. Use only genuine Apple accessories.

Older devices use Lightning to USB cables.
Newer ones use USB-C to Lightning cables.
A MagSafe Charger may be an option.

Verify that the USB block is the right one for your device.

Power Blocks

Power blocks plug directly in the wall and convert AC power to DC.

Using the wrong power block can damage your device.

Block input is AC and should indicate that it is 110–240 VAC.
Block output is DC and should indicate the power in volts and amps (e.g., 0.5V 2.5–2.6A).

Ensure that the output plug matches the power receptor on your device (inside-positive or inside-negative).

Your device or its manual should indicate its power requirements.

Return to top

Related Resources

On this site:

Found this resource useful?

Return to top
RussHarvey.bc.ca/resources/mobilesecurity.html
Updated: July 31, 2023