Chapter 6
Smartphones and Tablets

Modern smartphones are amazing pieces of equipment. More powerful than a 1990s supercomputer, they are small, convenient, energy-efficient, and come with built-in peripherals like touch screens, motion sensors, global positioning system (GPS), cameras, and of course, cellular connectivity. Perhaps most remarkable is their energy efficiency, which permits them to send and receive messages, watch movies, and talk on the phone for hours, all on a single charge. Modern smartphones and their larger cousins, tablets, are so successful that many users have dispensed with personal computers altogether, doing all their computing on their phones.

Delivering the power of a personal computer to an object in your pocket has risks, however, as your smartphone can be targeted by attackers just like a personal computer. While smartphone infection rates are generally lower than those for personal computers, attackers are targeting them and infection rates are increasing. As with all things computing and internet-related, you should be vigilant and cautious as you use your devices to message, surf the web, communicate with your colleagues, and talk on the phone. And, of course, they are far more frequently lost or stolen than other, larger, computing devices.

This chapter describes smartphones and tablets, how they are different from personal computing, and how you can protect them at home and at work.

Smartphone and Tablet Differences

Phones and tablets have some significant differences that separate them from their larger PC cousins. Phones and tablets run different operating systems—most usually either iOS from Apple or Android from Google. While these operating systems were originally “stripped down” versions of larger computer operating systems, today’s mobile operating systems are pretty much as fully-featured as their PC counterparts, supporting multitasking, external peripherals, keyboards, mice, and large external displays. Phones and tablets are somewhat slower than PCs, primarily because they are optimized for low power consumption.

Another difference lies in how you install applications onto phones and tablets. Whereas PC software may be delivered to you on a disk, or through an online download that you run, mobile software comes from app stores that are integrated with the operating systems and facilitate the installation process for you. The application stores ensure the applications you install abide by the standards of the operating system, are compatible with your version of the operating system, and screen for potentially malicious behavior. While not perfect, these measures greatly reduce the amount of malicious software available for smartphones and tablets.

Another difference has to do with systems administration of smartphone and tablet operating systems. On a personal computer, the user is frequently the “administrator,” able to not only install programs but also to manipulate and reconfigure the operating system at will. The computer has little protection against a malicious, negligent, or careless user reconfiguring it to turn off security protections. With mobile devices, however, the user does not have such systems administration privileges, limiting their ability to reconfigure the device or adjust the operating system (on mobile device operating systems, this is called “rooting”). While this administrative privilege restriction gets in the way of some desired activities like customizing icons, display formats, or built-in applications, it also provides significant protections to the device from unintentional operating system changes that jeopardize necessary functionality.

Another difference with smartphones and cellular-connected tablets has to do with the network. When a computer is connected to a home or work network, the “big, bad internet” is just outside the network firewall, and can be easily accessed either for good or for harm. When a smartphone is connected to the cellular network, it is connected to a private network operated by the cellular company. While the cellular companies do not stop your phone from being hacked, they do screen the network traffic in and out of the cellular network, and protect your phone from being scanned from the internet. The cellular companies may also block malware attempting to spread beyond your phone.

Protecting Your Smartphone or Tablet

Modern smartphones and tablets pack tremendous computing power, storage, and connectivity into a beautiful form factor that is, in some cases, entirely made out of glass. Drops, scratches, and bodies of water are ever-present threats to our mobile devices, with expensive and life-disrupting consequences. Also, if your phone is lost or stolen, a treasure trove of personal data contained on it becomes vulnerable to theft or abuse. Not only do you want your data to be safe from loss, but you need your personal data to be safe from compromise as well.

To protect your smartphone or tablet from loss, damage, or theft, you should consider the following:

PIN protect your device. Put a screen lock on your device using a password, a personal identification number (PIN), biometric authentication, or facial recognition, so your device will be locked should it be lost or stolen. Lock screens also give you a space to put an emergency phone number or other personal information in case of an emergency or if a Good Samaritan should find your device.

Buy a case and screen protector. Cases are available for almost every brand of smartphone or tablet, with varying levels of coverage and protection. Screen protectors can protect the device screen from scratches; hardened glass screen protectors can protect it from shattering as well.

Back up your device. Assume your device will get lost, stolen, broken, or damaged. Consider using cloud services (protected by a strong password), so your photos and contacts are backed up when you create them. Regardless, make sure everything else important on your phone or tablet is backed up somewhere as well.

Set up “find my phone.” Mobile operating systems include features to allow you to locate your phone if it is lost or stolen, and also to remotely delete the data on your phone if it is connected to the cellular network. Activate these features to protect your data and privacy if your phone is stolen.

Consider insurance or ruggedized devices. Phone carriers have insurance to cover device replacement if your device is lost or damaged. You may also be able to get similar coverage cheaper from phone manufacturers or third parties. Also, it used to be that ruggedized phones were relegated to niche industries like construction and the military, but now such phones are in the mainstream. Consider if your favorite phone platform is available in a ruggedized or water-resistant form factor that may survive the rigors of life.

Addressing Mobile Operating System Vulnerabilities

The Finnish telecommunications company Nokia reported in 2017 that they found mobile device infection rates to be 1.35%, or 135 infected mobile devices out of every 10,000. Considering that corresponding PC infection rates are typically between 10% and 30%, mobile device infection is a much smaller problem than it is for personal computers. There are a number of reasons for this lower infection rate, including the facts that mobile devices operate on private cellular networks; mobile operating systems are generally more secure than their PC counterparts; mobile device users do not usually have administrative control; and mobile devices are newer, with better protection features built-in and automatically enabled.

However, a challenge for mobile devices is that users cannot simply click “update now” to ensure their mobile devices have the latest operating system patches and are configured securely. Mobile device operating systems are controlled by carriers, and may not get updates in a timely fashion. Older mobile devices that are no longer supported may not get updates at all. As a consequence, mobile devices whose operating systems are vulnerable and no longer supported can end up “fundamentally more insecure” than PCs.

To address mobile operating system vulnerabilities for your smartphone or tablet, you should consider the following:

Know your operating system and version. Know if you are running Google’s Android or Apple’s iOS operating system, and what version it is. Newer versions are generally more secure.

Make sure your operating system is up-to-date. Go into your operating system and “check for updates.” If an update is available, install it. If your operating system has not been updated lately, check with your carrier or device vendor to see if it is still being supported.

Use caution if it is no longer being supported. If your device is no longer being supported, understand that it could be vulnerable. Use caution when you use it to surf the web, open e-mail, or install apps. Make sure the apps you install are from the official app stores and are reputable.

Consider retiring out-of-date devices. If your device is no longer supported, consider retiring it for a more up-to-date device. Most likely it is getting a little slow to run the latest mobile games, anyway.

Addressing Smartphone or Tablet “Rooting”

One of the greatest security measures on mobile devices is the fact that the user does not have “administrator” privileges, so all configuration changes are controlled and protected by the operating system. “Rooting” bypasses this protection by exploiting a flaw in the operating system to break the operating system’s security and give the application complete control of the device. Another term for this is “jailbreaking” on iOS. Once you have rooted your device, you can change operating system parameters, install new versions of the operating system, change operating system icons, or replace the overall look and feel of the device.

Rooting is a very powerful tool in the hands of a skilled computer scientist, and developers may use rooting to install completely different operating systems on their devices, as well as to enable external peripherals. Once a device is rooted, it becomes much like a PC with endless expansion and customization possibilities. The problem is once a device has been rooted, applications can run with administrator privileges as well, and a malicious app can reconfigure the device at will. For many malicious apps, checking if the device has been rooted is the first thing they do after they have been installed. The most dangerous malicious apps will root your phone on their own, so they can take complete control of it.

To address the risks associated with rooting your smartphone or tablet, you should consider the following:

Do not root your primary device. Understand that rooting makes your device extremely vulnerable. Rooting your primary mobile device, which contains your contacts, photos, messages, and passwords, is generally not a good idea.

Occasionally check that your device is not rooted. Android and iOS app stores have applications that can tell you if your phone or mobile device has been rooted or jailbroken. Use them occasionally—perhaps a couple times a year—to make sure your primary device continues to be secure.

Reducing Smartphone or Tablet Malicious Apps Risk

Android and iOS phones and tablets come with the Google and Apple app stores built-in and are easily accessible. However, the app stores are not the only ways to install applications. There are alternative app stores, like the Amazon app store, and many app stores in China. Early Android tablets made extensive use of these alternative stores, because tablet manufacturers were not sanctioned by Google for use of the official app store.

Downloading apps from non-sanctioned app stores allows you to bypass the protection provided by the official stores. Google and Apple filter applications for malicious content, and while those filters are not perfect, they tend to work fairly well. In fact, the most malicious mobile applications frequently require bypassing the app stores, because they contain code for “rooting” your device or performing other activity that is not allowed by Google or Apple. However, this filtering also means some potentially useful applications are not available through the app stores. Filtering or not, it is entirely possible to install malicious applications onto your phone or tablet, and you must use caution.

To reduce the risk of malicious applications on your smartphone or tablet, you should consider the following:

Stick with the App Store. You are always safest sticking with the app store, but malicious apps do sneak into these environments on an occasional basis. Malicious apps tend to masquerade as utilities, tools, gadgets, or free games.

Watch out for apps that are removed from the store. If your favorite utility app has been removed from the store, it may have been malicious. Consider removing it from your smartphone or tablet, or at least researching its legitimacy and safety.

Use Mobile Security. There is antivirus software available for mobile devices from mainstream vendors like Norton and Symantec. These tools tend to detect malicious apps faster than the stores might.

Watch out for excessive permissions. Malicious apps tend to ask for permissions that are excessive and should be unnecessary. An emoji program does not need to access your camera or location. Beware of apps that ask for administrative privileges, or access to storage, keyboard, or location information that should be unnecessary. Deny the request and uninstall the app.

Watch out for rooting or battery drain. Malicious apps may root your device or drain your battery running in the background. If you find your battery performance has deteriorated after installing an app that should not be running all the time, be concerned.

If in doubt, factory reset your device. If you have installed a mobile app that rooted your device, your best bet is going to be to do a factory reset. You may not be able to successfully uninstall the malicious app.

Securing Bluetooth and Wi-Fi Networking

Mobile devices have a variety of wireless technologies built in, including cellular, Bluetooth, and Wi-Fi networking. Noncellular tablets still tend to include Bluetooth and Wi-Fi for local networking. Bluetooth networking is primarily used for connecting to peripherals like headphones, headsets, and personal computers. Wi-Fi networking is used to connect to home networks, high-speed internet, and also to create local cellular hotspots. While powerful, when these wireless networking technologies are enabled, others can see and potentially connect to your devices. Malicious users can use these connections to potentially exploit your devices, if they are vulnerable.

To securely use Bluetooth and Wi-Fi networking on your smartphone or tablet, you should consider the following:

Disable when not using. When you are not using Bluetooth or Wi-Fi networking, you should disable them in the control panel. This precaution makes your device more secure, while also reducing battery drain.

Use trusted peripherals. For your Bluetooth peripherals, use trusted devices from known vendors. Be concerned if your speaker wants to access your keyboard, or other weird behavior. If you encounter a malicious peripheral, stop using it and seek out a replacement from a more reputable vendor.

Configure a hotspot password. If you use wireless hotspot features, make sure they are protected with a secure password. You do not want to operate an insecure hotspot that allows anyone to use your cellular data bandwidth.

Watch out for public Wi-Fi. When you connect to a public Wi-Fi network, your device may be visible to everyone else at the same location. Be cautious at coffee shops, hotels, or conventions. Disable “automatic Wi-Fi connection” and only connect to public Wi-Fi when necessary.

Protecting Your Smartphone and Tablet Location Privacy

Perhaps a greater concern than wireless connectivity is location service. Many mobile devices include global positioning system (GPS) capability that allows them to calculate rapidly where on the planet you are, using satellite signals. While this capability does not generally work inside a building, once a device goes outside it can rapidly figure out where it is. This service is at least partially enabled all the time, so you can make an emergency call (using 911 in the United States) to request assistance. The emergency call automatically transmits your GPS coordinates to emergency responders, in case you are unable to tell them yourself.

Other services like Google Maps, Apple Maps, and Waze provide navigational services that automatically track your location and estimate traffic flows and density. This feature is sometimes called location reporting. In addition to these apps, your devices may record your location periodically during the day, and then store that information locally in a file. This feature is sometimes called location history. The problem with all of this location information is that your devices know where you are and may be reporting that information to others. Often, this location reporting is occurring without your knowledge or attention.

To configure location services to protect your privacy on your smartphone or tablet, you should consider the following:

Know big data is watching you. Assume your device is tracking you and reporting your location to “big data,” unless you have taken measures to turn such tracking off. If you’re going someplace confidential, leave your phone at home or turn it off.

Check location reporting and history. Go into settings on your phone and disable location reporting. You may also be able to do this on a control panel, but you should double-check in “settings” to be sure. Leave location reporting off unless you need to do navigation. You may also delete your location history this way, but it depends on your particular device.

Check application permissions. Check your applications, as many of them may ask for location data but not need it to work properly. That stargazing app needs your location to show you the night sky, while that emoji app probably does not.

Using SMS-Based Messaging and Authentication Safely

Another powerful capability of smartphones is short message service (SMS) messaging, otherwise known as text messaging. With text messaging, we can quickly send short text messages to each other, and receive them from others. With more advanced multimedia messaging service (MMS) we can also send and receive pictures and videos to multiple recipients simultaneously. Some websites use SMS or MMS as an additional, multifactor, authentication method to allow us to use our phones to prove our identities, providing additional protection beyond username and password. Unfortunately, the protocols underlying SMS and MMS are not inherently secure, so it is relatively easy to “spoof” or send fraudulent SMS or MMS messages to recipients.

To safely use SMS-based messaging and authentication on your smartphone or tablet, you should consider the following:

Watch out for fraudulent texts. Attackers may attempt to reach you via text message generated from their computer and appearing to be business-related or from friends or family. Do not respond to text messages from people you do not know or that were unsolicited, to avoid validating your phone number to potential scammers. Scammers who can validate your phone number may then follow up by trying to call you for personal information. Do not open links embedded in text messages, unless you know exactly what they are and who sent them.

Know how to send from e-mail to text. Major cellular carriers have special e-mail services that allow you to send an e-mail to your phone number, and have it appear on your device as a text message. Find out if you have this capability for your carrier and send yourself a text, so you know what it looks like.

Use SMS authentication with caution. SMS authentication is generally better than simple username/password authentication, but it is by no means foolproof. Attackers may attempt to intercept, spoof, or otherwise attack website multifactor authentication that uses text messaging. Determined attackers may even hijack your phone, just so they can get access to banking accounts protected by SMS. If large amounts of money are at stake, consider multifactor authentication methods that are stronger than SMS, like physical tokens or mobile authenticator apps.

Using BYOD and Mobile Device Management

Using your personal mobile device for work is called “bring your own device” or BYOD. It involves being able to access your enterprise e-mail, contacts, and other data from your personal mobile device. Enterprises like allowing this capability because it means they do not have to pay for mobile devices and cellular service for their employees. Employees like doing BYOD because it means they only have to carry around one device, and also because they may be able to get reimbursement for some or all of their mobile expenses. To do BYOD securely, enterprises may use mobile device management (MDM) technology.

MDM establishes a secure “bubble” on the mobile device, and keeps most enterprise data segregated within the bubble. Enterprise e-mail, contacts, documents, and web browsing may be conducted within the bubble. Data transferred using MDM is encrypted over the internet and authenticated to protect it from being intercepted. Data stored on the device using MDM is encrypted and stored in a secure area of the device. For additional security, MDM may establish a second password or PIN that you must enter to get into MDM-protected applications and data. MDM may also enable the enterprise to remotely “wipe” its data from your phone, or even erase your phone completely, should it be lost or stolen.

To use BYOD and MDM on your smartphone or tablet, you should consider the following:

Comply with your organizational policy. To use BYOD and MDM, you are going to need to comply with your organizational policy regarding your personal mobile device. This policy may include establishing a strong PIN code on your device, turning on device storage encryption, or establishing additional device administrators.

Understand the impact of MDM. In addition to subjecting your personal mobile device to an external policy, MDM may use up storage, resources, and battery on your device. Do not be surprised if your battery life is impaired due to the additional overhead of having MDM software constantly running on your device.

BYOD may not be for everyone. If you are a senior executive, or if you operate a personal business on the side, mixing your personal mobile activity with your business mobile activity may not be a good idea. Also, if you have an older personal smartphone, the performance impact of MDM may simply be unacceptable.

Do not rule out getting a second device. There are advantages to keeping your work life and home life separate. Using your personal cell phone for work may mean your personal phone number ends up on call lists for telemarketers and spam, which may be undesirable. If your personal life is complicated enough as it is, asking your employer to get you a second phone just for work may be a simpler approach.
