In 2011 alarming reports surfaced that Ralf-Philipp Weinmann, a researcher at the Luxembourg University Laboratory of Cryptology and Security, had discovered a way to completely compromise unprotected smartphones.
Demonstrating his hack at the Vienna DeepSec conference, he showed how he could listen to conversations, intercept data, and run up huge bills calling and texting premium rate services – all without the alerting the phone’s owner.
With the ability to download and run apps, smartphones are now the main focus for a growing number of malicious hackers, and yet most devices are completely unprotected. For online criminals, the situation resembles that of PCs in the mid-1990s, except they now know how much money there is to be made from online crime.
Thanks to the deepest recession in living memory, straightforward theft and street muggings for smartphones are also at an all time high, so how do you protect your freedom to compute on the move?
Most people would never dream of using something as obvious as 1234 as the password to their important online accounts, but some will protect their smartphones with such a sequence and leave the online accounts it protects logged in for convenience.
Your first line of mobile defence should always be to select a password that’s both memorable for you and difficult for a thief to crack. For a few years now, the best advice on creating memorable and secure passwords has been to take the initial letters of a line in a song, poem, play or book, and to make a password from those letters.
You can test the strength of passwords you generate in this way using free online web security site services like How Big is Your Haystack.
Android OS supports not only gesture passwords, but also the more traditional text-based variety. To enable a password, click ‘Menu > Settings > Location and security > Screen unlock’. Also set the screen’s timeout to a short period by clicking ‘Menu > Settings > Display’.
You can combine a password with gesture recognition, but always ensure that you use a gesture that overlaps itself, otherwise the grease marks on the screen may give it away to anyone who steals your phone. It’s also a good idea to clean the screen every so often to prevent grit from scratching the gesture faintly into the screen’s surface.
To enable passwords, iPhone users should open the Settings app and select ‘General > Passcode lock’. Windows Phone 7 users should tap ‘Settings > Lock and wallpaper’, and BlackBerry users need to select ‘Options > Security options > General settings’.
You’d never buy a laptop and go online without installing at least a free antivirus product. The abilities of a smartphone or tablet computer are now approaching those of a laptop, but it seems that the vast majority of users have no form of protection, even though mobile computing devices are facing all the usual threats.
Spam containing malware attachments or links to attack sites, infected apps and code that exploit OS weaknesses are all starting to appear. Botnets made up of mobile devices are also becoming more common.
We’ve reached the point in the evolution of mobile computing where it has become just as necessary to install antivirus software on your phone as it is on every other online computing device. Most antivirus vendors now offer free versions of their commercial mobile offerings, and many offer handy package deals on their commercial versions, including protection for multiple PCs and a phone, for a yearly subscription.
It’s worth investigating these deals because they could save you money in the long run, but what’s the difference between free and commercial versions? Mostly, the difference is down to the facilities provided beyond basic protection. The ability to remotely wipe a lost or stolen phone, for example, is something that will give you real peace of mind, but it’s usually missing from the free versions of antivirus products.
Never be tempted to simply click a link that looks okay and install what purports to be a free version of an antivirus package. Check the URL; if it isn’t part of a vendor’s official website, don’t visit the page. Fake antivirus software, written to infect your device or make you think it’s protected when it’s not, has now made its way to smartphones. If you’ve found a package on an app store, click through to the software vendor’s website and download it from there.
So you have a secure password guarding immediate access to your phone, the screen lock activates after just a few minutes of inactivity and an antivirus package is watching out for malware in the background. However, if the worst happens and someone takes your smartphone either by stealth or by force, you may also want to protect your data by wiping files and contacts quickly and remotely.
Android, BlackBerry and Windows Phone users have a range of third-party, dedicated remote wipe applications to choose from, which enable you to contact the phone and have it wipe itself. These tend to be subscription services, but prices are usually less than $8 a month, which is good value for extra peace of mind.
Alternatively, you can examine the facilities offered by different antivirus packages. Free versions, like AVG’s Mobilation Free, offer local wipe facilities. However, it’s not always clear if remote wipe is included or just a local wipe facility, so check with the software vendor before you part with your cash.
iPhone users can install Apple’s free Find My iPhone app. This gives you the ability to sign into another iOS device with your Apple ID, locate the missing or stolen device, display a rather satisfying message to the robber, play a sound, lock the device and then erase it. The only proviso is that your iPhone must have been enabled in the iCloud settings in order to locate it.
Beware Rogue Apps
There’s enough space on the average smartphone to contain all the apps you want and plenty more besides, but you must take care when buying or downloading new ones. With the overwhelming number of apps on offer, it’s unsurprising that malware writers have turned their hands to crafting rogue versions and slip them past the checking processes at legitimate app stores.
The race to get the latest gadget without thinking about security is also letting criminals resurrect old scams, particularly the porn dialler con, which is experiencing a surge in popularity among online criminals targeting mobile devices. In the days of slow dial-up modems, porn diallers would wait until the phone line wasn’t in use, and then call a premium rate line to make you pay for a supposedly legitimate service. Only when the phone bill arrived was the infection discovered.
The smartphone version of the scam sees malware silently sending SMS messages to premium rate numbers instead. All that’s changed is the medium – the result remains the same.
To encourage you to install them, some rogue apps masquerade as free levels or trials of popular commercial games, and may appear to be such when running. Others claim to be security tools. In the background, however, they may be emptying your bank account in payment for premium rate services, listening to your calls, stealing or sending text messages, or sending spam to encourage others to infect their devices.
How do you avoid dodgy apps? First, never install an app just because a friend tells you to do so in an email, text or on Facebook. After all, it may be the app sending you the request to spread its malicious payload.
Similarly, never follow a link in a text or email encouraging you to install anything. Incredibly, Chinese hackers have also begun to set up entire online stores stuffed with fake apps that ape the real thing. When you install an app from what looks like a real app store, examine the URL of the link from which you are being asked to download. If it isn’t an official store for your phone, forget it.
Your friend may believe that he or she has found a store that sells cheaper versions of famous apps, but this alone should be enough to raise your suspicions. It’s cheap or even free for a reason.
Even at legitimate app stores, it’s easy for rogue apps to slip in. The government’s Get Safe Online website advises you to check the developer’s information before downloading, and look for reviews of the software and comments left by other users. If anything looks dodgy, forget it.
Rogue apps sometimes drain your battery quickly due to the extra activity, so check this to ensure that your shiny new app isn’t doing something nasty in the background.
Share and Share Alike
Another aspect of security is the amount of information apps share about you and your whereabouts. When you install an app, you give it access to information like your location, contact details, personal ID and other data. Some apps even want full internet access.
Always pay close attention to the information an app says it needs, either at the app store itself, in the user agreement, or (depending on your phone’s operating system) during installation. Some legitimate apps, including antivirus software, have a long list of required permissions. Make sure you read the entire list.
In the Android app store, for example, remember to click ‘Show all’ at the bottom of the permissions page to see more. If an app demands too much access to your phone and the information it contains, don’t use it. There’s no reason why downloaded wallpaper needs your location, for example, or why a single-user game needs access to your contacts.
The Get Safe Online site claims that nearly 60 per cent of smartphone users acquired their devices in the past 12 months. A large and relatively naive user population excitedly exploring the new world of mobile computing is fuelling a boom in hacking not seen since the 1990s.
This time, however, we know the risks of going online unprotected, which leads us to an uncomfortable question: will telecom providers and banks be so willing to reimburse frauds this time around?
TechRadar loves tech and is unashamedly geeky about it. They’ll tell you what they think in a fair, unbiased way. They’re able to promise this because they’re the largest UK-based consumer technology news and reviews site (and now rapidly growing in the US and Australia), their editorial independence is backed by the weight of technology publisher Future Publishing plus objective test data from the TechRadar Labs. TechRadar will tell you about the coolest new stuff. They’ll review it more thoroughly and carefully than anyone else. They’ll explain how it works and why you should care (or not). You can follow them on Twitter @TechRadar.