Your mobile device is so much more than a phone or even a way to access the internet. Apps have access to your identity, your bank account, your personal and work emails (and documents!), collaboration services and many aspects of your work and personal life. Compromise of credentials or access to these apps may lead directly to harm to you (like identity theft, fraud or theft of funds) or to your workplace (theft of trade secrets, social engineering attacks, compromise of business systems / applications).
You should take the security of your mobile device seriously. Modern handsets are high-value targets for muggers and thieves, just for the value of the device. Any data the criminal can then use to commit further attacks on you or your workplace are a bonus, whether the thief uses them directly or sells them on through the dark web and other markets to be combined with other data at some future point in a more sophisticated attack.
Here are six things you can, and should, do to enhance the security of your mobile device.
- Make sure the lock screen is set, use stronger authentication methods like biometrics to unlock the device, and choose as long an unlock code as you can for the fallback when biometrics aren't used. Make sure the lock screen comes on within a short time of the device being idle – the shorter the lock time, the less opportunity a bad actor has to get any useful information from the device before it locks. For important apps, like banking or email, set a further PIN and a biometric unlock to protect them.
Don’t forget to make sure that your lock screen widgets don’t leak things like One-Time Pass codes or confirmation codes by showing text messages or emails without the phone being unlocked!
- Secure Bluetooth and NFC apps when you’re not using them. Don’t leave your wallet / payment app running all the time – worst case, that’s as good as a thief taking a wad of cash out of your pocket – recognize that the few extra seconds to activate a payment app is a lot less inconvenient than a casual thief tapping on payment terminals until the payment limit is reached.
- Make sure you know how to access important apps like work or banking through a channel that doesn’t require the phone, and know how to disable the phone if you don’t have access to it. If your phone or service provider supports features like ‘find my phone’, ‘remote lock’ and ‘remote wipe’, make sure you’ve got them set up and know how to use them. Useful tip: if you’ve set up other online accounts to use an authentication app on your phone, consider keeping your old handset, with additional access to services like Google Authenticator or Microsoft Authenticator, in a safe place, and test it every so often to make sure it still works. You don’t want loss, theft or damage of your shiny new handset to leave you locked out of online accounts.
- Keep your phone up to date with operating system patches and security upgrades. Don’t have a main (or spare/fallback) phone that is so old as to not have security patches any more. Many banking and other security-conscious apps will refuse to install if your phone doesn’t meet a baseline security standard.
- Be careful what you install, and where it comes from. Don’t trust unofficial app stores, and remember that even apps from the official stores may not be entirely trustworthy. Best case, a bad app will just try to nag you into making in-app purchases or show you huge numbers of ads. Worst case, a bad app will try to spy on you, gather information to compromise your identity and try to rob you. Above all, don’t jailbreak your primary phone. Development environments for mobile are a whole different conversation, but it’s not a good idea to bypass core security on a device you’re trusting to keep your banking and other important personal apps secure.
- Sadly, the time when mobile devices were effectively free of viruses and malicious apps is long gone. Anti-virus / anti-malware apps from reputable vendors are available across all modern mobile device platforms – get one, install it and use it!