5 Essential Mobile Security Tips
Consider this expert security advice to lock down your smartphone or tablet--plus protect your related apps and data.
Security firms have long predicted that cybercriminals would focus efforts on smartphones and tablets. Well, this year that prediction might finally come true for mobile users.
The increasing importance of smartphones and tablets in the lives of consumers and workers has made the devices more attractive to attackers. In 2010, for example, more mobile devices--such as smartphones and tablets--were sold than PCs and laptops, according to Forrester Research.
More Security Insights
- Getting a Grip on Mobile Malware
- Get Actionable Insight with Security Intelligence for Mainframe Environments
White PapersMore >>
Though the same general advice applies to securing a laptop as it does for a desktop, the ultra-mobility of smartphones and tablets has led to different threats and different recommendations for securing these smaller devices.
"The only way to truly, fully secure a smartphone is to protect the device, protect the data, and protect the apps on the device," says John Dasher, senior director of mobile security at security firm McAfee. "If you don't do all three, inherently, the device is not secure."
In a report on the malicious-software landscape for the second quarter of 2011, McAfee noted a continued increase in the amount of malware encountered by mobile users, with the Android platform becoming the most targeted for the first time.
With malware on the rise, and lost phones with sensitive data still the No. 1 issue, security experts offer five essential steps to protect popular mobile devices.
1. Lock the device. Lost and stolen devices continue to be the most serious threat for businesses and consumers.
On average, North American and European companies lose 11 smartphones every year, according to Forrester Research. Consumers and companies worried about the sensitive data on the phone should make an easy-to-type password their first line of defense, says Andrew Jaquith, the former Forrester analyst who authored the report and is now chief technology officer for Perimeter E-Security.
However, the password needs to be long enough so "you can pair it with an auto-destruct policy--fail eight times to enter the right password and it deletes the data on the phone--to be sure your data will be safe," says Jaquith.
If the phone can be remotely wiped using mobile-device management software or a similar service, then the auto-destruct policy can be more lenient, he says.
2. Avoid questionable apps. Almost every piece of malicious software that has infected a phone has been a Trojan horse. DroidDream, the most successful malicious app, infected a quarter million Android phones in March by posing as real applications.
Users should download apps only from trusted app stores and stick with the more popular apps, says Michael Sutton, vice president of research for cloud security firm Zscaler.
"Encourage people to install their apps through vetted platforms," he says. "Some are better vetted, such as Google's Android Marketplace and Amazon's and Verizon's app stores."
Although Google's store did offer DroidDream for a time, the software giant can automatically uninstall bad programs and clean up a user's phone.
Android users also can benefit from the wisdom of the crowds by downloading only apps that have a significant number of reviews and comments, says Neil Daswani, chief technology officer of Web anti-malware firm Dasient.
"Trojans don't get to the point where they rack up millions of users, so look at the comments left by the other users," he says.
3. Accept the patches. Similar to PCs, mobile phones need to be patched often to eliminate vulnerabilities found since the phone's release. The good news is that unlike security vulnerabilities in Android, which can take time to make their way to the phone, updates are done over the air. Users should always accept the updates, says Kevin Mahaffey, chief technology officer for mobile security firm Lookout.
"When you are prompted on Android, update," he says. "For iPhone users, it's a bit more complex. You need to plug in and update your apps."
Until Apple's iOS 5 arrives for iPhones, Apple users should synch their device regularly to get updates.
4. Back up your data. Mobile devices are easy to back up, a characteristic users should make the most of.
Users who back up regularly are less likely to lose data even if their company has a strict auto-destruct policy for lost or stolen phones, says Zscaler's Sutton.
"Now that there is over-the-air syncing and updates, it's really easy to restore your phone," he says. "If your phone gets taken or the data deleted, it takes 30 minutes and your phone is back to normal."
5. Stay safely behind bars. Finally, though some compelling reasons exist for consumers to jailbreak their phones, security experts advise users to just say no.
So much of a phone's security is tied to code signing and software sandboxing that jailbreaking a phone--removing the digital-rights management that locks it to a certain carrier--means significantly weakening the security of the device.
"When you look at what happens with the security of your phone, there are some pretty significant consequences from jailbreaking," says William Enck, an assistant professor at North Carolina State University who recently presented research into the Android platform at the USENIX Security Conference.
One step that users may do without: Installing antivirus software.
Many of the functions of antivirus software, such as blacklisting bad applications and giving the thumbs up to good applications is baked into the app market models, Enck says. Until antivirus companies offer more features than just blocking bad apps, consumers can risk not buying the software, he says.
"I don't think it's necessary yet, but I hold the right to change my mind," Enck says.
Security professionals often view compliance as a burden, but it doesn't have to be that way. In this report, we show the security team how to partner with the compliance pros. Download the report here. (Free registration required.)