The Enemy Within – Part III: Securing Your “Smart” Phone

One of the largest technology trends sweeping the globe over the last ten years is the “smart” phone.  These hand-held computers have far more power than the massive computers once used to send astronauts to the moon – and they make phone calls too!  But how smart are they, really?  And . . . how secure?

In prior articles we’ve talked about securing your home network and computers, but one of the greatest security risks found in many of our homes is carried around in our pocket or purse.  The latest and greatest smart phones are loaded with handy tools that keep track of our lives for us – they also listen as we talk and share information with the world that we might prefer to keep private.  Many of us have had experiences where we were talking to someone and then our topic of discussion appeared later in our Facebook news feed, or as a pop-up advertisement while we surfed the Internet.  For my wife, a side comment to a friend about making cake pops led to weeks of content related to cake pop recipes, presentations, places to buy cake pops, etc.  In my case, a friend was talking about the drive-in theater in Leeds AL, and the next time I signed in to Facebook, there was an advertisement for the drive-in — which I had never heard about before my friend mentioned it!

As mentioned in Part II, “Closing Digital Windows”, there are lots of critters that can get into our computers and send information out to other folks – adware, spyware, and the like.  When it comes to smart phones, the wicked ‘wares are often built in to the applications that come pre-installed on new phones, and also in the applications that we install ourselves.  Those awesome games that keep us coming back to play again and again might also be looking at our text messages or keeping track of our location – usually just to show us targeted advertising, but in some cases, our information is also being sent out to third parties.  And just because we were not aware does not mean that this is illegal – by installing and using these applications we are implicitly granting permission to other people and companies to collect and use our data as they see fit.

In many cases, the vulnerabilities in smart phone applications are not malicious, but rather the result of a sloppy development process, where programmers “borrow” coding frameworks as a starting point for their own application, and don’t bother to change the default settings in the base code, which often starts out with wide-open security and full permissions.  This is especially common in games or applications from individual or “named” developers – when you install an application from a big company, it’s more likely to have access restricted to only what it needs to operate.

So now that I’ve got you good and scared, let’s talk about ways to secure your smart phone. Unless you’re using a company phone that has been locked out (in which case, you are probably already secured!), you should have access to everything I’m about to suggest.

  1. Clear Old/Unused Applications

If you have lots of applications (especially games!) that you installed once upon a time and you don’t use any more, get rid of them!  It’s easier to remove an entire application that you don’t need than to try and remove permissions on something that you are not using anyway.

On most Android-based phones, open the Applications screen and select the “more” option (three stacked dots, usually in the top-right corner).  Select the option to Uninstall Apps, and then in the Apps screen, click the red ‘X’ on each application you wish to remove.  (Unfortunately, there will be some applications embedded by the carrier or phone maker which you will not be allowed to uninstall – for these, be sure to check permissions in step 3!)

On iPhones, go into Settings => General => Storage & iCloud Usage => Manage Storage.  On the list of applications, click the right arrow for more options and delete anything you no longer want.

  2. Scan for Critters

Your home and work computers have anti-virus and anti-malware applications running on them?  Why not your smartphone?  After all, smartphones are really just compact computers.

If you are using an iPhone, Apple will tell you that you don’t need an anti-virus or anti-malware application, because their device is already optimized against viruses.  For the most part, that is true – and yet, there are anti-virus applications available for the iPhone.  If you choose to install antivirus on your iPhone, a name-brand product (Norton, McAfee, etc.) will probably cost you some money, and I would not recommend installing off-brand products of this type on iPhone.

If you are using an Android-based phone, or if you have one of the remaining Windows phones, you will probably want to install some anti-virus and anti-malware software.  There are a variety of products available, both free and paid, and I am not a sales rep for any particular product – my personal choice is AVG Antivirus (the basic version is free to download but comes with a lot of advertisements; you can pay for additional features or to remove ads).  Most anti-virus or anti-malware applications will offer to clean up your phone and/or boost performance – note that these features are often ineffective or may cause unintended harm by removing application files.  So, as with all applications, install and use at your own risk!

  3. Deny Permissions

Up above I mentioned that many applications are built on open frameworks – so the application “inherits” all of its rights from the framework, which requests all possible permissions by default.  So what can we do?  Fortunately both Android and iPhone allow the owners to deny access to applications – so if you don’t want Candy Crush Saga to have access to your location, you can turn that off!

In general, most applications do not need to access your location, your contacts, your messages, your e-mails, or your camera and microphone.  Obviously, an application like FaceTime needs access to Contacts, Camera, and Microphone – but it probably does not need access to your text messages or location.  A little common sense and taking the time to deny access can go a very long way towards securing your smart phone.

On Android-based phones, you will probably have to Deny access for each application.  This can be time-consuming, but is definitely worth it!  Under the Settings menu, you should find the Application Manager.  In the Application Manager, you can click on each application to configure it.  I’m going to pick on my AVG AntiVirus application since I plugged it above … when I select the application, it has a section for “Permissions” that tells me it wants access to my Calendar, Camera, Contacts, Phone, SMS (text messages), Storage, and Location.  It needs Calendar for scheduling, and it needs Storage to scan.  The other permissions (Camera, Contacts, Phone, SMS and Location) are NOT something that the anti-virus needs unless it wants to show me a lot of advertisements (which it does, as I mentioned above).  By clicking on the Permissions group, I can turn off any access that I don’t want the application to have – so I turn off everything except Calendar and Storage.  As I expected, when I began to Deny access, the phone warned me that the application might not work correctly without these permissions – but I denied them anyway because it’s my phone, not the other way around!

Oddly enough, after turning off the access permissions, the application works just fine – only now I know it is only seeing what it needs to see to operate.  And that’s the way it needs to be!
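The same Android review can be done from a computer for readers comfortable with the developer tools. This is an added example, not part of the original article: it reads the text printed by `adb shell dumpsys package <name>` and lists the permission groups an app holds beyond what it needs. The package name `com.example.antivirus`, the sample text and the needed-groups list are constructed for illustration.

```python
import re

# Android runtime permissions mapped to the groups shown on the Permissions screen.
GROUPS = {
    "READ_CALENDAR": "Calendar", "WRITE_CALENDAR": "Calendar",
    "CAMERA": "Camera", "RECORD_AUDIO": "Microphone",
    "READ_CONTACTS": "Contacts", "WRITE_CONTACTS": "Contacts",
    "READ_PHONE_STATE": "Phone", "CALL_PHONE": "Phone",
    "READ_SMS": "SMS", "SEND_SMS": "SMS", "RECEIVE_SMS": "SMS",
    "READ_EXTERNAL_STORAGE": "Storage", "WRITE_EXTERNAL_STORAGE": "Storage",
    "ACCESS_FINE_LOCATION": "Location", "ACCESS_COARSE_LOCATION": "Location",
}
PERM_LINE = re.compile(r"android\.permission\.(\w+): granted=(true|false)")

def granted_groups(dumpsys_text):
    """Groups with at least one granted permission; unmapped permissions are ignored."""
    return {GROUPS[name] for name, state in PERM_LINE.findall(dumpsys_text)
            if state == "true" and name in GROUPS}

def excess_groups(dumpsys_text, needed):
    """Groups the app holds but does not need, i.e. the ones to switch off."""
    return sorted(granted_groups(dumpsys_text) - set(needed))

# Constructed sample in the shape of `adb shell dumpsys package <name>` output
# for a hypothetical app, com.example.antivirus (not captured from a real phone).
SAMPLE = """\
Package [com.example.antivirus] (0a1b2c3):
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_CALENDAR: granted=true, flags=[ USER_SET ]
    android.permission.CAMERA: granted=true
    android.permission.READ_CONTACTS: granted=true
    android.permission.READ_PHONE_STATE: granted=true
    android.permission.READ_SMS: granted=true
    android.permission.READ_EXTERNAL_STORAGE: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=true
"""
NEEDED = {"Calendar", "Storage"}  # assumption: what this app needs to do its job

if __name__ == "__main__":
    for group in excess_groups(SAMPLE, NEEDED):
        print("deny:", group)
```
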

On iPhones, most applications will ask you to Allow or Deny access to features the first time that you try to use the feature, and if you Deny permission, the application usually won’t ask again.  Presuming you allowed access a long time ago, there are two ways to take it back. Under the Settings menu, click on Privacy.  You can click into any of the features to see which applications have requested access, and you can turn off access from this screen.  For example, click on Location and you’ll probably see that quite a few applications request your location – but you can adjust settings here to remove access – does your Calendar really need to know your location?  Some apps are more specific – on my phone, I changed the Maps setting to only access my location “While Using” – this keeps the map from tracking my location in the background.

A final note that applies to both Android and iPhones – when you go to the application store to install an application, it almost always tells you what permission the application wants to have before you install.  Keep this in mind and you can look for applications that do not require elevated permissions, or you can adjust the permission as soon as you install the application and save yourself a lot of worry in the future. 

  4. Lock it Down

I cannot stress this last item enough – if you use your smartphone, you never want to lose your smartphone.  However, good intentions are no match for bad luck.  If you value the contents of your phone (which may include passwords, credit card numbers, all of your friends’ phone numbers and e-mail addresses, etc.), set a screen lock on your phone.  Make sure that the screen lock is not something that can be easily guessed – birth dates are a commonly-used numeric passcode, and one of the first things that a hacker will try!

On my phone, I use a six-digit number (that is not my birthday!), and I’ve added a twist – the numbers appear in a different place each time, so I actually have to look to enter my access code.  This sounds silly, but if you don’t clean the screen on your phone very often, you may be leaving clues to your access code just by fingerprint smudges on the screen.  (“1111” is a terrible screen code, by the way!)
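To check a candidate screen code against the patterns mentioned above (birth dates and codes like “1111”), the following added example, which is not part of the original article, flags a numeric code that is a single repeated digit, a straight run, or a valid calendar date. The date layouts it tries and the sample codes are assumptions chosen for illustration.

```python
from datetime import date

# Digit layouts a birthday or anniversary is commonly typed in (assumed list).
LAYOUTS = ["MMDD", "DDMM", "MMDDYY", "DDMMYY", "YYMMDD",
           "MMDDYYYY", "DDMMYYYY", "YYYYMMDD"]

def _field(pin, layout, letter):
    """Integer value of the digits sitting under `letter` in the layout."""
    return int(pin[layout.index(letter):layout.rindex(letter) + 1])

def looks_like_date(pin):
    """True if the PIN is a valid calendar date in any layout of its length."""
    for layout in (l for l in LAYOUTS if len(l) == len(pin)):
        year = 2000  # leap year, so a year-less 0229 still counts as a date
        if "Y" in layout:
            year = _field(pin, layout, "Y")
            if layout.count("Y") == 2:
                year += 2000
            elif not 1900 <= year <= 2099:
                continue
        try:
            date(year, _field(pin, layout, "M"), _field(pin, layout, "D"))
            return True
        except ValueError:
            continue
    return False

def weaknesses(pin):
    """List the reasons a numeric screen-lock code is easy to guess."""
    if not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must contain digits only")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    found = []
    if len(set(pin)) == 1:
        found.append("single repeated digit")
    if steps in ({1}, {-1}):
        found.append("ascending or descending run")
    if looks_like_date(pin):
        found.append("looks like a date")
    return found

if __name__ == "__main__":
    for code in ["1111", "123456", "070485", "839274"]:  # constructed samples
        print(code, weaknesses(code) or "no obvious pattern")
```
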

Last word – smart phones are not really that smart, but letting a smart phone have access to all of the important details of your life and then not securing that phone . . . is really dumb!  Take care out there!

  

J.P. Brueggen is a computer programmer with 15+ years of experience in enterprise computing.

Posted in EHP Blog.