First, some numbers…
According to statista.com, there were approximately 3.8 billion smartphone users worldwide in 2020.
In January 2021, according to datareportal.com, there were 5.22 billion unique mobile phone users against a total population of 7.83 billion people. That means 66.6% of the world population are unique mobile phone users.
The same report highlights that 4.66 billion of the mobile phone users are Internet users, which is 59.5%.
Those active on social media are 4.20 billion, or equal to 53.6%.
What does this mean?
Well, imagine this: you want to get access to a lot of data for a lot of people. What would you do? You target a medium where most data is present.
Today, the largest attack surface is the mobile phone. There are many specific reasons for this; the ones with the biggest effect are explained below:
- Email addresses – if you are reading this on your mobile device, you probably have at least one email address configured on it. When an attacker manages to infiltrate your device using one of the methods outlined below, they can easily access your emails, the people who send mail to you, and your recipients. On top of that, if it is a Gmail address (which is usually the case), they can then access almost every aspect of your phone, even locking you out permanently.
- Phone numbers – this usually comes as a result of a Gmail address being compromised. However, with access to your phone alone, your contacts are usually not secured anyway. They are ready to grab and go.
- Location data – if you are a fan of crime movies, you probably know that the majority of criminals use locations to plan and execute their acts. In cyber security, one of the most valuable pieces of information that any online user can have is their location data. It is one of the most discussed topics, especially on mobile. Simply by having access to your location data, an attacker can manipulate it to mimic you, and learn where you live, where you work, where you usually go on weekends… you get the idea.
- Trust – when attackers gain access to phones, they stay dormant for a long time collecting data. One reason they are successful is simply how we trust our phones. For instance, since you have a password, you assume that you are secure and un-hackable. Sorry to disappoint.
- Ignorance – the largest vector that aids malicious hackers is the same for mobile phones as it is for computers: ignorance. When cyber security experts tell you not to click that link, not to open an unknown image, or not to install random applications, they really mean it. Just don’t be reckless.
Any learning points then?
Oh yes, here they are…
- Public Wi-Fi – open Wi-Fi networks allow cybercriminals to easily distribute malicious software to everyone connected in the blink of an eye. While it doesn’t cross most consumers’ minds, it’s actually really simple for hackers to set up a fake malicious network and pretend to be the popular Wi-Fi. Always use a VPN (Virtual Private Network) when on your mobile device. A VPN protects you from connecting to the same unprotected network as multiple other users.
- Public charging stations – Charging a cellphone via USB from a public computer or charging station puts one’s data and device at risk. However, sometimes there is no other option. In such cases, the best thing to do is to find a wireless charger that will refresh the device’s battery but not endanger the smartphone or its data. For example, in addition to its wireless charging technology, Apple has recently added a feature that asks the user, when charging with a USB from a computer, if they trust the computer. If the user does not trust the charging computer, only the battery of the smartphone is charged and no data is transferred.
- Two-Factor Authentication – The best way to think about 2FA is this way: imagine someone gets your password without your knowledge. Then they try to access your account, and an access code is sent to your phone. They cannot access your account without the access code. This is what 2FA does; it adds an extra layer of security to your accounts.
- Avoid text previews on lock screen – Text previews are what you see on your lock screen when someone texts you. If these are enabled, the lock screen shows the content of the message. If disabled, it simply notifies you that there is a message to view. The problem with text previews is they give a hacker access to your text messages, even if they don’t have the passcode to unlock your phone. Here’s one example of why this is an issue. Many websites now use two-factor authentication, which means when you log in to your e-mail account, social profiles, or bank, they send a four- or six-digit PIN to your phone that you have to input to verify it is really you. With text previews, hackers are able to view these numbers. The best way to protect yourself from this vulnerability is to turn text previews off. The minor inconvenience is worth the major boost in security.
- Delete old emails – If you never delete the probably hundreds of log-in e-mails from your e-mail account, you have created a gold mine for hackers. All they have to do is get into your e-mail, and then they have access to every service or website you’ve used.
- Avoid clicking unknown links on Social Media – While most of us would not click on a suspicious link in an e-mail, there are countless posts on our Twitter and Facebook timelines with links that we don’t even give a second thought to before clicking. It is a best practice to use URL shorteners like Bitly on social media, but for users, there is no way of knowing where these shortened links will take us until after we have already clicked on them. Clicking on links through our social-media accounts could take us to sites where we could be exposed to spyware or malware or even have our devices hijacked by hackers.
- Make sure you log out – This is the most common problem, which can lead to someone stealing your credit card information or other personal info. Don’t forget to log out from your PayPal, Amazon, eBay, and other sensitive accounts.
- Set your phone to automatically update software – Apple and Google routinely update their iPhone and Android software to fix newly discovered security vulnerabilities and to help prevent future ones. New security updates must sometimes be manually downloaded and almost always require you to restart your phone. The inconvenience is far outweighed by the benefits of doing this.
- Be wary of sharing your location – In a blog post about security threats, Jolera.com advises against publicly sharing your location for both financial and physical security: “Hackers can use information about your location to spear phish you.” In other words, they can closely target you with phishing e-mails based around places you’ve been and regularly go. Criminals can also use your location to make robbery attempts where you are—or at your home when they know you’re away.
- Think twice before clicking texted links – Unless you are 100 percent sure of who the sender is, like a friend or family member, and at a minimum get confirmation that the link is OK, don’t click. Clicking links that appear to come from your phone carrier, a vendor, a merchant, or really anyone could expose you to malware infections, especially on an Android phone.
- Use complex passwords – Many apps and websites require complex passwords, but many do not. It is always best to have passwords of at least 10 characters, mix uppercase and lowercase letters, and use special characters. Complex passwords are hard to remember. It may be convenient to use the notepad on your computer or a mobile device to save them for easy copy/paste access, but exposing passwords to an insecure platform allows others to access them as easily as you do. E-mail and SMS are insecure platforms as well. The best place for storing passwords is inside your head.
- Confirm app permissions before you agree – Before installing an app, check whether it displays ads. It’s a safer option to pay a few bucks to get a version of an app that doesn’t show you ads if that is available. It’s a good idea to sanity-check the list of permissions before you enable them. While it makes sense for certain apps to ask for permissions [on things] that may seem sensitive, sometimes the list of permissions just seems too invasive and I will stop the product from installing. Or you may not want to enable all the permissions for apps that ask for them. For example, I don’t want the mobile app for my fitness devices to track my runs, so I’ve disabled location permissions for that app. I have a game that allows you to share photos, but I don’t want to do that with the app, so I’ve disabled those permissions. This was said by Lisa Myers, a security researcher at ESET.
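As an added illustration of the permission sanity-check described in the last item above (not code from the original article or from ESET), this Python example reads an Android app's decoded `AndroidManifest.xml` and lists the sensitive permissions that the app's stated purpose does not explain. The flashlight app, its manifest, the `SENSITIVE` map and the function names are constructed for the example; it assumes the manifest has already been decoded to text, since manifests inside an APK are stored as binary XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the kinds of data this article lists.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
}

# Constructed sample: manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """List every permission the manifest declares, in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter():
        if node.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.append(name)
    return names

def audit(manifest_xml, expected):
    """Group sensitive permissions whose data category is not in `expected`."""
    findings = {}
    for perm in requested_permissions(manifest_xml):
        category = SENSITIVE.get(perm)
        if category and category not in expected:
            findings.setdefault(category, []).append(perm)
    return findings

if __name__ == "__main__":
    for category, perms in audit(SAMPLE_MANIFEST, expected={"camera"}).items():
        print(f"unexpected access to {category}: {', '.join(perms)}")
```

Passing the categories you consider reasonable for the app as `expected` leaves only the requests worth questioning; here the flashlight's location, contacts and SMS access are reported, and SMS access matters most given the texted login codes discussed earlier.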
To wrap it up, we can never do away with mobile phones. They are a part of us nowadays, like an extra sense. But that also makes us more vulnerable. Being aware that your closest gadget can be the entry point to your life habits should be at least a reason to try to be safer online.