
Mobile Security: Best Practices for Securing Mobile Devices

Mobile devices, in particular smartphones and tablets, are present in our daily lives and contain sensitive personal and professional information. We take them everywhere with us, all day, all the time. Because they are mobile and pass through many different environments, the risk of them being lost, stolen or attacked is high.

Here are 8 best practices that can be implemented to improve the security of our mobile devices:

1. Updates

Mobile vendors update the operating system often. Every year they release a major update of their operating systems, which brings new functionality and new security controls. Throughout the year, intermediate versions are released with patches for different issues, security patches among them. It is recommended to always keep your operating system up to date with the latest version available, in order to have the latest security fixes applied.

2. Install software only from known sources

Users should not install software from unknown sources. Installing software from an unknown source can lead to the installation of malware which might take control of your device and access privileged information.

3. You should only give the minimum permissions to an application

With major operating systems, applications need to request permission to access certain resources. For example, an application that needs to take a picture will request access to the camera sensor, an application that needs to know your current location will ask permission to access your geolocation information, and an app that needs to access your photos will ask for permission to do so. To limit the access applications have to your device resources, you should only give permissions that are actually necessary and limit the amount of time the access is granted (i.e. only allowing access once vs forever).

A good practice is to review the permissions already given to applications by browsing the types of permissions on your device and verifying whether each grant is still applicable.

In Android, there is a type of permission, Accessibility, that if given allows the application to control the user's touch inputs. The application can then prevent the user from removing the permission or uninstalling the application, making it permanent on the device.
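
On Android, the permission review described above can also be done from a computer over adb. The following is an added example, not part of the original article: it parses a constructed sample shaped like `adb shell dumpsys package` output and an `adb shell settings get secure enabled_accessibility_services` value. The package names, the list of permissions treated as sensitive and the function names are assumptions, and the dumpsys layout varies between Android versions.

```python
import re

# Permissions this example treats as sensitive (an illustrative choice).
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.READ_CONTACTS"}

# Constructed sample shaped like `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
  Package [com.example.flashlight] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""
# Constructed value shaped like the enabled_accessibility_services setting:
# colon-separated package/service components, or "null" when nothing is enabled.
SAMPLE_A11Y = "com.example.flashlight/.HelperService:com.example.reader/.TalkService"

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dumpsys_text):
    """Map each package to the sensitive permissions it currently holds."""
    result, pkg = {}, None
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            pkg = m.group(1)
        elif pkg and (m := PERM_RE.match(line)):
            if m.group(2) == "true" and m.group(1) in SENSITIVE:
                result.setdefault(pkg, set()).add(m.group(1))
    return {p: sorted(v) for p, v in result.items()}

def accessibility_packages(setting_value):
    """Packages owning an enabled accessibility service ('null' means none)."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def unexpected_accessibility(setting_value, expected):
    """Packages with accessibility enabled that the owner did not expect."""
    return sorted(accessibility_packages(setting_value) - set(expected))

if __name__ == "__main__":
    print(granted_sensitive(SAMPLE_DUMPSYS))
    print(unexpected_accessibility(SAMPLE_A11Y, {"com.example.reader"}))
```

Any package reported by `unexpected_accessibility` is one whose Accessibility grant should be reviewed on the device and revoked if it is not needed.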

4. Biometric Authentication

Biometric authentication allows the user to have a more secure passphrase for the device, making it harder to brute-force, guess or learn via shoulder surfing, because the user doesn’t need to input the passphrase often. Biometric authentication is only as robust as your passphrase. A secure passphrase should be long and contain different combinations of case, digits and symbols. It is important to only have biometric data registered for the user that accesses the device.

5. Remove the attack surface on locked devices

When a device is locked, it should request the passphrase/biometric authentication as soon as it is to be unlocked. While locked, most devices allow the user (or an attacker) to interact with some functionalities: manage wireless connections, respond via text message when a call is not answered, use the voice recognition system, etc. While this brings some level of usability, it also exposes an attack surface to an attacker who finds or steals a device. With a biometric form of authentication the time to unlock the device is reduced, so this extra attack surface should be disabled when the device is in a locked state.

6. WiFi Connections

We have come a long way in regard to the security of the communication channels that we use today on our mobile devices. A large part of the connections the device and its applications make use Transport Layer Security (TLS). Although network security is more mature these days, we should be careful about which networks we connect our devices to. An open WiFi network or a shared WiFi network might open the possibility of man-in-the-middle attacks which, if coupled with social engineering attacks, give the attacker the possibility to access and modify data that is exchanged between our device applications and their respective backends.

7. Virtual Private Networks (VPNs)

With a secure VPN connection we guarantee that our traffic can’t be intercepted between our device and the VPN server. A VPN should be used if we connect to insecure networks or if we want to be sure that a third party is not intercepting our traffic along the way. When using a VPN provider, one needs to make sure that it is a reliable service: as said above, the VPN only guarantees that our traffic is not intercepted between our device and the VPN server, and the VPN provider could have access to some degree to our traffic.

8. Track your device

Both major operating systems implement mechanisms that allow the owner to keep track of their mobile device. Although this has the potential to be abused by the operating system provider, it gives the owner the ability to keep track of a stolen/lost device and even to perform a full wipe of the device if/when it gets connected to the Internet.