Ten simple steps to secure your smartphone

Posted on 7 Sep 2012 at 16:00

Davey Winder separates the reality of smartphone insecurity from the myths

We’ve become a mobile nation. The smartphone has revolutionised personal and corporate communication, with email on the move and social networking wherever we may be. The boundaries between consumer and business use have become so blurred that BYOD (Bring Your Own Device) has become the security buzzword of the year, and you’re as likely to hear talk of “apps” in the boardroom as the living room.

But it isn’t just new words that the smartphone revolution has introduced. It’s also a new age of IT security risk. We’re long past the days of mobile security being little more than a sales gimmick for security vendors looking to push unnecessary products. So what are the real risks, and what can you do to mitigate them?

Myth busting

One of the big smartphone security myths that needs to be busted to bits before going any further is that of “my platform is safer than yours” – or, as it has somewhat erroneously been dubbed, the iPhone versus Android debate.

“It’s misleading to focus on platform-specific guidance, because this isn’t a game of averages,” says BT’s global head of business continuity, security & governance, Jeff Schmidt. “You don’t accept countermeasures that ‘probably’ work – you enforce policy restrictions against known weaknesses.”

This rule of thumb completely destroys the idea that iOS is the safest platform because of the App Store development walled garden; a walled garden doesn’t prevent SMS spam, handset theft, social engineering and so on. Deciding to opt for Apple over Android, or BlackBerry over them both, because it's “safer than the rest” is just creating a false sense of security that will soon come back to bite you. Yes, RIM has some of the best security controls, clearances and standards for smartphone use in the enterprise out there, but that still counts for little if you apply the Schmidt equation above.

The same goes for the argument that the platform with the greatest market share will be the most vulnerable to attack. The truth of the matter is that all platforms have their respective strengths and weaknesses, but ultimately, the weakest link in the smartphone security chain is the user. As Andrew Wild, CSO at Qualys, eloquently puts it, “the security of the smartphone is impacted more by the choices of the user than by the actual smartphone itself.”

The main smartphone security threats

PC Pro asked a panel of mobile security experts to explain the most common smartphone security risks you should be looking out for. Not surprisingly, the same threats surfaced again and again.

1. SMS trojans

SMS trojans will often pose as a genuine application, which is why the threat also goes by the name of “rogue applications”; the catch-all of “mobile malware” probably best covers it. You’d have to have been in a coma for the last few years to believe such malware exists only in the research labs of the security vendors.

David Emm, senior security researcher at Kaspersky Lab, told us of one particular SMS trojan that was distributed on the Android platform. "Foncy was spread via a file-hosting website, advertised as a program for managing SMS messages. This trojan determines the country of the infected device from the SIM card: depending on the region, it selects an appropriate number to which it will silently send SMS messages subscribing to online services. It suppresses any incoming message confirming the subscription. On top of this functionality, however, subsequent versions of Foncy also came bundled with an IRC bot and a root exploit."
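As an added illustration (not part of the original article, nor any vendor's tooling), here is a defender's check for the permission pattern Emm describes: an app that can both send SMS and register a raised-priority receiver for incoming SMS. It assumes a decoded, plain-text AndroidManifest.xml and Android versions of the article's era, where a higher-priority receiver could handle an incoming SMS before the default messaging app; the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest for illustration; not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsmanager">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".Incoming">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def sms_receiver_priorities(root):
    """Priorities of every intent-filter that listens for incoming SMS."""
    priorities = []
    for flt in root.iter("intent-filter"):
        actions = {a.get(NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            raw = flt.get(NS + "priority", "0")
            priorities.append(int(raw) if raw.lstrip("-").isdigit() else 0)
    return priorities


def audit_manifest(xml_text):
    """Report the send + prioritised-receive pattern described in the article."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(NS + "name", "") for p in root.iter("uses-permission")}
    can_send = "android.permission.SEND_SMS" in perms
    can_receive = "android.permission.RECEIVE_SMS" in perms
    top = max(sms_receiver_priorities(root), default=None)
    return {
        "package": root.get("package"),
        "can_send_sms": can_send,
        "can_receive_sms": can_receive,
        "max_sms_receiver_priority": top,
        # Sending plus a raised-priority receiver is the combination worth review.
        "review": can_send and can_receive and top is not None and top > 0,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A flagged manifest is a prompt for manual review, not a verdict: legitimate SMS managers request the same permissions.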

2. SMS spam

Probably the biggest growth area when it comes to smartphone risk is that of SMS spam. It’s often thought of as a vehicle for SMS trojan distribution, but is actually a much broader risk than just being a malware channel.

Gareth Maclachlan, co-founder of AdaptiveMobile, was formerly at GCHQ with responsibility for advising the government on new mobile threats. “These unsolicited messages,” he explains, “are designed to trick or coerce users into either unintentionally revealing their personal information, or clicking links that appear to be genuine but are in fact built with the sole purpose of defrauding users. Whether this is through a simple message suggesting you’re owed compensation from a recent accident or missed the delivery of a parcel, or a text message asking to give your bank a call, new SMS scams are being created on a daily basis to exploit users and generate income for the cybercriminals. This could be through the abuse of premium SMS or numbers, or simply by selling on users or the company’s personal information to third parties.”

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
