Security to go: Three tips to keep your mobile data safe
Keeping your mobile gear secure while you’re zipping across the grid is tricky business. Laptops and tablets—veritable gold mines of personal information—are popular targets for thieves. Law enforcement officials, meanwhile, could confiscate your smartphone and then examine the data—merely as a result of a routine traffic stop.
If you’re packing an Android device, it gets even trickier, because with such a device, you stand a better chance of falling prey to the booming mobile malware market. Independent malware testing lab AV-Test had less than 10,000 Android malware samples in its database by late 2011. Now, two years later, that number has blossomed to around 1.3 million.
Data security is never easy, and security with mobile devices—smartphones, tablets, and, of course, laptops—is no exception. But you can take a few steps to meaningfully improve your mobile security. Join me as we walk through three of the best strategies. (Note: Click on the smaller images below, to enlarge them.)
One of the easiest things you can do to protect an Android or iOS device is to take advantage of built-in hardware encryption. This feature will turn the data on your phone into nearly unreadable junk—unless it's properly unlocked with your password.
Let's start with the easy one: iOS. Owners of iPhones or iPads can rest easy knowing the data is already encrypted, provided you create a passcode from the lock screen.
Here's how to password-protect your iPhone:
In Settings, tap on General > Passcode Lock.
You'll need to choose whether to use a four-digit numeric PIN or something more complex. Longer is always better. A four-digit PIN means some 10,000 possible passcodes—enough to deter amateur thieves (unless they get lucky), but not sophisticated attackers.
To set a harder password, slide the “Simple Passcode” setting to “off.” Keep in mind that you’ll have to enter any longer passcode every time you want to open your phone, so don’t overdo it. A six-character passcode will suffice for most people.
Once you’ve crafted your passcode, tap “Turn Passcode On” and enter your password. You'll be asked to enter it twice to confirm it.
Before you show off your super-secure phone, however, consider activating the
Erase Data setting at the bottom of the Passcode Lock settings screen. Once enabled, your device will erase all data after ten failed passcode attempts—a good safeguard in case your phone ends up in the wrong hands.
Android users face a slightly more complex, more traditional encryption procedure. The process is really pretty easy, but the one thing you need is time. Android devices have to go through a lengthy disk-encryption process, just as your PC or external hard drive does. Depending on the size of your device, encryption could take up to an hour or more. During the process, you need to have the device plugged in at all times, and the battery must be charged. Otherwise, the encryption process could fail, and you could lose some or all of your data.
Two more things to keep in mind: First, some users report that encryption on Android caused a performance hit on their devices during everyday use. Second, encryption is irreversible—short of a factory reset.
All that said, if you want to encrypt an Android phone, here’s how I did it on a device running the latest version of Android (4.3 Jelly Bean).
The screen at left shows paragraphs explaining exactly what Android app encryption involves. Once you’re okay with that, tap Encrypt phone.
If you don’t have a PIN or passcode set for your phone, you’ll see a warning to set a passcode first. To set a passcode or PIN, go back to Settings > Security and tap Screen lock at the top of the page. From there, choose the option for either a PIN or a password. Android allows PINs to be greater than four digits.
After you’ve set up your PIN or password, go back to the encryption page and tap Encrypt phone again.
You’ll be asked to enter your PIN, and then you’ll be given one last chance to back out. If you’re ready to commit, tap Encrypt phone one last time.
Now, all you can do is sit back and wait for your phone to encrypt itself. During the process, your phone could reboot several times. Don’t touch it until you see the lock screen return.
Keep malware at bay
Android users are particularly vulnerable to malware. Google, unlike Apple, doesn’t vet applications before they go live on Google Play. This has proven an easy way for malware creators to sneak malicious apps onto Google’s app store. Malware-laden apps range from those offering free device wallpaper to games, and even to impostors that try to look like popular apps.
That’s why security vendors such as Avast, Kaspersky, and Lookout offer antivirus and security apps for Android to help keep you secure online. But how good are these apps, really? Back in late 2011, results from the AV-Test lab found that the free solutions were nearly useless. The firm tested seven of the top free apps at the time and said that the best free solution detected only one-third of any malware present on a device. Even paid solutions weren’t doing that great at the time of the 2011 tests, with the top paid apps detecting only around 50 percent of malicious code.
“When our report was published in 2011 the AV industry and the threat landscape was in a very early stage on Android,” says Hendrik Pilz, director of AV-Test’s technical lab. “Only a few malware existed but there were already several apps pretending to be an essential utility on each Android device.” (Full disclosure: PCWorld regularly teams up with AV-Test to examine security software for PCs and mobile devices).
Nearly two years later, however, the usefulness of many free solutions has improved dramatically. During its most recent look at Android security apps in July, well-known security apps for Android, including those from Avast, F-Secure, Kaspersky, Lookout, and TrustGo all earned high marks from AV-Test. The lowest score in that group went to Lookout, which still earned an impressive 98.6 percent detection rating.
Besides antivirus and malware scanning, security apps for Android also offer a full
security suite with features such as device location, remote wipe, backup, and suspicious-URL blocking. These extra features usually require a premium subscription, but most apps offer a minimal, basic level of protection for free, including malware scanning.
Even if you do pay for the full security experience, there’s only so much an app can do. It can’t stop a thief from nabbing your device, for example, or prevent a thief from raiding your phone’s data if you didn’t use a screen lock. However, a security app’s backup features can save your data if that data is not automatically backed up to Google. And remote lock and wipe features can prevent a thief from getting in even after your device is stolen.
Google also offers remote wipe and lock for free for Android users running a device with Android 2.3 and up, via the Web-based device manager.
Security apps for Android may have come a long way in the past couple of years, but they still have room to improve. In March, researchers at Northwestern University and the University of North Carolina showed that they were able to build a piece of malware that Android security apps couldn’t detect, Network World reported.
You might think that the minute you land at JFK from a trip overseas that your rights are immediately protected under the U.S. Constitution, but you’d be wrong. Special rules apply at border crossings into the United States, as well as other countries, that give border agents leeway to interrogate you and search your belongings. That includes confiscating any mobile devices and laptops you might have with you or copying their contents.
While these laws are primarily meant to deter terrorism, they've also been used to pull aside activists like Jacob Appelbaum, a computer security researcher and member of the TOR project, and journalists like NPR’s Sarah Abdurrahman. Wind up on the wrong list, and you could be, too.
You can’t do much to prevent yourself from being interrogated, but you can protect your data from being nabbed by an agent and downloaded into some massive data silo in the Utah desert. The Electronic Frontier Foundation suggests an interesting option: Leave the hard drive at home and boot your laptop from an SD card.
(We've also published full instructions on how to create a Ubuntu boot disk or USB boot drive in our Ubuntu guide for displaced Windows users.)
By turning your SD card into a secret Ubuntu boot card, you can leave the country with a “clean” installation of Ubuntu, with no user data on it at all, and your boot drive looks like an innocuous DSLR memory card. Use Ubuntu overseas, connect to your secure cloud accounts for important documents, and simply wipe the SD card of any files before you head home.
Even if you don’t have any sensitive data to protect, this is such a great, secret-agent-style use for your laptop that you might want to try it simply for the cool factor. But you do have to ensure that your laptop’s BIOS cooperates.
The easiest way to install an OS onto an SD card is to create a Live CD of Ubuntu Linux, or some variant, such as Mint. Ubuntu is the best choice, because this Linux distribution gives you step-by-step instructions on how to create a live CD. From there, installing Linux is no different from installing Windows: Just pick the drive on which to install Ubuntu (that 32GB or 64GB SD card), then follow the on-screen instructions.
Make sure your laptop’s BIOS can boot from the SD card reader. We already have a tutorial on how to enter your BIOS settings, so in the BIOS utility, look for a category that says "boot order," "boot priority," or something similar. Then make sure your card reader is first in line.
Note that even if your BIOS lets you put the SD reader in your boot order, your peripheral may not be capable of booting the PC. Check with your device manufacturer to confirm this capability.
Even if you can’t boot from the SD card reader, you can still install Ubuntu onto an SD card and just use an inexpensive SD card-to-USB adapter, many of which look just like USB drives with a slot for the SD card.
Once you’re up and running, do a few test runs at home with your hard drive removed. The last thing you want to deal with after a red-eye flight to London is a snazzy, secret-agent setup that doesn’t work. But if the test runs go without a hitch, you should be all set.