Smartphone Security: How to Keep Your Handset Safe
Trojan Horses, Malware, and Viruses
"As there gets to be hundreds of millions of smartphones out there, that becomes a bigger target for attackers," says Ahmed Datoo, chief marketing officer for Zenprise. His firm creates software that enables a large company's IT department to scan all devices in the system at once, remotely, to make sure no malware has snuck in.
"We have seen a rise in malware across the board for all platforms. Lately it’s been focused on the newer devices with greater adoption: iOS, Android," he says.
And if you’re thinking that kind of thing results only from installing pirated software from sketchy Websites, be forewarned that attacks can also occur in official app stores.
What should you do? Consumers should turn to third-party apps once more. If you're on Android, BlackBerry, or Windows Phone 7, again consider Lookout: It scans your phone for malware and spyware, even examining any application you download. That said, it could still miss a nasty SMS or MMS script, so think twice before you open an MMS item from someone you don't know. Symantec, which makes business-level products for virtually every mobile platform, also creates consumer-level tools for Android and Windows Phone 7; more software like Mobile Defense is emerging, too.
iOS doesn't really have antivirus apps available on a consumer level, relying instead on Apple's stringent App Store policies to keep out malware. Considering the scale and speed at which apps are submitted and approved, though, things are bound to slip through the cracks. The potential for human error is just too great to deny. On iOS you can use the Trend Smart Surfing app, which blocks access to Websites known to contain malware or potential phishing attacks. It would be nice to see more protection for various inboxes, though.
Third-Party Apps That Share Too Much
When you install a third-party app, you grant it certain privileges. Those privileges may include access to your physical location, contact information (yours and that of others), or other personal data. Most of the time an app will be fine, but how do you know what its makers are doing with those privileges and your information? The short answer: You don’t.
Most phone OSs try to handle this problem with a centralized application-store screening process, attempting to weed out any bad eggs before they get in. Again, however, undesirable things slip through.
Android takes a different approach, having looser central control but providing the end user with more information. Before you install an application on Android, the app must ask you for specific permissions. Don't simply ignore such messages. If you're just trying to install a simple wallpaper, ask yourself why it needs access to your contacts and your location. Be judicious when granting permissions.
Additionally, with all platforms, always pay close attention to app ratings and read the comments to see what other users have said. If an app has merely 50 downloads and a two-star rating, do a little digging and find out why. The best protection here really is common sense. Failing that, Lookout Premium can provide you with an overview of the permissions you have granted.
Even major companies including Facebook and Pandora have been sharing (read: selling) more user information than was commonly thought. Your options are pretty much limited to avoiding these applications or starting a letter-writing campaign.
Which OS Is the Most Secure?
There is no easy answer to this question. All of the major smartphone OSs have made significant strides in the last year.
"From an enterprise control and security standpoint, BlackBerry is still the gold standard," says Khoi Nguyen, director of product management for mobile security at Symantec. RIM's phones also feature advanced, devicewide encryption--including for the SD Card--that's cleared for usage at some of the highest levels of government.
Yet in the last six months Apple and Android have expanded support for security management, and more companies appear comfortable using them, Nguyen adds. Also, to enable further security, device manufacturers such as HTC and Motorola have added proprietary software on top of the various OSs their phones support.
With Windows Phone 7, Microsoft is following a similar strategy to that of Apple and Google in that it's starting out by keeping its mobile OS consumer-focused. The company is likely to add more business-friendly security in days to come, however.
One of the biggest holes in Android's security that's slowing its mass adoption in the business world is its lack of encryption, especially on the SD Card. That's a significant risk for business users, who save their e-mail attachments on unencrypted SD Cards.
BlackBerry phones offer the option to encrypt SD Cards, whereas iOS and Windows Phone 7 do not currently support removable storage. That said, many companies are willing to accept phones with unencrypted SD Cards, as long as remote wiping is set up. This arrangement will be fine for most consumers, too. It's important to note, though, that in order to wipe a phone remotely, it must be powered on and have a data connection. So if someone pulls the battery out of your Droid before you wipe it, you cannot erase your SD Card.
Smartphone Security For the IT Crowd
The enterprise ecosystem has changed dramatically in the past year. Each end user wants to stick with the device they prefer personally, and they want to use it for work. Denying them that freedom doesn't always go over so well.
"The days of the IT department trying to regulate what devices users can and can't have--that battle is lost. So they should focus on their real mission, which is providing security to their users," says Datoo of Zenprise.
With so many platforms and new devices flooding the market, how can the IT pro at a small company possibly develop software to track them all, and keep them virus-free? More companies are turning that job over to software developers such as NotifyMDM, Symantec, and Zenprise, which enable management of a company's devices from a single interface.
Third-party software allows an IT admin to search all devices at the same time--whether for 5 or 57,000 users--while still accommodating the latest, most cutting-edge phones.
It's a brave, new, constantly evolving world out there. While we have yet to see an attack on smartphones that rivals the scale of PC attacks, attempts are becoming more and more frequent, and they will continue to proliferate. Critical thinking and your browser's search button may always be your best line of defense.
Products mentioned in this article