There’s never been a better time to lock it down
The more we use our smartphones, the more we open ourselves up to the possibility that the data stored on them will be hacked. The bad guys are getting better and better at finding ways into our phones through a combination of subtle malware and exploits. A quick scan of recent news stories should be enough to worry even the least paranoid among us:
- Malware-infested apps such as the Android banking Trojan Ginp are constantly being uploaded to the Google Play and Apple App stores, let alone other dodgy app stores. This is nothing new, and most of us are smart enough not to knowingly download malware. But Google has found fake copies of legitimate apps with hidden backdoors, taking things to a new level and making it harder for Google to police its store, let alone for us to distinguish these phony apps from legitimate ones.
- Bad Binder is an Android-based exploit that can happen if we visit a malicious website, even without clicking on any links. It can then allow a hacker to remotely control any infected phone.
- Mobile app software development kits (SDKs) are being infected with increasing frequency. This OneZero story on hidden tracking features in many app SDKs is just one example of what’s out there, and in November both Twitter and Facebook discovered compromised SDKs that collected private user data on the sly. SDKs have become a major infection vector for many websites, and there have been other exploits that target Github projects with similar privacy abuses and other security injections.
- A rash of website-based API-related security issues (such as what happened at Capital One bank, Panera Bread, and Twitter) makes phone browsers especially vulnerable, due to the treasure trove of personal data that could be available to a compromised app.
- Google’s Threat Analysis Group has tracked the phishing and other hacking activities of more than 270 government-sponsored hacking groups. Most of this activity took the form of targeted credential attacks on mobile phone users.
- And many SMS authentication codes have been collected as a result of various breaches, including the latest one at a company called True Dialog. These codes are used as a second factor for logins, so their exposure gives users a false sense of security.
From these articles, we can observe two major issues. The first is a loss of privacy. Since we carry our phones everywhere, a hacker can track our movements in both the physical and online worlds and make correlations about our activities, interests, and personal connections. Second is a security issue: Hackers can gain access to our online accounts, steal money, and compromise our digital identities.
Part of the problem lies squarely upon our shoulders — or perhaps our fingers. We don’t pay enough attention when we are clicking on links or reading our email, and in both cases we can end up ignoring warnings that we are about to get into trouble. Preventing this means being more mindful when we use our phones.
A good case in point, and one thing most of us ignore, is the moment when we install a new app and see its requests for various permissions, such as location tracking and access to the phone’s camera and microphone. App developers are rarely parsimonious when it comes to requesting permissions for their apps: An analysis by Symantec in August 2018 found that nearly half of the most popular Android apps and a quarter of the most popular iOS ones request location tracking, among other permissions that could be invasive and unneeded. (And recently, Brian Krebs has discovered that the latest iPhones will intermittently track your location no matter what your system settings may be, at least until Apple changes these settings in a future iOS version.) Again, you should pay attention to these warnings and choose the most restrictive options, such as only allowing permissions while an app is actually running.
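The permission prompts described above come from the permissions an app declares in its AndroidManifest.xml. As an added example (not code from the article or from any vendor mentioned in it), the script below parses a constructed manifest for a hypothetical flashlight app and flags the requested permissions that Android classifies as "dangerous", i.e. the ones that trigger a runtime prompt. The DANGEROUS table is a subset chosen for illustration, not the complete list, and the sample manifest is invented; the same parser works on a manifest extracted from a real APK with a tool such as apktool.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset (assumption: illustrative, not exhaustive) of permissions whose
# protection level is "dangerous" and which therefore trigger a user prompt.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages, including one-time login codes",
    "android.permission.RECEIVE_SMS": "incoming SMS messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_PHONE_STATE": "phone identity and call state",
}

# Constructed sample: a "flashlight" app that asks for far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every permission name declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # namespaced attribute android:name
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str) -> dict:
    """Map each requested dangerous permission to a plain-language description."""
    return {p: DANGEROUS[p] for p in requested_permissions(manifest_xml) if p in DANGEROUS}


if __name__ == "__main__":
    for perm, why in audit_permissions(SAMPLE_MANIFEST).items():
        print("%-55s -> %s" % (perm, why))
```

Running it against the constructed manifest flags four of the five requests; INTERNET is a normal-level permission and is not reported. A flashlight that wants background location and SMS access is exactly the kind of request the article says to refuse.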
Here are some other protective measures you can take to enhance your security and avoid being hacked. While nothing is perfect, using these tools will help.
First, you should always use a VPN no matter where you are or which Wi-Fi network your phone connects to. I use ProtonVPN which comes in both free and paid versions for MacOS, Windows, iOS, and Android. This encrypts your online traffic and keeps your connections and passwords private. For additional security, you should also change your phone’s DNS provider. I use a free public DNS: Warp from Cloudflare. This helps to prevent malicious apps from hijacking your browser sessions.
While it is nice to have this protection, you may have to turn both of them off when you travel. I have noticed that many Wi-Fi hotspots in hotels and airports want you to use their own DNS and don’t like your VPN when you make your initial connection. Just don’t forget to turn your VPN back on after you are connected to these hotspots.
Opt out of ad tracking. This has one drawback: you will no longer get the most relevant ads on your phone. But it will make it harder for your apps to track your personal data as you navigate from email to your phone’s browser and other apps.
Finally, improve your authentication practice. Google has designed its Advanced Protection Program to help high-risk users such as journalists and human rights workers improve their security. But even if you don’t fit into these categories, you can improve your own authentication practice by using multifactor authentication tools: smartphone apps such as Google Authenticator and Authy, and hardware security keys such as Google Titan and Yubico. Notice I don’t mention using SMS codes as a second factor: avoid these as they are significantly less secure (as our news item above mentions).
Apple, Facebook, LinkedIn, Twitter, and Google all support these authentication tools, and while setting them up takes work, doing so will greatly decrease the chances that your accounts will be compromised. The TwoFactorAuth website keeps score of which websites support the various authentication methods.
Staying secure isn’t easy, but it beats having to clean up after a privacy or security breach.