Securing your phone

[Lark]

Can anyone point me in the direction of any good, succinct, webpages or youtube videos about android phone security, how to tell if you've been cloned, hacked or spied upon and how to fix that and protect against it happening?

Also is the security for tablets much different to an android phone? What about Kindles? Including the classic ones?

I know the more technology you have the greater the vulnerability to this kind of thing but I dont want to go off grid or anything.

 

[Coriolis]

I don't have much to offer by way of advice, but will be reading this page with interest as I have the same concerns. In fact, that is what has kept me from getting a smartphone for so long, even though almost everyone around me has one. I finally got one for my INTP last winter and have done my best to set it up with security in mind, but I'm sure I have only scratched the surface.

For one, neither of us has a google account, so all apps are sideloaded, replacing nearly all of the apps originally included. I have been trying to determine whether it is worth rooting it, but have held off so far.

 

[highlander]

A couple things that would be important are encrypting the device and having remote wipe capability. I have been predicting the smart phones are going to get hacked like PCs for the last 15 years when the earlier 3g phones were coming out in Japan. For whatever reason the malware attacks haven't gotten critical mass as quickly as I thought. Androids are much more likely to be targeted than iphones though and I think we will hit that inflection point soon when the mobile devices get hacked more because mobile traffic is eclipsing non mobile. It's really about economics and which platform being attacked will yield more revenue for the bad guys. You want to hack a device which is used to access other sensitive systems because that's where the money is. Though there is stuff on it that is worth something, the endpoint is just an entry point to bigger and better things for the most part. If someone crytolockers my phone for example maybe I don't care that much. If they get access to my bank account it is a much bigger deal.

I don't install a lot of software on my phones because it just increases the chance of adding vulnerabilities. Also there is software which will check your phone apps to detect if they have been tampered with.

As to tablets they are as vulnerable as the OS which I think is mostly the same as the phones. So like an iPad is a lot less likely to get hacked than an android based tablet. I don't know about kindles but would guess they are a less lucrative platform to attack and therefore less likely to be a concern. For sure android is the higher risk device to use (though I think they are a little better to use)

 

[Tater]

mobile platforms have less known vulnerabilities than pcs, but out of all the mobile platforms, android harbors the largest number of exploits and more are found as time goes on.

in the u.s., law enforcement goes through a lot of effort to use mobile activity as a resource. they don't have access to all your data, but it's become progressively easier for them to know your habits without needing a warrant. in fact, if you personally use any tunneling protocols to encrypt your traffic, they don't need a warrant to confiscate your device as of earlier this year. however, i would still use ssl when i'm using a public access point because you never know who's in a public network, or who's managing it.

i turn my wi-fi off until i'm at home, because when it's on, your phone pings wireless access points, creating a trail.

being spied upon comes with the territory, at this point.

however, to prevent being hacked, i would install the mcafee antivirus app (or, really, any one that you prefer) to prevent/detect known threats. i wouldn't download any apps from places other than the google play store. i would avoid using your phone to visit sites that have a higher risk factor. additionally, i would ignore false-positive claims from rando sites that 'you've been hacked, now give me your number so we can fix it'. you also want to avoid phishing scams by verifying that you're using your login credentials on the correct sites / apps. moreover, generally follow the same rules you would on your personal computer, with the caveat of wireless risks.

here are some links that may be of interest:

WiGLE: Wireless Network Mapping

Which Mobile OS is Most Secure; iOS, Android, or Windows? [SLIDESHARE] – NextLOGiK

Mobile Security News, Analysis, Discussion, & Community - Dark Reading

 

[Coriolis]

A couple things that would be important are encrypting the device and having remote wipe capability.

I set up remote wipe, but did not encrypt. Exactly what info on the phone is encrypted when one does this? Is there any downside - e.g. extra passwords to enter, or delay in retrieving info?

I don't install a lot of software on my phones because it just increases the chance of adding vulnerabilities. Also there is software which will check your phone apps to detect if they have been tampered with.

Can you recommend examples of this kind of SW? I agree about the apps - just installed only what he really needs.

 

[highlander]

I set up remote wipe, but did not encrypt. Exactly what info on the phone is encrypted when one does this? Is there any downside - e.g. extra passwords to enter, or delay in retrieving info?


Can you recommend examples of this kind of SW? I agree about the apps - just installed only what he really needs.

On the encryption question, do you want anyone picking up your phone to have access to all your email and downloaded attachments? That's the primary risk

On anti-malware software, here are some examples.

15 best antivirus Android apps - Android Authority

 

[Tater]

I don't install a lot of software on my phones because it just increases the chance of adding vulnerabilities. )

this is salient.

before all else, it's important to determine what you really need the phone for, and avoid adding content or functionality that exists outside those parameters. for instance, if you don't need to use the phone for e-commerce, don't. if you don't need to store sensitive data on it, don't. extra apps just increase the attack surface.

 

[Coriolis]

On the encryption question, do you want anyone picking up your phone to have access to all your email and downloaded attachments? That's the primary risk [/url]

That wasn't the question. I wanted to know exactly what is encrypted when your phone is encrypted - everything, including the apps? Or just your personal data (emails, contact lists, downloads)? How about your browsing history? Or can the user specify what to include and exclude? And how does this affect performance and access to the information?

 

[1487610420]

I don't have much to offer by way of advice, but will be reading this page with interest as I have the same concerns. In fact, that is what has kept me from getting a smartphone for so long, even though almost everyone around me has one. I finally got one for my INTP last winter and have done my best to set it up with security in mind, but I'm sure I have only scratched the surface.

For one, neither of us has a google account, so all apps are sideloaded, replacing nearly all of the apps originally included. I have been trying to determine whether it is worth rooting it, but have held off so far.

Why?

 

[1487610420]

A couple things that would be important are encrypting the device and having remote wipe capability. I have been predicting the smart phones are going to get hacked like PCs for the last 15 years when the earlier 3g phones were coming out in Japan. For whatever reason the malware attacks haven't gotten critical mass as quickly as I thought. Androids are much more likely to be targeted than iphones though and I think we will hit that inflection point soon when the mobile devices get hacked more because mobile traffic is eclipsing non mobile. It's really about economics and which platform being attacked will yield more revenue for the bad guys. You want to hack a device which is used to access other sensitive systems because that's where the money is. Though there is stuff on it that is worth something, the endpoint is just an entry point to bigger and better things for the most part. If someone crytolockers my phone for example maybe I don't care that much. If they get access to my bank account it is a much bigger deal.

I don't install a lot of software on my phones because it just increases the chance of adding vulnerabilities. Also there is software which will check your phone apps to detect if they have been tampered with.

As to tablets they are as vulnerable as the OS which I think is mostly the same as the phones. So like an iPad is a lot less likely to get hacked than an android based tablet. I don't know about kindles but would guess they are a less lucrative platform to attack and therefore less likely to be a concern. For sure android is the higher risk device to use (though I think they are a little better to use)

information overload, low sensitive use adoption and higher security standards?

 

[Coriolis]

Why?

Because I want to make sure I know what I'm doing and don't brick my phone. I want to minimize this risk, and weigh it against the benefits, which means I need to understand both.

 

[Lark]

A couple things that would be important are encrypting the device and having remote wipe capability. I have been predicting the smart phones are going to get hacked like PCs for the last 15 years when the earlier 3g phones were coming out in Japan. For whatever reason the malware attacks haven't gotten critical mass as quickly as I thought. Androids are much more likely to be targeted than iphones though and I think we will hit that inflection point soon when the mobile devices get hacked more because mobile traffic is eclipsing non mobile. It's really about economics and which platform being attacked will yield more revenue for the bad guys. You want to hack a device which is used to access other sensitive systems because that's where the money is. Though there is stuff on it that is worth something, the endpoint is just an entry point to bigger and better things for the most part. If someone crytolockers my phone for example maybe I don't care that much. If they get access to my bank account it is a much bigger deal.

I don't install a lot of software on my phones because it just increases the chance of adding vulnerabilities. Also there is software which will check your phone apps to detect if they have been tampered with.

As to tablets they are as vulnerable as the OS which I think is mostly the same as the phones. So like an iPad is a lot less likely to get hacked than an android based tablet. I don't know about kindles but would guess they are a less lucrative platform to attack and therefore less likely to be a concern. For sure android is the higher risk device to use (though I think they are a little better to use)

What about the "apps", and I'm not sure if they are apps you download or if they are embedded already within the operating system, which were talked about a whiles back which the tabloid press had exploited in the UK to hack the phones of celebrities and read their text messages?

Or the other sorts of hacking which involved something called "smurfs" (pretty sure its a slang term) like nosey smurf, sleepy smurf etc. which apparently would allow others to switch off phones, restart phones, switch on listening apps etc. remotely and again read your text messages?

I'm concerned about this because of recent discussions about the targetting of different professionals in my part of the world by information governance scams and claims, some of this is the actions of criminal elements who're interested in the bottom dollar but some of its other sinister or obsessional elements too which appear to afflict my part of the world unfortunately.

 

[Lark]

mobile platforms have less known vulnerabilities than pcs, but out of all the mobile platforms, android harbors the largest number of exploits and more are found as time goes on.

in the u.s., law enforcement goes through a lot of effort to use mobile activity as a resource. they don't have access to all your data, but it's become progressively easier for them to know your habits without needing a warrant. in fact, if you personally use any tunneling protocols to encrypt your traffic, they don't need a warrant to confiscate your device as of earlier this year. however, i would still use ssl when i'm using a public access point because you never know who's in a public network, or who's managing it.

i turn my wi-fi off until i'm at home, because when it's on, your phone pings wireless access points, creating a trail.

being spied upon comes with the territory, at this point.

however, to prevent being hacked, i would install the mcafee antivirus app (or, really, any one that you prefer) to prevent/detect known threats. i wouldn't download any apps from places other than the google play store. i would avoid using your phone to visit sites that have a higher risk factor. additionally, i would ignore false-positive claims from rando sites that 'you've been hacked, now give me your number so we can fix it'. you also want to avoid phishing scams by verifying that you're using your login credentials on the correct sites / apps. moreover, generally follow the same rules you would on your personal computer, with the caveat of wireless risks.

here are some links that may be of interest:

WiGLE: Wireless Network Mapping

Which Mobile OS is Most Secure; iOS, Android, or Windows? [SLIDESHARE] – NextLOGiK

Mobile Security News, Analysis, Discussion, & Community - Dark Reading

This is interesting and probably corresponds a lot to the mobile phone as increasingly an IT application but is this the same sort of thing as the phone hacking scandals in the UK which afflicted celebrities and allowed them to access the phones of users and access, read, delete etc. their text messages?

I think that was a scam which afflicted mobiles other than the latest smart phones too, if I remember correctly it even had consequences for an ongoing police investigation when one of the newspapers accessed and deleted the text messages on the mobile phone of a missing person.

As you say a lot of the exploits or vulnerabilities are "presumably" unknown but I wonder sometimes are they really that unknown, I'd not be surprised if the authorities knew more than they were prepared to divulge but I'm not really that concerned about the authorities so much as I am about criminals and other types of a very similar nature, security cultures are often thinking about the wrong threats when they focus solely upon the authorities.

 

[Lark]

On the encryption question, do you want anyone picking up your phone to have access to all your email and downloaded attachments? That's the primary risk

On anti-malware software, here are some examples.

15 best antivirus Android apps - Android Authority

Good link. Cheers.

I am not that concerned about anyone discovering google e-mails since I dont use my google account (I even have an earlier google account which I forgot the password for and is now unuseable) for anything besides the mandatory set up to access the google app store, never use other e-mail accounts from my phone etc. I always thought that the idea of one platform for accessing everything wasnt a good idea security wise.

I think it would be a good if an app was developed to allow stolen property to report itself for a period of time and then somehow wipe itself and other interfaced tech, although I could see it backfiring through user error and becoming unpopular with users.

 

[Lark]

this is salient.

before all else, it's important to determine what you really need the phone for, and avoid adding content or functionality that exists outside those parameters. for instance, if you don't need to use the phone for e-commerce, don't. if you don't need to store sensitive data on it, don't. extra apps just increase the attack surface.

Yeah, I agree with that, I recently did a wipe of all the apps but have discovered a need to reinstall two or three because of interfacing with sites being more difficult without them. I was surprised to discover the true access facebook apps get to your content but then without them you're going to have a big of difficulty using facebook itself.