October 3, 2019

Mobile device security basics

Mobile device security basics

With the blogs in this series I want to reach not only my typical  audience, security professionals, but especially less security aware  people to help them improve their personal security. If you think the content is helpful for people you know, share it with them!

The mobile devices you carry with you give access to your entire digital life. That's why you should protect them in the best possible way. In this post I will list some best practices to protect your device against unauthorized people accessing it.

Never leave your devices unattended in public places

Would you deliberately leave your wallet unattended in a restaurant, at the airport or in a train?

The answer is no. Well, the same applies for your mobile phone and tablet. But no one leaves his mobile device unattended in these public places, right?

Well, not so long ago I experienced this:

Imagine what I could have done in that few minutes of time if I had bad intentions. First of all I could have stolen his phone. But even without stealing it I could have learned a lot about this person and caused all sorts of damage. I could have accessed, stolen or deleted his contact data, text messages, pictures or inspect and post on his social media accounts, infect his device with password stealing malware, steal money from his bank account via his mobile banking app and so much more. At the moment you have access to someones smartphone or tablet you have access to his digital identity, simple as that. That's why you should keep your devices close to you in public places.

Enable screen locking

In case of loss, theft or accidentally leaving your mobile device unattended you want the data on it to be protected. That's why you should enable screen locking on all your mobile devices. Mobile operating systems like Android and iOS offer this option. When enabled, it implies you need to authenticate every time you turn on your device or wake up the screen.

Also enable automatic screen locking. Both on Android and iOS you can specify the auto-lock time of your device. When your device is not used for the length of time you specified it will lock itself. Keep this short enough to minimize risk, but such that it's not harming your user experience.

Auto-lock on iOS

More information on how to set up screen locking for Android and iOS can be found here and here.

Configure the best available authentication

Each time you turn on your device or wake up the screen, you will need to unlock it. Both on Android and iOS you can configure different ways to unlock your device.

On Android you can configure either a swipe pattern, a PIN or a password. Both the PIN and password can be maximum 16 characters long. Android also foresees options to keep your device unlocked in particular circumstances, for instance when you're at home. If your Android phone has a fingerprint reader you can configure unlocking via fingerprint. It's safer to use fingerprint to unlock then using a PIN or password. Both a PIN or password, certainly when they are predictable, might be guessed or could be observed by people looking over your shoulder.

If you don't have a fingerprint reader on your Android phone configure a random PIN or password. Don't actviate swipe patterns as they can also easily be discovered by other people and additionally fingerprint trails on the device can reveal the swipe pattern.

If you have an iPhone or an iPad, you must set a passcode which is typically a 4 or 6 digit code. But if you want you can change it to a longer numerical or alphanumerical code on the most recent iOS devices.

Whether you use an Android or iOS device, if you use a code or password to unlock, keep in mind that you might need to enter it regularly, so a 6 or 8 digit code is a good middle ground between security and usability.

If you have a recent iPhone or iPad enable Touch ID and/or Face ID. It's a lot more secure than relying on a passcode only.

Backup your data

Make sure you backup your data. In case of theft or data loss backups are your last resort to get your data back. If you have an iPhone or an iPad you can use either iCloud or iTunes. More info can be found here. Preferably use iCloud backup because it's by default end-to-end encrypted or like Apple puts it:

"This means that only you can access your information, and only on  devices where you’re signed into iCloud. No one else, not even Apple,  can access end-to-end encrypted information"

Android users can find more information about backup and restore here.

Additional data protection in case of theft

Data loss is not your only concern in case of theft. You also don't want that the criminals can access the personal and sensitive data that's on your device. If you have an iOS device you can remotely wipe it via the Find My iPhone feature.

If you have an Android phone, read here how you can locate and remotely lock or wipe your device.

If you missed yesterday's post with tips on how you can securily backup your data from your computer, you can find it here. Stay tuned for more actionable security tips tomorrow!