ITRC Fact Sheet 146
The increasing use of smartphones for daily activities, such as emailing, banking, web browsing, shopping, bill tracking, social networking, file storage, and entertainment gives your mobile device the ability to know everything about you. Not only do you know your smartphone, but your smartphone knows you. Your smartphone’s knowledge, if not protected, is a potential risk to your security and privacy. The ultimate question to ask: Is my privacy and security at risk?
Mobile malware is a rising threat to privacy and security. What is mobile malware?
Mobile malware is a program specially created to infect your mobile phone or device. Once installed on your device, it may disrupt the phone’s system, in order to gather information stored in the device. It may also gain access to the device’s operating system, and take over the phone.
Mobile malware may present itself through fake mobile applications, web-browsing, and SMS/Text messages.
- App-based malware attacks can target a user’s financial information. This might include bank account numbers, passwords, and PINs. The access of such information may result in the loss of money and/or account take-over.
- Web-based Smartphone attacks can be a result of clicking on an unsafe link. This may expose you to “Phishing” scams or cause infected files to be downloaded.
- SMS/Text message-based attacks can be used to spread malware through unsolicited SMS/texts that request the user to reply or click on a link. Unbeknownst to the user, malware may be installed on the device, leading to unauthorized access to the device’s information.
Securing your Smartphone device
- Passcode: A passcode is a simple step you can take to protect your smartphone. If your phone is stolen with all of your personal information on it, this simple step may be the key to protecting your information from unauthorized users.
- Antivirus software: Use mobile security antivirus software. There are Smartphone apps designed to monitor and protect your device against malware and spyware.
- Software updates: Updating your smartphone’s operating software is another step towards securing your device. Software updates are designed to fix problems in the device’s operating program, which may include fixing security vulnerabilities or other bugs that may diminish your smartphone’s performance. Therefore, stay up-to-date on any software updates and make sure to install the latest version.
Important Note: Do not allow your device to remember passwords. If your device is lost or stolen, the information is now compromised.
Android or iPhone: Which one do you have?
- Regardless of whether you use an Android or an iPhone, your privacy and security may be at risk. Understanding the operating system of your smartphone will require work on your part. This knowledge will help you understand the capabilities of your device and help you understand potential threats to privacy and security.
- Both platforms have their own App Stores and both employ different security measures to monitor and vet the apps that are allowed to be on the Android Market or the Apple App Store:
  - Android’s Google Market runs an open market. As the smartphone industry grows, it attracts more malware developers to organize attacks and put smartphone privacy and security at risk. The Android Market has been criticized by the industry several times for not vetting its mobile applications before they are added to the Android Market. What does this mean for you Android phone users? You will need to exercise caution when downloading apps to your device.
  - If you are an iPhone user, Apple reviews applications before they are added to the App Store. According to Computerworld, “When Apple reviews an app, it tries to verify several things, including these: Does the app do what it says it does? Does it function reliably? And does it respect the limitations that Apple has put on developers?” However, despite tighter security measures, it does not exempt the iPhone user from privacy and security threats.
Ever wonder if the apps that you download put you at risk? If not, you probably should. Many apps are designed to capture a wide range of information. Did you know that apps can:
- Read phone state and identity?
- Track your location?
- Read owner data?
- Read contact data?
- Record audio – your calls?
- Take pictures?
- Modify or delete SD card content?
- Edit SMS/text or MMS messages?
- Write sync settings?
- Send SMS messages?
- Write contact data?
- Fully access the internet?
The best security practices when downloading apps are exercising caution and reviewing the app’s ratings, regardless of whether the app is free or paid.
You should carefully examine and pay attention to the permissions the app is requesting to access:
- Android Market apps require the user to either grant or deny access – if you deny access you will not be able to download and install the app.
- iPhone apps will not disclose what the application has permission to access. When downloading an app, whether free or paid, Apple requires the recognition of consent by having the user sign in using their Apple account. The primary reason behind Apple’s non-disclosure of the information, according to Computerworld, is that “Apple tries to prevent developers from having full-scale access to all of the data and hardware” on a device running on Apple’s operating system. However, apps still have access to certain system components.
Because apps have access to a lot of your personal information and data on your Smartphone, familiarize yourself with what the app really needs in order to run. If you feel it requires more than it really should, reconsider installing it.
Only download applications you trust. Android users are allowed to download apps from third parties, whereas iPhone users are only allowed to download apps from the Apple Store, unless, of course, the iPhone has been “jail-broken.” Jail-broken iPhones can download applications from the “Cydia App Store” (apps that have not been approved by Apple).
Location (GPS) and WiFi
- Many applications request permission to access location. Consider turning off the location services (GPS) on your phone to protect your location privacy, unless it is necessary to perform the desired function. Keep in mind that you have the ability to enable and disable the location services on your phone.
- Have you ever taken photographs with your smartphone and posted them online? What’s the worst that can happen? As careful as you may be, if your GPS is enabled, your personal information may be exposed through a process called “geotagging.”
  - According to PCmag.com, “Geotagging adds the current geographic location of the camera or smartphone to an image or message, or adds the static geographic location of a street address.”
  - This information most often includes latitude and longitude coordinates which are derived from a global positioning system (GPS).
  - While it sounds complicated, it really isn’t. It simply means the marking of a video, photo, or other media with an embedded location of where it was taken.
  - Smartphones featuring GPS have made this “tagging” possible.
  - “Geotagging” has been considered an infringement on public privacy and problems can arise if the information is given out unknowingly and/or pulled by the wrong people. So, the photograph you took in front of your computer, at your doorstep, etc. has been recorded and may have possibly given your location.
- To protect yourself, you can:
  - Turn the geotagging feature off.
  - Download disabling software (it will search for geotagging information and delete it before sending).
  - Be aware and educate yourself. Understand the information you are sharing.
  - Consider what you post on the Internet. You never know who has access to it.
- Protect your privacy and security by exercising caution while doing financial transactions or checking banking information while connected to public wireless networks (WiFi). Credit card and personal information transmitted through public WiFi may be up for grabs by identity thieves.
- If you are a Smartphone user, it is highly recommended to use your Provider’s 3G or 4G Network to conduct any financial business. After all, you are paying for the service.
This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to email@example.com.