It seems like every week we hear about a new smartphone security flaw. Whether it’s a massive bug in iOS, apps leaking your location data to the public, or insecure passcodes on our phones, smartphone security isn’t taken seriously. Yet it should be: In a lot of cases, you can access someone’s entire life with just their phone.
The Problem: Your Life Is On Your Phone
If I lose my phone and some ne’er-do-well picks it up, they can get access to pretty much anything they want in a matter of minutes. My home address is right in the Maps app. My bank accounts have apps on my home screen. They can reset all my passwords with access to my email account (even if they have two-factor authentication enabled). While they’re at it, I’m sure a quick search of my Dropbox account would reveal something sensitive. Good thing I have two-factor authentication turned on to secure my passwords. Wait, with my phone they can get the authorisation tokens for those apps too.
With just my phone -- or even just remote access to it -- you could see every important piece of information about me. I don't want to huddle beneath a thick layer of aluminium foil, but every time I read about a smartphone-related hack I add more rolls of Reynolds to my Amazon wish list.
There are so many ways to access this data too. Apps can leak your private data to the public. Hackers can attack your phone on public Wi-Fi networks. Or you can just lose your phone at a party and accidentally give a stranger access to your entire life.
When I talk with self-described "non-techies", they tend to differentiate their phone from their computer. They're not worried about things like man-in-the-middle attacks on their phone because they don't see it as a threat. Yet the recent Apple bug allowed dedicated hackers to capture all the secure data you transfer without you having any idea. This sounds paranoid, but as we've pointed out before, it just takes one hacker in a coffee shop. And since you have your phone with you all the time, it's even more likely with your phone than your computer.
What You Can Do to Beef Up Your Phone's Security
If you're not willing to give up your smartphone for a dumbphone you can make your smartphone a bit more secure without losing too much convenience.
First off, a few general rules: Stay off of public Wi-Fi on your phone, avoid unofficial versions of popular apps (such as Flappy Birds knock-offs), avoid apps that need permissions that don't make sense (like an alarm clock that needs access to your phone), and follow the usual precautions with spam or nefarious-looking links.
From there, it's all about removing the pieces that make it easy for a hacker to get your personal info. Here are a few ideas on how to do that:
- Get rid of your home address: If you're using Google Maps then you probably have a home and work address set up so you can navigate home. Remove that information so it's not so obvious to someone who picks up your phone. If you have a contact card with your own information on it in your contacts, get rid of that too. Oh, and your phone logs everywhere you go, so you might want to disable that as well.
- Set up anti-theft software: If someone steals your phone, the first thing you'll want to do is make it so nobody can get into it. Apple's Find My iPhone and Google Device Manager are good places to start, but any of these apps will help you do that and track down your phone. Just make sure you set it up before someone steals your phone.
- Use a secure password manager: It's tempting to use something like iCloud Keychain on iOS or Chrome on Android to save your passwords right in your browser, but it's a terrible idea from a security point of view. If you have to access your passwords on the go, use a password manager with a mobile app like LastPass or 1Password.
- Don't save your password in sensitive apps: It's tempting to save your password in your bank app, but don't. You'll need to log in every single time, but at least you're not openly handing your private information over to the first person to grab your phone. Unfortunately, your email is sensitive too, since anyone with access can reset your password on your other accounts. For total security, you'll need to log out of your email completely every time.
- Use a passcode lock: Even though we already mentioned they're often easy to get around, that doesn't mean you shouldn't have a passcode enabled on your phone. On an iPhone, go for a longer passcode instead of a PIN, and on Android customise your lockscreen for security.
- Pay attention to what you install and audit your app permissions: We give all kinds of permissions to apps without paying attention as we click through agreements, and as users we're pretty terrible at our own security. Every couple of weeks, go through your apps and make sure they only have access to data you approve of.
- Encrypt your private data in the cloud: If you're going to keep an app like Dropbox installed to give you access to your private data from your phone, make sure you encrypt that data. You don't have to encrypt everything, just anything with personal information on it like tax returns or document scans. It's super easy to do, and once it's set up you won't have to worry about someone happening on your private info. Android users also have the option to encrypt everything on the phone, but it will slow things down a bit.
- Customise your phone to make it harder to use: A few months ago, I had my jailbroken iPhone confiscated by a bouncer (long story). With a custom lock screen, app icons (not to mention the fact I removed app names), and all the default apps removed, the bouncer couldn't get access to what he wanted on my phone without my help. Customising your phone isn't enough to stop a real hacker, but it's enough to confuse and confuddle a random person who grabs your phone.
- Always update your phone's software: The recent Apple security bug fix is the best example of why it's important to keep your firmware up to date.
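The permission audit suggested in the list above, sketched as an added example (not part of the original article): it reads text shaped like the output of `adb shell dumpsys package` on Android and reports sensitive permissions an app holds that the owner never approved. The package names, the approval list and the sample dump are constructed for illustration.

```python
import re

# Real Android permission names that expose personal data.
SENSITIVE = {"android.permission." + p for p in (
    "READ_CONTACTS", "READ_SMS", "READ_CALL_LOG", "READ_PHONE_STATE",
    "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO")}

# Hypothetical owner decisions: what each app may touch. Unlisted apps get nothing.
APPROVED = {"com.example.maps": {"android.permission.ACCESS_FINE_LOCATION"}}

# Constructed sample, trimmed to the lines the parser reads.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.alarmclock] (1a2b3c):
    runtime permissions:
      android.permission.READ_PHONE_STATE: granted=true
      android.permission.READ_CONTACTS: granted=false
    install permissions:
      android.permission.WAKE_LOCK: granted=true
  Package [com.example.maps] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.RECORD_AUDIO: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_permissions(dump):
    """Map each package name to the set of permissions marked granted=true."""
    result, current = {}, None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        perm = PERM_RE.match(line)
        if pkg:
            current = pkg.group(1)
            result[current] = set()
        elif perm and current and perm.group(2) == "true":
            result[current].add(perm.group(1))
    return result

def audit(dump, approved=APPROVED):
    """Return {package: sorted sensitive grants the owner never approved}."""
    findings = {}
    for pkg, perms in granted_permissions(dump).items():
        extra = (perms & SENSITIVE) - approved.get(pkg, set())
        if extra:
            findings[pkg] = sorted(extra)
    return findings
```

On the sample, the alarm clock with phone access (the mismatch the article warns about) is flagged, and so is the maps app's microphone grant, while its approved location access is not.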
Obviously few of you are going to sign out of your email every time, delete your home address from your maps apps, or audit your apps every week. So here's the important part: use a passcode, enable remote wipe and keep a backup of your phone.
So, smartphone manufacturers, OS developers and app creators, here's my proposition: I'll do my part and fix my lapses in security if you will too. Like everyone else out there, I love new features, great-looking apps, and cool new system-level functions. However, I also love knowing my private data is private and my identity is secure. If you want me to track my habits, my movements, my exercise, and everything I do with my smartphone, then you need to give me the security and knowledge that my information is safe.