A decade later, has my mobile security advice changed?
A decade ago, I appeared on the 361 Podcast to give my advice about mobile security.
This was the era of the iPhone 5 and Android KitKat. BlackBerry was trying to have (yet another) resurgence and Nokia was desperately trying to keep Windows Phone alive. What advice did I give then, and is it still relevant?
Stay Sceptical
In at number five is just stay sceptical. I mean, quite often, lots of mobile viruses and mobile scams spread by text message, by email, by Twitter. And these are all things that we get on our phone. But for some reason, because they seem to come from people we trust, all of our savvy just goes out the window. When you see a message from someone which purports to be your friend, just think, does this sound like them? Is what they're asking me to do a rational thing to do? And when you go and click on a link that someone has sent, check to see if it's actually taking you to where you expect to go.
Still entirely relevant, sadly. You've probably received an SMS saying "Mum, I've dropped my phone. This is my temporary number." Or accidentally clicked on an advert which prompts you to hand over your credentials.
Scams are everywhere. One of the best things you can do to protect yourself and your data is to be less trusting.
Browsers are getting better at sharing real-time blocklists. So clicking on an extremely dangerous website is likely to generate a scary warning. But these technologies aren't perfect.
Don't just change your password
So what can I do if I have ended up putting my password into a fake site?
The most important thing you have to do is, if it's something like Twitter, go to settings and you'll see all the applications which have authenticated against that. You just need to go and delete all of those and then change your password.
This is something that a lot of sites still get wrong. If an attacker has your password, they can use it to authorise an OAuth application they control. That grant is a separate credential: changing your password doesn't sever the link, so you have to revoke the connected apps explicitly.
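To make the point concrete, here is an added example (not code from the original post) of a toy account system. The names, the PBKDF2 parameters and the attacker's "evil-analytics-app" are all constructed for illustration. The naive password change rotates the hash and nothing else, so a token the attacker obtained with the phished password keeps working; the hardened version revokes every outstanding grant as part of the change, which is what "delete all of those and then change your password" does by hand.

```python
"""Added example: why 'just change your password' is not enough.

A user account holds a password hash and a list of OAuth grants (third-party
apps the user has authorised). change_password_naive() leaves those grants
alive, so an attacker who used the stolen password to authorise their own app
keeps access. change_password_hardened() revokes every grant as well.
All names and data here are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class OAuthGrant:
    client_id: str          # the third-party application
    access_token: str       # bearer token the app presents on API calls
    scopes: tuple = ("read",)
    revoked: bool = False


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    grants: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count is illustrative, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt))


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))


def authorize_app(acct: Account, password: str, client_id: str) -> str:
    """OAuth-style consent step: the app gets a token if the caller proves
    they hold the password. With a phished password, the attacker does this."""
    if not check_password(acct, password):
        raise PermissionError("bad password")
    token = secrets.token_urlsafe(24)
    acct.grants.append(OAuthGrant(client_id, token))
    return token


def api_call_allowed(acct: Account, token: str) -> bool:
    """What the API checks on every request from a third-party app."""
    return any(not g.revoked and hmac.compare_digest(g.access_token, token)
               for g in acct.grants)


def change_password_naive(acct: Account, new_password: str) -> None:
    """What many sites do: rotate the hash and nothing else."""
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)


def change_password_hardened(acct: Account, new_password: str) -> int:
    """Rotate the hash AND revoke every outstanding grant. Returns how many
    grants were revoked, so the UI can tell the user to re-authorise apps."""
    change_password_naive(acct, new_password)
    revoked = 0
    for g in acct.grants:
        if not g.revoked:
            g.revoked = True
            revoked += 1
    return revoked


def demo() -> tuple:
    """Attacker phishes the password, authorises their app, victim changes it."""
    victim = create_account("alice", "hunter2")
    attacker_token = authorize_app(victim, "hunter2", "evil-analytics-app")

    change_password_naive(victim, "correct horse battery staple")
    still_in_after_naive = api_call_allowed(victim, attacker_token)

    revoked = change_password_hardened(victim, "another new password")
    still_in_after_hardened = api_call_allowed(victim, attacker_token)
    return still_in_after_naive, still_in_after_hardened, revoked


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

In a real service the same rule applies to refresh tokens and API keys: anything the attacker could have minted while they held the password must be invalidated, and the user should be shown what was revoked.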
2FA
If you want to be really security conscious, you can turn on something called two-factor authentication. This means you give your mobile number to the social network. When you try to log in, what will happen is you type in your username and your password and then Twitter will send you a text message and it says your one-time password is 12345. You type that code in and you're logged in. That way, if someone does manage to get your username and password, it doesn't matter because they don't have your phone as well.
I encouraged people to use SMS as their preferred way of enabling Multi-Factor Authentication. Back then, that was pretty much the only choice for normal people. Facebook wouldn't introduce non-SMS MFA until 2018.
Nowadays, I'd probably recommend using an authenticator app which generates TOTP codes. SMS is basically fine for normal people - yes, it can be spoofed or hacked at a network level, but that's unlikely unless you're specifically targetted.
Official App Channels
Don't download apps outside of the official app store. Now, the app stores aren't perfect. You can get dodgy apps in there, but there is some safety in numbers.
Reluctantly, I think I still agree with this. Back in the day, it was too easy to install dodgy apps. Drive-by downloads were common, and Android had a particularly weak security model.
I value independent app stores like F-Droid and Aurora - but there's no doubt that they are generally for more advanced users. And, yeah, the official app stores aren't perfect, but apps from them are still less likely to completely infect your phone and send premium rate messages.
Virus Checkers
You can download apps which are virus checkers of a sort. I'm quite keen on Lookout, which is a great Android app. Whenever you install something, it will check it and it will look through the list of permissions, alert you, but it will also look at the app and see whether it's been reported that it's a scam or a virus.
These days, I think virus checking apps are less useful. The permission models of Android and iOS are much improved, and it's harder for apps to do bad things in the background.
If you have a corporate device (or personal device with work mode) an app scanner is usually mandatory as part of your employer's Mobile Device Management policies. Again, I'm not totally convinced they're a brilliant idea. They can be useful for peace of mind, or to prevent certain classes of attacks.
Password Managers
Lots of people use really short passwords. Why? Because they're easy to remember and they want to be able to type them into their mobile phone. And this means that people quite often have the same password for Twitter as they've got for Facebook, as they've got for email, as they've got for everything else. This is a real security nightmare because it means that if your Twitter password gets hacked, those hackers have access to everything, all your accounts. So my top tip is use a password manager.
Yup! No notes. Get a password manager. I like BitWarden - but pick whichever meets your needs.
Physical Security
This is my number one tip for mobile security. Buy a wrist strap.
On your phone, you probably have a case. It's got a little hole and you can buy a lanyard, a bit of string or a bit of leather that you clip onto your phone and you wrap around your wrist while you're using it.
Recent reports said 10,000 phones are stolen in London every month, 120,000 a year. That's just in London. Across the UK, it's hundreds of thousands. If you're wearing a wrist strap, it is much more unlikely that someone will be able to yank the phone away from you, because if they do yank the phone away from you, chances are it's unlocked because you are making your call, you're looking at Google Maps and hey presto, they've got access to all of your email, all of your documents. They can start making premium rate phone calls straight away.
I still stand by this. In London, a phone is stolen every 6 minutes - only 2% of them are ever recovered.
Strap your phone to you. Don't leave it on the table when you're in a pub. If you need to check directions, turn away from the street and hold it in both hands.
Phones are now worth thousands of pounds. They are a high-value target. You probably have a banking app on your phone - or contactless payment set up. Treat your phone as though you were carrying a big wodge of notes.
Another part of physical security is:
The other thing that you need to do is set a PIN or a password on your phone. You can use facial recognition or a thumbprint scanner. Anything to stop a casual thief being able to get into your phone is of paramount importance.
If your phone is stolen while it is unlocked, you're shit out of luck. If it's locked, it is much harder for all but the most determined attacker to get in to it. Make sure all your banking apps have passwords on them.
Similarly, a SIM PIN (sometimes called a SIM lock) is essential. You don't want someone ejecting your SIM card, putting it in another phone and making expensive calls on it - or receiving the SMS codes your accounts send to your number.
I also suggested:
Set up Find My Phone. If you're on Android, Android Device Manager, this means that if your phone is stolen, you can find out where it is. But much more importantly, you can click a button and have your phone be completely wiped
Again, solid advice. Perhaps all that will happen is you'll see your phone visit China. But at least you'll be able to prevent the thieves getting into your data.
VPNs
One of the hosts made this comment:
If you're not familiar, a VPN is when you make a secured connection back to a server and all the data through that pipe is encrypted. And the reason for doing that is that when I'm in a coffee shop or I'm on a public Wi-Fi network or something like that, it keeps my data secure because it doesn't matter whether the app does a good job of securing it or not. It gets it all encrypted as it goes over the network.
Nowadays a VPN is less useful than it was. Let's Encrypt launched later that year and with it brought a dramatic increase in the number of Internet services which used HTTPS. HSTS also became widespread, which means that once a browser has seen a site over HTTPS it refuses to connect to the non-secure version of it.
VPNs do protect you if unencrypted data is flowing through your device - but that is becoming rarer. I lean slightly towards the opinion that a VPN is usually a bad idea. They are, effectively, an extra party sitting between you and your destination, and one which sees everything you send. A malicious VPN - or one ordered to behave in such a way - is worse than no VPN.
What would I add to the list?
I think there are a few sensible additions.
- Back up your data. Accept that, at some point, your phone will be compromised or stolen. Ensure you have safe backups of all your stuff.
  - Actually test your backups. For most people, that means regularly look inside them to make sure all your photos are still there.
- Activate your phone's emergency features. Learn which buttons to press to automatically lock and/or disable your phone.
  - Practice using them. You may need to use them in an emergency.
- Make sure your Password Manager and MFA tokens can be accessed from another device.
  - Once your phone has gone, you will still need to get into accounts to lock them down.
- Install an ad-blocker. Not only will it protect your sanity; you're less likely to see dodgy content.
  - Do it on mobile and larger devices.
Stay safe out there!
Chris Adams said on code4lib.social:
@Edent my argument for recommending stronger MFA these days is that it’s built in (i.e. on iOS/macOS it’s slower to setup & use SMS/TOTP than FIDO) and it prevents phishing attacks. SIM swapping is rare but the phishing attacks where they try to get people to enter one-time codes are not that much harder to run than regular phishes.
jleedev@mastodon.sdf.org said on mastodon.sdf.org:
@Edent Authentication has gotten *so* much more complicated. I use my wife's Target account. The app prompted me to create a passkey on my phone. Their system forced a password reset for some reason. My passkey kept on working.
geraldew said on fosstodon.org:
@Edent crikey! I would have listened to that, because as far as I know I've heard every episode of 361.
Basil said on sarcasm.stream:
@Edent I had completely forgotten about the android sweet codenames. 😲
Duncan says:
Has anybody got a recommendation for ad blocking on android? I've struggled to find anything that doesn't look like scamware without changing to an alternative browser
@edent says:
I use uBlock Origin and the Firefox browser on Android. Very fast and works with every site.