
Security Best Practices for Cellphone Users - Part 1

Preeya Ramjee

There is no doubt that technology brings with it many advantages. However, there are also attendant risks which need to be carefully managed, to ensure that all its advantages can be enjoyed with the risks minimised as far as possible. Nowhere is this, perhaps, more important than in the case of mobile phones, where data can be accessed and compromised with relative ease.
 
In a two-part article, we will focus on security best practices for cellphone users.
 
Introduction
 
With almost everyone having cellphones nowadays, and with most of these being smartphones, one of the questions most commonly asked is, “What is the most secure cell phone/cellular handset available?”
 
Leaving aside various technical aspects, the two most popular devices are the Apple iPhone 6 and BlackBerry (Business Range), provided that:

  • screen locks are in use
  • encryption is enabled on the BlackBerry and, of course
  • software is constantly updated

With these in place, your data should be adequately secured.
 
However, the importance of updating software cannot be over-emphasised. If this is not done regularly, “grabbing” devices can dump data from cellphones. As settings are generally six months behind the development cycle of the manufacturer, if you update the software regularly, your cellphone should be relatively secure for six months.
 
Smartphones
 
With the wide usage of smartphones, it is critical to understand just how much information is stored on these and how quickly it can be accessed. Using appropriate software, for example Link Analysis, it is possible to dump the data from a cellphone within two to three minutes of accessing it, and then use the software to overlay call patterns and identify links to common persons, communication habits and GPS patterns.
 
The majority of cellular handsets require e-mail addresses linked to the device to track and store much of this information. It is, therefore, best practice that a new e-mail address (used for no other purpose) is used for device registration.
 
A user’s actual e-mail address (the one or ones commonly used) can obviously be added as a mailbox or mailboxes. The device link address should, however, be unique, alphanumeric and not owner-specific. For example, rather than joesmith432@gmail, use cell834c2@gmail to register the device.
 
Registering Your Handset
 
In terms of device registration, it is also important to understand the abilities of tools such as Google’s Android Manager, which allows “Track and Trace” amongst other options, for any handset which has a Gmail address attached to it.
 
Unless this option is considered essential, it should be disabled completely.
 
Do not rely on this tool for recovery of your handset.
 
The risk of someone potentially using it to track and trace you, weighed against the option of recovering your cellphone, makes this an unattractive option. For device security and recovery, the standard would be an App such as KnightFox (Android only at present), which gives you the ability to stop someone from switching power off on the handset to stop it being traced.
 
This is due for Apple release later in 2016 and is a must-have for anyone serious about his/her cell phone’s security and integrity.
 
Monitoring
 
In order for someone to place a monitoring App onto your handset, there are various options.
 
Option 1 is to send what appears to be a PDF file to the e-mail address associated with the handset. By opening the PDF file, the user may run the App and have access to eavesdropping on calls, monitoring of e-mails, messaging and so forth.
 
To avoid this, do not open attachments from untrusted sources and have your handset screened regularly (twice a year) for TSR applications. 
 
Option 2 is to get a “victim’s” cellphone physically into your hands, navigate to a URL and install from there. It takes less than 90 seconds for a person to load spyware with no visible trace if he/she has an unlocked handset in his/her possession.

Option 3 also requires physical possession of your cellphone, as it involves inserting a key-fob into the data port to allow for the retrieval of critical data. Again, this takes only seconds.
 
Best practice dictates that anyone who regards his/her cellphone or data as confidential should never, under any circumstances, allow any third party to handle his/her cellphone, even with the screen lock in place.
 
It is equally easy to access a cellphone which is using a public Wi-Fi hotspot with low security levels.  
 
As a result, never allow your handset to be set to auto-join free hotspots and do not use public hotspots. Rather, pay for the data and the security that comes with it.
 
Public hotspots are notoriously easy to access and give someone ready access to your cellphone and online storage (iCloud and so forth).