Security Tips for Smartphone Users

Most computer users worry about securing their PCs, but few people pay the same sort of attention to their smartphones. That's a bad situation, according to some experts.

Smartphones, such as iPhones, BlackBerrys or Android-based phones, are actually handheld personal computers. Especially powerful devices such as Motorola's Atrix phone, which functions as the "brains" of a lightweight laptop, show that smartphones have the potential to replace PCs in the coming decade.

"The challenge is that basically, these smartphones are becoming computing devices," said Don DeBolt, director of threat research at Islandia, N.Y., security firm Total Defense.

Yet many consumers are careless about smartphone security, even though they install software, open email attachments, update Twitter feeds and Facebook pages and even bank online using their handheld devices.

Those are actions that only a PC could have done a few years ago. But just because they're done on a smartphone instead doesn’t mean that they're any less immune from hackers.

Apple and its iTunes store offer some measure of safety because apps available there are on a "whitelist" — Apple won't make them available to users without checking them out first. (This safety feature doesn't apply to "jailbroken" iPhones, which can install non-authorized apps.)

In contrast, Google uses a "blacklist" for its Android Market apps — it'll remove them only if there's a demonstrated problem , and there's nothing to prevent users from installing "off-road" Android apps from other sources.

It's not clear how long Google can continue a security policy that's essentially "release first, ask questions later."

With the explosion of smartphone software came an explosion of smartphone malware. Apple's iPhones have mostly been spared, for reasons noticed above, but the number of viruses and Trojans targeting Android phones

Most smartphones have an optional locking feature that requires a password or passcode to use the phone. Android phones also offer a "pattern lock" that allows you to create your own connect-the-dots diagram instead of a password.

But beware: Don DeBolt, director of threat research at Islandia, N.Y., security firm Total Defense, notes that pattern locks are especially vulnerable to people who keep an eye on the smudges your fingers leave on the phone's screen.

It’s actually a variation on an old hack. Back in the days of prepaid phone cards, thieves would stand near banks of payphones in airports and "shoulder surf." They'd watch callers punch in their passcodes, which was all you'd need to make a discounted long-distance call. They'd even use binoculars for longer distances, or watch the reflections of callers in runway-facing windows instead of looking directly at the victims.

Nowadays, a shoulder surfer need only take a high-resolution photo of you using your phone. In the right light, your finger streaks on the phone's screen will show up and reveal the full pattern you traced with an accuracy rate of 68 percent, according to researchers at Penn State University.

In near-darkness and with imperfect smudges, the pattern could be fully deciphered 14 percent of the time. And of course, a thief who actually steals a phone can examine it even more closely.

Passcodes and passwords are also vulnerable to shoulder surfing, but not to still images, because the dot-like smudges can’t tell an attacker if you repeated a letter or number.

Many smartphone social-networking apps automatically upload photos to the Internet. Sounds harmless, right? It is until you remember that many phones embed location tags, also called "geotags," right into the photo files themselves.

Anyone with the right software can look at your Facebook or Flickr photos and determine where you've been. If you're auto-uploading images, it'll tell them where you are at that very moment.

Thankfully, the geotagging feature can be turned off on most phones. If you'd rather keep the geotags, for example to document your hike across the Yosemite Valley, then turn off auto-uploading of photos instead. (Disabling that feature also lessens the possibility that you'd mistakenly post something you'd regret later.)

Similarly, a lot of apps, such as Foursquare and Facebook , ask for constant updates of your physical location. Not that many apps really need that information. There is no reason to tell someone where you are when you’re ordering something online or streaming music. If you don’t want to tell the world — including the neighborhood burglars — that you're not home, then disable this option.

Accessing email accounts and social networks often relies on stored passwords, usually in a "keychain" file, which lets the various apps automatically log into those accounts.

Convenient as that may be, it's better to simply not have the keychain file on your phone at all. The safest place for passwords is always in your head. Recalling and typing in a dozen different passwords may be cumbersome, but how many accounts do you really need to access from your phone?

Pressing a button on a website to restore your smartphone to its factory state, thus erasing all user data, is the single simplest way to make sure your information doesn’t fall into the wrong hands if your phone is lost or stolen. It isn’t foolproof, as forensic examiners with expensive and sophisticated tools (i.e., the police) can usually retrieve "erased" data.

But Debolt notes that the first thing anyone should do when he or she loses a phone is to hit the remote-wipe button from a PC, especially if the phone is lost in a public place . It doesn't take long to get to a public terminal in an airport or hotel.

All the major smartphone operating systems offer this feature (and if you are a BlackBerry corporate user, you probably know of it already).

If you're using Wi-Fi in a public place, anyone with "packet sniffing" software can eavesdrop on your transmissions to and from with the wireless router. That's why it's best to encrypt as many communications with websites as you can.

Not every online service offers encryption — for example, Facebook , Twitter and Gmail do, but Yahoo! Mail doesn't. Going to websites with "https" in the address is good, but those sites don’t always encrypt everything you do.

There are several third-party apps available to provide firewalls and encryption (or both) to your smartphone for use on public Wi-Fi networks. (It also doesn’t hurt to turn off the Wi-Fi and Bluetooth radios when you aren’t actively using them.)

And don’t depend on the app to encrypt the data. DeBolt said many studies showed that a majority of apps don’t even encrypt passwords.

references: securitynewsdaily.com