Smartphone security 101?

nisiprius
Advisory Board
Posts: 36025
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Smartphone security 101?

Post by nisiprius » Sat Jan 09, 2016 10:10 am

So we got Samsung Galaxy Stardust Android smartphones for Christmas... could someone point me to a good, well-thought-out guide to Smartphone security 101 for newbies who don't want to be either obsessively careful or unreasonably timid?

I don't mean the obvious phone-related stuff, and yeah of course I'm signed up with Google with a credit card so I can buy apps... I have a face-recognition screen lock, I'm leaving Google set to require the full password, etc.

It's more about things like smartphone banking. My bank is all hot for everyone to download a banking app that allows paying for things with PopMoney etc. Is it insane to do that? What are the real risks if your smartphone is lost or stolen? How about apps that let you buy train tickets etc.? How much danger is there of a stranger literally getting a free ride?

I only plan to buy through Google Play, no rooting my phone or sideloading things... do I need to find an Android virus scanner?
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Smartphone security 101?

Post by jchef » Sat Jan 09, 2016 10:25 am

Virus scanners aren't of much use on Android (or iPhones for that matter). Apps, including virus scanners, aren't allowed access to much of the phone. Meaning there is no way for them to scan much of the phone.


As well, Google actually has a built-in scanner that most people don't know about. It's called Verify Apps and it runs regular checks of the apps on your device. It's often turned on by default, but that's going to depend on the manufacturer. (Or does Google now ask permission to turn on Verify Apps the first time you install an app? I'm honestly not certain.)

You should check to see if you have an app called "Google Settings", although it possibly may go by other names. Once that app is opened, click on security and see if the two checkboxes for Verify Apps are turned on.

As well, at the same place as Verify Apps you should check if Android Device Manager is turned on. This can allow you to locate, lock and/or wipe your phone if it's lost or stolen.

https://support.google.com/accounts/ans ... 2853?hl=en
https://support.google.com/accounts/top ... ic=3100928



If you have all these settings turned on, have a lock screen and are only downloading from the Play Store, your phone is fairly secure. The chances of someone getting access to your data or apps are quite low. You'll have to decide for yourself whether you feel this is enough security to perform financial transactions on your phone.
Last edited by jchef on Sat Jan 09, 2016 10:29 am, edited 1 time in total.

jpelder
Posts: 551
Joined: Mon Jan 26, 2015 3:56 pm
Location: Charlotte, NC

Re: Smartphone security 101?

Post by jpelder » Sat Jan 09, 2016 10:27 am

A couple of things from what I know:

1. Google doesn't vet everything on the Google Play Marketplace, so some shady apps do still exist
2. Only use a secured wifi or cellular data to access any financial service. There are programs that allow anyone on an unsecured wifi to intercept your usernames and passwords.
3. The banking apps still require a password (at least, all of mine do), so nobody can get in without your login credentials. Not sure about the transit apps
4. In general, it's good to use some sort of remote smartphone tracking app to protect you from a lost phone. I have a Samsung Galaxy S5, and using your Samsung account allows you to track the phone, as well as do a factory reset (logging out of all accounts and wiping all personal data) from a desktop. I'm guessing that the stardust has this same capability. Use it!
5. Antivirus isn't strictly necessary for Android like it is for Windows, but it's a good idea. I use CM Security, but there are lots of good free ones out there. See http://www.androidauthority.com/best-an ... ps-269696/ for up-to-date reviews

earlyout
Posts: 1353
Joined: Tue Feb 20, 2007 5:24 pm

Re: Smartphone security 101?

Post by earlyout » Sat Jan 09, 2016 11:03 am

You might want to buy gift cards for the Play store and use those rather than a credit card to buy apps.

jebmke
Posts: 8030
Joined: Thu Apr 05, 2007 2:44 pm

Re: Smartphone security 101?

Post by jebmke » Sat Jan 09, 2016 11:57 am

Do you really need to do banking on your phone? I find that I am home often enough -- at least once a day most weeks -- that it isn't necessary. I suppose if you travel a lot for long stretches, some type of device may be necessary. But I do my VG transfers, bill pay etc in one sitting so there isn't much chance that I would be gone for over a month.
When you discover that you are riding a dead horse, the best strategy is to dismount.

dumbmoney
Posts: 2268
Joined: Sun Mar 16, 2008 8:58 pm

Re: Smartphone security 101?

Post by dumbmoney » Sat Jan 09, 2016 12:55 pm

Set up everything involving payments to require a password or number each time. That protects you not only from strangers, but also from accidental purchasing.
I am pleased to report that the invisible forces of destruction have been unmasked, marking a turning point chapter when the fraudulent and speculative winds are cast into the inferno of extinction.

jebmke
Posts: 8030
Joined: Thu Apr 05, 2007 2:44 pm

Re: Smartphone security 101?

Post by jebmke » Sat Jan 09, 2016 1:04 pm

dumbmoney wrote:Set up everything involving payments to require a password or number each time. That protects you not only from strangers, but also from accidental purchasing.
Just don't access a 2FA account from the phone that is registered for the second factor. :oops:
When you discover that you are riding a dead horse, the best strategy is to dismount.

mhalley
Posts: 5820
Joined: Tue Nov 20, 2007 6:02 am

Re: Smartphone security 101?

Post by mhalley » Sat Jan 09, 2016 1:08 pm

I don't do banking shopping etc etc on my phone, and I don't have a lock on it. I figure if the phone is lost or stolen the most I could be out is some apps on the App Store and long distance phone calls which I would dispute with the carrier. Example of someone disputing stolen phone charges:
http://www.tbtam.com/2007/05/what-to-do ... pFL2SaDmrU

jhfenton
Posts: 2995
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: Smartphone security 101?

Post by jhfenton » Sat Jan 09, 2016 1:15 pm

jebmke wrote:
dumbmoney wrote:Set up everything involving payments to require a password or number each time. That protects you not only from strangers, but also from accidental purchasing.
Just don't access a 2FA account from the phone that is registered for the second factor. :oops:
I don't see the issue. If you use a 2FA-account app, the phone would normally have been a trusted device anyway. And I consider my phone fairly secure, unless they cut off my thumbs. (10 incorrect tries on my passcode wipes the phone.)

If you use 2FA, though, you should set it so that messages don't appear on your lock screen.

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Smartphone security 101?

Post by jchef » Sat Jan 09, 2016 1:25 pm

mhalley wrote:I don't do banking shopping etc etc on my phone, and I don't have a lock on it. I figure if the phone is lost or stolen the most I could be out is some apps on the App Store and long distance phone calls which I would dispute with the carrier. Example of someone disputing stolen phone charges:
http://www.tbtam.com/2007/05/what-to-do ... pFL2SaDmrU
Is your main email account available on your cell phone? Because you can do a lot with an email account.

For example if you tell Amazon you forgot your password, they'll send the replacement password to your email account. Then someone can log into your Amazon account. And so on...


There's a well known story of how someone had a lot of damage done to their digital accounts because hackers got access to a bit of info: http://www.wired.com/2012/08/apple-amaz ... n-hacking/

mhalley
Posts: 5820
Joined: Tue Nov 20, 2007 6:02 am

Re: Smartphone security 101?

Post by mhalley » Sat Jan 09, 2016 3:04 pm

I don't do email on my phone either. I do that on my tablet, and that rarely leaves my house and I manually input the pw each time.

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Smartphone security 101?

Post by Mudpuppy » Sat Jan 09, 2016 4:11 pm

The most important thing to remember is smartphones are inherently insecure. The vulnerabilities are mostly due to "oops" sort of mistakes (e.g. not a sign of incompetence but truly just human error). However, when Microsoft finds an "oops" mistake, they can push out patches as soon as it is fixed. When Google or Samsung finds an "oops" mistake, they can put out a patch, but that doesn't mean the patch propagates to your phone. That's all up to your cellular provider. For example, it took AT&T months to push out the Stagefright patches to my previous phone, perhaps because it was a nearly 3 year old phone.

So color your interactions with the phone with this thought in mind. I think of my phone as an entertainment and communication device, not a pocket computer. I do no financial related business on the smartphone beyond phone calls or text message alerts. No Apple Wallet or Google Pay or any of that. No checking bank or credit card account websites. No buying stuff. No checking the email address used for financial websites.

I also only have my Google Play account linked to prepaid Google Play cards. You can pick those up all over the place, and it really places a limit on accidental in-app purchases (or young kids not understanding how much money they're racking up by clicking "ok" if you let kids play games on your phone).

jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Smartphone security 101?

Post by jchef » Sat Jan 09, 2016 4:57 pm

Mudpuppy wrote:You can pick those up all over the place, and it really places a limit on accidental in-app purchases (or young kids not understanding how much money they're racking up by clicking "ok" if you let kids play games on your phone).
Both iOS and Android have options to always require your password when making purchases (including in-app purchases).

FedGuy
Posts: 1223
Joined: Sun Jul 25, 2010 3:36 pm

Re: Smartphone security 101?

Post by FedGuy » Sun Jan 10, 2016 1:11 pm

I don't use my phone for financial transactions. The only banking app I ever installed was when I was out with a friend in an unfamiliar part of town who was looking for a local branch of her megabank--when the bank's mobile website didn't seem to work properly, I downloaded the app, fired up the branch locator, took her there, and deleted the app. But I'd never do any financial transactions on the phone. I'm just not convinced that they're secure enough.

joebh
Posts: 1708
Joined: Mon Mar 02, 2015 3:45 pm

Re: Smartphone security 101?

Post by joebh » Sun Jan 10, 2016 1:45 pm

jchef wrote:Virus scanners aren't of much use on Android (or iPhones for that matter). Apps, including virus scanners, aren't allowed access to much of the phone. Meaning there is no way for them to scan much of the phone.
This is simply incorrect.

2015
Posts: 1615
Joined: Mon Feb 10, 2014 2:32 pm

Re: Smartphone security 101?

Post by 2015 » Sun Jan 10, 2016 5:32 pm

Mudpuppy wrote:The most important thing to remember is smartphones are inherently insecure. The vulnerabilities are mostly due to "oops" sort of mistakes (e.g. not a sign of incompetence but truly just human error). However, when Microsoft finds an "oops" mistake, they can push out patches as soon as it is fixed. When Google or Samsung finds an "oops" mistake, they can put out a patch, but that doesn't mean the patch propagates to your phone. That's all up to your cellular provider. For example, it took AT&T months to push out the Stagefright patches to my previous phone, perhaps because it was a nearly 3 year old phone.

So color your interactions with the phone with this thought in mind. I think of my phone as an entertainment and communication device, not a pocket computer. I do no financial related business on the smartphone beyond phone calls or text message alerts. No Apple Wallet or Google Pay or any of that. No checking bank or credit card account websites. No buying stuff. No checking the email address used for financial websites.

I also only have my Google Play account linked to prepaid Google Play cards. You can pick those up all over the place, and it really places a limit on accidental in-app purchases (or young kids not understanding how much money they're racking up by clicking "ok" if you let kids play games on your phone).
+100
Emphasis added

nisiprius
Advisory Board
Posts: 36025
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Smartphone security 101?

Post by nisiprius » Mon Jan 11, 2016 7:46 pm

Thanks to all who replied.
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

snowball
Posts: 6
Joined: Wed Dec 17, 2014 7:31 pm

Re: Smartphone security 101?

Post by snowball » Tue Jan 12, 2016 3:14 pm

jpelder wrote:2. Only use a secured wifi or cellular data to access any financial service. There are programs that allow anyone on an unsecured wifi to intercept your usernames and passwords.
This is not accurate. Your connection to your financial institution is encrypted with SSL regardless of the network it is traveling on. Secured wifi networks are about preventing people from using the network and not protecting the data on the network. Indeed for "secured" public networks the password is not a secret so there's no security anyway.
2015 wrote:
Mudpuppy wrote: The most important thing to remember is smartphones are inherently insecure. The vulnerabilities are mostly due to "oops" sort of mistakes (e.g. not a sign of incompetence but truly just human error). However, when Microsoft finds an "oops" mistake, they can push out patches as soon as it is fixed. When Google or Samsung finds an "oops" mistake, they can put out a patch, but that doesn't mean the patch propagates to your phone. That's all up to your cellular provider. For example, it took AT&T months to push out the Stagefright patches to my previous phone, perhaps because it was a nearly 3 year old phone.

So color your interactions with the phone with this thought in mind. I think of my phone as an entertainment and communication device, not a pocket computer. I do no financial related business on the smartphone beyond phone calls or text message alerts. No Apple Wallet or Google Pay or any of that. No checking bank or credit card account websites. No buying stuff. No checking the email address used for financial websites.

I also only have my Google Play account linked to prepaid Google Play cards. You can pick those up all over the place, and it really places a limit on accidental in-app purchases (or young kids not understanding how much money they're racking up by clicking "ok" if you let kids play games on your phone).
+100
Emphasis added
Sure, people said the same thing about using computers for financial transactions 20 years ago and today it is the norm. The reality is that using mobile devices for financial transactions is only going to become more prevalent and more secure. Indeed services like ApplePay already have better data security than typing your credit card number into a random web page.

quantAndHold
Posts: 1701
Joined: Thu Sep 17, 2015 10:39 pm

Re: Smartphone security 101?

Post by quantAndHold » Tue Jan 12, 2016 4:00 pm

Computer security person here....

Your phone is arguably safer than your laptop, with one exception...losing it. A determined person who gets physical access to your phone (or your laptop) will eventually be able to do bad things. Knowing how to remotely wipe the phone if it gets stolen is probably the best defense.

Otherwise, the rules are pretty much the same as with your laptop. Require a password on the lock screen. Different strong passwords for every important account. 2FA. Set your apps up to require the password every time. Protect your email like it's your firstborn child, etc.

We make all sorts of compromises between convenience and security in lots of areas. The best way to protect your smartphone from malicious access is by not having one in the first place. I like the convenience of having the phone, though, so I'm willing to take the risk.

curmudgeon
Posts: 1530
Joined: Thu Jun 20, 2013 11:00 pm

Re: Smartphone security 101?

Post by curmudgeon » Tue Jan 12, 2016 4:26 pm

I regard typical smartphones as being only loosely secured. I think the Windows phones are a bit more secure, but still not great. Even though I have never lost a cell phone (and almost never lost track of one for any significant time), I still prefer to keep arm's length on any significant financial transactions with it. Like many things on the internet, there is a tradeoff between increased utility and increased risk. Just like in investing, it is a good idea to consider your own balance. With my usage, I don't find a need to expose financials to my phone, so I don't. I primarily use my phone for email access. Some degree of map/traffic, photos, and occasional web lookups. I have a few games, but nothing that has costs associated.

I choose not to have financial information on my phone, or directly accessible there, so no banking apps (I may, though haven't yet, put one on my tablet to allow photo deposit of checks). I did have a credit card in one of the phone accounts once, but it was one that was expiring soon, and I haven't updated that after I closed that CC account. If I need spendable money in a phone account, I will buy one of the cards from a store.

The Wizard
Posts: 11896
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Re: Smartphone security 101?

Post by The Wizard » Tue Jan 12, 2016 5:44 pm

I've had Android smartphones for like five years now.
Never bought an app.
Most apps are free (from business connections) or have ads that aren't too annoying.
There isn't much that old Nisi needs to do security wise to join the future.

I scan & deposit checks with my smartphone, do Vanguard and Ally bank transactions, check and pay my CC bills, buy stuff from Amazon.com, all with no issues.
Welcome...
Attempted new signature...

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Smartphone security 101?

Post by Mudpuppy » Tue Jan 12, 2016 11:14 pm

snowball wrote:Sure, people said the same thing about using computers for financial transactions 20 years ago and today it is the norm. The reality is that using mobile devices for financial transactions is only going to become more prevalent and more secure. Indeed services like ApplePay already have better data security than typing your credit card number into a random web page.
I'm not talking about 20 years from now, I'm talking about today. And while cellular providers insist on being middle-men between the OS vendor and the end device, we're going to have problems with timely propagation of patches. That means more exposure time for vulnerable systems. I would hope that changes 20 years, even 2 years, into the future, but every layer between the OS vendor and the phone, as is common with Android, creates delays in getting the phone patched.

investingdad
Posts: 1333
Joined: Fri Mar 15, 2013 10:41 pm

Re: Smartphone security 101?

Post by investingdad » Tue Jan 12, 2016 11:57 pm

You can encrypt both the phone and SD card and require a pin to unlock it each time you go to use it.

Bustoff
Posts: 1979
Joined: Sat Mar 03, 2012 6:45 pm

Re: Smartphone security 101?

Post by Bustoff » Wed Jan 13, 2016 6:40 am

The Wizard wrote:I've had Android smartphones for like five years now.
Never bought an app.
Most apps are free (from business connections) or have ads that aren't too annoying.
There isn't much that old Nisi needs to do security wise to join the future.

I scan & deposit checks with my smartphone, do Vanguard and Ally bank transactions, check and pay my CC bills, buy stuff from Amazon.com, all with no issues.
Welcome...
Have you used "Android Pay" yet?
I didn't realize this app was available for my Android until my wife started using Apple Pay with her iPhone 6.

Angelus359
Posts: 845
Joined: Tue Mar 04, 2014 12:56 am

Re: Smartphone security 101?

Post by Angelus359 » Thu Jan 14, 2016 8:49 am

If you want a secure device, use a nexus phone or iOS phone. On Android, use antivirus. Sophos does pretty well.
IT-DevOps System Administrator

Toons
Posts: 12790
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Smartphone security 101?

Post by Toons » Thu Jan 14, 2016 9:20 am

I keep folders on my Samsung android phone.
One of them is "Finances".
Inside of that are all my banking and investing apps.
Vanguard, Cap360, etc.
I have been doing banking and investing transactions with these apps for years.
I have no virus scanner installed
I use a PIN to unlock phone.
No problems. :happy
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

donfairplay
Posts: 128
Joined: Mon Oct 06, 2008 8:16 pm

Re: Smartphone security 101?

Post by donfairplay » Thu Jan 14, 2016 9:24 am

- You have jelly bean? Android before Lollipop isn't default encrypted. Encrypt the entire phone. Encryption is a major PITA for something like a 4TB HDD connected to a computer or a RAID array, but on a smartphone it doesn't take long. It will set it up to unlock with a pin or unlock code.

- install Lookout (anti-virus, app scanner) free version

- if you do lose your phone, go to google's android device manager to locate it via gps/ring it/lock it/remote wipe it. https://www.google.com/android/devicemanager

Mudpuppy
Posts: 5889
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Smartphone security 101?

Post by Mudpuppy » Thu Jan 14, 2016 11:25 am

Toons wrote:No problems. :happy
At the danger of this coming across like arrogant geek snark, saying you have no problems with that setup is like someone saying "I've always left my doors and windows unlocked and I've never been robbed".... Just because it hasn't happened to you does not make it a good practice.

The Wizard
Posts: 11896
Joined: Tue Mar 23, 2010 1:45 pm
Location: Reading, MA

Re: Smartphone security 101?

Post by The Wizard » Thu Jan 14, 2016 11:35 am

Bustoff wrote: Have you used "Android Pay" yet?
I didn't realize this app was available for my Android until my wife started using Apple Pay with her iPhone 6.
I have not.
I've noticed it is installed on my Nexus 5 now after a system upgrade a while back.
Perhaps I'll toy with it and see what it does better than other methods.

Oh, and I also use an app on my smartphone to pay for gas at Cumberland Farms for 10 cents a gallon off...
Attempted new signature...

Silence Dogood
Posts: 705
Joined: Tue Feb 01, 2011 9:22 pm

Re: Smartphone security 101?

Post by Silence Dogood » Thu Jan 14, 2016 12:01 pm

I use an app called "Lockwatch."

I paid for the premium version, mostly to support the developer for making a great app, but also for the additional features.

Here's a link to the app on the Google Play store:

https://play.google.com/store/apps/deta ... atch&hl=en

lightheir
Posts: 2273
Joined: Mon Oct 03, 2011 11:43 pm

Re: Smartphone security 101?

Post by lightheir » Thu Jan 14, 2016 12:45 pm

Mudpuppy wrote:
Toons wrote:No problems. :happy
At the danger of this coming across like arrogant geek snark, saying you have no problems with that setup is like someone saying "I've always left my doors and windows unlocked and I've never been robbed".... Just because it hasn't happened to you does not make it a good practice.
At the same time, given how long phones/android has been out there now, unless there's a rash of phone exploits and virus hacks, you have to wonder about the usefulness of seeking out extra layers of protection beyond what's already built into the system.

Of course, systems always change and new risks come out, but as a whole, Android as a whole has been a fairly secure environment thus far. VERY different from the PC-virus/trojan days in the 90s-2000s where this stuff was rampant.

Most people I know have been running android with no extra security measures, and have done everything on it - banking, shopping, etc., with no adverse effects due to phone security breaches.

I used to be wary of using banking features, but I started reconsidering when I noticed that almost all major banks have rolled out their own apps to facilitate online banking, including (gasp!) cash checking via cellphone photos. If they are ok with that level of openness, I started asking myself whether I was being paranoid about doing so myself, much as I was hesitant to use online shopping in the early days of the internet (where plenty of people said they would NEVER EVER use a credit card online, and that it had no future because of security issues.)

Toons
Posts: 12790
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Smartphone security 101?

Post by Toons » Thu Jan 14, 2016 12:50 pm

Mudpuppy wrote:
Toons wrote:No problems. :happy
At the danger of this coming across like arrogant geek snark, saying you have no problems with that setup is like someone saying "I've always left my doors and windows unlocked and I've never been robbed".... Just because it hasn't happened to you does not make it a good practice.

No Problemo :happy
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

powermega
Posts: 1133
Joined: Fri May 16, 2014 12:07 am
Location: Colorado

Re: Smartphone security 101?

Post by powermega » Thu Jan 14, 2016 1:42 pm

1. Make sure your phone storage is encrypted.
2. Require a PIN to unlock the phone.
3. I like Lookout for virus scanning. Many good options here, a matter of preference.
4. Make sure you are able to remote lock and wipe your phone. Both iOS and Android support this, just be aware of how to do it.

A side note:
AndroidPay and ApplePay are more secure than using your physical card at a payment terminal.
Even a stopped clock is right twice a day.

Epsilon Delta
Posts: 7423
Joined: Thu Apr 28, 2011 7:00 pm

Re: Smartphone security 101?

Post by Epsilon Delta » Thu Jan 14, 2016 3:13 pm

powermega wrote:1. Make sure your phone storage is encrypted.
2. Require a PIN to unlock the phone.
Use a PIN for sure. It protects against nuisance attacks. But how does encrypting help? Knowledge of the PIN is enough to decrypt, unless you've got a 20+ digit PIN it can be brute forced. For a 4 digit PIN the force doesn't have to be brute, just blow on it lightly and the house of cards will fall over.

powermega
Posts: 1133
Joined: Fri May 16, 2014 12:07 am
Location: Colorado

Re: Smartphone security 101?

Post by powermega » Thu Jan 14, 2016 4:22 pm

Epsilon Delta wrote:
powermega wrote:1. Make sure your phone storage is encrypted.
2. Require a PIN to unlock the phone.
Use a PIN for sure. It protects against nuisance attacks. But how does encrypting help? Knowledge of the PIN is enough to decrypt, unless you've got a 20+ digit PIN it can be brute forced. For a 4 digit PIN the force doesn't have to be brute, just blow on it lightly and the house of cards will fall over.
If your phone is encrypted, then someone wouldn't be able to access the files on the phone's storage if they have physical access to the phone. A PIN can keep the phone locked, and in the case of Android (I have to imagine iOS has something similar), if you attach the phone to a computer with a USB cord, you can't browse the phone's storage unless you unlock the phone. One way to get around this is to boot the phone into "recovery mode", which every Android phone can do (I'm sure iOS has something similar), and use some common tools to examine the phone's storage. (This is the mechanism people use to "flash" a custom ROM/OS onto their phone.) Having encrypted storage prevents that possibility since the storage contents need to get decrypted when the phone powers on. This isn't just a phone/tablet issue. All of the employees where I work that have a laptop computer are required to use BitLocker to encrypt the laptop's drive(s).

I think iOS8 already encrypts user data. I know the latest Nexus phones have encryption by default too.
Even a stopped clock is right twice a day.

ixohoxi
Posts: 117
Joined: Fri Nov 22, 2013 2:58 pm

Re: Smartphone security 101?

Post by ixohoxi » Thu Jan 14, 2016 4:38 pm

For Facebook and other apps, the login is SSL (to protect the password itself) but then the rest of the communication is not. There is a hacking tool called FireSheep that can be used to hijack the victim's session when the unencrypted portion is snooped over unsecured wifi (restaurant, etc) so relying on SSL is not enough.
snowball wrote:
jpelder wrote:2. Only use a secured wifi or cellular data to access any financial service. There are programs that allow anyone on an unsecured wifi to intercept your usernames and passwords.
This is not accurate. Your connection to your financial institution is encrypted with SSL regardless of the network it is traveling on. Secured wifi networks are about preventing people from using the network and not protecting the data on the network. Indeed for "secured" public networks the password is not a secret so there's no security anyway.
Henceforth, content shall be my aim, and anticipation my joy. -Alfred Billings Street
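
A defender-side check for the exposure described in the post above (login over SSL, then a session that can travel unencrypted and be sniffed on open wifi), added here as an example and not written by anyone in the thread. It audits one response's headers for a session cookie that lacks the `Secure` attribute and for a missing `Strict-Transport-Security` header; the header samples, the finding codes and the cookie-name heuristic are constructed assumptions.

```python
# Added example: audit response headers for the "HTTPS login, plaintext
# session" exposure. All sample headers below are constructed.

# Assumption: cookie names containing these substrings carry the login session.
SESSION_HINTS = ("sess", "sid", "auth", "token")

# Finding codes (invented for this example) and what each one means.
EXPLANATIONS = {
    "PLAINTEXT_PAGE": "response fetched over http: everything is readable on shared wifi",
    "NO_HSTS": "no Strict-Transport-Security: the browser may still make http requests",
    "SESSION_COOKIE_NOT_SECURE": "session cookie lacks Secure: it is sent on http requests too",
}


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    valueless flags such as Secure and HttpOnly.
    """
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if absent or unparsable."""
    for name, value in headers:
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            val = val.strip().strip('"')
            if key.strip().lower() == "max-age" and val.isdigit():
                return int(val)
    return 0


def audit_response(scheme, headers):
    """Return a sorted list of finding codes for one HTTP response.

    scheme  -- "http" or "https", the scheme the response was fetched over
    headers -- list of (name, value) tuples as received
    """
    findings = set()
    if scheme != "https":
        findings.add("PLAINTEXT_PAGE")
    elif hsts_max_age(headers) == 0:
        findings.add("NO_HSTS")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if any(hint in cookie.lower() for hint in SESSION_HINTS) and "secure" not in attrs:
            findings.add("SESSION_COOKIE_NOT_SECURE")
    return sorted(findings)


# Constructed sample: TLS used for the login response, but nothing pins later traffic to it.
LOGIN_ONLY_TLS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=CONSTRUCTED123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Constructed sample: the same site with the session pinned to HTTPS.
ALWAYS_TLS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=CONSTRUCTED123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("login-only TLS", LOGIN_ONLY_TLS), ("always TLS", ALWAYS_TLS)):
        codes = audit_response("https", hdrs)
        print(label, "->", codes or "no findings")
        for code in codes:
            print("   ", EXPLANATIONS[code])
```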

inbox788
Posts: 5229
Joined: Thu Mar 15, 2012 5:24 pm

Re: Smartphone security 101?

Post by inbox788 » Thu Jan 14, 2016 9:42 pm

Mudpuppy wrote:I'm not talking about 20 years from now, I'm talking about today. And while cellular providers insist on being middle-men between the OS vendor and the end device, we're going to have problems with timely propagation of patches. That means more exposure time for vulnerable systems. I would hope that changes 20 years, even 2 years, into the future, but every layer between the OS vendor and the phone, as is common with Android, creates delays in getting the phone patched.
The solution today is to go with iPhone or Nexus phones and bypass the middlemen. Both are excellent choices in their own right, and faster security patches is an additional benefit.

FedGuy
Posts: 1223
Joined: Sun Jul 25, 2010 3:36 pm

Re: Smartphone security 101?

Post by FedGuy » Fri Jan 15, 2016 7:42 am

Does anyone here use a Blackphone or Blackphone 2? I read an article about the latter a few weeks ago. The whole point of the phone is to be secure, resist surveillance, and so on. It almost sounds like a phone for the paranoid, if the concerns weren't so legitimate.

VictoriaF
Posts: 18301
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Smartphone security 101?

Post by VictoriaF » Fri Jan 15, 2016 9:40 am

Mudpuppy wrote:
Toons wrote:No problems. :happy
At the danger of this coming across like arrogant geek snark, saying you have no problems with that setup is like someone saying "I've always left my doors and windows unlocked and I've never been robbed".... Just because it hasn't happened to you does not make it a good practice.
Mudpuppy,

I highly appreciate your comments. Please keep sharing your recommendations and urging caution!

Yesterday, I attended a conference, PrivacyCon, organized by the FTC. The conference was targeting the space at the intersection of Academia, Law, and Policy. Most presentations were university research, notably Berkeley, Carnegie Mellon, University of Pennsylvania, and a few others. Most people in the audience I talked with were lawyers. And the organizers, session moderators, and paper discussants were policy makers from the FTC.

My general take-away is "Be Afraid." The press, the social media and our families and friends promote a gung ho approach to online and mobile security. The experts who understand the risks are FAR more cautious.

Companies find ways to exploit the tiniest loopholes. For example, Android does not allow unauthorized applications to access its cache, but it tells apps if a file already exists in the cache. And so apps are asking Android a battery of questions in the form "Does this image exist?" Images in the example were of expensive antidepressants, and a 1-bit response (Yes/No) enables companies to target advertisements. Nothing in this process violates any policies or rules.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

inbox788
Posts: 5229
Joined: Thu Mar 15, 2012 5:24 pm

Re: Smartphone security 101?

Post by inbox788 » Sun Jan 17, 2016 12:32 pm

FedGuy wrote:Does anyone here use a Blackphone or Blackphone 2? I read an article about the latter a few weeks ago. The whole point of the phone is to be secure, resist surveillance, and so on. It almost sounds like a phone for the paranoid, if the concerns weren't so legitimate.
No, haven't used it, but do your research, especially if you're paranoid. Using a high-security device is a red flag for attackers that you've got valuable data and are worth going after. It's probably been cracked by numerous government agencies and hackers that are quietly monitoring everything. Sometimes security by obscurity works better. And who's to say the phone isn't developed by the Chinese government with hidden backdoors. Just look at their web address http://www.blackphone.ch :wink:

The conventional wisdom is that iOS is more secure than Android. Unless you're stuck on Android, moving to iOS should be considered.

ParkersPaPa
Posts: 101
Joined: Sun Jun 14, 2015 9:16 am

Re: Smartphone security 101?

Post by ParkersPaPa » Sun Jan 17, 2016 1:42 pm

Mudpuppy wrote:The most important thing to remember is smartphones are inherently insecure...when Microsoft finds an "oops" mistake, they can push out patches as soon as it is fixed. When Google or Samsung finds an "oops" mistake, they can put out a patch, but that doesn't mean the patch propagates to your phone. That's all up to your cellular provider.
BINGO! Why I would never use Android for anything needing security. On Android, you have to have a security app, and then you have to have sub-security apps to watch your security app...[continue recursively].

SittingOnTheFence
Posts: 289
Joined: Sun Sep 27, 2015 5:30 pm

Re: Smartphone security 101?

Post by SittingOnTheFence » Sun Jan 17, 2016 1:52 pm

inbox788 wrote: And who's to say the phone isn't developed by the Chinese government with hidden backdoors. Just look at their web address http://www.blackphone.ch :wink:
Never been to that site but .ch is Swiss, not China

inbox788
Posts: 5229
Joined: Thu Mar 15, 2012 5:24 pm

Re: Smartphone security 101?

Post by inbox788 » Sun Jan 17, 2016 3:58 pm

SittingOnTheFence wrote:
inbox788 wrote: And who's to say the phone isn't developed by the Chinese government with hidden backdoors. Just look at their web address http://www.blackphone.ch :wink:
Never been to that site but .ch is Swiss, not China
Shh! Conspiracists don't know that or don't believe it or believe the Swiss are working for the Chinese.

http://www.bloomberg.com/news/articles/ ... wiss-franc

2015
Posts: 1615
Joined: Mon Feb 10, 2014 2:32 pm

Re: Smartphone security 101?

Post by 2015 » Mon Jan 18, 2016 1:39 pm

Mudpuppy wrote:
Toons wrote:No problems. :happy
At the danger of this coming across like arrogant geek snark, saying you have no problems with that setup is like someone saying "I've always left my doors and windows unlocked and I've never been robbed".... Just because it hasn't happened to you does not make it a good practice.
Yea, Toons, your post tripped me out. :shock: No way would I ever put my retirement or financial accounts on my phone. I disagree with what was said above that phones are more secure than laptops. And yes, chances are much higher you will lose your phone than your laptop.

Financial theft prevention means never having to say you're sorry.

Toons
Posts: 12790
Joined: Fri Nov 21, 2008 10:20 am
Location: Hills of Tennessee

Re: Smartphone security 101?

Post by Toons » Mon Jan 18, 2016 1:54 pm

Mobile Banking Is Safe. :happy
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee

joebh
Posts: 1708
Joined: Mon Mar 02, 2015 3:45 pm

Re: Smartphone security 101?

Post by joebh » Mon Jan 18, 2016 4:17 pm

FedGuy wrote:Does anyone here use a Blackphone or Blackphone 2? I read an article about the latter a few weeks ago. The whole point of the phone is to be secure, resist surveillance, and so on. It almost sounds like a phone for the paranoid, if the concerns weren't so legitimate.
No matter how secure a system is designed to be, it remains vulnerable to security flaws.
https://www.sentinelone.com/blog/vulner ... -takeover/
