Last month we shared our 5 tips for securing your mobile device in the post-pandemic world.
The inspiration for writing this article came from witnessing all the ways the covid-19 pandemic had altered our mobile usage habits. We saw that the threat landscape had changed and that new gaps had opened up.
But the process of writing that article led us to think about even more ways to secure your phone from hackers.
In fact, we decided we needed to share a sequel. So, here it is - introducing 5 bonus tips for securing your smartphone.
Don’t install mobile apps from untrusted places
As a general rule, you should only download apps from the Play Store (if you have an Android phone) or the App Store (if you have an iPhone). In the last year or so, cybercriminals have exploited our anxieties about the covid-19 pandemic to trick people into downloading apps from elsewhere.
Phishing emails or text messages use social engineering techniques to convince you to click on a link.
And the act of clicking on that link can sometimes enable a malicious app to be downloaded onto your device.
This is how the Flubot phishing scam worked and spread around the globe earlier this year. Android users who clicked on the link within the SMS message were shown instructions for how to install a parcel tracking app via an APK. It’s not easy to download apps outside of official app stores (as we’ll explain in our next tip), but there was an explanation within the message for how it could be done. Those who did download it saw spyware spread throughout their phone.
You might think people would be naturally cautious of downloading an app outside of Google Play. But hackers are skilled at playing on our emotions. Phishing messages make it clear that you have to do something urgently to fix a problem. That could be an issue with your bank account or getting an expected parcel delivered on time. Often people will panic and decide they simply have to take action.
Recent Ofcom research found that 45m people in the UK have received at least one fraudulent message in the last three months. If you receive an SMS asking you to click on a link to download an app, think twice. Contact the company in question directly instead.
It’s also worth exercising caution when scanning QR codes. Do you really trust the place you’re being asked to scan the code and download an app?
Don’t root or jailbreak your phone
Phishing attacks like Flubot are often aimed at people who are unaware of the dangers of downloading apps outside of official app stores. But some people actually choose to alter their phones so it’s easier for them to do just that.
Rooting is the term more commonly associated with Android devices. This is where you hack your Android phone to take it outside of Google’s in-built restrictions. Jailbreaking is similar but sounds more severe because it’s associated with Apple devices. And Apple’s famed walled garden approach to security means it’s generally a lot more difficult to break free of the protective measures the company has put in place.
But these very measures are what encourage some users to jailbreak their device. They want the freedom of being able to download apps that can’t be found on the App Store. The thing is, there are often very good reasons for those apps not being listed there.
Downloading apps from random websites can significantly increase your chances of ending up with malware on your device.
One of the reasons we were eagerly following the Apple vs. Epic Games legal case is that it set an interesting security precedent. By encouraging gamers to download Fortnite outside of the App Store (and Android Play Store) bubble, might Epic Games have been putting their users at risk?
There are legitimate arguments for both end users and developers to question the power of Silicon Valley giants like Apple and Google. We explored this ourselves in a recent article about Google’s shift to using Android App Bundles to upload apps to the Play Store.
But right now the landscape outside official app stores is murky and dangerous. It’s much safer to stay within the protective bubble.
Use strong passwords and biometric data
If we go back to phishing scams for a second, not all of them are sent with the goal of getting you to download an app. Some want you to fill out your login details in a form - including your password - so those details can be recorded. Again, the ruse here is typically that there’s something wrong with your account that needs to be fixed urgently.
This is one way cybercriminals try to get your password. Other methods use software to guess your password. One is called a brute force attack - here the attacker tries a variety of combinations until they hit on yours. Another, called a dictionary attack, is where a prearranged list of words is used.
The best way to avoid falling victim to these two attacks is to come up with longer, more obscure passwords.
But obviously you also need to be able to remember them. A password manager is one solution. It means you don’t have to create or remember a password at all. But if you’d rather not use one, here are some ideas for how to create more complicated passwords that still mean something to you:
- Use a series of unconnected words that have some kind of meaning to you
- Create a password with some of your favorite song lyrics, or a favorite line from a movie or book
- Try the Bruce Schneier Method - here, you think of a random sentence and then transform it into a password by applying a rule to it. One example is to take the first two letters from each word. So, “Gracia is my favorite neighborhood in Barcelona” would become GrismyfaneinBa.
If certain apps allow it, then it’s also a good idea to use biometric logins (your fingerprint or face). While these aren’t completely invulnerable and might face challenges in an age of augmented reality and deep fakes, they’re still pretty secure. And as we said in our first tips article, make sure you set up multifactor authentication.
Always keep your apps up to date
We stressed the importance of updating the OS on your phone in part one of our tips for securing your smartphone. But updating the individual apps on your device is just as important.
That’s because in the same way that OS updates fix bugs and security issues, so too do individual app updates.
As the threat landscape evolves, app developers become more aware of gaps that need to be plugged.
Updates are there for a reason, then - to counter the latest cyber attacks.
And so having old apps on your phone that haven’t been updated in a while can be dangerous. They might only have protection that was acceptable two or three years ago but now isn’t up to the task.
It’s worth doing a regular audit of your device to understand which apps need to be updated. You can decide whether or not to set up automatic updates or whether you’d prefer to manage the process manually, as well as whether to wait until you’re connected to wifi.
If there are some very old apps on your device that haven’t been updated in a long time and which you don’t use, it might be worth deleting them. One app with weak security can be like an open window an attacker can climb through to access the rest of the house.
Make use of anti-malware solutions
There’s a common assumption that you don’t need to install anti-malware on your smartphone - that in-built platform security alone is enough. While this is largely true if you own an iPhone (owing to the walled garden approach to security we mentioned earlier), it isn’t the case for Android.
The open-source nature of Android means that it’s easier for bad actors to exploit gaps in security there compared to iOS.
And so it’s more important for Android device owners to consider adding an extra layer of security on top of standard OS security (and the protection developers apply to their apps).
Something else to bear in mind is that if you have an older Android device, then it might not actually receive Android security updates. Last year, Which? reported that a billion Android devices around the world weren’t supported by security updates.
Anti-malware solutions can analyze installed apps and downloaded files. Google Chrome and other web browsers do checks to analyze whether files and webpages are dangerous or not, but they can’t help if another app downloads a file. That’s where an anti-malware solution can help.
These days anti-malware products are pretty sophisticated. Most use machine learning to develop artificial intelligence algorithms. These can recognize and quarantine malicious code before it has the chance to run on your device.
So, there we have it. 5 bonus tips for blocking hackers from your cell phone. Use the recommendations here - together with those in Part I of this series - and you’ll make it much more difficult for attackers to access your personal data.