Always with the phone!
Today’s challenge – Smartphone Security II – Direct Link to Guide Page
Following on from yesterday’s Challenge, this time we’re looking at the software that runs on your smartphone. Whilst “apps” have been incredibly convenient solutions to many problems, they can introduce significant vulnerabilities to our devices. This is particularly the case for Android devices, because the apps that are in the Google Play store are not vetted to anywhere near the standard that apples in the Apple Apps Store are. We can get all philosophical about this, the “walled garden” vs “my device my rules” debate, but let’s bypass that and just say this: Android apps are by and large less secure than iPhone apps, but that doesn’t mean you’re safe on iPhone. So what to do about it?
Today’s Challenge isn’t difficult technically, all of our participants completed it themselves without any technical support. No, today’s Challenge is difficult because it makes you ask yourself some hard questions, and introspection is usually fraught with danger.
One of the key concepts in information security is called “attack surface”. It describes how many avenues a would-be hacker has to attack you and your data. The greater your attack surface, the more avenues the hacker has to try to comprise you. Part of a good information security plan is to limit the attack surface as much as possible, which includes only installing software or apps which are necessary for you to function. You can see where this is heading can’t you.
The biggest part of today’s Challenge is to uninstall any apps you don’t need, or disable them if they shipped with your phone and you can’t uninstall them.
Once you’ve removed/disabled the unnecessary apps, you then have to restrict the things that the apps that are left can do on and to your device. You might be surprised/worried what apps want access to which parts of your phone.
Lastly, we’re removing any WiFi access points from the phone memory that we no longer need (eg that Starbucks that you visited 3 years ago). The list of WiFi access points you’ve connected to is like a fingerprint for your device, so whenever you turn on your WiFi (because you have WiFi turned off at all times until you need to use it right!?!?) you’re broadcasting to anyone that wants to listen everywhere you’ve been. Which could be awkward…
Geoffrey: As noted earlier I’ve only recently upgraded my mobile phone so I haven’t had time to fill it up with garbage apps that I don’t need. Nevertheless I had 6 apps on my device which I don’t really need, the info from which I can get through a web browser on the device which is much more secure. My app permissions were pretty good (although there were a few that needed to be tweaked). I had three WiFi access points that I needed to delete, so all in all, I was quite happy with my outcome.
Juan: There is no way to say this nicely – Juan is an app whore. He seems to have taken the “There’s an app for that” mantra to the extreme. I’ve never seen a device which wasn’t owned by a teenager with as many apps on it. And just like a teenager, taking away of the apps induced pouting, tantrums, cold stares, bargaining and lots of bribing to achieve compliance. It got to the point of me threatening to double my invoice until he finally acquiesced to deleting a game that he had in fact never played. Thankfully the permissions and WiFi bit was much easier. And yes, constant followup will be required.
Diana: I’m beginning to fall a little bit in love with Diana. She only had 2 non-standard apps installed on her phone, both absolutely essential to her work so that was pretty easy (particularly compared to her husband). App permissions and Wifi were also straightforward.
Priscilla: Landed in the middle here, quite a few unnecessary apps on the device, but many had been installed by her kids so getting rid of them was a relief. App permissions and WiFi were also pretty straightforward.
Previous Days Here:
Day 0 – Introduction to the Team
Day 1 – Installing Operating System and Application Updates
Day 2 – Set Up A Standard User Account
Day 3 – Review Privacy Settings
Day 4 – Setup Private & Secure Email
Days 5&6 – Weekend Project #1
Day 7 – Install a Password Manager
Day 8 – Change Your Passwords
Day 9 – Browser Security
Day 10 – Firefox Security Add-ons
Day 11 – NoScript Security Suite
Days 12&13 – WiFi Security Checkup
Day 14 – Virtual Private Network
Day 15 – Two Factor Authentication
Day 16 – Smartphone Security I