With the number of mobile device users rapidly increasing and the growing saturation of mobile devices in the enterprise, mobile malware has become a topic of major concern. But even though mobile security has begun to get more attention, consumers are still under-informed about the dangers of malware. All smartphone users — as well as enterprise IT teams — need to be aware of the severity of mobile malware and take steps to avoid it. Here are some tips that can help.
1: Do some research
Research and test any apps in the market before downloading to your smartphone and always read reviews on the app before installing. Make sure you aren't getting an application that can expose your data. Always look at feedback from other users of applications that you are downloading, as they often comment on suspicious and malicious applications.
Android can be particularly vulnerable due to its popularity and the open ecosystem; you can get applications from diverse repositories. iOS follows a "walled garden" mentality, providing additional oversight into the applications that can be installed.
Consider a policy of application whitelisting. While this method presents increased administration, it can be worth the trouble. By allowing only whitelisted applications to be installed, you can fully test any software before it gets released to the user base.
2: Avoid risky app stores
Use only legitimate app stores that scan for and remove infected apps, and don't enable the setting to allow third-party applications. Stay informed on applications that have been removed.
Unless you have jailbroken your iOS device, Apple will have you covered on this point. You can't download anything outside the Apple app store. However, third-party applications and app stores are common for Android. The applications available via outside markets will not be vetted as well as native-market applications. At a minimum, stay with trusted markets, such as the Amazon App store, and avoid applications posted on Web sites that aren't available in the Android Market.
3: Turn off your Bluetooth/Wi-Fi
Do not leave Bluetooth or Wi-Fi on unless you're going to use it. When you're done, turn it off.
Ensure that Bluetooth is not in discoverable mode. Bluetooth has a range of about 10 feet for a mobile device. However, some high-powered devices can achieve a range of up to 300 feet. If your Bluetooth configuration is not secured properly, you're providing an opportunity for someone to gain access to your device.
Disabling Wi-Fi when you aren't using it will prevent your device from attaching to an unknown network. When you're on a public network, you're opening yourself to man-in-the-middle attacks and traffic snooping.
4: Use up-to-date AV software
Ensure that your antivirus protections are up to date and applied at the client, email server, and Internet gateways. When you connect your device to any mail server or Internet site, you are potentially exposing yourself to unwanted attacks and viruses. Make sure that you are securing your mailbox before a virus can reach your device. Just as you monitor the AV software on your PC, you need to apply the same practices to make sure that your mobile security software is as effective as possible.
5: Avoid weak passwords
Always use complex passwords to lock/protect your device, and set an idle timeout to lock it. If someone can get into your device, you're exposing not only what is stored locally, but also any Internet resources you're attached to. Using a complex password can help prevent your data from being made public from a lost or stolen device.
In addition to your device password, make sure you have a complex password protecting your iTunes or Google account. With the release of Apple's iCloud, when an application is installed on one device, that application can be automatically pushed to your other devices. So if you lose your iPod and someone installs malware on it, that application can get pushed to your iPhone without your noticing it. Strong passwords are the best defense.
6: Don't store passwords or sensitive data on your mobile device
If you're storing passwords on your device, you might be unknowingly exposing them to other applications. Be careful that you aren't allowing malware to transfer your passwords to the Internet for others to use. Also, be wary of any application advertising to store your passwords for you. If you find one you trust, check the permissions on the application to make sure it doesn't need any unexpected access to other nonrelated functions.
Many applications can access data stored on your device. Keeping sensitive data off of your device will help ensure that it doesn't become exposed to malware.
7: Encrypt your mobile device data stores
Encrypting data is especially important if you store sensitive company information on the device. In addition, use hardware encryption when possible. Hardware encryption uses your complex password to create an encryption key. This key and password are needed to decrypt the data on the device. Without any encryption, you are potentially opening up full access to your data.
With iOS, take advantage of the Find My iPhone application to locate and/or remotely wipe your device.
8: Be careful with permissions
Read the permissions you're granting an app before installing it. Always be aware of the level of access you're allowing an app to have. Anytime you install an application, you're granting it permission to take certain actions. Always review and understand exactly what you're allowing that application to do. And with Android, keep an eye on the applications you're granting administrative rights to.
If a simple application is asking for permission to send and receive SMS or MMS messages, consider that a red flag. Be sure that the requested permissions are commensurate with the expected function of the application.
9: Watch what you open
Just as you would with your PC, be careful of any emails, attachments, and URLs you open. This is just good Internet practice. Don't open suspicious attachments or follow links to unfamiliar Web sites. Remove emails from people you don't know. Be aware of your activity in email and on the Internet.
10: Don't jailbreak or root your device
Not only are you voiding your device warranty, but you are also exposing yourself to any malicious code that might be embedded in the application you use to jailbreak the device. You might be tempted to forgo security in favor of increasing functionality; however, you will remove the security architecture that was built into your smartphone. If you subsequently get malware onto your device, the mechanisms for protecting your device and data will have been weakened.
Ben Conner is a product manager at Virtela Technology Services Incorporated, a managed network, security, and cloud services provider.