10 ways to combat the threat of mobile malware

Mobile malware is on the rise, but user awareness is lagging behind. These preventive measures can help safeguard mobile devices.

With the number of mobile device users rapidly increasing and the growing saturation of mobile devices in the enterprise, mobile malware has become a topic of major concern. But even though mobile security has begun to get more attention, consumers are still under-informed about the dangers of malware. All smartphone users -- as well as enterprise IT teams -- need to be aware of the severity of mobile malware and take steps to avoid it. Here are some tips that can help.

1: Do some research

Research and test any apps in the market before downloading to your smartphone and always read reviews on the app before installing. Make sure you aren't getting an application that can expose your data. Always look at feedback from other users of applications that you are downloading, as they often comment on suspicious and malicious applications.

Android can be particularly vulnerable due to its popularity and the open ecosystem; you can get applications from diverse repositories. iOS follows a "walled garden" mentality, providing additional oversight into the applications that can be installed.

Consider a policy of application whitelisting. While this method presents increased administration, it can be worth the trouble. By allowing only whitelisted applications to be installed, you can fully test any software before it gets released to the user base.

2: Avoid risky app stores

Use only legitimate app stores that scan for and remove infected apps, and don't enable the setting to allow third-party applications. Stay informed on applications that have been removed.

Unless you have jailbroken your iOS device, Apple will have you covered on this point. You can't download anything outside the Apple app store. However, third-party applications and app stores are common for Android. The applications available via outside markets will not be vetted as well as native-market applications. At a minimum, stay with trusted markets, such as the Amazon App store, and avoid applications posted on Web sites that aren't available in the Android Market.

3: Turn off your Bluetooth/Wi-Fi

Do not leave Bluetooth or Wi-Fi on unless you're going to use it. When you're done, turn it off.

Ensure that Bluetooth is not in discoverable mode. Bluetooth has a range of about 10 feet for a mobile device. However, some high-powered devices can achieve a range of up to 300 feet. If your Bluetooth configuration is not secured properly, you're providing an opportunity for someone to gain access to your device.

Disabling Wi-Fi when you aren't using it will prevent your device from attaching to an unknown network. When you're on a public network, you're opening yourself to man-in-the-middle attacks and traffic snooping.

4: Use up-to-date AV software

Ensure that your antivirus protections are up to date and applied at the client, email server, and Internet gateways. When you connect your device to any mail server or Internet site, you are potentially exposing yourself to unwanted attacks and viruses. Make sure that you are securing your mailbox before a virus can reach your device. Just as you monitor the AV software on your PC, you need to apply the same practices to make sure that your mobile security software is as effective as possible.

5: Avoid weak passwords

Always use complex passwords to lock/protect your device, and set an idle timeout to lock it. If someone can get into your device, you're exposing not only what is stored locally, but also any Internet resources you're attached to. Using a complex password can help prevent your data from being made public from a lost or stolen device.

In addition to your device password, make sure you have a complex password protecting your iTunes or Google account. With the release of Apple's iCloud, when an application is installed on one device, that application can be automatically pushed to your other devices. So if you lose your iPod and someone installs malware on it, that application can get pushed to your iPhone without your noticing it. Strong passwords are the best defense.

6: Don't store passwords or sensitive data on your mobile device

If you're storing passwords on your device, you might be unknowingly exposing them to other applications. Be careful that you aren't allowing malware to transfer your passwords to the Internet for others to use. Also, be wary of any application advertising to store your passwords for you. If you find one you trust, check the permissions on the application to make sure it doesn't need any unexpected access to other nonrelated functions.

Many applications can access data stored on your device. Keeping sensitive data off of your device will help ensure that it doesn't become exposed to malware.

7: Encrypt your mobile device data stores

Encrypting data is especially important if you store sensitive company information on the device. In addition, use hardware encryption when possible. Hardware encryption uses your complex password to create an encryption key. This key and password are needed to decrypt the data on the device. Without any encryption, you are potentially opening up full access to your data.

With iOS, take advantage of the Find My iPhone application to locate and/or remotely wipe your device.

8: Be careful with permissions

Read the permissions you're granting an app before installing it. Always be aware of the level of access you're allowing an app to have. Anytime you install an application, you're granting it permission to take certain actions. Always review and understand exactly what you're allowing that application to do. And with Android, keep an eye on the applications you're granting administrative rights to.

If a simple application is asking for permission to send and receive SMS or MMS messages, consider that a red flag. Be sure that the requested permissions are commensurate with the expected function of the application.
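The permission review described above can be automated against an app's decoded manifest. The following is an added example, not part of the original article: the category policy (`EXPECTED`), the `audit_manifest` helper, and the sample manifest are hypothetical and constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Messaging permissions: a red flag when a simple app asks for them.
MESSAGING = {PREFIX + p for p in
             ("SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS", "READ_SMS")}

# Hypothetical policy: permissions each app category is expected to request.
EXPECTED = {
    "flashlight": {PREFIX + "CAMERA"},
    "messaging": MESSAGING | {PREFIX + "INTERNET", PREFIX + "READ_CONTACTS"},
}

def audit_manifest(manifest_xml, category):
    """Return (severity, item) findings for access beyond the category's needs."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
    }
    requested.discard(None)  # ignore malformed entries with no name
    findings = []
    for perm in sorted(requested - EXPECTED.get(category, set())):
        severity = "red-flag" if perm in MESSAGING else "review"
        findings.append((severity, perm))
    # Device administrator rights are declared on a <receiver>,
    # not through <uses-permission>, so check them separately.
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") == PREFIX + "BIND_DEVICE_ADMIN":
            findings.append(("device-admin", rcv.get(ANDROID_NS + "name")))
    return findings

# Constructed sample: a "flashlight" app that also wants SMS and admin rights.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for severity, item in audit_manifest(SAMPLE_MANIFEST, "flashlight"):
        print(f"{severity:12} {item}")
```

The same manifest audited under the `messaging` category no longer flags the SMS permission, which is the point of tying the verdict to the app's expected function rather than to a fixed blocklist.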

9: Watch what you open

Just as you would with your PC, be careful of any emails, attachments, and URLs you open. This is just good Internet practice. Don't open suspicious attachments or follow links to unfamiliar Web sites. Remove emails from people you don't know. Be aware of your activity in email and on the Internet.

10: Don't jailbreak or root your device

Not only are you voiding your device warranty, but you are also exposing yourself to any malicious code that might be embedded in the application you use to jailbreak the device. You might be tempted to forgo security in favor of increasing functionality; however, you will remove the security architecture that was built into your smartphone. If you subsequently get malware onto your device, the mechanisms for protecting your device and data will have been weakened.

Ben Conner is a product manager at Virtela Technology Services Incorporated, a managed network, security, and cloud services provider.

8 comments
IT Pixie

While I think the points mentioned are basic common sense to me (and those who are tech savvy), I thought it still offers some good reminders to the mere mortals and non-geeks, especially those who know just enough to get themselves into trouble, but not enough to get out of it. Mobile security awareness is still low among those who don't follow the industry, so maybe this article can serve as a wake-up call to those who have no concept of mobile security. If you know someone who is planning on "doing something stupid with his phone", you could do him a favor and pass this along (instead of you preaching to him)...

Will O'Neal

You could just recommend a phone with no malware problems - like an iPhone.

radleym

I thought this was going to be a realistic article about real threats. Instead it's an ad for the antivirus industry.

Free Webapps

There's that bubble again. Any phone can get malware. Especially if jailbroken and rooted. The beauty part of rooting is there is a community out there to help fix Android's bugs. Yes, also a very small community hindering it as well. As for the iPhone, same applies but more to hurt it and few to fix it (not including Apple engineers). Well, once malware is on it, one can't really tell if it is infected or not. I happen to come across a few that Apple still hasn't detected, but they aren't doing much damage other than spamming SMS. The point is: Don't keep sensitive info on the devices unless the whole device has a custom encrypted OS designed by your work security team (Dell and Microsoft do really well in that department) on it, and be cautious of what you install. Every OS has its weaknesses to a point. Each is better in its own way, go with what you like. Dumb article IMO!

wizard57m-cnet

by adding "at present" or "notwithstanding Charlie Miller"!

seanferd

You need to back up your assertion.

AnsuGisalas

But it's not all that useful, either. It's a "don't take responsibility for your own security, but refrain from everything"-sermon. It won't help the ones who're going to do something stupid, and it won't help the ones who have to go outside the comfort zone of the vendor/carrier hothouse. It would help someone that has gotten malware via an official market, since they won't be using their device for anything, so it's no big loss.

pfeiffep

I don't see this as an ad for the AV industry. That stated, I also don't think the article is all that helpful, having the magic # 10 is always eye-catching!
