Mobile phone security: how safe is your phone?


According to research from Deloitte, 10% of us check our smartphones immediately upon waking and right before we settle down for the night, with about half of us checking in within 15 minutes.

As mobile phone usage has become an unconscious act, the security of mobile devices and the personal information they contain is now of the utmost importance.

For most users, mobiles and smartphones contain more intimate personal information than ever before, in one place, and often are protected by little more than a PIN or pattern.

Our guide covers three important areas of mobile security: privacy and theft, malware and scams, and parental controls and protection for kids.

Being secure in the mobile world doesn't have to be expensive, time-consuming or difficult, as we hope to show.

Privacy and theft

Device and personal data theft

Futurologist Ben Hammersley refers to smartphones as our "robot brains". They have eliminated the need for people to have to remember anything ever again (except perhaps a charger).

It's little wonder then, that for most people, losing a smartphone would be like losing a small, shiny, rectangular limb.

Besides the (increasingly high) monetary value of our mobile phones, there is a wealth of personal information on each device.

Many of us set up our phones to stay logged in to our email, Facebook, Twitter, and other accounts, giving any dastardly criminals instant access.

Should we be unfortunate enough to be a victim of theft, the first step is to inform the police right away. This is even more important if we have mobile insurance, which may be invalidated if we don't file a report at the first opportunity.

While we're waiting for the police to trace our phone, or for our insurance to help us replace it, there are plenty of ways to secure the data it contains, as well as preventing thieves from being able to use the device.

Apple device owners can use the Find my iPhone function, part of iCloud, to help them locate their missing iPhone or iPad on a map, and remotely lock it to prevent unauthorised access.

The service features the ability to send a message to the lock screen containing an alternative contact number; whoever has the phone can call the number displayed and that number only.

Even if the device is taken offline, it is possible to set up an email alert to notify us when the device is reconnected to a wi-fi or mobile connection.

If the device has been stolen, make sure a canny thief doesn't turn off location services before the phone can be locked.

This can be done by protecting the settings for location services within the Restrictions menu in Settings. Set a password by going to: Settings > General > Restrictions, then under Privacy select Location Services > Don't Allow Changes.

Once this is done, the location based services settings can't be altered unless the user knows the passcode.


The truly nervous can always use Apple's Remote Erase to wipe all of the data contained on the device and return it to its factory settings. Once we've been reunited with our iPhone or got a new one, we can restore it all using our most recent iCloud backup.

Depending on their manufacturer, most Android devices have similar security features; we can access similar remote finding, locking and wiping features as Apple offer by logging into Google and heading to My Account > Sign-in and Security.

We'll also be able to see when our account was last accessed on that particular device, and can set up alerts to warn us of suspicious access or behaviour relating to our accounts.

There are plenty of apps available to track stolen phones for Android as well as iOS.

Android Device Manager is built into newer Android devices and offers a mobile version of Google's anti-theft and security features listed above. Owners of older devices can download it from Google Play.

Cerberus, Anti Droid Theft (both free), and the free version of Prey Anti-Theft, are popular and well regarded choices for Android; Prey is also available for Windows, iOS and MacOS devices. NotMyPhone (free) and Hidden (£14.99 per year) are solid choices for the iPhone; the latter works on iPads and Macbooks as well.

The big security and anti-virus firms like Norton (£29.99/year), Lookout (£1.99/mth or £19.99/year) and Kaspersky (£9.99/year) also offer all-encompassing mobile security packages.

Each offers free, limited, versions of their app; they charge for access to the more advanced security features.

All of these apps do much more than lock the phone if it is stolen.

Some of the best features are: secretly taking photos of the person using the device, remote wiping the phone, remote control via SMS, alarms, even placing a block on the device rendering it useless.

Even if we can't get a stolen device back, there is at least a little peace of mind in knowing that the thief has gained not so much a smartphone as an expensive beer mat.

Privacy and app permissions

Never give personal information to an untrusted source.

Additionally there are extra hurdles to be aware of when it comes to protecting personal information on a mobile phone.

Many applications like Facebook and LinkedIn like to connect us to as many people as possible.

Often, on first use, or after an update, an app will ask if we would like to sync our contacts with our account.

While this can be very useful - as with syncing our phonebook with an online email account such as Gmail - it can lead to such apps sending out emails soliciting connections from people in our phonebook.

Legitimate apps will usually explain what syncing can lead to, and give us a yes/no tickbox option; ticking "no" won't affect the app's usability.

Should we choose to sync, it should also be possible to "disconnect" again within the phone's account settings dialogue.

Facebook also asks to sync photos - which could be much more bothersome and more than a tad embarrassing. It is at least an "opt-in" service rather than one we have to choose to opt out of, so it isn't on by default.

To check or disable it, see Facebook's help center page.

Bear in mind, however, that while we can be as careful as possible with our private data, apps can still gain access to at least some of it if someone with our contact data chooses to sync their data with their app.

Permissions

If that wasn't concerning enough, various apps - including Facebook - often require access to our call logs, photos, location and application data, and while we can reject their request to sync our contacts or photos without affecting usability, it's usually a case of take it or leave it when it comes to wider app permissions.


Even so, it's worth bearing in mind that rogue apps often ask for extra permissions that they really don't need - such as a bakery app asking for access to our phone book.

Android users can check the permissions of all apps using the handy open source Permission Explorer.
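
As an added illustration (not part of the original guide or of Permission Explorer), the check described above can be sketched in Python: it reads the `<uses-permission>` entries from a decoded AndroidManifest.xml and reports sensitive permissions the app's category does not plausibly need. The bakery manifest, the category names and the per-category baseline are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Sensitive permissions matching the kinds of data the guide names.
SENSITIVE = {
    P + "READ_CONTACTS": "phone book",
    P + "READ_CALL_LOG": "call logs",
    P + "SEND_SMS": "can send texts, including to premium rate numbers",
    P + "ACCESS_FINE_LOCATION": "precise location",
    P + "READ_EXTERNAL_STORAGE": "photos and files",
}

# Assumption: sensitive permissions each app category plausibly needs.
EXPECTED = {
    "shopping": {P + "ACCESS_FINE_LOCATION"},
    "wallpaper": {P + "READ_EXTERNAL_STORAGE"},
    "messaging": set(SENSITIVE),
}

# Constructed manifest for an invented bakery app (not a real package).
BAKERY_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bakery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def unexpected_permissions(manifest_xml, category):
    """List (permission, reason) pairs beyond the category's baseline.

    An unknown category gets an empty baseline, so every sensitive
    permission it requests is reported for manual review.
    """
    baseline = EXPECTED.get(category, set())
    extra = (requested_permissions(manifest_xml) & set(SENSITIVE)) - baseline
    return sorted((name, SENSITIVE[name]) for name in extra)


if __name__ == "__main__":
    for name, why in unexpected_permissions(BAKERY_MANIFEST, "shopping"):
        print(f"review: {name} ({why})")
```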

Although - perhaps because - the App Store for iPhone users is much better protected from rogue apps than Google Play, Apple still allow all apps unfettered access to a user's contacts all the time. That's just how they roll.

Malware and scams

Mobile malware

Following the discovery of malware in the previously very secure Apple App Store, the proportion of Apple devices infected with mobile malware has risen substantially.

Research carried out by former mobile giant Nokia in early 2016 found that malware aimed at iPhones accounted for around 7% of total infections - significantly up from 0.7% in 2012.

But Android is still the main target for malware: of the top 20 malware threats in 2015, 18 were Android-focused, and the top three alone accounted for almost 70% of Android malware infections.

Although the majority of apps, especially those that are very popular, are entirely safe, Android users clearly need to be more on guard for suspicious software - including new types like Ransomware - than iPhone owners.

Luckily there are plenty of security options out there, but it's often worth sticking to the ones from the big names in anti-malware like AVG and Avast.

As mentioned above, most of the big names offer free versions of their apps, which may not feature all the bells and whistles of the premium versions but will nevertheless be kept up to date against new threats.

But remember that a free anti-malware app that we've never heard of, or an app with a similar name to a well known one from an unknown developer, is probably the opposite - a nasty trick from a dodgy scammer.

Avoid any apps offering "free wallpaper", "free music" or "free anything". If it seems too good to be true, it probably is.

Those who are worried about mobile malware might want to consider combining malware and anti-theft protection by using a phone protection package like one of the paid for products listed above.

SMS scams and spam

Texting a premium rate number to download mobile content might seem like a bit of a throwback to the days of polyphonic ringtones, but it remains big business.

Despite seeming rather old school, SMS scams are still a serious threat for mobile users, allowing fraudsters to steal millions of dollars each year from unsuspecting consumers.

SMS scams normally work in one of two ways: either a rogue app fires off text messages to a premium rate number owned by the fraudsters, or spammers send out messages, usually along the lines of:

"CAT FACTS, YOU HAVE SUBSCRIBED TO CAT FACTS. TO STOP RECEIVING FACTS ABOUT CATS, TEXT 'STOP' TO 823433. (£12 per message)"

There are also phishing texts, similar to emails that purport to come from a trusted institution, usually a bank, asking you for account or personal information. Never reply to these messages.

Spam texts, just like spam calls, follow trends in subject matter, so it shouldn't be surprising that in recent years there have been an unusual amount relating to PPI, free energy saving schemes, and pension reviews.

Useful contacts

It's possible to check where a message has come from by using the search function available on the Phone-paid Services Authority website, who act as regulator for premium rate services in the UK.

To complain about marketing texts, you should contact the Information Commissioner's Office (ICO).

How can you avoid these scams?

In the first instance, never download apps that offer "free" wallpaper or ringtones, as they are a big source of the malware that runs SMS scams.

The ICO issue the following advice to deal with SMS phishing:

The ICO also suggest replying "STOP" to prevent further messages.

Whilst this is a good move when it comes to premium rate subscription services and legitimate marketing, it often doesn't help when it comes to spam texts - it simply confirms to the spammers that the number is active, and could act to increase the amount of junk texts we receive.

If the messages don't result in charges - they're simply annoying spam - ignoring and deleting them is the most straightforward tactic. But if they get too much, or they do seem to come at a cost, contact the ICO or network provider, who may be able to take further action.

Parental controls and protection for kids

Adult content/Parental controls

Mobile networks block adult or unsuitable content by default and require us to opt in, usually verifying via credit card in order to turn off the restrictions.

This won't prevent access to unsuitable content when a mobile device is hooked up to unprotected wi-fi, however.

Further protection using a third-party app with parental controls can be helpful when mobile phones are being used by children.

Norton Family and Kids Place are often recommended for parents wishing to block access to adult material online, or to prevent app downloads, texting, making calls or other functions that little hands might be tempted to alter.

iPhone users can control access to a wide variety of phone functions including mobile internet, installing apps, cameras and other privacy settings using the iPhone Parental Controls menu which can be found under Settings > General > Restrictions.

Location-based services

In a theft scenario most users are more than happy to allow the phone to reveal all to the outside world.

While location-based services can be very useful, there are other possible risks with being able to find out the location of a device and, potentially, its owner, particularly if it's being used by a child.

Wi-fi receivers, GPS sensors and mobile networks all surrender location-based information if allowed to operate unchecked.

To power Google's intelligent assistant ("OK Google"), for example, Android collects location data about our whereabouts via wi-fi, even if we're not connected to any wireless network.

These settings can all be controlled via the location settings menus on our handsets.


In-app purchases

In-app purchases generate significant revenues for developers who can make hundreds of thousands of dollars a month encouraging customers to purchase faster cars for racing games, weapons packs for adventure games or more functions for a scientific calculator.

A few years ago they hit the headlines in a big way, following a spate of cases where young kids playing games on mobile devices innocently racked up bills that would rival a rap star's tab for room service.

Possibly the most famous case was that of then-five-year-old boy, Daniel Kitchen, who spent £1,700 on weapons packs playing Zombies vs Ninja on his father's iPad.

"I was worried and I felt sad. I'm banned from the iPad now," he told the BBC at the time.

Apple refunded these "unintentional purchases", but the only certainty to come out of the episode is that the boy will never be allowed to use the iPad again.

Would Apple refund the parents if it happened twice? No one can be sure. Thankfully there are a number of steps we can take to ensure that mishaps such as these are prevented.

iPads or iPhones - Apple iOS devices have a "Restrictions" menu within "Settings" that gives us the option to turn off in-app purchases completely - or, if we'd like to make purchases ourselves but prevent the kids from splashing out on zombie repellent, set the device to ask for a password before it allows us to purchase anything.

Google offer similar password-based restrictions for the Android Play store. Open the Play store app and open the menu, then scroll down to "settings" (it's towards the bottom of the list). Click on this then scroll down to "User Controls" and set "require authentication" to the necessary level.

Users won't be able to make purchases without inputting that account's password; in addition, Google automatically require authentication for all purchases made in apps designed for ages 12 and under.

Meeting the mobile security challenge

Many of these things can at first seem like a lot of hassle, but once set up, a lot of the security and protection features outlined above will happily purr along in the background.

There's just one more thing to do once we've put in the initial effort, and that's to make sure we keep everything up to date. Set security apps to automatically update whenever they need to at the very least.

Keep other apps up to date too: security threats often come about from hackers and malicious developers taking advantage of exposed vulnerabilities in existing code, and as well as adding new features, updates are intended to address these issues.

