Cyber security: 4 surprising essentials
A 2014 poll found that the average Canadian spends 7.9 leisure hours a day staring at a screen — and that doesn't include "time they might have spent on a computer or mobile device for work."
Here at Concordia, 16,000-plus devices access the Wi-Fi network on a daily basis.
With all this activity, smartphone and laptop security is a challenge that evolves in real time. We asked Caspian Kilkelly, a cyber-security expert with the university's Instructional and Information Technology Services, to fill us in.
1. The truth about passwords
To start, any password is the best type. Ultimately, the point isn’t so much the security or complexity of the password — it’s locking the device.
Each type comes with its own drawbacks. For example, the gesture-based ones are easy to see on greasy screens. Generally, the best type of password is the one that is convenient and easy to type or draw.
2. Location data pros and cons
Newer versions of Android and iOS all have a “find my phone” feature that is useful. It needs to be enabled, and the phone needs to be running for it to work.
All Apple devices have this functionality now, and it’s extending to anything that has basic Wi-Fi or a mobile phone module. It’s best to stick to the OS-based phone locators.
There’s a risk with any application that exposes location data. If an application developer has access to your account information, they can see where you are and where you’ve been. Google has come under fire in the past for doing just this, and we know that they and Apple are collecting data from their users.
Developers of these applications can then sell the location information, along with other exportable phone data (email addresses, account names, the names and phone numbers in your contacts list, etc.). Some services also use this information to build customer profiles.
Both Apple and Google have publicly stated that they’re not selling anything illegal, and a lot of this data can be used to improve applications and devices, so it’s not all bad. It’s really a question of what you want other people to see — and what you want to protect.
The U.S. Department of Defense and other military organizations have openly told their personnel to turn off these services when they’re on duty or in sensitive locations. Alternatively, groups like CrisisMappers use the location information from phones and mobile phone pictures to locate victims, coordinate aid and relief efforts, and generally help society.
3. iOS and Android settings: what you need to lock down
Aside from the above-mentioned password, setting the screen to lock after a certain time (say, 30 seconds to a minute) is a really important start.
I’d also suggest disabling any functions that allow the phone to display messages while it’s locked. In older versions of iOS (for the iPhone) and some versions of Android, there were ways to break into the locked phone using applications that displayed alerts on the lock screen — like text messages, or the camera. That has mostly been fixed, but it’s better to just leave some of these features off.
Device encryption is also important. New versions of Android have an "encrypt device" function that is incredibly useful for those scenarios where the phone is lost and you’re not getting it back. Once it’s encrypted, your password is the only thing that opens it up. This basically turns the phone into a brick for any would-be identity thief.
Apple’s iOS has a fairly well-built (but complex) security model, and doesn’t offer whole-device encryption as far as I know. Instead, they’ve set up a sort of "sandboxing" model where data is encrypted one way, while apps and core phone features are handled differently. Apple hasn’t been clear on what methods are used, but personal data is encrypted.
Another important setting on Android phones is found in the security menu, under Device Administration. It allows the phone to install apps from unknown sources — i.e. apps that aren’t vetted by Google. While this is useful if you’re experimenting with new stuff, or want that one thing that’s not on the store, it’s best to leave it disabled.
Bluetooth and other services that allow you to connect things to your phone should definitely be set up to either be off when they’re not needed, or to limit the number of devices that can reach them. Bluetooth is especially bad for this, as early versions of the software were very "friendly" and gave out all sorts of information, including contact lists.
NFC (Near-Field Communication) and QR scanning are another group of settings that should be locked down. QR codes can be used for "drive-by" attacks, where the attacker gives the victim a QR code (or NFC tag) that directs them to a website hosting malware. It’s easy to do, hard to stop, and a lot of QR and NFC scanning apps don’t ask if the user wants to go to the site in question, download an app, or other actions.
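A scanner app that refuses to act on its own is the fix for the drive-by problem just described. The following is an added example, not code from the article or from any particular scanner app: it classifies a scanned QR or NFC payload and returns what the app may do with it (open, confirm with the user, display as text, or block). The sample payloads and the trusted-host list are constructed; the policy itself (only web URLs may be opened, only after a prompt unless the host is on the trusted list, and never app-store, intent, dialler or .apk links) is an assumption about what a cautious scanner should do.

```python
"""Decide what a QR/NFC scanner may do with a scanned payload.

Added example, not code from the original article. It implements the
policy argued for in the text: classify what was read and ask before
acting, instead of opening URLs or launching apps automatically.
The payloads and the trusted host list are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# URI schemes that do something other than load a web page: launch an
# app, open the dialler or SMS composer, join a Wi-Fi network, fire an intent.
SIDE_EFFECT_SCHEMES = {
    "intent", "market", "tel", "sms", "smsto", "mailto",
    "wifi", "file", "content", "javascript",
}
WEB_SCHEMES = {"http", "https"}

# Assumption: hosts an organisation chooses to open without a prompt.
TRUSTED_HOSTS = {"concordia.ca", "www.concordia.ca"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_payload(payload: str) -> dict:
    """Return {'action': ..., 'warnings': [...]} for one scanned payload.

    action is one of: ignore, display, confirm, open, block.
    """
    text = payload.strip()
    if not text:
        return {"action": "ignore", "warnings": ["empty payload"]}

    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        has_userinfo = parts.username is not None
    except ValueError:
        return {"action": "display", "warnings": ["URL could not be parsed"]}
    scheme = parts.scheme.lower()

    if scheme in SIDE_EFFECT_SCHEMES:
        return {"action": "block",
                "warnings": [f"'{scheme}:' URI would launch an app or system action"]}

    if scheme not in WEB_SCHEMES:
        # Plain text, vCards, unknown schemes: show the raw content, act on nothing.
        return {"action": "display", "warnings": []}

    warnings = []
    if has_userinfo:
        warnings.append("userinfo before '@' hides the real host")
    if _is_ip_literal(host):
        warnings.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label, possible look-alike domain")
    if scheme == "http":
        warnings.append("plain HTTP, page can be altered in transit")
    if parts.path.lower().endswith(".apk"):
        warnings.append("direct link to an Android package")
        return {"action": "block", "warnings": warnings}

    if host in TRUSTED_HOSTS and not warnings:
        return {"action": "open", "warnings": []}
    # Everything else is shown to the user, who must confirm before the
    # browser is launched.
    return {"action": "confirm", "warnings": warnings}


# Constructed sample payloads, as a scanner app might read them.
SAMPLE_PAYLOADS = [
    "https://www.concordia.ca/students",
    "https://www.concordia.ca@198.51.100.7/login",
    "http://198.51.100.7/update.apk",
    "intent://scan/#Intent;scheme=zxing;package=com.example.evil;end",
    "WIFI:T:WPA;S:FreeCampusWifi;P:hunter2;;",
    "tel:+15145551234",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Help Desk\nEND:VCARD",
    "Scan me for a prize!",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = classify_payload(p)
        first_line = p.splitlines()[0][:50]
        print(f"{r['action']:8} {first_line:52} {'; '.join(r['warnings'])}")
```

The second sample shows why the host check matters: a QR code reading https://www.concordia.ca@198.51.100.7/login looks like the university's site on a small screen, but the part before the @ is userinfo and the browser would connect to the IP address.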
Lastly, it’s extremely important to make sure that the device is getting software updates. Unfortunately, we’re not at a stage where mobile device antiviruses work very well, and bugs like Stagefright (the recent Android media vulnerability) can be used to deliver malicious payloads.
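The settings listed in this section can be checked from a laptop with the Android debug bridge rather than by clicking through menus. The script below is an added example, not from the article; it reads values with adb shell settings get and adb shell getprop, and keeps the pass/fail rules separate from adb so they can be exercised on constructed values when no device is attached. The setting keys are the ones exposed by Android 6 to 8 era builds; that they exist with these names and defaults on a given phone is an assumption (vendors rename or drop some, and Android 8 replaced install_non_market_apps with a per-app permission).

```python
"""Audit lock, encryption, sideloading, notification and Bluetooth settings
on an attached Android device.

Added example, not from the article. Setting names are those exposed by
Android 6-8 era builds through `adb shell settings get` and `getprop`;
that a given phone has them with these names and defaults is an
assumption. Rules are separated from adb so they run on sample values.
"""
import shutil
import subprocess

# (namespace, key, rule, description). namespace "getprop" means a system
# property read with getprop; the others are `settings get <ns> <key>`.
CHECKS = [
    ("getprop", "ro.crypto.state",
     lambda v: v == "encrypted", "storage encryption enabled"),
    ("system", "screen_off_timeout",
     lambda v: v.isdigit() and int(v) <= 60_000, "screen off within 60 s (value in ms)"),
    ("secure", "lock_screen_lock_after_timeout",
     lambda v: v.isdigit() and int(v) <= 5_000, "lock engages within 5 s of screen off (ms)"),
    ("secure", "install_non_market_apps",
     lambda v: v == "0", "unknown-source installs disabled"),
    ("secure", "lock_screen_allow_private_notifications",
     lambda v: v == "0", "lock screen hides notification content"),
    ("global", "bluetooth_on",
     lambda v: v == "0", "Bluetooth off"),
]


def evaluate(values):
    """values maps (namespace, key) to the raw string adb printed, or None.

    `settings get` prints the literal string "null" for an unset key; that
    is reported as unknown rather than assumed safe.
    """
    results = []
    for ns, key, rule, desc in CHECKS:
        raw = values.get((ns, key))
        if raw is None or raw.strip() == "null":
            status = "unknown"
        else:
            status = "pass" if rule(raw.strip()) else "FAIL"
        results.append((status, desc, f"{ns}:{key}={raw}"))
    return results


def failures(results):
    return [r for r in results if r[0] == "FAIL"]


def read_device():
    """Collect the raw values from the device adb is connected to."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb is not on PATH")
    values = {}
    for ns, key, _, _ in CHECKS:
        if ns == "getprop":
            cmd = ["adb", "shell", "getprop", key]
        else:
            cmd = ["adb", "shell", "settings", "get", ns, key]
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
        values[(ns, key)] = proc.stdout.strip() if proc.returncode == 0 else None
    return values


# Constructed values standing in for a real device: encrypted and locking
# quickly, but sideloading allowed and Bluetooth left on.
SAMPLE_VALUES = {
    ("getprop", "ro.crypto.state"): "encrypted",
    ("system", "screen_off_timeout"): "30000",
    ("secure", "lock_screen_lock_after_timeout"): "5000",
    ("secure", "install_non_market_apps"): "1",
    ("secure", "lock_screen_allow_private_notifications"): "null",
    ("global", "bluetooth_on"): "1",
}

if __name__ == "__main__":
    try:
        values = read_device()
    except RuntimeError as exc:
        print(f"{exc}; using constructed sample values")
        values = SAMPLE_VALUES
    for status, desc, detail in evaluate(values):
        print(f"{status:8} {desc:45} {detail}")
```

Unset keys are deliberately reported as unknown rather than as a pass: on some builds the absence of lock_screen_allow_private_notifications means the platform default applies, and that default has not always been the safe one.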
4. App-related red flags
On Android devices, look at what the app is asking for. If your Flashlight app needs to read your contact list and phone status, you definitely don’t need to install it.
Some apps, like Facebook Messenger, directly access mics and cameras, or contact info, but most don’t need to. Generally, it’s good to read the warnings in the app store before installing the software.
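The flashlight test can be automated against an app's manifest. Below is an added example, not from the article: it parses a constructed AndroidManifest.xml, compares the declared permissions with what the app's stated purpose needs, and flags anything in Android's runtime ("dangerous") permission list that is not justified, plus whether INTERNET gives that data a way off the device. The expected-permission table and the sample app are assumptions for illustration; the dangerous list is the Android 6 set (later releases added to it).

```python
"""Flag permissions an app declares that its stated purpose does not justify.

Added example, not from the article. The manifests are constructed for
hypothetical apps; EXPECTED is an assumed table of what each kind of app
needs; DANGEROUS is the Android 6 runtime-permission list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
INTERNET = "android.permission.INTERNET"

# Runtime ("dangerous") permissions: the ones the user is prompted for.
DANGEROUS = {f"android.permission.{p}" for p in (
    "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS",
    "WRITE_CONTACTS", "GET_ACCOUNTS", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
    "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG", "ADD_VOICEMAIL",
    "USE_SIP", "PROCESS_OUTGOING_CALLS", "BODY_SENSORS", "SEND_SMS",
    "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
)}

# Assumption: what each kind of app legitimately needs. CAMERA drove the
# torch before Android 6; since API 23 CameraManager.setTorchMode needs no
# permission at all, so even CAMERA is generous for a flashlight.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "messenger": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                  "android.permission.READ_CONTACTS", INTERNET},
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect android:name of every uses-permission element."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return names


def audit(manifest_xml: str, category: str) -> dict:
    declared = declared_permissions(manifest_xml)
    allowed = EXPECTED.get(category, set())
    unexpected = sorted((declared & DANGEROUS) - allowed)
    return {
        "declared": sorted(declared),
        "unexpected_dangerous": unexpected,
        # Data it should not have plus a network path equals exfiltration.
        "exfiltration_path": INTERNET in declared and bool(unexpected),
        "verdict": "do not install" if unexpected else "permissions match purpose",
    }


def make_manifest(package: str, permissions) -> str:
    """Build a minimal AndroidManifest.xml (constructed test input)."""
    lines = [f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">']
    lines += [f'  <uses-permission android:name="{p}"/>' for p in permissions]
    lines.append('  <application android:label="demo"/>')
    lines.append("</manifest>")
    return "\n".join(lines)


# Constructed: a flashlight that also wants contacts, phone identity and network.
SUSPECT_MANIFEST = make_manifest("com.example.brightlight", [
    "android.permission.CAMERA", "android.permission.FLASHLIGHT",
    "android.permission.READ_CONTACTS", "android.permission.READ_PHONE_STATE",
    INTERNET,
])
# Constructed: a flashlight that asks only for what the torch needs.
CLEAN_MANIFEST = make_manifest("com.example.torch", [
    "android.permission.CAMERA", "android.permission.FLASHLIGHT",
])

if __name__ == "__main__":
    for name, xml in (("brightlight", SUSPECT_MANIFEST), ("torch", CLEAN_MANIFEST)):
        r = audit(xml, "flashlight")
        print(name, r["verdict"], r["unexpected_dangerous"], "exfil:", r["exfiltration_path"])
```

The same manifest can be pulled from a real device with adb pull and decoded with apktool or aapt dump permissions; the audit logic does not care where the XML came from.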
On iOS and Android devices, it’s also good to look at the battery life. Battery usage increases when viruses, malware or badly made applications are running in the background, collecting data or accessing storage. But this is tricky, since some system updates will impact battery usage. Having a good idea of how your individual device behaves is going to make a big difference, in this case.
I’d say that you can trust the App Store and Google Play, but it’d be stretching it. It’s important to install software from reliable sources, but even the sources themselves may not know that what they’re serving is risky.
Both Apple and Google claim that they review applications that are in their app-store services, but a few researchers have discovered holes in the review process. One group at Georgia Institute of Technology managed to submit an application that stole identity data to the Apple App Store, and it passed the review without incident.
There have also been reports of apps carrying malware on Google Play and the App Store that appear legitimate, but steal user data.
I think the most eye-opening thing I’ve seen recently was Mike Murray and Alan Zhang’s work on mobile device antiviruses, and app store security.