Using Your Smartphone Safely

This article was written by Elinor Mills of CNET News.com.

Smartphones aren't just smart, they're personal computers. Unlike a desktop or even a laptop PC, those devices and other mobile phones can easily slip out of a pocket or purse, be left in a taxi, or get snatched off a table. They let you store photos, access e-mails, receive text messages, and put you one browser click away from potentially malicious Web sites.

In effect, gadgets like the Apple iPhone and those running Google's Android software can be as risky to use as PCs, except that the wide variety of mobile platforms has deprived malicious hackers of one dominant software element to target, such as they have with Microsoft's Windows operating system on desktops and laptops.

Here is a look at the different types of threats that affect smartphone users and what people can do to protect themselves.

What's the biggest security threat to my mobile phone?

Losing it. "You are way more likely to leave it in the back of a taxi than to have someone break into it," Charlie Miller, a principal analyst at consultancy Independent Security Evaluators, said in a recent interview. The best way to protect data in the event of losing a device is to not store sensitive information on it, he said.

If you must store sensitive information on it, use a password on the phone and encrypt the data. Devices can be configured so that they ask for a password every time e-mail or a VPN is accessed. Use a strong enough password that a stranger can't guess it. And back up your data frequently.

There are also ways to lock the phone remotely or wipe the data if it is stolen. AT&T spokesman Mark Siegel said users who lose their phone should call the company immediately and "with just a keystroke, we can prevent anyone else from using the phone--and from running up charges."

A number of companies offer software and services to protect mobile phones. One of them is a start-up called Lookout that offers a Web-based service that backs up the data, remotely wipes the data if stolen, can help locate the device, and includes antivirus and firewall protection.

Mobile device users should also be careful about leaving the phone unattended, or loaning it to people. Spyware can be installed without you knowing it. For instance, the PhoneSnoop program can be used with BlackBerry devices to remotely turn the microphone on to eavesdrop on nearby conversations.

Can mobile phones get viruses?

Yes. Mobile viruses, worms and Trojans have been around for years. They typically arrive via e-mail but can also spread via SMS and other means. Mobile phone users should be diligent in installing security software and other updates for their devices. All the major desktop security vendors have mobile antivirus and related offerings.

In November, several worms hit the iPhone, but only devices that had been jailbroken so they can run apps other than those approved by Apple. One worm changes the wallpaper on affected devices to a photo of 80s pop singer Rick Astley of "Rickrolling" fame. The second, more dangerous worm attempts to remotely control affected iPhones and steal data such as bank login IDs. Jailbroken iPhones have also been directly hacked via SMS, including by one Dutch hacker who was demanding $7 from victims for information on how to secure their iPhones.

Miller says: "Don't jailbreak your phone. It breaks all the security, basically." If you simply must jailbreak it, you should change the default root password and not install SSH (Secure Shell network protocol).

What are other types of attacks?

Just like with computer users, smartphone users are vulnerable to e-mail and Web-based attacks like phishing and other social-engineering efforts. All attackers have to do is create a malicious Web page and lure someone to visit the site where malware can then be downloaded onto the mobile device. People should avoid clicking on links in e-mails and text messages on their mobile device.

SMS offers another avenue for attack. Last year, researchers demonstrated several ways of attacking phone using SMS messages. In one, they exploited a vulnerability in the way the iPhone handles SMS messages. Researchers also showed how an attacker could spoof an SMS to make it look like it comes from the carrier to get the target to either download malware or visit a site hosting it. In another proof-of-concept attack, a text message was used to launch a Web browser on a mobile device and direct it to a site that could host malware. When the attack is used to phish for personal information it is referred to as "SMiShing."

Is it safe to use Wi-Fi and Bluetooth?

Yes and no. If you are doing something sensitive on your phone, like checking a bank account or making a payment, don't use the free Wi-Fi at a coffee shop or other access point. Use your password-protected Wi-Fi at home or the cellular network to avoid what is called as a man-in-the-middle attack in which traffic is intercepted. Pairing a mobile phone with another Bluetooth-enabled device, like a headset, means any device that can "discover" another Bluetooth device can send unsolicited messages or do things that could lead to extra fees, data being compromised or corrupted, data stolen in an attack called "bluesnarfing," or the device being infected with a virus. In general, disable Wi-Fi and Bluetooth unless you absolutely need to use them.

Which is safer: the iPhone or Android?

Apple vets all the apps that are used on the iPhone, and that tight regulation of the Apps store has kept users safe from malicious apps so far. Nothing is foolproof, however. Once apps are approved they can do any number of things. For instance, Apple removed free games in November developed by Storm8 that were found to be collecting users' phone numbers.

From an architecture standpoint, Android offers more granular access control. But the open-source nature of the Android platform means apps aren't as controlled as they are on the iPhone and holes can be introduced by any number of parties. For instance, Miller found a vulnerability in the Android mobile platform last year that could have allowed an attacker to remotely take control of the browser, access credentials, and install a keystroke logger if the user visited a malicious Web page. The hole was not in code written by Google, but was contributed by a third party to the open-source Android Project. However, any risk was mitigated by an application sandboxing technique Google uses that is designed to protect the device from unauthorized or malicious software that gets onto the phone, Google said. Miller recommends that Android users only download software from trustworthy vendors and reputable sites.

Are standard mobile phones safe?

Obviously regular mobile phones don't pose the Web-based threats that smartphones do. But they are still used to store sensitive information that can be accessed by gaining access to the device. For instance, the inbox and outbox for text messages can contain information that can be used for identity fraud, said Mark Beccue, a senior analyst for consumer mobility at ABI Research. "Regardless of what type of cell phone, the most dangerous current threat is through a cellphone's in/out message boxes," he said. "Clear (them) out regularly. Do not transmit full account numbers, PIN or passwords within a text message unless you immediately delete the out box message."

Standard phones that support Java can be susceptible to certain threats that smartphones are. For instance, scammers in Russia and Indonesia are hiding a Trojan in pirated software that surreptitiously sends SMS messages to premium rate numbers - costing as much as $5 each, thus racking up huge bills, said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.

And what about spam?

That's a growing problem on mobile devices. For information on what to do when you get mobile spam read "FAQ: How to vanquish mobile spam."

By Elinor Mills