Naked Security

Why you shouldn’t worry about privacy and security on your phone

We're offering a free Phone Privacy Check on the Sophos stand at Infosec Europe...because we think you should be informed about privacy and security, not worried!

Phone v. Phone courtesy of Shutterstock

Do you worry about privacy and security on your mobile phone?

Don’t!

After all, worrying won’t help…but making informed decisions will.

When it comes to mobile phone privacy and security, you need to ask yourself:

  • Q1. Which security settings are suitable for me?
  • Q2. How do I configure them?
  • Q3. How do I check that my settings are correct?

Just keep in mind that there almost certainly isn’t a single, static answer to Q1, so you’ll be changing some of your security settings from time to time, possibly on a regular basis.

And that makes the answers to Q2 and Q3 even more important.

“Set-and-forget” security on a mobile phone doesn’t work for most people, because it means you have to decide on the strictest settings you’ll ever want, set them, and stick to them day by day.

That’s likely to be unusable.

Or you have to compromise, and live life at your slackest settings all the time.

That’s likely to be unsafe. (Everyone has times when they don’t want their location tracked!)

At a minimum, you need to know how to make wise choices about what we call “The Three Ls”:

  • Your lock screen. How quickly to blank the screen? How quickly to lock the door behind you?
  • Lock code choices. PIN or password? 4 digits or 14 characters? Encryption or not?
  • Location choices. Always on? Always off? Use on special occasions?

If you understand the various options available on the Big Three mobile phone operating systems, you’ll be able to help yourself, as well as to advise friends and family.

Here’s our advice, from how to control your connection to how to avoid giving away where you are all the time.

0. Keeping track of your connectivity

To turn all your wireless-based connectivity off in one go, you can engage so-called Flight Mode, also known as Airplane mode.

Just remember that the flight mode option is back-to-front compared to the individual connectivity settings, so that turning flight mode ON effectively turns your individual radio-based communications options OFF.

  • On iOS (we’re on 8.3), the main Settings page lays out all your connectivity options, with Airplane mode at the top.
  • On Android (we’re using the latest Lollipop 5.1.1), drag down from the clock in the top right corner to get the quick settings menu, and then drag down again to open up the settings configuration. Tap on the airplane icon to turn it ON, and thus communications OFF.
  • On Windows Phone (we’re using 8.1), go to Settings | Flight mode. This screen neatly clarifies that turning flight mode ON turns OFF all radio-based communications, including phone, Wi-Fi, Bluetooth and NFC.

Note that the advice in the Windows Phone screenshot about individual options applies to all the Big Three.

Turning flight mode ON will force all radio connectivity OFF, but just because you can see the airplane icon on your lock screen doesn’t mean that you are cut off from the world.

Wi-Fi, Bluetooth and so on can be turned on individually without turning flight mode off – indeed, Wi-Fi is commonly available while you’re in flight these days.

If you are in a hurry to ensure everything is turned off, you can always toggle flight mode OFF and back ON really quickly, which typically kills all connections without giving enough time for the phone part of your device to connect to the mobile network.

(If you are worried even about brief mobile connectivity, try turning your whole device off.)

1. Setting your autolock timeout

Go for the shortest autolock timeout you can tolerate – that’s the idle time after which your device will lock itself, as though you pressed the Lock button.

We accept that shorter delays tend to be more annoying, especially if you are using your phone regularly but not continuously throughout the day.

The problem is that if you set a 15-minute or 30-minute autolock timeout, you’re making it much more likely that your phone will be easily accessible to a crook who steals it or finds it when you leave it behind in the airport, coffee shop or taxi.

  • On iOS, choose your timeout in Settings | General | Auto-Lock.
  • On Android, go to Settings | Display | Sleep.
  • On Windows Phone, use Settings | Lock screen | Screen times out after.

We recommend two minutes or shorter.

Just setting autolock, however, is not enough: you also need to set a decent passcode, which we’ll come to next, and to make sure you configure the lock feature to work immediately.

If you don’t set “instant lock,” your device typically gives a grace period after it has apparently locked (automatically or manually) during which you can turn it back on and use it immediately, presumably in case you change your mind soon after you think you’ve finished using it.

We recommend making sure that lock means lock, so when you see the screen turn off, you can be simultaneously confident that the lock really has engaged.

  • On iOS, you need Settings | Touch ID & Passcode | Require Passcode | Immediately.
  • On Android, it’s Settings | Security, followed by Automatically lock | Immediately and then Power button instantly locks.
  • On Windows Phone, use Settings | Lock screen | Require a password after | Each time.

2. Choosing your password or PIN code

Don’t leave your lock screen so that just double-tapping or using a slider will unlock.

You should set a decent PIN or password instead – and not one of Apple’s 4-digit Simple Passcodes, either.

We accept that full-blown passwords, especially if they contain a mixture of UpperLower&&D1g1ts, are a real hassle to type into a mobile device, not least because the on-screen keyboard is so much fiddlier than the on-screen digits-only keypad.

If you simply can’t get used to proper passwords, it’s better to have a long PIN than a trivial password (or nothing at all), so we’d urge you to try for a 10-digit PIN as a minimum.

For a while, you’ll probably find a 10-digit PIN or longer really annoying, but if you stick with it, it should become second nature pretty quickly.

→ If you choose 10 digits or more, you can arrange to type each digit at least once, which also disguises the tell-tale “grease spots” on the screen that give away short PIN codes to anyone who holds your phone at the correct angle to the light.

  • On iOS, go to Settings | Touch ID & Passcode. Make sure Simple Passcode is OFF and then use Turn Passcode On. (If your passcode is all digits, the passcode prompts will automatically use the digits-only keypad.)
  • On Android, you want Settings | Security | Screen lock, and then choose PIN (digits only) or Password (full keyboard).
  • On Windows Phone, it’s once again Settings | Lock screen, and then turn the Password toggle ON.

Note that on Windows Phone, the password prompts are automatically digits-only, so you are stuck with a PIN-style passcode.

3. Setting device encryption

We can’t really cover passwords and PIN codes without mentioning device encryption.

Device encryption is where your mobile operating system keeps all your data scrambled in storage, transparently decrypting any data you read and encrypting anything that’s written, including all your data files, installed apps, configuration information, and even the operating system itself.

While your phone’s unlocked, of course, the encryption is essentially invisible, so you (or a crook) can access everything, but that, in turn, makes the encryption fuss-free.

On the other hand, once the phone’s locked, a crook needs your PIN or your password not only to start using the phone again, but also to access any data off it at all.

That applies even if the crook manages to connect up your device to special data-harvesting hardware in a forensic-style laboratory.

Unfortunately, support for full device encryption (often abbreviated FDE) on the Big Three mobile platforms is very inconsistent, but here’s a quick overview:

  • On iOS, your data is encrypted by default, and the decryption is controlled by your PIN or password automatically. Turning on a decent passcode therefore protects your data even if the phone is dismantled and attacked by a determined crook.
  • On Android, Google has said it wants to follow Apple’s lead but hasn’t quite got to encryption by default. You need to set a PIN or passcode and then turn encryption on by hand using Settings | Security | Encrypt device. You’ll need a full battery charge, and the actual scrambling process may take several hours, during which you can’t use the device.
  • On Windows Phone, you’re stuck unless your phone collects mail from an Exchange server that requires encryption, or is managed by a corporate policy server that enforces encryption. Sadly, if you have a personal Windows Phone, there is no option like Google’s to turn encryption on, whether you’re willing to wait hours or not.

We’re disappointed in Windows Phone’s lack of FDE on consumer and unmanaged business devices; we think you should write to Microsoft and say so.

4. Managing geolocation

Geolocation is where your device figures out where you are, and tells other people, typically your operating system vendor, the producers of your app, a third-party advert provider, or all of them.

Working out your location can be done to an astonishing degree of accuracy by combining information such as: what Wi-Fi access points are visible at any moment; what Bluetooth devices are around; which mobile phone towers you’ve pinged recently; and (if you have the needed hardware) where your GPS says you are.

As with device encryption, the Big Three all have different attitudes to geolocation.

Apple’s iOS allows you to give and withhold location-access powers to and from individual apps, but Android and Windows Phone stick to an overall toggle that simply turns so-called Location Services on or off.

We’ll dig into the details of how you can manage location data more precisely in a future article, but for now, the key thing to know is how to stop and start Location Services at will.

  • On iOS, it’s Settings | Privacy | Location Services. You can click About Location Services & Privacy, even when you’re offline, for a useful overview of what you’ll be telling other people if you turn it on.
  • On Android, drag down from the clock in the top right corner to get the quick settings menu, and then drag down again to open up the settings configuration. Tap on the location icon to toggle it on and off. There’s no quick way to read an overview of what Google plans to do with your location data.
  • On Windows Phone, you need Settings | Location. There’s a Privacy Statement link on the location options screen, but it’s fetched from Microsoft into your web browser, so you need to be online to read it.
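As an added example (not part of the original article, and not Sophos’s or Google’s own tooling), here is a small POSIX shell script that answers Q3 – “How do I check that my settings are correct?” – for an Android device, by reading the sleep timeout, the lock grace period, the encryption state, Location Services and flight mode over adb and comparing them with the advice above. It assumes adb is installed and USB debugging is enabled on the phone; the key names screen_off_timeout, lock_screen_lock_after_timeout, location_mode, airplane_mode_on and the ro.crypto.state property are real Android names, while the pass/fail thresholds (two minutes, lock immediately, encryption on) are the article’s recommendations as encoded by the example’s author. It covers only Android, because Android is the one of the Big Three whose settings database can be read from a desktop with a free command-line tool.

```shell
#!/bin/sh
# Added example (not from the Naked Security article): audit an Android
# device's "Three Ls" settings over adb, or a constructed set of values.
# Settings keys and ro.crypto.state are real Android names; the thresholds
# are the article's recommendations, applied here by the example's author.

# Evaluate one setting value. Prints one line starting with PASS, FAIL or INFO.
eval_setting() {
  name=$1
  value=$2
  case "$name" in
    screen_off_timeout)             # Settings | Display | Sleep (milliseconds)
      if [ "$value" -le 120000 ] 2>/dev/null; then
        echo "PASS $name: $value ms"
      else
        echo "FAIL $name: $value ms is longer than the 2-minute recommendation"
      fi ;;
    lock_screen_lock_after_timeout) # Settings | Security | Automatically lock (ms)
      if [ "$value" -eq 0 ] 2>/dev/null; then
        echo "PASS $name: locks immediately"
      else
        echo "FAIL $name: grace period is '$value' ms; set Automatically lock to Immediately"
      fi ;;
    ro.crypto.state)                # "encrypted" once Encrypt device has finished
      if [ "$value" = "encrypted" ]; then
        echo "PASS $name: storage is encrypted"
      else
        echo "FAIL $name: storage is '$value'; use Settings | Security | Encrypt device"
      fi ;;
    location_mode)                  # 0 = Location Services off, 1-3 = on
      if [ "$value" = "0" ]; then echo "INFO $name: Location Services are OFF"
      else echo "INFO $name: Location Services are ON (mode $value)"; fi ;;
    airplane_mode_on)               # 1 = flight mode engaged, radios off
      if [ "$value" = "1" ]; then echo "INFO $name: flight mode ON, radios OFF"
      else echo "INFO $name: flight mode OFF"; fi ;;
    *)
      echo "INFO $name: not checked" ;;
  esac
}

# Audit a full set of values. Prints every finding; the return status is the
# number of FAIL lines (0 means everything matches the article's advice).
# Args: screen_off_ms lock_after_ms crypto_state location_mode airplane_mode
audit_values() {
  fails=0
  for pair in "screen_off_timeout=$1" "lock_screen_lock_after_timeout=$2" \
              "ro.crypto.state=$3" "location_mode=$4" "airplane_mode_on=$5"; do
    line=$(eval_setting "${pair%%=*}" "${pair#*=}")
    echo "$line"
    case "$line" in FAIL*) fails=$((fails + 1)) ;; esac
  done
  return "$fails"
}

# Read live values from a connected device (USB debugging must be enabled).
# "settings get" prints "null" for a key that has never been set explicitly,
# which the checks above treat as "not configured the recommended way".
adb_get() { adb shell "$@" | tr -d '\r'; }
audit_device() {
  command -v adb >/dev/null || { echo "adb not found in PATH" >&2; return 1; }
  audit_values \
    "$(adb_get settings get system screen_off_timeout)" \
    "$(adb_get settings get secure lock_screen_lock_after_timeout)" \
    "$(adb_get getprop ro.crypto.state)" \
    "$(adb_get settings get secure location_mode)" \
    "$(adb_get settings get global airplane_mode_on)"
}

if [ "${1:-}" = "--device" ]; then
  audit_device
else
  # Constructed sample values, not read from any real phone: 15-minute sleep,
  # 5-second lock grace period, no encryption, location on, flight mode off.
  audit_values 900000 5000 unencrypted 3 0 || echo "$? setting(s) need attention"
fi
```

Run it as `sh audit_android.sh --device` with the phone plugged in to audit the real thing; without the flag it runs on the constructed sample so you can see the three FAIL lines before touching a device. The location and flight-mode rows are reported as INFO rather than PASS/FAIL because, as the article says, the right answer for those changes with the occasion.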

What next?

You may well have known all of these options and where to find them already, but we nevertheless thought it would be handy to collect them in one place.

After all, you might forget, or get a new phone with a different operating system, or have a friend or colleague come up and say, “Where do I start? And why does it matter?”

By the way, we’ll be running a free Mobile Phone Privacy Check on the Sophos stand at the Infosec Europe show.

Infosec runs from Tuesday 02 June 2015 to Thursday 04 June 2015 at Kensington Olympia in London, England.

If you’re going to be in the area, we’d love you to stop by…and you could even win a super-cool Privacy Settings T-shirt!

Image of one phone stealing another courtesy of Shutterstock.