
Why you shouldn’t worry about privacy and security on your phone


Do you worry about privacy and security on your mobile phone?

Don’t!

After all, worrying won’t help…but making informed decisions will.

When it comes to mobile phone privacy and security, you need to ask yourself:

Just keep in mind that there almost certainly isn’t a single, static answer to Q1, so you’ll find yourself changing some of your security settings from time to time, possibly quite often.

And that makes the answers to Q2 and Q3 even more important.

“Set-and-forget” security on a mobile phone doesn’t work for most people, because it means you have to decide on the strictest settings you’ll ever want, set them, and stick to them day by day.

That’s likely to be unusable.

Or you have to compromise, and live life at your slackest settings all the time.

That’s likely to be unsafe. (Everyone has times when they don’t want their location tracked!)

At a minimum, you need to know how to make wise choices about what we call “The Three Ls”:

If you understand the various options available on the Big Three mobile phone operating systems, you’ll be able to help yourself, as well as to advise friends and family.

Here’s our advice, from how to control your connection to how to avoid giving away where you are all the time.

0. Keeping track of your connectivity

To turn all your wireless-based connectivity off in one go, you can engage so-called Flight Mode, also known as Airplane mode.

Just remember that the flight mode option is back-to-front compared to the individual connectivity settings, so that turning flight mode ON effectively turns your individual radio-based communications options OFF.

Note that the advice in the Windows Phone screenshot about individual options applies to all the Big Three.

Turning flight mode ON will force all radio connectivity OFF, but just because you can see the airplane icon on your lock screen doesn’t mean that you are cut off from the world.

Wi-Fi, Bluetooth and so on can be turned on individually without turning flight mode off – indeed, Wi-Fi is commonly available while you’re in flight these days.

If you are in a hurry to ensure everything is turned off, you can always toggle flight mode OFF and back ON really quickly, which typically kills all connections without giving enough time for the phone part of your device to connect to the mobile network.

(If you are worried even about brief mobile connectivity, try turning your whole device off.)

1. Setting your autolock timeout

Go for the shortest autolock timeout you can tolerate – that’s the idle time after which your device will lock itself, as though you pressed the Lock button.

We accept that shorter delays tend to be more annoying, especially if you are using your phone regularly but not continuously throughout the day.

The problem is that if you set a 15-minute or 30-minute autolock timeout, you’re making it much more likely that your phone will be easily accessible to a crook who steals it or finds it when you leave it behind in the airport, coffee shop or taxi.

We recommend two minutes or shorter.

Just setting autolock, however, is not enough: you also need to set a decent passcode, which we’ll come to next, and to make sure you configure the lock feature to work immediately.

If you don’t set “instant lock,” your device typically gives a grace period after it has apparently locked (automatically or manually) during which you can turn it back on and use it immediately, presumably in case you change your mind soon after you think you’ve finished using it.

We recommend making sure that lock means lock, so when you see the screen turn off, you can be simultaneously confident that the lock really has engaged.

2. Choosing your password or PIN code

Don’t leave your lock screen so that just double-tapping or using a slider will unlock.

You should set a decent PIN or password instead – and not one of Apple’s 4-digit Simple Passcodes, either.

We accept that full-blown passwords, especially if they contain a mixture of UpperLower&&D1g1ts, are a real hassle to type into a mobile device, not least because the on-screen keyboard is so much fiddlier than the on-screen digits-only keypad.

If you simply can’t get used to proper passwords, it’s better to have a long PIN than a trivial password (or nothing at all), so we’d urge you to try for a 10-digit PIN as a minimum.

For a while, you’ll probably find a 10-digit PIN or longer really annoying, but if you stick with it, it should become second nature pretty quickly.

→ If you choose 10 digits or more, you can arrange to type each digit at least once, which also disguises the tell-tale “grease spots” on the screen that give away short PIN codes to anyone who holds your phone at the correct angle to the light.
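To put numbers on the PIN advice above, here is an added Python example (not from the original article) that counts how many candidate PINs a guesser still faces, both when only the length is known and when the set of digits used has been revealed (for instance by screen smudges) but not their order; the function names and sample PINs are constructed for illustration.

```python
from math import comb


def keyspace(length: int) -> int:
    """All PINs of this length over the ten digits 0-9."""
    return 10 ** length


def surjective_pins(length: int, distinct: int) -> int:
    """PINs of `length` digits that use exactly `distinct` given digits,
    each at least once (inclusion-exclusion count of surjections).
    Returns 0 when length < distinct: fewer positions cannot cover them."""
    if length < distinct:
        return 0
    return sum((-1) ** k * comb(distinct, k) * (distinct - k) ** length
               for k in range(distinct + 1))


def covers_all_digits(pin: str) -> bool:
    """True if `pin` is all digits and every digit 0-9 appears at least once,
    the property the article recommends for PINs of 10 digits or more."""
    return pin.isdigit() and set(pin) == set("0123456789")


def remaining_candidates(pin: str, digits_revealed: bool) -> int:
    """Candidates a guesser must still distinguish between.
    digits_revealed=False: only the length is known -> the full keyspace.
    digits_revealed=True: the set of digits used is known (e.g. from
    smudges) but not their order -> only orderings using exactly those
    digits remain, which is why a 4-digit PIN collapses to 4! = 24."""
    if not digits_revealed:
        return keyspace(len(pin))
    return surjective_pins(len(pin), len(set(pin)))


if __name__ == "__main__":
    # Constructed sample PINs: a short one and a 10-digit covering one.
    for pin in ("1357", "1122", "0123456789"):
        print(f"{pin:>10}: covers all digits={covers_all_digits(pin)!s:5}"
              f" keyspace={remaining_candidates(pin, False):>14,}"
              f" digits known={remaining_candidates(pin, True):>10,}")
```

The 10-digit covering PIN leaves 3,628,800 orderings even when every digit it uses is known, against 24 for a 4-digit PIN of distinct digits.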

Note that on Windows Phone, the password prompts are automatically digits-only, so you are stuck with a PIN-style passcode.

3. Setting device encryption

We can’t really cover passwords and PIN codes without mentioning device encryption.

Device encryption is where your mobile operating system keeps all your data scrambled in storage, transparently decrypting any data you read and encrypting anything that’s written, including all your data files, installed apps, configuration information, and even the operating system itself.

While your phone’s unlocked, of course, the encryption is essentially invisible, so you (or a crook) can access everything, but that, in turn, is what makes the encryption fuss-free.

On the other hand, once the phone’s locked, a crook needs your PIN or your password not only to start using the phone again, but also to access any data off it at all.

That applies even if the crook manages to connect up your device to special data-harvesting hardware in a forensic-style laboratory.

Unfortunately, support for full device encryption (often abbreviated FDE) on the Big Three mobile platforms is very inconsistent, but here’s a quick overview:

We’re disappointed in Windows Phone’s lack of FDE on consumer and unmanaged business devices; we think you should write to Microsoft and say so.

4. Managing geolocation

Geolocation is where your device figures out where you are, and tells other people, typically your operating system vendor, the producers of your apps, a third-party advert provider, or all of them.

Working out your location can be done to an astonishing degree of accuracy by combining information such as: what Wi-Fi access points are visible at any moment; what Bluetooth devices are around; which mobile phone towers you’ve pinged recently; and (if you have the needed hardware) where your GPS says you are.

As with device encryption, the Big Three all have different attitudes to geolocation.

Apple’s iOS allows you to give and withhold location-access powers to and from individual apps, but Android and Windows Phone stick to an overall toggle that simply turns so-called Location Services on or off.

We’ll dig into the details of how you can manage location data more precisely in a future article, but for now, the key thing to know is how to stop and start Location Services at will.

What next?

You may well have known all of these options and where to find them already, but we nevertheless thought it would be handy to collect them in one place.

After all, you might forget, or get a new phone with a different operating system, or have a friend or colleague come up and say, “Where do I start? And why does it matter?”

By the way, we’ll be running a free Mobile Phone Privacy Check on the Sophos stand at the Infosec Europe show.

Infosec runs from Tuesday 02 June 2015 to Thursday 04 June 2015 at Kensington Olympia in London, England.

If you’re going to be in the area, we’d love you to stop by…and you could even win a super-cool Privacy Settings T-shirt!

Image of one phone stealing another courtesy of Shutterstock.
