The Australian Prime Minister, Anthony Albanese, has apparently advised people Down Under to turn off their mobile phones once a day, for the surprisingly precise period of five minutes, as a cybersecurity measure.
UK newspaper The Guardian quotes the PM as saying:
We all have a responsibility.
Simple things, turn your phone off every night for five minutes.
For people watching this, do that every 24 hours, do it while you’re brushing your teeth or whatever you’re doing.
Why at night? Why every day? Why for five minutes, and not, say, two minutes or 10 minutes?
We’re not sure.
But the Guardian suggests that the reason is that this will “stop any spyware that may be running in the background on your device.”
There’s some truth in this, given that malware infections can generally be divided into two separate categories, known in the jargon as persistent threats and the rest.
In malware terms, persistence generally refers to rogue software that outlives the app that launched it, that outlives your current logon session (if you’re on a laptop), or that survives even a full power-off and reboot.
But non-persistent threats are transient, and don’t survive from app launch to app launch, or from session to session, or from shutdown to reboot.
And shutting down generally closes all your apps, then closes down the entire operating system, thus stopping any malware or spyware that was active in the background, along with everything else.
In that sense, regularly rebooting your phone won’t do any harm.
There’s a lot more to it
The problem is that most malware these days, especially secretive mobile spyware developed at the likely cost of millions of dollars, will be of the persistent threat sort, meaning that it won’t exist only in memory until the end of your current session and then evaporate like early-morning summer mist.
For example, Apple’s latest spyware-crushing security update for iPhones, iPads and Macs included patches for two zero-day code execution vulnerabilities: one in WebKit, Apple’s low-level browser software, and one in the operating system’s own kernel.
If attackers can only trigger the execution of unauthorised code inside your browser, then it’s likely that their malware won’t be able to escape from the browser process and therefore won’t be able to access or modify any other parts of the device.
The malware might therefore be limited to the current browser session, so that rebooting your phone (which would bump the browser software and its injected malware code out of memory) would indeed magically disinfect the device.
But if the unauthorised code that the attackers run inside your browser via the zero-day WebKit bug follows up by triggering the other zero-day bug in the kernel, you are in a pickle.
The attackers can use the non-persistent malware in your browser to compromise the kernel itself, getting control over your entire device.
Then, the attackers can use the unauthorised code running inside your kernel to implant a persistent malware infection that will automatically start back up whenever your phone does.
If that’s how the attackers choose to do it, then religiously rebooting your phone every day will give you a false sense of security, because it will feel as though you’re doing something really important and useful, even though you aren’t.
Other tips to consider as well
With that in mind, here are some additional mobile cybersecurity tips to consider as well.
Unfortunately, none of these are quite as easy and unintrusive as simply “turning it off and back on again”, but they’re all worth knowing about:
- Get rid of apps you don’t need. Uninstall unnecessary apps entirely, and delete all their associated data. If your needs change, you can always reinstall the app in the future. The best way to avoid having data snooped on by malware is not to have it stored where the malware can see it in the first place. Unfortunately, many mobile devices come with a raft of preinstalled software that can’t be uninstalled, known disparagingly in the jargon as bloatware, but some of these non-removable packages can be turned off to prevent them running automatically in the background.
- Explicitly log out from apps when you aren’t using them. This is unpopular advice, because it means you can’t just open an app such as Zoom, Outlook or Strava and be back in the middle of a meeting, a discussion forum or a group ride at a moment’s notice. And logging in with passwords and 2FA codes via the fiddly keyboard of a mobile phone can be annoying. But the best way to avoid exposing data by mistake is to authorise yourself, and therefore your device, to access it only when genuinely necessary. Rebooting your device doesn’t “reboot” the logged-in status of the apps you use, so your phone starts back up with all your commonly used apps automatically reauthenticated to their respective online accounts, unless you previously logged out deliberately. Unfortunately, different apps (and different operating system options) implement their logout processes in different ways, so you may need to dig around to find out how to do this.
- Learn how to manage the privacy settings of all the apps and services you use. Some configuration settings can be controlled centrally via your phone’s operating system Settings app, others can be managed in the app itself, and others may need you to visit an online portal. Sadly, there’s no shortcut for this, because different apps, different operating systems, and even different mobile network providers, have different setup tools. Consider setting aside a rainy weekend afternoon to explore the myriad privacy and security options that exist in your own chosen apps and services.
- Learn how to clear your browser history, cookies and site data, and do so frequently. Rebooting your device doesn’t “reboot” your browser history, so all sorts of tracking cookies and other personal history items get left behind, even when your phone restarts. Once again, each browser does it slightly differently, so you need to match the history-and-cookie-clearing procedure to the browser or browsers you use.
- Turn off as much as you can on the lock screen. Ideally, your lock screen would be just that, a locked screen at which you can do exactly two things, namely: make an emergency call, or unlock your device for use. Every app that you allow to access your “lock” screen, and every bit of personal data that you allow to be shown on it (upcoming meetings, message subject lines, personal notifications, and so on) weakens your cybersecurity posture, even if only slightly.
- Set the longest lock code and the shortest lock time you can tolerate. A little inconvenience to you can be a massive extra hassle to cybercrooks. And get in the habit of manually locking your device whenever you put it down, even if it’s right in front of you, just for added peace of mind.
- Be aware of what you share. If you don’t actually need to know your location precisely, consider turning off Location Services completely. If you don’t need to be online, try turning off Wi-Fi, Bluetooth or your mobile connection. And if you genuinely don’t need your phone at all (for example, if you are going to go out for a walk without it), consider powering it down completely until later, just as the Australian PM suggests.
- Set a PIN code on your SIM card, if you have one. A physical SIM card is the cryptographic key to your phone calls, text messages and perhaps some of your 2FA security codes or account resets. Don’t make it easy for a crook who steals your phone to take over the “phone” part of your digital life simply by swapping your unlocked SIM card into a phone of their own. You only need to re-enter your SIM PIN when you reboot your phone, not before every call.
By the way, if you’re planning to start rebooting your phone regularly – as we mentioned above, it doesn’t do any harm, and it does give you a fresh operating system startup every day – why not follow exactly the same process with your laptop as well?
Sleep mode on modern laptops is mightily convenient, but it really only saves you a couple of minutes every day, given how quickly modern laptops boot up in the first place.
Oh, and don’t forget to clear your laptop browser history regularly, too – it’s a minor inconvenience for you, but a major blow to those stubborn website owners who are determined to track you as closely and as doggedly as they can, simply because you let them do so.