Today we welcome like-minded techie/Knoxvillian/Twitterer, Andrew May, to the Cloud 9 blog. After posting a blog about recent malware affecting Android phones, Andrew chimed in for some good conversation. From that conversation sprung this post on smartphone security. Thanks Andrew (@MantaMay) for the great thoughts, and be sure to check out his blog and software company, ADMSoftware.
Android & Mobile Security - Think
As we move forward into the new world of mobile computing many phone and tablet users are left asking, "Do I need security software?". The answer is much more complicated than most are aware, and Android users have an even more complicated situation. We need to understand that Apple has spoiled the public by leading them to believe they are impervious to attacks, and with this, users expect a similar experience on other platforms. Although in some sense it is true that Apple's iOS has no malware, you forfeit a free ecosystem that many Android users have come to love. Despite the lack of malware iOS users are still susceptible to phishing scams, and mobile safari security flaws. Google's Android is also susceptible to phishing scams, mobile browser security flaws, and malware. Between Android's growth, and open ecosystem, malware has grown, so much that mobile security is now being offered on the platform by most major security companies. There are a few options available to Android users, but the first, and most viable option is to think, be aware, and know your phone.
Think before installing
The first line of defense on your Android mobile device is to think before you install. Malware is designed to look like useful software, but it will attempt to access your phone's important and personal information. Google's Android team knew that an open ecosystem could lead to malware, and made it possible for the users to see what an application wants access to. When you install an application you grant privileges, and the Android OS will display those before you install. The best practice for installing software is to use common sense; a photo application should not require access to the internet, SMS, or any other part of your phone except the camera. A secondary source to detect malware is the comments and ratings, read the last few comments on an app, are they positive? Negative? Googlers do a good job of letting us know if an application is worth our time. Last, avoid installing apps that aren't from a known source, like Amazon's App Store, or Google's Marketplace.
Think before entering a password
Malware does a good job of hiding, and getting what it wants (your passwords and personal information). To protect yourself, never trust an app that wants passwords to other services, and if you sign up for a new service within an app, always use a different username/password combination than other services. Using a repetitive username/password scheme is a bad security practice in general, try to avoid it at all costs.
Think before clicking a link
Mobile security extends beyond malware, as phishing scams don't always originate from an app. A phishing scam attempts to trick someone in to giving up a username and password when you stray to a bad site, type in the wrong URL, or click on a malicious email link. If you are asked to enter a password or username in a mobile website, ALWAYS check the URL, and ensure it's using HTTPS! Many mobile users fall prey to this trick because mobile sites are rendered differently than desktops, and the URL can be hidden by the mobile browser. When in doubt find a computer and view the site in question, typing out the URL, rather than clicking on the link. Another good reminder, almost no reputable company will send you an email directing you to a site to change your username or password.
Mobile security software can't always detect everything
As advanced as mobile security is, it can't detect everything, but it can find known malware and phishing sites. Mobile security isn't necessarily a bad investment; it just can't always catch the newest malware and phishing sites. Mobile security companies are playing a perpetual cat and mouse game, trying to catch up on the newest tricks of hackers and phishers. It's always evolving, and currently the best any mobile security can do is detect previously known malware and phishing sites, but by then, Google has done its job, and removed the application from the Market, and your phone.
Let Google do their job
Google may not curate their Market, like Apple, but Google will forcefully remove malicious apps when they are found. Although some say this is a breach of privacy, this is Google doing their job after a threat is detected. Google does look for malicious apps, and will react appropriately, if you let them do their job, they will protect you.
If you believe you've downloaded malware
Don't panic! So you think you've downloaded malware to your mobile device, and your personal data breached? It's an easy fix, malware often goes after your passwords; but before you go changing your passwords, remove the malware. Personally, I would go a step further and factory reset a device, to remove any lingering data, but application removal should be fine in the case of Android. After you have removed the offending app, change all your passwords (Foursquare, Facebook, Twitter, etc). The last step in to post malware intrusion, check your accounts, and ensure no emails, texts, tweets, status updates, have been sent.
Your best bet, is to always be on the defense
If you feel safer by purchasing security software to protect your mobile device, then do so. The caveat being, it may not protect you any more than simply paying attention to what you are downloading by reading reviews, checking permissions, and being careful. If you do buy software, do not rely on it to do all your security, as it cannot catch everything. Remember to think defensively when installing apps or surfing the web on your mobile device.