Until fairly recently, there was a disconnect between the way many users treated the security of personal computers and that of their portable devices. PCs receive antivirus applications, firewalls, and layers of advanced network permissions, and many users have developed relatively sophisticated attitudes towards email communications, encrypting sensitive attachments and becoming more cognizant of phishing techniques.
Mobile devices, on the other hand, spent much of the past decade being treated blithely, with little real concern for device security other than a 4-digit password. Application-level security remains rare. Behavior is generally far more risk-tolerant, particularly with permissions granted to unsigned applications, and file sharing via chat or cloud applications is undeservedly treated as risk-free.
This is changing, but slowly. The most recent generation of smartphones has made fingerprint authentication near-universal, and network carriers are being more proactive in providing customers protections against unsolicited communications. However, significant weak spots remain in device security, particularly in how user information is concentrated and shared by applications in ways not transparent to the end user.
Here are some tools and tips DeleteMe recommends for users wanting to improve mobile-device security, along with general recommendations for best practices in daily usage:
1. Use the tools the device manufacturer and phone-carrier provide
Too often people disable features already available to them within the settings of their devices, and resort to ‘security’ applications written by some unknown third-party provider.
- Ensure lock screens require both a PIN and fingerprint or facial-recognition unlock.
- Create stronger passwords than the minimum required.
- Utilize the SIM-card lock feature on Android phones which requires re-entering passwords for accessing stored data; this will protect against anyone simply stealing the card itself and bypassing phone-based security features.
2. Enable two-factor authentication (2FA) for all online accounts
Especially for core services like personal banking, peer-to-peer payments, social media, and your Google account and Apple ID, make sure you are using the extra layer of security provided by two-factor authentication. Here’s a helpful rundown of online services offering 2FA to protect people’s accounts, and here is a list of financial services providers and their 2FA offerings.
3. Encrypt your data
Some new phones currently encrypt data by default, but many devices in use still only make this available via options in settings. Here are step-by-step guides to confirm data encryption for both Android and iPhone users.
4. Avoid apps from unknown vendors
While iOS apps are generally safe because of Apple pre-screening, Android apps are provided directly by a range of independent, unverified 3rd-party vendors. Google has recently made efforts to mitigate risks by developing Google Play Protect – an app-screening service that scans for any risky features or malware included with downloaded apps.
But even when a 3rd-party app has no malicious intent, it can create security vulnerabilities via a combination of unneeded permissions and non-essential network communication (often to deliver targeted ads).
Spend some time researching applications and their vendors before installing them on your phone. Additionally, delete any legacy applications you no longer use.
5. Keep your phone up-to-date
One of the biggest mistakes some people make is disabling automatic software updates in order to prevent unplanned large downloads from hitting their monthly data usage. Make sure to regularly check for OS updates and install them as soon as possible after they become available. Most updates include fixes for specific security risks.
6. Be leery of any file-sharing via text messaging
While sharing photos with friends and family is routine daily behavior, attachments via SMS are almost entirely without any sort of security protections, and should never be used for any sensitive information. In general, delete any unsolicited SMS attachments without reading them, and routinely clear your own text-messaging history.