Tips for Mobile Device Security

Mobile devices are a great tool to enable work and communication on the go. With the convenience offered by mobile devices, however, comes a risk to personal privacy and confidential data.

I have dedicated this article to Kenyan students and citizens. Follow the guidelines below to protect personal and organizational information in the event of a lost or stolen mobile device.

Secure your data and email

  • Avoid storing sensitive data on your phone
  • Use the storage encryption feature on your phone to protect your private data (contacts, photos, etc.) in case your phone is lost or stolen (Android 3.0 and later)
  • Use SSL encryption (https) for browsing and webmail whenever possible

Turn off wireless and geo-tracking

  • Keep optional network connections (e.g. WiFi and Bluetooth) turned off except when you are using them
  • Turn off GPS and data when not in use – they can be used against you by criminals and stalkers
  • Don’t access personal or financial data when using public WiFi

Choose your applications wisely

  • Download apps from trustworthy sources
  • Don’t install a new app until it has established a good reputation
  • Update your software and apps; remove unused apps

Use a password/lock code

  • Use strong passwords
  • Set the screen timeout to 5 minutes or less
  • Avoid using auto-complete features that remember names or passwords

Be skeptical about links

  • Avoid links to untrusted sources, especially from unsolicited email or text messages
  • Don’t let your guard down when using your phone in a casual setting such as a bar or a restaurant. It’s easier to click a suspicious link when you are distracted.

See a Link?

You could compromise your academic, personal or financial data by clicking too fast. Phishing is an online scam involving emails with a clickable link that appear to be from a trusted source.

Who sent the link? Why do I need to click the link? Where does the link go? How else could I take the same action? Learn how to identify the signs of phishing.

Stop and think!

Who sent the link?

Is the email containing links from a teacher, fellow classmate, friend or even a family member?
Do you know the sender? And did you expect to receive an email from them?

Why do I need to click the link?

Is the email asking you to click a link to update personal information? Are you being asked to visit a website?

Where does the link go?

Are there grammar issues in the email or link? Typos? Does the text of the link match the destination?

How else could I take the same action?

Could you visit a trusted website without clicking the link in the email? Could you call the sender?

iPhone Best Practices

iOS Configuration

  • Always update firmware (iOS) to latest version.
  • Turn off ‘ask to join networks’ and auto-join for all networks.
  • Turn off Location Services unless necessary for specific apps.
  • Require a passcode/PIN to unlock the iPhone.
  • Set auto-lock timeout to a period of 5 minutes or less.
  • Disable SMS preview when the iPhone is locked.
  • Enable erase data upon excessive password failures.
  • Ensure that remote wipe capability exists through Apple, W-Exchange, or a third party solution.

Safari Configuration

  • Enable Fraud Warning.
  • Disable AutoFill.

Operations

  • Turn on airplane mode when you do not need the phone, GPS, radio, Wi-Fi, or Bluetooth.
  • Only turn on WiFi & Bluetooth when you need to connect to a WiFi network or Bluetooth device.
  • Use the cell carrier’s network, such as Safaricom, Telkom or Airtel, instead of an insecure WiFi network.
  • Use public WiFi hotspots with caution and configure the smartphone so that it does not connect automatically.
  • Use only trusted networks for sensitive matters, e.g., e-banking/commerce and emailing.
  • Erase all data before selling or recycling your iPhone.
  • Be skeptical: take a skeptical approach to messages, content and software, especially when it is coming from unknown sources via SMS, Bluetooth, e-mail, or otherwise.
  • Check reputation: before installing or using new smartphone apps or services, check their reputation using app-store reputation mechanisms and, if possible, with friends, family or colleagues. It is good practice to install apps only from the Apple app store. Never install any software onto Apple devices unless you know and trust the source of that software and were expecting to receive it. Never ignore or override security prompts displayed unless you are confident that you fully understand the risks associated with these actions.
  • Check resource usage and phone bills or prepaid balances. Mobile malware can sometimes be detected by monitoring in this way, especially when premium rate services are being defrauded or abused.

Android Best Practices

Android configuration

  • Update firmware to the latest version that is available for your device.
  • Require a passcode. Don’t use a simple passcode.
  • Set an auto-lock timeout to five minutes or less.
  • Erase data upon excessive passcode failures.
  • Turn off “Ask to join networks.”
  • If you leave Wi-Fi enabled, forget Wi-Fi networks to avoid automatic rejoin.
  • Enable data encryption, if available. (Encryption may be available in Android versions 3.0 and later.)
  • Enable remote wipe via Webmail Plus or via a third-party application.
  • Turn off Latitude service in the Maps application for additional privacy.

Web browser settings

  • Block pop-up windows.
  • Disable “Remember form data.”
  • Turn off “Enable location.”
  • Turn off “Remember passwords.”
  • Enable “Show security warnings.”
  • Turn off “Enable Plugins.”

Operation

  • Turn off Bluetooth, Wi-Fi, GPS if you aren’t using them. (Use “Power control” widget and/or “Settings” application)
  • Use cell phone network instead of insecure Wi-Fi.
  • Avoid public Wi-Fi hotspots.
  • Don’t “root” your phone or install third-party firmware.
  • Erase all data before returning, repairing, or recycling the device. Consider using a third-party app to securely erase data.
  • Keep applications updated. Remove applications you no longer use.
  • Pay attention to permissions requested by applications. Be suspicious of applications that request permissions that aren’t necessary for the core functionality of the application.
  • Consider installing Lookout Mobile Security to assist with malware detection and lost device location and/or wiping.
  • Consider installing TextSecure to protect sensitive text messages.
  • Be skeptical: take a skeptical approach to messages, content and software, especially when they are coming from unknown sources via SMS, Bluetooth, email, or otherwise.
  • Check reputation: before installing or using new smartphone apps or services, check their reputation using app-store reputation mechanisms and, if possible, with friends, family or colleagues. It is good practice to install apps only from the Android Market, but if you choose to use other sources of applications, make sure you fully trust the source (e.g., Amazon). Never install any software onto your device unless you know and trust the source of that software, and you were expecting to receive it. Never ignore or override security prompts displayed by your device unless you are confident that you fully understand the risks associated with these actions.

Phone Scams

Scammers who operate by phone can seem legitimate and are typically very persuasive! To draw you into their scam, they might:

  • Sound friendly, call you by your first name and make small talk to get to know you
  • Claim to work for a company or organization you trust such as a bank, a software or other vendor you use, the police department, or a government agency
  • Threaten you with fines or charges that must be paid immediately
  • Mention exaggerated or fake prizes, products, or services such as credit and loans, extended car warranties, charitable causes, or computer support
  • Ask for login credentials or personal sensitive information
  • Request payments to be made using M-Pesa
  • Use pre-recorded messages, or robocalls

If you get scam phone calls or phishing emails at home, hang up or delete the emails. If you get scam phone calls or phishing emails at work, let your organization’s security or Information Technology team know so they can help protect others from these scams! Additionally, please educate your parents and grandparents on these scams, as they are becoming only more and more common.