Awareness : Security Awareness Tips

Protect the Data on your Smartphone

As we increasingly rely on our phones as an extension of our computers, a substantial amount of personal and business information is stored and transferred on them. The phones themselves can be expensive and are therefore desirable targets for theft due to the resale value. However, the information stored on the phone may prove even more valuable to the thief, resulting in greater risk to the owner and the institution. Below are some tips to protect your phone, yourself, and the University.

How to Protect your Device

Password protect your phone. As with your computer, the most basic thing you can do to protect your data is to use a password. It may seem inconvenient to enter a password each time you need to check your email or send a text, but the second it takes is well worth it. Once you get into the habit, entering your password becomes second nature. Imagine if your phone was stolen today and you did not password protect it. The thief can look at ALL your email, texts, contacts’ phone numbers, photos, etc., both work-related and personal. Do you have confidential information in your email or stored on your phone that you would not want others to see? The thief can easily reply to your emails and even post to your Facebook page. Password protecting your phone can prevent such access and protect the information if your phone is lost or stolen.

As with any password, longer, complex passwords tend to be more secure. A 4-digit numeric password such as 1234 or 0000 is just too easy to guess. However, from a practical perspective, using too long a password will simply prove too irritating after a while and you may disable the feature altogether. Strike a balance between security and usability. Try using at least 5 alphanumeric characters, with at least two of the following character types: letters, numbers and special characters. Additionally, you should set your device to lock after a certain period of inactivity. This period depends on your personal usage, but greater than 5 minutes is not recommended.

Install and set up remote security tools to lock, track, and erase. Once your phone is equipped with a password, most smart phones can automatically erase your phone’s data if the wrong password is entered too many times, but you must enable the feature first. Do not be overly aggressive with this setting. You want to give yourself a decent number of attempts to enter the correct password before the device is automatically erased. There are also tools to find your phone, erase the memory, lock the device, and even display a message when you’re not in possession of the device. There are apps (some free, some paid) that perform these functions, including Apple’s Find my iPhone, Android’s Where’s My Android, and Blackberry’s Find My Phone – but the key to using these tools is setting them up BEFORE your phone is lost or stolen.

Tip: If you access University email on your device, make sure the connection is set up using Exchange – which has built-in secure communication – and not IMAP or POP. This will also allow you to remotely erase the contents of your phone should it ever be necessary.

Perform regular backups. Theft, loss, or even a drop in the pool can cause you to lose your important data, contacts, priceless photos, etc. To avoid that disaster, back up your device regularly. For many devices, it can be as simple as just connecting your phone to your computer and clicking a button. iPhones can use iTunes. Blackberry devices can use the Blackberry Desktop Software and Blackberry Protect. For Android devices, the process is different; much of the data is automatically backed up wirelessly, but there is a variety of options for more comprehensive backups, including MyBackup, AppBrain, Handy Backup, and WaveSecure (suite of tools). Having a recent backup means you can restore your data to your replacement device, and it provides reassurance if and when you need to remotely wipe the device.

Be careful passing your phone around. Smart phone users should be careful about leaving the phone unattended, or loaning it to people. Spyware can be installed if someone has physical access to the device. For instance, the PhoneSnoop program can be used with BlackBerry devices to remotely turn the microphone on and eavesdrop on conversations.

Record your phone’s unique ID number. Depending on your phone and the service provider (Verizon, AT&T, T-Mobile, etc.), they may be able to remotely disable your phone should it ever be lost. Write that number down and keep it in a safe place. It is usually printed beneath the battery and labeled IMEI, ESN, or MEID. If you are unable to locate the number, entering *#06# into the keypad of many phones will display the number on the screen. If the phone becomes lost, you can give this number to your service provider and they may be able to remotely disable the device.

Use caution when using public wireless spots. Many smart phone platforms now offer banking, credit card and other apps accessing sensitive information. Your smart phone can be configured to connect to wireless access spots when available. Many people do this to avoid using minutes and data on the provider’s cellular network. However, just as with your laptop, it is not too wise to use insecure public wireless spots, especially those at coffee shops, bookstores, airports, etc., when accessing such information. Your provider’s cellular (3G/4G) network is actually more secure than public wireless hot spots.

Enable encryption on internal storage. If your smart phone supports use of internal memory cards for additional storage (SD, microSD, etc.), then enable encryption on the card, and all data on the phone if that option is also available. If someone steals your phone and takes the card out they will not be able to access the encrypted data.

What to do if your Device is Lost or Stolen

Lock your phone. If your device allows you to lock it remotely, lock it right away (BlackBerry users can contact your IT support group to lock your device). Locking will not prevent you from tracking it, calling it, or sending messages, but it may prevent someone who possesses the phone from making calls or snooping through your data.

Track or call your phone. If you have set up a tracking tool, use it to track your device. If not, try calling your phone or sending it a message to see if anybody responds. If you think your device has been stolen, immediately call the police (or university security, if on campus).

Erase your phone’s data. After initial attempts to recover the device, you may decide that it has become necessary to erase all the information, using tools like Outlook Web Access, Find my iPhone, or calling your IT support group. It is important to remember that because most tracking tools require a phone to be properly configured, they will likely be disabled when a phone is erased. You should consider erasure only after concluding that tracking will no longer help you find the device. We offer a step-by-step walkthrough of using Outlook Web Access to wipe your phone.

Tip: There is one important exception to the above warning. AT&T, Verizon, and Sprint offer a paid tracking service which can be applied to virtually any phone, even after a loss. These are usually not as precise as most software solutions, but can be used after a phone has been wiped or for those that have no innate tracking functionality. AT&T calls their offering FamilyMap, while Verizon’s and Sprint’s are named Family Locator.

Notify your service provider. Once your device has been erased, your email, contacts, settings, and other information will no longer be readily accessible. Additionally, your password and any other restrictions will no longer be active and anyone who has your phone will be able to make calls and use all of the other apps on the phone including the Internet. Notify your service provider to minimize any further charges. The provider will be able to cancel service to your device and with the unique ID number, like a phone’s IMEI number, they may also be able to disable the device entirely, turning your stolen phone into a paperweight.

Keep your Device Updated

Google recently removed over 50 apps from the Android Market — used by over 50,000 people — that contain hidden malicious code to steal private data and open the devices to future attacks. All indications point toward criminals developing even more malware for smart phones throughout the year. According to Mary Landesman, market intelligence manager at Cisco, the medical and education industries “continue to be most at-risk of web malware.”

Phones are also starting to integrate new technology like near field communication (NFC), which can allow your phone to start your car, pay for your lunch directly from your bank account, and many other services. Now, it is more important than ever to make sure your phone has the latest updates installed and think before you install that next app. From an architecture standpoint, Android offers more granular access control. But the open-source nature of the Android platform means apps aren’t as controlled as they are on the Apple and Blackberry platforms. Install apps only from trusted sources.

Trading In, Passing Down, or Selling your Phone

Just like any other computer equipment, even a phone that has not been used or charged in months will still contain all the data you previously used, including your emails, photos, contacts, etc. So, when you purchase a new phone, make a backup of your old phone and take a moment to wipe the data before donating or recycling it. Virtually all current smart phones have a built-in feature that appropriately erases all user information. BlackBerry phones will overwrite all data as part of their Secure Wipe process. For iPhones, one app for this purpose is iErase, which should be used after the standard erase tool is used. For Android devices, WaveSecure will perform this function in a future release.

Understand and Minimize the Risks

There is always a trade-off between ease and security. More and more of us are carrying smart phones and enjoying the functionality they offer. Take the precautions mentioned and minimize risk to you and the institution.

Posted: March 1, 2011