WASHINGTON - A great deal has been written over the years about the necessity of computer users to be proactive if they want to guard their privacy and keep their machines clean of viruses. Habits such as changing passwords, updating software, running anti-virus and using encryption when possible are often referred to as “good web hygiene.”
But as the use of mobile phones and other devices has skyrocketed, users often have failed to transfer these precautions to the mobile digital environment, leaving millions vulnerable.
This was put on display in the fall of 2014 during the “Occupy Central” protests in Hong Kong, as Chinese hackers flooded protestors' phones with a variety of malware.
Some phone manufacturers have stepped in to fill the security gap.
For example, Apple now automatically offers end-to-end encryption for iMessage and FaceTime, as well as offering a range of other encryption services and applications.
But most security analysts say these steps aren’t enough, and that mobile phone and tablet users around the world need to step up and take more responsibility for keeping themselves safe and secure in the wireless world.
The first step is with the device itself.
The latest versions of the world’s three most common mobile operating systems, Google’s Android, Apple’s iOS and Microsoft’s Windows Phone, already offer complete encryption as an option. It’s activated in different ways, but common to all is that users create a passcode they must enter every time they power up or unlock their phones.
Once encryption is enabled and tied to the passcode, all data on the device will be encrypted and unreadable without the passcode.
This means it’s important for users to choose a code that will be sufficiently challenging to crack. A simple four-digit code is practically meaningless; a 15-character code that uses digits, upper- and lower-case letters, and symbols would be magnitudes harder to break.
Downloading Apps, remote wipe
Users should also be careful when and where they download apps or document attachments. Applications downloaded from Apple’s iTunes or Google’s Play Store are generally fairly secure, but downloading from other services can be an iffy proposition. As always, it’s not a good idea to download any email attachments you didn’t specifically ask for.
Anti-virus packages are available for mobile phones, but security analysts are roughly split on whether they would be required for the majority of phones. What is recommended, however, is for users to install some sort of “remote-wipe” application, which would allow a user to remotely erase all the phone’s data in case it’s stolen.
Mobile phones traditionally connect to the world by two means: wireless phone service for actual phone use, and a wireless local area network, or WLAN, for Internet and data. Tablets mostly just use a WLAN. Both the phone service and WLAN use provide potential security holes, but many of those can be mitigated.
First, when connecting to a WLAN using WiFi, users should choose their service carefully. In crowded urban environments, it’s not uncommon for phones to sniff out 20 or more WiFi services with decent signal strength. If possible, users should only connect to secure WiFi services; these are denoted by a locked padlock icon and require some type of password to access.
Free, open WiFi services – those available to anyone without any passcode – should be avoided if at all possible. It’s simply too easy for a bad guy on open WiFi to break into others also online and create havoc.
Text messages (SMS), which are transmitted via the phone service, are relatively (but not completely) secure from infections. But as with actual phone calls, they can be intercepted by third parties.
There are numerous apps available designed to keep text messages private and secure. WhatsApp is one of the most popular around the world, logging around 700 million users worldwide, with more users in India than in any other country.
The app by-passes the mobile phone service, using the Internet to send and receive secure text, photos and video in what it calls “chats.” Other selling points are its ease of use and low price, costing just $1 a year.
Its parent company, Facebook, says WhatsApp chat sessions are completely secure; however a handful of high-profile security breaches beginning in 2010 have raised concerns among privacy advocates.
For the more security minded, some users have moved to TextSecure, an open-source text encryption app produced by Whisper Systems, a data security company endorsed by no less than former NSA contractor Edward Snowden. It offers end-to-end encryption for users running TextSecure for text, audio, video, and images.
Whisper Systems engineers say that in addition to robust encryption, the app offers a user verification system to prevent man-in-the-middle attacks.
Whisper Systems also has an app for securing mobile phone calls. Called RedPhone, the app was aimed at first specifically for people who live under repressive governments that routinely tap and monitor phone calls.
RedPhone uses the Internet for end-to-end encryption of real-time two-way voice conversations between two RedPhone users. Additionally, two matching words appear on both phones during the call, allowing the users themselves to verify a secure, encrypted connection. RedPhone has proven to be very popular in a number of nations, including Venezuela and Egypt.
Another popular application, Ostel, is an outgrowth of the Guardian Project, a cooperative venture to develop applications that secure users’ privacy. Like RedPhone, Ostel uses VoIP (“Voice over Internet Protocol”) for end-to-end encryption between Ostel users; an additional benefit is that there are no costs for long-distance or international calls.
Finally, for users who want proven Internet security for their mobile Android device, and don’t mind giving away a little speed of access, there’s Orbot. Essentially Tor for mobile, it’s just like its online counterpart, routing all text, Internet and email data through a randomized series of computers.
Like Tor, Orbot offers users some of the strongest privacy protection to be found – but it comes at a cost. Because the user’s data is being routed through a shifting set of nodes on the Tor network, Orbot can significantly slow down uploads and downloads. It’s not for everyone, but for those who want to remain as anonymous as possible, it’s just about the best bet available.