Mobile security is the protection of smartphones, their data, and the networks to which they connect. Attackers are always ready to exploit any vulnerability in the system, so we should be aware of the possible security risks and how to safeguard against them.
Let’s understand these threats and safeguards at a high level.
Phishing Email Attack
91% of cybercrime starts with an email. Attackers broadcast phishing website URLs using fraudulent email messages. Mobile users are three times more likely than desktop users to be victims of phishing attacks, because desktop users generally read email messages only when they access their computers. In contrast, mobile users are always online and most likely to check their emails because of easy accessibility. The first few hours of a phishing attack are critical because, after that, many attacks are blocked by phishing filters or taken down by the attackers themselves. Therefore, mobile users are more likely to be hit by a phishing attack. Also, most phishing emails call for immediate action. For example, they may claim that suspicious activity is happening on the user’s account and that it will be disabled unless the user acts immediately. Most victims who believe this lie will visit the phishing site quickly and provide sensitive information.
Phishing SMS Attack
Attackers are now sending short URLs in SMS messages. These are hard to inspect, so you cannot tell whether a URL is legitimate just by looking at it. URL shortening was created to avoid broken URLs in email and SMS messages. Nowadays, popular social media apps such as messengers and Twitter have increased the use of URL-shortening services like TinyURL and Bit.ly, which increases the chance of phishing or malware download. To avoid it, you can enable the preview feature of TinyURL and Bit.ly from the respective sites.
Why do mobile users trust phishing emails, SMS, or websites links more?
A few reasons mobile users trust or fall for these phishing emails are:
(1) Small screen sizes (compared to desktops) and the limited display of information on smartphones. Notifications in particular, which now include one-tap options for opening links or responding to messages, can increase the chances of phishing success.
(2) Many mobile email client applications display only the sender’s name (for example, XYZ Bank), not the full email address, making it easy to trick a person into thinking an email is from someone they know or trust. Also, if we expand the sender details, they may show a tampered email domain like firstname.lastname@example.org instead of email@example.com.
(3) The placement of action-oriented buttons in mobile email clients and the unfocused, multitasking behavior of mobile users tend to amplify the effect.
(4) It is harder to differentiate a phishing website on a mobile device than on a computer.
(5) The standard fraudulent email message format is HTML, which uses href to embed a link; hovering over the link will not reveal the actual address. When the user taps the link, the mobile device starts opening it. Mobile screen size is limited, so if the URL is long, it is hard to check whether it is legitimate (for example, it starts with www.abcbank.com.xyzw…). If the phishing website is an excellent clone of the actual bank website, then there is no easy way to determine that the site is fraudulent.
Phishing attack by Social Media Apps
83% of phishing attacks happen in apps like Facebook Messenger, WhatsApp, games, and social media services.
Public Wi-Fi usage
People do not want to use their mobile data when there is free Wi-Fi available. A mobile device is only as secure as the network through which it sends and receives data. You should use a VPN; otherwise, you are leaving a lot of doors open for attackers.
Poor password protection
Most users still don’t protect their devices and accounts with passwords. Most users reuse passwords across multiple accounts. One-third of users are not using 2FA. Only a few people actively use a password manager. 50% of professionals use the same passwords for both work and personal accounts.
Application Access Permissions
When you install or update an app from Google’s Play Store, you get a pop-up listing the permissions it requires, such as access to your text messages, phone call details, media files, etc. Apps need this access for their functionality, but many applications ask for permissions to data and functions they don’t even require. We should identify the nature of the app and ask ourselves what minimum access permissions it needs. You should always read the permission list before you select ‘Accept’ to install the app. For example, a chat app can ask for permission to access pictures or media files so that you can share them with your contacts. But you should be careful if it asks to know your location or read SMS.
Apps with extra permissions can access your contact list, your messages (including your bank transactions and one-time passwords), and data on your phone (including your pictures and screenshots). They may also know your exact location at any given point, your house details, and your email account details.
A rule of thumb for better security: do not let apps access more data on your phone than required.
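The rule of thumb can be turned into a repeatable check. The following is an added example, not part of the original article: it reads the permissions an app declares in its AndroidManifest.xml and reports any that go beyond a baseline for the app's category. The baseline, the explanations and the sample manifest are constructed assumptions, and the manifest is assumed to be already decoded to plain-text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a hand-written baseline of what each app category plausibly needs.
BASELINE = {
    "chat": {
        "android.permission.INTERNET",
        "android.permission.READ_MEDIA_IMAGES",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
    },
}

# Permissions that expose the kinds of data the article warns about.
SENSITIVE = {
    "android.permission.READ_SMS": "can read bank messages and one-time passwords",
    "android.permission.ACCESS_FINE_LOCATION": "reveals your exact location",
    "android.permission.READ_CONTACTS": "exposes your contact list",
}

# Constructed manifest for a hypothetical chat app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit(manifest_xml, category):
    """Return {permission: why it matters} for requests beyond the baseline."""
    extra = requested_permissions(manifest_xml) - BASELINE[category]
    return {p: SENSITIVE.get(p, "not in the baseline for this category")
            for p in sorted(extra)}
```

For the sample chat app, audit(MANIFEST, "chat") reports the location and SMS permissions and stays silent about internet and media access.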
Out-of-date Operating system (OS) and applications
Generally, devices don’t come with guarantees of timely software updates. Most manufacturers are still not effective at keeping their products up to date. This may be an area where an attacker can easily target you. We need to update our devices regularly (both OS and apps) because newer versions may have security patches for the latest malware or viruses. Turn on automatic system updates in your mobile settings.
As per the Google survey, 25% of installed apps are never used or used only after installation. Some mobile apps can send or use data whether you open them or not. If you open Settings | Apps, locate an app that you haven’t used, and look at its Data Usage and Memory stats, you might be surprised. If you have not used an application for a while, you should remove it.
As people have started doing more financial transactions on mobile, mobile security threats are also increasing day by day. There are a few advanced security apps available that can encrypt data on your mobile, wipe all data remotely when your mobile is lost or stolen, and even take video or pictures of the person remotely. You can also install a reputable mobile security app on your mobile. In most cases, if the user is aware of these threats and stays alert, they can be handled.