Using Smartphone Apps Safely


By Celina Stewart

Celina Stewart is an undergraduate student in International Relations at Brown University.

"We should hack an application," a fellow teaching assistant brainstormed to our Cybersecurity and International Relations Teaching Staff at Brown University. His suggestion to hack a widely used photo- and video-sharing app, popular especially among college students, might seem malicious or even illegal. However, after vetting the idea and checking its legality (we created our own account to hack by cracking our own password rather than targeting the application itself), we scheduled a lab aptly called "Scaring you into securing your information."

As a college student, it does not confuse me that an application could be hacked by guessing a password and gaining access to my information. Growing up with the advent of social media, data privacy became a concept intrinsic to my experience on the Internet: Be aware that whatever you send into the void can and will be traced back to you. Technology users likely understand the implications of sharing personal information online, making small tradeoffs between sharing too much and losing the efficiency of their technology. However, the idea that data privacy only relates to information shared through e-mails, online chat rooms, and social media sites stopped being relevant when hackers realized they had a wonderful new target: the smartphone.

Not only do smartphones present the ideal medium through which to access the Internet — portable, personal, and reliable — smartphone applications provide an increased layer of efficiency. However, it seems that many people overestimate the level of protection these applications afford their personal security.

Data privacy can be lost in several key ways. Loss of information usually occurs as a result of an unseen vulnerability that application users have not anticipated. Some attacks begin in the app store, where a hacker has specifically uploaded a malicious application, usually spoofing a commonly downloaded game or banking application, in hopes that users will mistakenly download the bad application and enter their protected personal information. Each month, smartphone users actively use 22–29 different applications, often leaving themselves logged in for ease of access, or at least allowing cookies on their phone to let sites load efficiently during the next use. By leaving applications logged in, and potentially running, a lost phone could provide anyone access to personal information and constitute a breach of data privacy.

Another vulnerability is called a Man-in-the-Middle attack [http://www.newhaven.edu/feature-stories/Cyber-Forensics-Group-Reveals-App-Issues-Affecting-968-Million/], in which a user connects to an unencrypted wireless network often disguised as one the user would find familiar, such as those found at coffee shops or in airports, through which a hacker can intercept unencrypted personal data. Even plugging a smartphone directly into an unfamiliar USB port could lead to a hack called "juice-jacking," in which user data is downloaded to a computer synced through the USB connection. These vulnerabilities require a fair amount of user oversight to prevent hacks; if a user is not aware of these potential threats, however, the possibility for data loss grows substantially.

Indeed, personal data such as passwords, bank account information, location information, and personal photos or videos are not the only things to worry about where data privacy is concerned. A particular risk emerges when users connect any number of Internet-capable technologies to their smartphones through applications. These may include health and fitness trackers, home security systems, and even baby monitors. Any and all information accessing the Internet through a smartphone could be targeted with malicious intent. Infected applications might also allow a malicious hacker to target smartphones with malware called ransomware. Appearing to shift from personal computers to smartphones in the summer of 2014, this malware encrypts all data on the smartphone, demanding that the owner pay a ransom to the criminal group responsible in order to regain access. The personal and financial cost of this breach of data privacy is devastating.

Despite these risks, smartphones and their various applications are clearly engaging, efficiency-boosting, and (nearly) indispensable. Users should learn to use smartphones without compromising their data privacy.

  • Not only should smartphone users check the legitimacy of any application before downloading it, they should routinely check the privacy settings and information accessed even by applications they trust.
  • Users should remove any applications they no longer enjoy or find useful; having old games or forgotten applications accessing the smartphone creates an additional vulnerability to malicious updates.
  • Changing passwords regularly and installing security updates will also help mitigate an attack.
  • Foremost, users should carefully consider whether to leave applications logged in, reserving this for those apps where the potential loss of information is worth the increased efficiency of leaving the phone less secure.
  • Lastly, protect the smartphone and its applications from Man-in-the-Middle or juice-jacking attacks by refusing to connect to unencrypted, unfamiliar networks or to plug directly into unfamiliar USB outlets.

The key to maintaining data privacy on smartphones is simple: use the applications, and don't let anyone use the applications to exploit you.

Data Privacy Month Additional Resources

  • This Computerworld article outlines several vulnerabilities associated with smartphones, tracing these across Android, iOS, and Blackberry mobile operating systems. These vulnerabilities include tracing and storing personal information, in addition to sending information without user oversight.
  • This PCMag article provides another perspective on smartphone vulnerabilities, focusing on Android and iOS mobile operating systems. It provides additional information about the vulnerabilities associated with "jail-breaking" a phone, or simply allowing applications too much permission.
  • This National Public Radio blog post explicitly defines and explains vulnerabilities across Android and Apple mobile platforms; it is also slightly more up to date than the previous articles and offers good advice.
  • Kaspersky Labs does a great breakdown of easy and practical ways users can protect their smartphone information, with additional links to associated vulnerabilities (both computer and smartphone related).

 

© 2015 Celina Stewart