Author: Chris Cronin, ISO 27001 Auditor
As the holidays approach, you’ll probably be seeing many relatives and friends. Many will pull you aside and ask you about the latest security news, myths and rumors. While preparing for a Thanksgiving visit, one relative asked me about a hoax security alert warning that her iPhone’s flashlight was listening to her conversations.
Educated security types (many of us, anyway) know how to quickly discern between a real threat and F.U.D., and we have some pretty sophisticated tools, processes and resources to mitigate the real threats. But how can we give practical mobile security advice to our non-tech savvy friends and family? Recommend Blackphone? Tails OS? Not gonna work. And besides, any time we give advice to someone we become their go-to person for free tech support in perpetuity. And to simply say “It’s a hoax” will lead to even more questions when the next alert comes around.
So while this particular flashlight hoax story is not true, it is foreseeable that something like this – an app you installed on your tablet or your phone – could steal information, or snoop on you in some other way. Here is the simple advice I gave my relative this weekend; and it’s pretty consistent with the advice I generally give to non-technical types. While it may not be perfect, it is certainly better than what they’re doing now.
Using out-of-the-box smartphones and tablets means that right away you are giving up some privacy. If you’re okay with Apple, Microsoft and Google cataloging your every move and using it to advance their market intelligence, then that is up to you. But you may want to lock down how much your apps know about you.
The four most effective methods you can use to reduce the risk of overly-snoopy apps are:
1. Only install applications that you need, not applications that seem fun or interesting. This sounds like a really boring, no-fun way to use your phone or tablet, but if privacy is important to you, this is a very good practice. An amazing amount of software apps are built to take your information from your phone and use it for marketing purposes, or to sell it to others.
2. Before installing software, read the privacy notices. When you install your software at your device’s app store or play store, and when you first run iPhone/iPad apps, you are given notice about the privacy implications of using the software. Your phone tells you whether the application is going to access your email, your contacts, your photos, your files, your camera, etc. Keep in mind that this is a very real conversation between you and a stranger who says to you, “Hey, can I give you a game called GooGoo Ball? If you say yes, I can go through your family’s photo album, I can look in your camera, I can go through your file cabinet in your home office, I can listen to your phone calls, I can get all the information you have about your personal and family contacts, and I can find out what you get shipped to your home, and can track where you go and send that information to people you don’t know. But it’s a fun game. So is it a deal?” You’d say no if this conversation happened at the front door of your house. So say no at your device. Not all applications request this level of access, but read those privacy notices and choose wisely.
3. Beware of free software. Applications are expensive to make and maintain, so if someone is making and providing free applications, it’s likely that they are using your information for their profit in other ways, such as selling your information to marketing firms.
4. Use a privacy audit app to report which of your other apps are accessing what parts of your device. Use the search term “privacy” or “permissions” to find apps in your device’s app store. There are some that are free and others that are commercial. Good examples are Bitdefender’s Clueful, MyPermissions, and Lookout’s optional privacy module. When you audit your system with privacy tools, you will see each of your apps listed with a description of the information that they share with others. See if you’re comfortable with the level of access you are providing to strangers who provide your apps, and remove any app that has more access than what you are comfortable with.
As security professionals, we often think of the most effective way to secure our devices, which is fine for us when we are capable of modifying and supporting custom ROMs and discerning hoaxes from real threats. But for our less tech-savvy loved ones, simple, if imperfect advice, may be the best thing we can do.
Do you have a favorite privacy or permissions app? Feel free to share your recommendations in the comments!