Smartphone, tablet

The IT security team of the University of Vienna has compiled a list of practical tips for students and employees to make the daily use of tablets and smartphones more secure.

Note

We strongly advise against rooting and jailbreaking mobile devices. It is true that it grants you full access to your device, but at the same time, many security measures will be disabled. Malware and potential attackers can exploit the additional permissions.

5 tips for those in a hurry

Increase the security of your smartphone or tablet by following these five easy tips: 

  1. Never allow “installation of apps from unknown sources”. Android: This option is usually deactivated by default. iOS: In unmodified Apple devices, this option is usually deactivated and users cannot change this setting.
  2. Use a PIN or a password to protect your mobile device against unauthorised access. For greater convenience, you can also use your fingerprint to unlock the device. This way, you can better protect your data against shoulder surfers watching you enter your PIN code or password, for example, on public transport.
  3. Encrypt the storage of your mobile device, including the memory card. Android: As of version 6.0 (Marshmallow), the internal storage on all devices is encrypted by default. If your mobile device has a memory card slot, you have to encrypt the memory card separately. As of iOS 7, the storage is encrypted with Data Protection by default.
  4. Keep the option auto-update apps activated.
  5. Keep the option automatically update the operating system activated and update your device as soon as new updates are available.

Search for information provided by the device manufacturer to check and update the current settings on your device.

Using applications securely

Installation

Only install apps from trustworthy sources. Only use the pre-installed app stores (Google Play Store for Android, App Store for iOS, Windows Phone Store for Windows). Apps from external sources pose a higher risk for your device because they bypass the control mechanisms of the app stores, so their origin cannot be verified.

Before downloading an app from the app store, check if it is trustworthy:

  • Who provides the app? This is particularly important for apps by big companies and banks. For example, PayPal should be specified as the provider of the app PayPal.
  • When was the app released in the app store for the first time? Look-alike apps pretend to be the real thing by using the same name or name components of prominent apps. The release date of an app can help you distinguish between the official app and the look-alike app. For example, if you look for a messaging app that has been on the market for years and the release date is two days old, you can assume that it is a forged app with unclear intentions. The release date is usually specified in the detailed description of the app in the app store.
  • How often has the app been downloaded? A widely popular app certainly has more than a few hundred or a few thousand downloads. If the number is suspiciously low, it could be a look-alike app with possibly malicious objectives.
  • What do other users say about this app? Reviews are a good indication to assess if an app is trustworthy.
  • Which permissions does the app require? Check the requested permissions of the app. A flashlight app does not need access to your telephone book and does not have to be able to send text messages.
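The permission check in the last point can also be done mechanically before an app is installed. The following script is an added example (not code from the University of Vienna page): it parses the `uses-permission:` lines printed by `aapt dump permissions <apk>` and compares them with a small, hand-written allowlist per app category. The allowlist, the high-risk set and the sample `aapt` output below are assumptions constructed for this example, not an official list.

```python
"""Flag requested Android permissions that do not fit an app's stated purpose.

Added example, not code from the original page. It parses the output of
`aapt dump permissions <apk>` (both the `name='...'` and the bare-name
format) and compares the requested permissions with a per-category
allowlist. The allowlist and the sample dump are constructed assumptions.
"""
import re
from typing import Dict, List, Set

# Permissions a given kind of app plausibly needs (assumed for this example).
EXPECTED: Dict[str, Set[str]] = {
    "flashlight": {
        "android.permission.CAMERA",  # drives the camera LED on older devices
    },
    "messenger": {
        "android.permission.INTERNET",
        "android.permission.READ_CONTACTS",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
    },
}

# Permissions that expose especially sensitive data or can cost money.
HIGH_RISK: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
}

# Matches "uses-permission: name='x.y.Z'" as well as "uses-permission: x.y.Z".
_PERM_RE = re.compile(r"^uses-permission:\s+(?:name=')?([A-Za-z0-9_.]+)'?")


def parse_aapt_permissions(dump: str) -> List[str]:
    """Extract permission names from `aapt dump permissions` output."""
    perms = []
    for line in dump.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.append(m.group(1))
    return perms


def unexpected_permissions(category: str, perms: List[str]) -> List[str]:
    """Return requested permissions outside the allowlist, most sensitive first."""
    allowed = EXPECTED.get(category, set())
    extra = [p for p in perms if p not in allowed]
    # High-risk permissions sort first, then alphabetically.
    return sorted(extra, key=lambda p: (p not in HIGH_RISK, p))


# Constructed sample: what `aapt dump permissions` might print for a dubious
# flashlight app (package name and permissions invented for this example).
SAMPLE_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    requested = parse_aapt_permissions(SAMPLE_DUMP)
    for perm in unexpected_permissions("flashlight", requested):
        tag = "HIGH RISK" if perm in HIGH_RISK else "check"
        print(f"{tag:9} {perm}")
```

Run against a real APK by piping `aapt dump permissions app.apk` into `parse_aapt_permissions`; a flashlight app that asks for contacts or SMS access shows up at the top of the list, which is exactly the mismatch the tip above tells you to look for.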

Deactivate or remove any apps that you no longer need. This reduces the attack surface of your mobile device, frees up storage space and sometimes improves performance.


Updates

Keep the option auto-update apps activated. Updating your mobile devices on a regular basis is essential for their security. This applies not only to the operating system but also to apps from the app store.

App updates close potential security vulnerabilities and update important system-related components that have been shifted to app modules (for example components to display web and multimedia contents).


Settings

Keep the security function Google Play Protect in Android devices switched on to detect malicious apps, no matter how they were installed. On Android devices, you can find this function under Settings -> Google -> Security. Do not activate the option installation from unknown sources.


Security apps

Some mobile operating systems offer security apps, such as anti-virus apps. Malware targeting mobile devices is still relatively uncommon. Some established mobile operating systems check the apps in the app stores (e.g. with Google Play Protect), and sometimes even directly on the mobile devices. At the moment, it is not likely that your device will be infected if you only use apps from the pre-installed app stores.

Therefore, whether additional security apps are necessary is debatable. However, many security apps offer other functions in addition to malware protection, such as security measures in case of theft.

Protecting your device against unauthorised access

Enable the PIN-protected screen time-out. Easy PIN codes, such as 1234, are easy to guess. The ZID recommends using a PIN containing at least 6 digits.

In addition, enable the automatic screen time-out. After a short time, the screen turns off automatically and thus prevents unauthorised access.

For greater convenience, you can activate the Smart Lock function. It allows you to automatically unlock the device in certain secure places, when you establish a connection with certain previously selected devices, or using face recognition. This is more convenient for the user, but at the same time reduces security.

Use the fingerprint scanner. It makes unlocking your device easier and protects your PIN code against curious glances.

Encrypt your device. Most devices offer an integrated encryption function or are encrypted by default. If your mobile device has a memory card slot, you have to encrypt the memory card separately.

Avoid storing sensitive data (passwords or bank details) on your mobile device as long as it is not absolutely necessary.

What to do in case of loss or theft

Most manufacturers offer a function that deletes all personal data on the mobile device if a wrong PIN has been entered too often. This aims at protecting your data in case of theft. You can usually specify the number of tolerated failed attempts yourself.

Some operating systems are equipped with additional functions that you can activate (if they are not activated by default) to minimise the damage when you lose the device.

  • These functions allow you to lock stolen or lost devices remotely, erase personal data, and track the device’s position. We recommend trying these features beforehand to get used to them. Make sure to back up your personal data regularly if you use this function.
  • Deactivate the lost device through the relevant portal of the operating system provider. This prevents the device from continuing to communicate with the provider’s services. In the case of Android: Deactivate the device you lost on the website where you manage your Google account under Devices & activity. After you have deactivated the device, it can no longer access the Google Play Store, Gmail, Google Calendar, Google Contacts, etc. Similar possibilities apply to other mobile operating systems.
  • Change the password of the primary service connection for your mobile operating system, such as the Google account for Android, the Apple ID for iOS, or the Microsoft account for Windows Mobile.
  • In addition, change any other passwords for important user accounts, e.g. Amazon, Dropbox, u:account, that you have used on the lost device.
  • Inform your service provider about the loss and request that your phone number be disabled to prevent abuse and charges being incurred.

Choosing a new device

Choosing a new device usually depends on many factors, including preferred media platform (e.g. Google Play on Android or iTunes on iOS), functionality requirements, or any subjective preferences.

After you have chosen a platform, you should consider the update policy of your preferred manufacturer when choosing a device:

  • Some manufacturers are open in communicating their update policy. For further information, please also see Security updates for mobile operating systems.
  • Ask your colleagues and friends about the security patch level of their mobile devices. In the menus of the operating systems, this level is sometimes also called status of the security updates or Android security patch level. It informs you when the last security update was done. The last update should ideally date back less than three months.
  • Some reviews – assessments and tests of devices – already address security updates and update policies of device manufacturers.
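The "less than three months" rule of thumb in the second point can be checked from a computer instead of reading the settings menu. The following script is an added example (not code from the University of Vienna page): on an Android device with USB debugging enabled, `adb shell getprop ro.build.version.security_patch` prints the patch level as a date such as 2023-10-05; the script parses that string and classifies its age. The sample values are constructed, the 90-day threshold is taken from the page's guidance, and the treatment of malformed or future dates is an assumption.

```python
"""Check how old a device's Android security patch level is.

Added example, not code from the original page. The patch level is read
with `adb shell getprop ro.build.version.security_patch`; this script
only parses the resulting YYYY-MM-DD string. Sample values are constructed.
"""
from datetime import date
from typing import Optional

MAX_AGE_DAYS = 90  # "less than three months", as recommended on the page


def parse_patch_level(value: str) -> Optional[date]:
    """Parse the YYYY-MM-DD string reported by the device; None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def patch_age_days(value: str, today: date) -> Optional[int]:
    """Days between the patch level and `today`, or None if unparsable."""
    patched = parse_patch_level(value)
    if patched is None:
        return None
    return (today - patched).days


def assess_patch_level(value: str, today: Optional[date] = None) -> str:
    """Classify the patch level as 'current', 'stale' or 'unknown'."""
    today = today or date.today()
    age = patch_age_days(value, today)
    if age is None:
        return "unknown"
    if age < 0:
        # A patch level in the future usually means a wrong device clock
        # or a tampered build; treat it as unknown rather than current.
        return "unknown"
    return "current" if age < MAX_AGE_DAYS else "stale"


if __name__ == "__main__":
    import subprocess

    # Read the value from an attached device; fall back to a constructed
    # sample when no device (or no adb) is available.
    try:
        out = subprocess.run(
            ["adb", "shell", "getprop", "ro.build.version.security_patch"],
            capture_output=True, text=True, timeout=10, check=True,
        ).stdout
    except (OSError, subprocess.SubprocessError):
        out = "2023-10-05"  # constructed sample value
    print(out.strip(), assess_patch_level(out))
```

A device whose patch level comes back as "stale" has not received a security update within the three-month window the page recommends, which is worth knowing both for a phone you own and for one you are about to buy second-hand.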

If you have a contract phone, you should also bear in mind the update policy of your mobile service provider.

Retiring a device securely

  1. Back up all data on your old device.
  2. Remove all data from your old device.
  3. Fully encrypt your mobile device – if you have not done so yet – and restore the factory settings. This way, third parties cannot read storage areas that have not been overwritten.
  4. If your device does not offer encryption, delete the storage with an appropriate app that overwrites your data several times. This way, it is impossible to restore the data and you can delete them securely. Afterwards, restore the factory settings on your device.

Security updates for mobile operating systems

From time to time, operating systems have critical security vulnerabilities. You should always install the security updates provided by the manufacturer, since known security vulnerabilities that are not closed pose a great risk.

Unfortunately, these updates are usually available only for a limited time. There are great differences between operating systems, manufacturers and brand devices of mobile service providers, especially in the area of mobile devices.

Therefore, we can only recommend devices for which the provider offers continuous and lasting security updates. However, this is often only the case if the hardware and the software come from the same company.

Android

The update policies vary from manufacturer to manufacturer because many different manufacturers ship Android on their devices. Pixel devices, offered by Google, have the highest update frequency: Google promises monthly security updates over a period of three years as of the sales launch and at least 18 months after sales close down.

As part of the Android One initiative, Google cooperates with a number of manufacturers to offer devices that have a "pure" Android system. Devices with the Android One seal should receive regular security updates for several years. The frequency of updates varies strongly depending on the manufacturer.

Companies such as Nokia, Samsung and BlackBerry announce their security updates only for a short period. Often, the updates only apply to particular models, production lines or geographical regions. LG guarantees monthly updates for certain smartphone models. However, according to user reports, these are offered very infrequently in Europe.

Other manufacturers have not communicated regular update cycles publicly. Some product lines rarely get updated – if ever. However, those devices (if they are connected to the Google Play Store) still get protection by an integrated system called Google Play Protect or SafetyNet. As a result, millions of Android devices, the apps installed on them, and additionally installed features are checked for threats, and countermeasures are taken. For more information on Google Play Protect and on how to check if your device is protected, go to Android – Certified.

iOS

Apple’s mobile devices have one big advantage: The hardware and the operating system come from the same manufacturer. Therefore, unlike Android, Apple is in full control of the update cycle.

Apple has regularly published security updates when security vulnerabilities were detected. However, there are no explicit provisions on how long Apple offers updates for an iPhone generation. So far, Apple has supported every generation of iPhones with security updates and updates for the operating system for at least four years.

Windows 10 Mobile/Windows Phone

Windows 10 Mobile is no longer being developed but security updates will be provided until the official life cycle of each version expires (e.g. 1709 – Fall Creators Update).

Windows Phone 7.x and 8.x are no longer supported and do not receive security updates anymore.

Microsoft guarantees updates for its mobile operating systems for a period of 3 years. Since the Windows 10 Mobile operating system, the devices get updates directly without any detours via different manufacturers. The only updates that are delivered separately are driver updates that do not come from Microsoft.

Security settings for advanced users

Tips on the secure handling of e-mails and the browser apply to both desktop computers and laptops, as well as smartphones and tablets. Please note the following tips, particularly regarding mobile devices:

  • Deactivate automatically opening links in your QR code reader: Some QR code readers automatically open scanned links, without displaying them beforehand. Criminals can use this function to lure users to fake websites.
  • Never transmit personal and important data via public Wi-Fi networks, which many shops or restaurants already offer today.
  • If possible, use specialised apps for your transactions (e.g. banking apps), instead of using the browser on your mobile phone.
  • Back up your data regularly. Many manufacturers and apps offer automatic backups of photos, contacts or other personal data. Make sure that this data, which is usually stored in the cloud, is not publicly accessible. You can check this in the settings and change it if needed. Alternatively, you can save your data manually on your computer as well.
  • Deactivate Wi-Fi, Bluetooth and NFC as soon as you no longer need them. By doing so, you close potential points of attack and reduce power usage.
  • If you need Bluetooth for constant connectivity to a headset or smartwatch, deactivate the visibility of your mobile device in the Bluetooth settings.
  • Deactivate public location sharing to avoid sharing information about your location via social media or similar services. For example, this information could be used to find out the best time to break into your home while you are away. You have to distinguish whether an app is only allowed to access your location as part of its function, or whether it is authorised to share your location publicly. The former can be configured under “App permissions” and is safe to use with trustworthy apps. The latter is critical when it comes to your privacy. Therefore, you should deactivate it in the settings of the relevant app.