CERT-In Advisory
CIAD-2020-0013
Securing Mobile Devices and Applications
Original Issue Date: April 08, 2020
Description
The current global health situation has changed the way people accomplish their regular jobs, with an increasing number working
from home instead of an office. Cyber criminals attempting to take advantage of the COVID-19 pandemic are now turning their attention
to mobile devices to spread malware, including spyware and ransomware.
Mobile devices and apps must therefore be appropriately secured to prevent sensitive data from being lost or compromised, to reduce the risk of
spreading viruses, and to mitigate other forms of abuse. The following measures are advised for protecting mobile devices and apps and the
sensitive data contained on them:
- User Authentication
Restrict access to the device by requiring user authentication. Most mobile devices can be locked with a screen lock, password or
personal identification number (PIN). By requiring authentication before a mobile device can be accessed, the data on the device is
protected in case of accidental loss or theft of the device. Use a strong password in order to make it more
difficult for a potential thief to access the device.
- Update Mobile OS with Security Patches
Keep the mobile operating system and its apps up to date. Mobile operating systems like Apple's iOS, Google's Android platform and
Microsoft's Windows Phone provide regular updates to users that resolve security vulnerabilities and other mobile security threats, as
well as provide additional security and performance options and features to users.
- Installing & using apps
Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device's
manufacturer or operating system app store. Do not download from unknown sources or install untrusted enterprise certificates. Apps that
are available from third-party sellers may not be legitimate and could contain malware.
Always read the reviews and research the developer before downloading and installing an app. Make sure you understand what information the
app will access. Read the permissions the app is requesting and determine whether the data it is asking to access is related to the
purpose of the app. Pay special attention to apps that have access to your contact list, camera, storage, location and microphone. Read
the app's privacy policy to see if, or how, your data will be shared.
- Update Apps
Keep app software up to date. Apps with out-of-date software may be at risk of exploitation of known vulnerabilities. Protect your mobile
device from malware by installing app updates as they are released.
Delete any apps you don't use. For example, if you downloaded an app to help you plan a holiday and you don't need it any more, get rid of
it. That way you don't need to worry about updating it.
- Social media apps
Be cautious with signing into apps with social network accounts. Some apps are integrated with social network sites; in these cases, the
app can collect information from your social network account and vice versa. Ensure you are comfortable with this type of information
sharing before you sign into an app via your social network account.
- Utilizing Wi-Fi networks
Limit activities on public Wi-Fi networks. Public Wi-Fi networks at places such as airports and coffee shops present an opportunity for
attackers to intercept sensitive information. When using a public or unsecured wireless connection, avoid using apps and websites that
require personal information, e.g., a username and password. Additionally, turn off the Bluetooth setting on your devices when not in use.
If you do need to visit secure sites or access private data while you're out, consider using a Virtual Private Network (VPN) service.
A VPN encrypts your traffic, so others on the public network cannot read it. Turn off Wi-Fi and Bluetooth on your phone while you're not using
them.
- Don't Fall for Phishing Schemes
Watch out for scams and phishing attempts on your phone, either by SMS message or email. Be cautious about clicking on links or opening
e-mail attachments from untrusted sources, as they may be from a fraudulent source masquerading as a friend or legitimate company.
- Add a Mobile Security/antivirus App
Search and select a reputable mobile security app that extends the built-in security features of the device's mobile operating system.
- Do not store Passwords
Many apps offer to save the password so that users do not have to repeatedly enter their login credentials. This is an unsafe
practice: in the event of mobile theft, these saved passwords can be harvested to gain access to personal information.
- Enforce Session Logout
Users often forget to log out of the website or app they are using. Make sure you log out of personal accounts on your
phone after making payments or shopping online. If you stay logged in and someone steals your phone, they could get access to your account
details, as well as your credit card information or bank accounts.
- Apply Multi-Factor Authentication
Multi-Factor Authentication adds an extra layer of security when a user logs into an app. Multi-factor authentication also
compensates for weak passwords, which can be easily guessed by attackers and compromise the security of an app.
- Disable options and applications not in use
Reduce security risk by limiting the device to only the necessary applications and services.
- Other measures
Avoid jailbreaking: tampering with your mobile device's factory security settings makes it more susceptible to attacks, or makes it more
likely that your device will be used to attack other systems.
Be cautious when charging. Avoid connecting your mobile phone to any computer or charging station that you do not control, such as a
charging station at an airport terminal or a shared computer at a library. Connecting a mobile device to a computer using a USB cable can
allow software running on that computer to interact with the phone in ways you may not anticipate.
When you stop using your mobile device (for example, if you give it away or sell it), completely clear all data and settings on it by
resetting it to its factory default. This will clear all of your personal information from it.
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003
India