There's no doubt that we users are our own worst enemies when it comes to security on smartphones and tablets.
We often don't password-protect our devices. We download apps without checking them for malware. We jailbreak our iPhones and root our Android phones. We don’t use anti-virus or anti-malware software. We don't watch where we use our phones. We carelessly leave them lying around. And so on.
That said, every user can change his behavior and improve security — up to a point. But there are a number of security threats to mobile devices that can't be controlled — or sometimes easily detected — by the user.
"Some of the main concerns for smartphone and tablet users would be vulnerabilities that might exist in certain parts of the operating system, like browsers or Flash, that can be exploited by going to a certain URL or opening certain file attachments," said Matthew Dieckman, product line manager for secure remote access at San Jose, Calif.-based SonicWALL. "In this case, the user may be unaware of whether this tablet or smartphone has been compromised or not."
Vulnerabilities in operating systems are some of the biggest hidden security threats to mobile devices.
"There have also been several vulnerabilities discovered in smartphone operating systems," said Jason Hong, chief technology officer and co-founder of Wombat Security Technologies in Pittsburgh. "For example, in late 2011, some researchers discovered some permission escalation bugs, which would let apps be able to circumvent Android's protection mechanisms and essentially do anything."
"A more subtle vulnerability is with the accelerometer built into all modern smartphones," Hong continued. "Accelerometer data is generally not considered sensitive data. However, researchers have recently developed algorithms that can infer what you are typing on soft keyboards, making it easier to guess one's passwords."
If someone knows your password, he can exploit another hidden threat and remotely install apps onto your phone. "Android smartphones come with remote install functionality," Hong said. "This functionality is useful if your smartphone is stolen, allowing you to add an app to locate your phone after the fact.
"However, remote install is also a potential vulnerability," he added. "If bad guys ever get access to your Google account, they can also access your smartphone — meaning that they can install whatever apps they want on your phone, even if they don't have physical access to it."
Another security threat found on your smartphone, but not on your PC, is the user's inability to check Web links before clicking on them.
We've been advised for years to always double-check a link's URL, or Web address, by placing the cursor over the hyperlink. If the actual URL doesn't match the destination you think you are heading to, you shouldn't click on anything.
With smartphones, you usually can't read the URL until you click the link and go through to the destination page. That leaves you open to drive-by downloads and other browser-based threats.
While it certainly isn't convenient to do so, it's safer to type the actual URL into the browser address bar yourself, even if you feel you can trust the link or the sender.
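One way to automate the hover check described above, comparing the host a link's visible text claims against the host its href actually points to, as an added example (JavaScript; not code from the article or from any of the quoted companies, and the sample links are constructed):

```javascript
// Added example: flag anchors whose visible text names one host while the
// href actually leads somewhere else, the mismatch a reader is told to look
// for before clicking. Uses only the WHATWG URL class built into Node/browsers.

// Normalise a host for comparison: lower-case and drop a leading "www."
function normaliseHost(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

// Return the host named in the visible link text when the text looks like a
// URL or a bare domain ("https://bank.example/login", "bank.example");
// return null when the text carries no host to compare ("Click here").
function hostFromText(text) {
  const t = text.trim();
  try {
    const u = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "http://" + t);
    return /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(u.hostname) ? normaliseHost(u.hostname) : null;
  } catch {
    return null;
  }
}

// Classify one link as "match", "mismatch" or "opaque" (nothing to compare).
function checkLink(text, href) {
  let actual;
  try {
    actual = normaliseHost(new URL(href).hostname);
  } catch {
    return { verdict: "opaque", shown: null, actual: null };
  }
  const shown = hostFromText(text);
  if (shown === null) return { verdict: "opaque", shown, actual };
  return { verdict: shown === actual ? "match" : "mismatch", shown, actual };
}

// Constructed sample anchors, as they might appear in an e-mail or text message.
const SAMPLE_LINKS = [
  { text: "https://www.example.com/account", href: "https://www.example.com/account" },
  { text: "www.example.com/login", href: "http://example.com.attacker.invalid/login" },
  { text: "Click here", href: "https://example.net/promo" },
];

// Audit a list of {text, href} anchors and attach a verdict to each.
function auditLinks(links) {
  return links.map((l) => ({ ...l, ...checkLink(l.text, l.href) }));
}

for (const r of auditLinks(SAMPLE_LINKS)) {
  console.log(r.verdict.padEnd(8), r.text, "->", r.href);
}
```

An "opaque" verdict is not a clean bill of health; it only means the visible text gave no host to compare, which is exactly the case where typing the address yourself is the safer choice.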
Speaking of trust, Android users are often warned against downloading apps from third-party websites, since they theoretically won't be screened as thoroughly as apps from the official Android Market. The truth is murkier. Where we get apps is in our control, but how well the apps are vetted is not.
"Google does not do a good job vetting apps," said Denis Maslennikov, senior malware analyst with Kaspersky Lab's global research and analysis team in Moscow. "Getting apps from [the] Android Market is safer, but they aren't going to be 100 percent secure. It is still possible you'll download an app with malware."
"Hackers are creating a lot of fake apps in the hopes of tricking people into installing them," Hong said. "These fake apps might be ones that pretend to be a legitimate one, in the hopes of getting your username and password.
"For example, criminals have created a fake Netflix app, fake mobile banking apps and fake anti-virus apps. These fake apps might also be a free version of a for-pay app, which the criminals have modified to contain malware."
Hidden threats also include software, such as the recently discovered CarrierIQ, that's secretly installed by the smartphone manufacturer or cellular carrier.
"Depending on [the] smartphone, users may be able to run detection software to identify if logging software is installed. However, it's not always possible to disable [it]," said Daniel Ford with Toronto-based security firm Fixmo.
Smartphones are essentially at the mercy of the cellular networks to which they connect. A hostile operator network, which can be set up with a cellular minitower costing a few thousand dollars, can inject undetected software updates into a smartphone, and also install spy software to steal data. This is especially a problem in untrustworthy locations in Eastern Europe.
Believe it or not, specially crafted text messages can inject code into your phone. So the bad guys send text messages loaded with backdoor Trojans, or they send them with malicious links.
In some cases, the poisoned SMS messages are stealing information off your phone. In other cases, they are using your phone to text-spam your contact list, which can cost you a lot of money if you have a limited texting plan.
This is a relatively new threat. QR codes — those two-dimensional barcodes that look like a robot's fingerprint — are growing in popularity, as more companies are using them to attract customers for special deals or more information on a product. You're supposed to scan them using your smartphone's camera, then open them up with an app which will bring you to a promotional website.
Not surprisingly, the bad guys have gotten in on the act, and are developing QR codes that take smartphone users to a malicious website. You have no way of knowing this is happening until it's too late.
So how do you know if your device has been the target of a malicious attack? In general, a user may not know if his smartphone or tablet has been compromised, but he should look for abnormalities in how the phone or tablet is working.
Maslennikov said if a smartphone is connecting to the Internet more slowly than usual without any reason or warning, it may be because of malware on the device.
"Check your phone bill closely each month, too," he said. "If you see a lot of extra charges, your phone may have been taken over by a hacker."
SonicWALL's Dieckman thinks it's better not to wait so long.
"On most smartphones or tablets, the users can check which programs are running," he said. "If they see something that was not opened by the user, they should uninstall the program or may have to factory reset the device to remove the problem."
Maslennikov pointed out that many of us think our smartphones or tablets are safer than our desktop computers. They're not, and in some ways we make them even less safe because we often don't think of securing our mobile devices in the same way we would our computers.
You may not be able to outsmart all of those hidden mobile threats. But by installing robust anti-virus and anti-malware software, as well as ignoring unknown emails and text messages, you can increase your odds that your data will stay safe.