f5-nz logo
Story image

Safe and sound

01 Nov 2009

As mobile phones take on more of the functionality of computers, they’re also taking on the security risks. Chris Leggett investigates how you can keep your mobile secure

Sitting at a café on Auckland’s Ponsonby Rd for a mere 10 minutes back in 2005, Mike O’Donnell (not his real name) detected 12 Bluetooth-capable mobile phone devices within a 100-metre radius using his laptop computer. He could have launched a malicious attack on five of these devices using a simple set-up consisting of one laptop, one readily available bootable CD, one retail-grade USB dongle, and roughly one hour’s practice.

Thankfully, O’Donnell was doing this only in the name of security research. Owing to the methods he must undertake in the name of research, his work is fairly sensitive (hence the pseudonym), but just be thankful that he’s on your side.

However, there are many others also capable of such acts who aren’t on your side; quite the contrary, in fact. Even though mobile security measures have increased as the technology has improved, so too have the abilities of hackers and those of dubious intent. And the continued convergence of mobile phones and computers means that your phones are now susceptible to many of the same threats as your PC. “Anything you do with your desktop or your laptop has now moved to your mobile,” explains O’Donnell. “They have the functionality of a computer now, but people don’t see it that way.”

Before the advent of smartphones, mobile phones were typically considered to be ‘closed systems’. Users could make and receive phone calls and text messages, but there was no inlet for malefactors to breach the device. But now that wi-fi, Bluetooth and Internet connectivity features are standard on many contemporary handsets, there are many inlets – and mobile users may have grown too accustomed to closed-system devices to take the necessary precautions.

With that in mind, here’s a list of top tips to make your mobile just that little bit more secure.



Smartphone manufacturers will update their device’s operating system in order to plug security gaps as they arise. But if you haven’t downloaded the latest version, then your phone may still be vulnerable. Usually, you’ll be prompted to download such updates, which are generally provided free of charge, and they can typically be accessed from your device itself. Failing that, try searching for your handset on the manufacturer’s Web site.


On PCs, users can often unwittingly surf to malicious Web sites designed purely to infect visitors’ computers with malware. But while most computers enjoy the protection of anti-virus software that will alert users to fishy sites, the overwhelming majority of mobile devices don’t. Sometimes these sites can appear rather convincing, and they may ask you to provide username, password and even credit card details (even if it’s only for verification purposes). A number of things should get your own alarm bells sounding, however, such as poor spelling and grammar, and the fact that a reputable organisation will never ask for your password or other personal details.


It may be tempting for some iPhone users to ‘jailbreak’ their phones – a process that allows a user to run unofficial code on their devices – but doing so really does open your phone up to all manner of risks. Jailbreaking allows you to install applications that have not been authorised by Apple, and as such, there is a chance that malicious code may be included. Such code can do anything from ‘bricking’ your iPhone (effectively rendering it unusable) to sending sensitive data back to the programmer. Charlie Miller, famous hacker and security analyst said, “If you care about security, don’t use a jailbroken iPhone”. The man should know – he recently pointed out the iPhone’s most dangerous security flaw yet: a loophole that allowed code to be sent via SMS that could leak the personal information of any iPhone user. Jailbreaking also voids your warranty, so it has the potential to cause you a whole lot of heartbreak.


When people think of security in a computing and technology context, it’s often easy to overlook the simple notion that even losing your phone is a security hazard. If your mobile ends up in the wrong hands, they may have access to any number of your personal details that may have already been entered into the device. Be sure to activate any password features on your phone, and if it supports ‘remote wipe’ – the ability to delete all data from a missing phone using an Internet-enabled computer – it might pay to consider setting up this feature if you fear your device contains sensitive information. Your phone’s specific security features should be detailed in the accompanying instruction manual.


Every mobile phone should have a unique serial number known as the International Mobile Equipment Identity (IMEI). Typically, this 15-digit number can be found on the back of your handset (underneath the battery) or by entering the combination *#06# on your phone’s keypad. iPhone users can find it on their phone’s ‘About’ screen, or on the SIM tray (on the iPhone 3G and 3GS). This number can be used by your carrier to prevent a missing or stolen device from accessing its network, and also by police to identify a phone in the event that it’s recovered.


While wi-fi or Bluetooth allows access to other devices from your phone, they can also present a window for other devices to access your phone. If they’re not in use, switch off your wi-fi and Bluetooth; this will effectively render your mobile invisible to potentially malicious lurkers.


It can be tempting to save on mobile data by leeching Internet from any available and unsecured network when you’re out and about using your mobile phone. But there are risks to this approach, and some unsecured networks have been set up purely to phish passwords and other sensitive details from unaware users. Make sure that any wi-fi hotspot you connect to is a trusted one, and be especially careful at airports, which are a known haven for such dodgy networks.


If you’re ever prompted to install an application or offer passwords or other private information, don’t just assume that it’s legit. Take whatever measures you can to ensure the validity of any such sites, programs and applications.


If you’re not wise to the warning signs of an inbound security threat, or if you’re simply disaster-prone, then you may wish to consider picking up a security client for your phone (if indeed there is one available for it). Security providers such as Kaspersky and Symantec offer such a solution already, and many more will release as the need arises. Many mobile phone anti-virus packages allow remote wipe functionality, the ability to track a missing or stolen phone using GPS and the ability to block unwanted calls and text messages, on top of other measures for combating cyber crime.GLOSSARY

JAILBREAKING: An unofficial procedure that allows code and applications not authorised by Apple to run on iPhones. Apple decries the procedure and even claims that it infringes on the company’s copyright. It’s popular with iPhone users, however, as many of the features that jailbroken phones can adopt are not offered by official Apple-sanctioned applications. For example, while the iPhone does not support video recording, there is an unofficial application for jailbroken phones that allows this. Jailbreaking does remove the layers of protection that authorised apps provide, however, and unofficial apps can be given access privileges beyond that of official apps. Jailbreaking your iPhone voids its warranty.

PHISHING: The process of electronically obtaining sensitive details from an unaware user by masquerading as an official entity. Phishing is commonly used by cyber criminals to access such details as usernames, passwords and credit card details from unwitting Web surfers. A common means of phishing is to run a fake but official-looking Web page in which a user will enter their username and password details, subsequently revealing these details to the phisher. Phishing scams have affected all manner of popular Web sites, including social networking sites MySpace and Facebook. Web surfers should be sure to double-check that the URL or Web address is correct when entering their username and password details on any site.

MALWARE:  Short for ‘malicious software’, malware is designed to infiltrate a user’s computer or mobile device without their informed consent. Viruses, Trojans, worms and spyware are all examples of malware. Such malicious programs are often intended to relay information about a user to the programmer, or to redirect a user’s search results to paid advertising.