8

Like a lot of people, I pretty much run my life on the Web these days. I use online bill pay, I shop at Internet retailers, I keep in touch with friends electronically, &c. I'm pretty comfortable with the standard home computer security setup for that stuff: physical router, antivirus suite, strong passwords, that sort of thing.

Are smartphones at least as secure at storing sensitive data as a home computer with that standard protection level? I'm thinking of stuff like credit card numbers, passwords, financial information and health records. I don't know if something about their architecture or the fact that they're on cell networks makes them less safe.

In particular, I always look for the green HTTPS indicator in my browser when I need to do something secure-ish on my computer, but I have no idea how apps store the data I punch in, or how to tell whether they use secure/encrypted transmission techniques. I end up not doing anything with my phone that involves money or passwords, which means I'm missing out on a lot of the benefits of what is really a cutting-edge piece of technology.

The best resource I've been able to find so far is Android Guy Weekly: Is Cellular More Secure than WiFi?, which points out some differences between cell and wi-fi systems but doesn't give much advice about what to do about them.

If it helps, assume for simplicity's sake that the phones in question connect to the outside world (i.e. the Internet) via cell only, not wi-fi or Bluetooth or anything else.

Edit:
In retrospect, I should have asked two separate questions: "are cell networks as safe as wi-fi," and "are smartphones/tablets as safe as desktops/laptops." I guess it's too late to try to separate the two now. At least it looks like the former question has sorta-kinda been brought up on this site before, though with mixed results.

Pops

6 Answers

8

I will have to vehemently disagree with the comment that "your mobile phone is more secure against malware". This is a dangerous and very wrong statement of the state of mobile phone "security" - and if it is based on anything, it is based on inappropriately interpreting currently skewed statistics.

As a security enthusiast and a developer on mobile phone platforms I can tell you mobile phones are no more, and probably less secure than other systems, period.

The reason mobile phone statistics may currently be low is more of an "opportunity" issue - in that, unlike computers that CAN BE found on networks, the networks that mobile phones reside on are more, well, mobile - therefore ambiguous to directly target.

That said, there is a long history building of exploits that are being seen and growing through the current single points of failure in both iOS and Android - the app stores - as well as browser-based attacks that are growing.

New points of exploit injection are growing with aggregation and crowdsourcing apps that are the trend on both genres of devices (I work for a company that provides exactly this type of app).

Do not think that your mobile device is secure. It is not.

makerofthings7
Tek Tengu
  • +1 plus the recent FTC judgment against HTC http://www.theverge.com/2013/2/22/4017746/htc-settles-with-ftc-over-insecure-logging-software suggests telcos and device makers may layer on vulnerabilities. – zedman9991 Mar 13 '13 at 18:17
  • Agreed with your disagreement. In addition to what you said, it's much easier to get tricked into installing an infected application on a mobile phone compared to a computer program. – Overmind Jun 25 '19 at 11:13
2

Your mobile phone is more secure against malware. There's a lot of data indicating that if you follow basic security practices (only download apps from an official app store; don't side-load apps from other sources; keep the phone updated; keep backups), then phones are more secure against malware than desktop PCs. Malicious apps on the official markets are rare; it's relatively rare for people to have their phone infected because of a malicious app that they got off an official market, whereas it's common for people to have their desktop PC infected because of malware.

The biggest risk with your phone is that it is more easily lost or stolen. Therefore, if you have sensitive data on it, you may want to enable a PIN-unlock code, and enable "track my phone" and "wipe my phone" functionality so you can use it if you lose your phone.

Secondarily, many phone apps rely heavily upon "the cloud" and upload data to the cloud. If you don't want that to happen, you may need to be slightly more careful.

Also secondarily, a big challenge for Android phones is that they don't always receive security updates in a timely fashion -- and after a certain period, security updates are no longer available. This is frustrating and a definite risk factor, particularly if you're using an older phone or if you plan to keep your phone for several years.

D.W.
1

I'd say there are tradeoffs. Mobile operating systems enforce stricter security policy than PCs, for example actively monitoring the controlled app market for malware, giving apps specific permissions to access certain information on your phone, lack of traditional file system, sandboxing, etc (this often goes out the window if the phone is rooted/jailbroken however).

The fact that you're required to give apps permissions might give a false sense of security however, since you're often required to give apps access to things that seem unrelated, which means you just end up accepting everything without question. In regards to privacy, you're also often encouraged (if not required) to share your location, call log, messages, emails, etc.

There is also the risk of losing your phone or having it stolen, a risk which will probably be much greater than having your PC stolen from your home. Yes, you can install wipe apps, locators, etc. - but they're not foolproof. I'd rather lose an encrypted laptop than an unencrypted smartphone with wipe capability.

GBC
1

No they are not. Initial thoughts:

Reason 1: Most smartphones are protected with a 4-digit PIN. Even simple Windows/Linux/Mac passwords are generally better.

Reason 2: Smartphones very often go online through public routers without a password. That means the data 'in the air' between your phone and the router can be sniffed.

Reason 3: Security updates come through very much slower than on a 'regular' computer. This is especially the case for Android phones. Both the phone manufacturer and your telecom provider have often 'enhanced' the OS with their own extensions, and you have to rely on them that those extensions are safe and that they pass on updates quickly enough (they don't).

Reason 4: Your smartphone has a much larger attack surface because it not only communicates over Wi-Fi, but also has NFC and Bluetooth technology and is even a phone ;-)

  • Simple Windows/Linux/Mac passwords protect your data from a casual, physical intruder. Otherwise - non-physical attacks, Linux-happy 12-year-old - it's not going to help :). – sourcejedi Mar 13 '13 at 13:04
  • Is reason 2 still valid in 2017? If a person uses a smartphone browser or USB-tethers the phone to a laptop to access the internet, is HTTPS data still 'sniffable' on the public router of the cellular service provider? Citations? – Nav Nov 17 '17 at 16:13
1

I have no idea how apps store the data I punch in, or how to tell whether they use secure/encrypted transmission techniques.

You can't. Many apps don't, or they claim to, but have been found to use protocols in an insecure way (not checking certificates).

You also don't mention your mobile web-browser. There have been articles suggesting they're not as effective at highlighting whether the site is secure or not. Screen size is one obvious limitation here.

Apps from UK banks will generally attempt to use secure encryption. There have been non-encryption related failures (which are reported to be fixed). OTOH the UK government tries to regulate banks, and you do have certain resorts if you become a victim of fraud through no fault of your own.

In a similar vein, Amazon is able to do stuff on their UK website like allow one-click buy without entering the usual CSC credit card code, because the retailer always bears fraud risk, and they've made that tradeoff for higher sales. If you report fraud on a credit card, the general UK rule is that your losses will be made good. (Though things change over time, people try to wriggle, and there may be some special cases to watch out for. Try to find a reliable citation for it, which would point out limitations).

The general UK rule for online payments is probably to use a credit card (not a debit card), and check your statements as they arrive for unexpected payments.

You may notice a certain qualification being repeated in this answer from a UK resident. I suspect EU laws look fairly similar, but I'm not sure what the overall US scenario looks like :).

These sort of protections are less useful for private information. You can't make good the disclosure of a medical condition in the same way. And it'd be harder to discover, prove, dispute and/or sue for, even if you're in the EU.

sourcejedi
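An added example (my own, not code from any answer above or from any app) using Python's standard `ssl` module to show the failure sourcejedi describes: a client that "uses TLS" but never checks the server's certificate, beside a correctly configured client, and a small audit function that flags the weak settings. The function names are my own.

```python
import ssl
from typing import List

# Constructed example: two TLS client configurations as an app might build
# them, plus an audit that reports whether the peer is actually verified.
# No network access is needed; only the context objects are inspected.

def insecure_context() -> ssl.SSLContext:
    """The anti-pattern: TLS is 'used', but the server's certificate is never
    checked, so anyone who can intercept the connection can present any cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain is not validated at all
    return ctx

def secure_context() -> ssl.SSLContext:
    """create_default_context() already validates the chain against the
    platform trust store and checks the hostname; we also pin a TLS floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for the settings that decide whether the client can
    tell a genuine server from an interceptor. Empty list means none found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate "
                        "chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any "
                        "other host would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings

if __name__ == "__main__":
    for name, builder in (("insecure", insecure_context), ("secure", secure_context)):
        print(name, audit_tls_context(builder()) or ["no findings"])
```

The same three properties are what to look for when reviewing an app's networking code or its TLS configuration, whatever language it is written in.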
1

The ultimate security of any system depends on the mindset, knowledge, and intelligence of the user. The second consideration after this would be the mobile phone platform we're discussing. iOS-based devices are generally less susceptible to compromise due to a centralized secure app store and the lower numbers of known viruses of their kind. But that doesn't mean that they're more secure.

For example, an updated but rooted Android running SELinux with a firewall, a proper password, without Bluetooth, tunneling all traffic through a VPN and having minimalistic application packages (and even then from a trusted source) can in my opinion be much more secure than a normal Windows 7 PC.

A really good question indeed, but the attack vectors here have been left too ambiguous.

For starters, the conventional 4-digit numeric PIN code is clearly a -1 for mobile security against hard-hacks as compared to desktop security. Then again, utilities like Kon-Boot demonstrate just how easy it is to break Windows security if you have hard access.

Conventional "anti-virus" s/w use pattern detection among other methods to exhaustively determine if a file is malicious or not. This approach does not port well to mobile devices due to lighter h/w installed on them and even more importantly the limited battery life.

What I'm trying to imply here is that it is not logically possible to compare the safety of smartphones directly to that of desktop computers because of differences in platform, usage, user audience, hardware and beyond.

Reference: Some basic study I did for my blog. http://jedicorp.com/security/kids-take-on-mobile-app-security/

Rohan Durve