- Protecting your data can be as easy as keeping your apps updated and updating existing app permissions.
- Create strong, unique passwords and, when available, use two-factor authentication.
- Public Wi-Fi is convenient but can be a hotbed for potential intrusions. Avoid it or use a VPN service to keep your data safe.
In little more than a decade, smartphones have gone from expensive replacements for flip phones to multifunctional devices that we take everywhere and check dozens of times each day. With its ability to help with work-related tasks, find a date or whittle away our day in bite-sized chunks, the smartphone is a ubiquitous tool in our digital lives – thanks in large part to apps.
The apps we download are what make our phones unique to us. We entrust our data to these apps in exchange for their use. But what happens when that trust is violated? In recent years, major apps have been the center of massive intrusions from hackers and data breaches that have left our private data exposed.
To help you keep your private data safe, we spoke with security experts about the steps you can take to make sure the information on your phone isn't vulnerable – whether you're connected to your small business's network or just watching cat videos.
1. Keep apps updated.
The easiest thing you can do to protect your smartphone from intrusion is to make sure that the application you're using is the latest version. Nearly every phone on the market has the ability to constantly check that installed apps are up to date.
While it's easy to just set up your phone to automatically update apps, sometimes you need to grant it permission to download an update. This usually happens when the download is particularly large or the app needs special permissions to access parts of your phone.
Andrew Reshetniak, a staff security intelligence engineer at Lookout, said keeping applications up to date becomes especially important as developers find vulnerabilities.
"App developers try to address identified vulnerabilities as soon as possible," he said. "It is a good idea to get the fixed version of the app before corresponding vulnerability exploits become widely available."
Similarly, you should always download and install updates to the phone's operating system. Not doing so could leave discovered vulnerabilities wide open at the system level.
2. Only install apps from official sources.
In addition to keeping apps updated, it's important to only download apps from official sources. Whether you have an Android, Apple or some other kind of mobile device, each has an official app store that requires certain safeguards before an app can be sold on its storefront.
While nearly all phones can let you download and install applications from third-party locations (after you change a few security settings), cybersecurity experts emphatically warn against doing so.
"Applications from unofficial sources do not undergo the verification procedure, and therefore, the chances are much higher that you will encounter malware that can attack programs on the device," said Leigh-Anne Galloway, a cybersecurity resilience lead at Positive Technologies.
Downloading from the App Store or Google Play Store may be a safe bet most of the time, but Galloway also cautions against getting complacent, as malicious apps can sometimes slip through the cracks. One way to counter that issue, she said, is to pay attention to who made the app in the first place.
"If the developer has created other apps with suspicious names, such as Wi-Fi Booster, Easy Root or Funny Videos, then it might not be a trustworthy one," she said. "You can also check reviews online of the application before installation. If you see the app was mentioned as suspicious by even one user, don't install it."
3. Pay attention when granting permissions.
When downloading an app, it's likely you've just accepted any and all permissions it requested so you could get it running as soon as possible. Like the end-user agreements that we're all guilty of paging through without reading, app permissions are very important but largely ignored.
Experts say blindly accepting app permissions can leave you extra vulnerable, as apps can gain access to your device's camera, microphone, contact list or other sensitive areas of your phone.
"Apps have previously been discovered that ask for permissions they don't really need," said Ray Walsh, digital privacy expert at ProPrivacy. "If a [flashlight] app, for example, asks for permission to access your contacts and microphone, it is easy to see why this app might be doing something untoward."
While you're likely to have lackadaisically granted permissions in the past, the good news is you can go back and fix your mistakes. Depending on the version of Android your device uses, it can be as simple as finding the application manager and changing the privacy settings. Likewise, Apple users can go into the device's settings, tap Privacy and make changes to any previously granted permissions.
4. Practice good password hygiene.
Since most services require you to log in before using them, it's imperative that your passwords are secure. There are many ways to create stronger passwords. Take this step seriously, since more than 80% of breaches can be traced to poor passwords.
One simple way to make sure you're secure is to download and use a trusted password management app. These often come with tools to generate unique, high-strength passwords. The benefit to using a password manager like LastPass or 1Password is that they also remember those passwords for you, so the long, jumbled alphabet soup that is your new Google password can be easily stored, recalled and used.
You should avoid using the same password for everything you do on the internet. That way, if one service is compromised, the rest of your services are still safe. It is also a good practice to change your passwords regularly.
Two-factor authentication is a great way to ensure your accounts are secure. Rather than relying on a single password to verify that you're the right user, some apps ask you to enter a passcode that was either emailed or texted to you, while others will have an automated service call to confirm your identity. If your phone allows for it, fingerprint scanners can also be a form of identification. The more hurdles between your data and a digital attacker, the better.
5. Be careful when using public Wi-Fi.
Free public Wi-Fi can be convenient to have access to when you need it, but you should know the risks going in. Since the Wi-Fi network is open to everybody, there's no secure way of using the service. With zero encryption, anyone with a Wi-Fi-enabled device can see what everyone is doing.
According to Keeper Security co-founder and CEO Darren Guccione, a public Wi-Fi network can pose major problems for the average user.
"Open access points can be easily impersonated – there is no authentication mechanism to ensure that you're truly connecting to an airport or coffee shop access point," he said. "You could be connecting to a hacker's laptop or mobile device that is impersonating the access point, which gives them full access to all of your network traffic, opening you to man-in-the-middle attacks, which can allow the hacker to steal data and passwords."
One way to counter this is to use a VPN, or virtual private network. VPN services, which charge a monthly fee, work by obfuscating your traffic on the web. As a result, to someone monitoring traffic on a public Wi-Fi hotspot, what would normally show up as readable data would instead show up as encrypted data.
Ultimately, the best way to keep your sensitive data secure from public Wi-Fi is to not connect to the service at all.
6. Train employees on BYOD best practices.
As businesses continue to adapt to a constantly changing tech landscape, many are changing to a "bring your own device" model. In past years, companies had IT departments that heavily monitored and restricted what devices were allowed on their servers. To cut costs and boost productivity, however, companies of all sizes have started letting employees bring their own laptops and other Apple and Android devices from home.
Eric Williams, founder and CEO of Ijura, said employees' devices then become the weakest link in a company's security chain, leaving sensitive business data at risk.
"You could try preventing any non-company-owned device from accessing your network. But let's face it – that's not practical, especially for a small, growing business," he said. "The reality is, you and your employees are going to access sensitive business content on the same device from which you are checking Facebook and emailing friends. Personal apps can be a serious exposure point, as many hackers use legitimate apps to create trust with users whilst getting them to pass over sensitive information or download malicious content."
To combat that problem, Williams said businesses should have quarterly training sessions on online security best practices. During those sessions, employers should teach workers how to "recognize phishing emails and set fake traps for them as practice."
Rather than just teaching your employees about online security, Williams said, companies should consider implementing a "cloud-based mobile threat solution integrated with your company's mobile telecommunications operator. You can more easily protect all employee devices and data, including apps and email, while still respecting employee privacy. This software can recognize and reject suspicious apps, links, messages and sites so you won't even have the option to click."