“I feel that people accept a really big risk”
Daniel Juan Toral (Bachelor of Technology in Technology Management ’16) likes to rock climb. Because he knows the risks, he uses ropes and gets a spotter to safely exercise and have fun. “I take mitigation measures,” says the NAIT network security analyst.
“You can take similar measures with your phone,” he adds. But whether we’re using our smartphones to accomplish a task or entertain ourselves, do we always use the ropes and spotters at hand? Toral wonders if we don’t court disaster instead. “I feel that people accept a really big risk.”
For Android operating systems, even "really big" may be an understatement. In 2018 there were 5.5 million instances of malware, a slight drop from the previous two years, says independent IT security research group AV-Test. That’s a lot of chances to inadvertently install software designed to disrupt your Android system or steal data. (In comparison, we hear about fewer security threats with iPhones, says Toral, though that's not to say they don't happen. "Apple usually handles incidents with more confidentiality.")
“Usually people don’t think they have much information in their cellphones,” says Toral. Yet things such as passwords or credit card numbers they might store make them, and us, targets. Luckily, we have Toral as a spotter. Here’s his advice for not slipping up with Android-based devices.
Choose who to trust
“What drives a successful attack is gaining the trust of the victim,” says Toral. Unfortunately, consumers need to ask if even the manufacturers of their devices deserve that trust.
In 2014, Toral points out, a report revealed that an Android device made and sold in China contained a “back door” for external users to upload and download information, and even hijack the phone.
“I don’t want to scare people.”
“I don’t want to scare people,” says Toral. The report authors didn’t mind scaring people, though. To do so, they emphasized that the vulnerability was designed by the manufacturer of the phone. That it had nothing to do with the Android operating system “should make people think twice about the integrity of their mobile devices,” they said. Research before you buy.
Ask what that app wants
Everyone loves free apps. But why does that video game need to know your location at all times? Chances are, says Toral, it’s because marketers will pay for such information. Check to see what free apps actually want from you and decide if that’s a price you can live with.
But always beware of their origins, says Toral. Only download apps from sources that check them for hidden threats, such as Google Play or the Amazon App Store. If they’re offered by unfamiliar providers, “they probably didn’t put it in the app store for a reason.” Who knows what they might secretly do to your system.
In general, says Toral, limit the number of apps you keep on your phone.
Be phishing and malware aware
Canada Revenue Agency will never send you a text to say you’re owed a refund and a link to receive it. It’s the same kind of phishing scam – where a perpetrator sends a phony message containing a potentially harmful link – that you’d question when viewing it on your desktop monitor. It’s just that, now, those scammers have your number, too.
Now, those scammers have your number, too.
A phishing scam can trick you into divulging sensitive data and passwords or it can lead you to unwittingly install malware that, say, turns your device into a miner of cryptocurrency, endlessly running blockchain accounting calculations. Avoid this, says Toral, by doing three things:
- Use a trusted, updated browser. Try Chrome or Firefox on your Android device. “They’re more security-mature than other browsers.”
- Check the URL. Anomalies and misspellings in website addresses are known giveaways. Just as importantly, says Toral, look for addresses to be preceded by https: rather than http:. The former is encrypted. Taking away the s is like taking away the security.
- Click on the padlock. A trustworthy site will have a valid security certificate that can be viewed by clicking the lock symbol to the left of the URL. It tells you who vetted the site, when that oversight began and when it ends.
Never trust an open network
Free Wi-Fi – whoo-hoo! Before you accept, consider who’s providing the connection, says Toral. One type of “man in the middle attack” involves a hacker impersonating an open network. Signing on could be like dictating your passwords to a stranger.
“I wouldn’t do my banking on a network I don’t trust,” says Toral.
Signing on could be like dictating your passwords to a stranger.
There are two alternatives if you’re uncertain about an open network. One is to use your data plan, says Toral. Free, open Wi-Fi networks are not encrypted (you can check the status of a network in your connection settings; look for security protocols such as WPA or WPA2). By using data, you’re connecting to your cellular provider’s encrypted, safer network.
The other alternative for staying safe is to use a virtual private network, or VPN. Toral describes this as a protected tunnel of encryption that is created within an open network. They can be downloaded from various providers for a fee.
Don’t get paranoid, but …
The joy of our smartphones is that they put the answer to almost everything right in the palm of your hand. That convenience can easily be taken for granted. The machines give us so much, and without question, that we’re bound to let down our guard now and then.
It’s important not to be naive about that relationship, says Toral. It’s far from perfect.
Can we be certain Google Play is a flawless system? “We don’t have enough information to say there’s nothing malicious in those apps,” he says. Some certificate-granting authorities are being blacklisted for suspicious behaviour (browser such as Chrome should alert you to such a risk). As for VPNs, Toral adds, some may monitor your web habits and share them and other data with third parties.
"Everything is about who you trust and who you don’t.”
“You can become really paranoid but in the end you have to make a decision about the risks you take. Everything is about who you trust and who you don’t.”
Sometimes, the internet might leave you hanging by a thread. Do your best to know who’s holding the other end of it.