Date: 24 September 2018
Author: Mr. 陳惠康, Gold Award winner of the Cyber Security Professionals Awards 2017 (網絡安全精英嘉許計劃)
In today's landscape of global mobility and digital transformation, with the shift towards "mobile first" and even "mobile only", there is no doubt that mobile devices are the first choice for end users accessing Internet application services. With mobile technology so widely adopted, a wide range of mobile Apps, from banking services and merchant payments to email, lifestyle and gaming, have become part of our daily life. User experience is the major factor in whether a mobile App succeeds.
Beyond user experience and attractive layouts, the other side of mobile that people must consider is security. Like desktop and laptop computers, mobile devices (iPhones, iPads, Android devices, etc.) must be secured appropriately to prevent leakage of sensitive user information or compromise of the device itself. The following security considerations help protect mobile devices:
1. Lock the Mobile Device with Password / Fingerprint with Proper Timeout Settings
If a mobile device is lost or stolen, password / fingerprint protection can, to some extent, prevent or deter unauthorized use of the device. However, if a weak password or an overly long timeout period is used, the device can easily be gotten into. Although it is not easy to set a complex password on a mobile device, it is still recommended to use a password that cannot be easily guessed and to set a short timeout period (such as 30 minutes or less) as a basic security protection.
2. Do not leave your Mobile Device Unattended at Any Time
A device left unattended may be stolen, which also increases the risk of unauthorized use of the device or even data leakage. Password / fingerprint protection and a reasonable timeout setting are the practical ways to protect the data and the device in this situation.
3. Avoid Auto-Payment or Auto-Logon Features without Re-confirmation
Mobile payment services offer excellent user experience. Some mobile Apps or web services offer similar convenience through "remember username" or "remember password" features, so that the password no longer needs to be keyed in to log in or make a payment. If so, consider not enabling "remember username" or "remember password", so as to mitigate the risk of unauthorized use if the device is lost or stolen.
4. Be careful of social engineering / phishing scams
Attackers target sensitive personal information / data because such information can be sold for money. Cybercriminals commonly use social engineering (such as phishing emails and URL links) to lure people into providing personal information. Hence, when browsing the Internet, pay close attention to potentially malicious links that may be harmful to you.
5. Be careful when accessing Public Wifi / Wireless Access Points
Public Wifi / Wireless Access Points are inherently insecure, particularly those that are open to anonymous access without a password. Hence, try not to perform payment transactions or transmit sensitive data through public Wifi / Wireless Access Points, and if you must, consider using encryption such as SSL or a VPN.
6. Consider using Private / Secure Mode when browsing Internet
Current-generation mobile devices provide a private / secure mode for browsing the Internet. From a security and privacy perspective, consider turning this mode on so that the user's browsing behaviour cannot be easily tracked or traced.
7. Disable any unused Applications and Options
To reduce security risk, limit the mobile device to only the necessary Apps, options and services. For example, the fewer Apps installed, the fewer software updates for security vulnerabilities are required. Similarly, when Bluetooth or Infra-Red (IR) is not in use, turn it off to mitigate the risk of unexpected network access to the device.
8. Keep the Operating System (OS) and Mobile Apps Up-To-Date
To mitigate security threats to mobile devices, apply security / patch updates to the Apps and OS, either by enabling automatic updates or by accepting security updates when prompted by trusted sources such as the device / OS / App manufacturers, so as to fix known security loopholes or vulnerabilities.
9. Avoid Rooting / Jailbreaking
Rooting or jailbreaking, which breaks the factory security settings, makes a mobile device vulnerable to cyberattacks. Mobile Apps running on rooted / jailbroken devices may also be vulnerable to attack, particularly financial or payment-related Apps. It is therefore strongly suggested, from a security / integrity point of view, not to run any business or financial application on a rooted / jailbroken device.
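The App-side counterpart of this advice is for a financial App to check for root indicators before allowing a sensitive transaction. The Python below is an added example and is not code from the original article or from any particular App; it models the commonly published Android heuristics (well-known `su` binary locations, a build signed with `test-keys`, and `/system` mounted read-write). The filesystem probe, build tags and mount list are injected as parameters so the logic runs offline on constructed sample devices; on a real device these would come from `os.path.exists`, `android.os.Build.TAGS` and `/proc/mounts`. The function and constant names are this example's own.

```python
"""Root-indicator check with a policy decision for financial transactions.
Added example, not from the original article. Inputs are injected so the
heuristics can be exercised offline on constructed sample devices."""
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Locations where a "su" binary or superuser manager commonly lives on
# rooted Android builds (well-known public heuristics; not exhaustive).
SU_BINARY_PATHS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/su/bin/su",
    "/data/local/xbin/su",
    "/data/local/bin/su",
    "/system/app/Superuser.apk",
)


@dataclass(frozen=True)
class RootAssessment:
    indicators: List[str]

    @property
    def likely_rooted(self) -> bool:
        return bool(self.indicators)


def assess_root(path_exists: Callable[[str], bool],
                build_tags: str,
                mounted_rw: Iterable[str] = ()) -> RootAssessment:
    """Collect root indicators. `path_exists` stands in for os.path.exists,
    `build_tags` for android.os.Build.TAGS and `mounted_rw` for the mount
    points currently writable (an App would parse these from /proc/mounts)."""
    found = []
    for path in SU_BINARY_PATHS:
        if path_exists(path):
            found.append(f"su binary or superuser app present: {path}")
    # Official release builds are signed with release-keys; "test-keys" means a
    # custom or unofficial build, which frequently accompanies rooting.
    if "test-keys" in build_tags:
        found.append(f"build signed with test-keys: {build_tags}")
    # /system is read-only on a stock device; read-write implies tampering.
    if "/system" in set(mounted_rw):
        found.append("/system mounted read-write")
    return RootAssessment(found)


def policy_decision(assessment: RootAssessment, transaction_type: str) -> str:
    """Defender-side policy matching the article's advice: refuse financial
    transactions on a likely-rooted device, allow the rest with a warning."""
    if assessment.likely_rooted and transaction_type in {"payment", "banking"}:
        return "deny"
    if assessment.likely_rooted:
        return "allow-with-warning"
    return "allow"


# Constructed sample devices (not real device data).
STOCK_DEVICE = {"files": set(), "tags": "release-keys", "rw": set()}
ROOTED_DEVICE = {"files": {"/system/xbin/su"}, "tags": "test-keys", "rw": {"/system"}}


def check_device(device: dict, transaction_type: str) -> str:
    """Run the assessment for one constructed device and return the decision."""
    assessment = assess_root(lambda p: p in device["files"], device["tags"], device["rw"])
    return policy_decision(assessment, transaction_type)


if __name__ == "__main__":
    for name, device in (("stock", STOCK_DEVICE), ("rooted", ROOTED_DEVICE)):
        result = assess_root(lambda p, d=device: p in d["files"], device["tags"], device["rw"])
        print(name, policy_decision(result, "payment"), result.indicators)
```

These checks are a signal rather than a guarantee: root-hiding tools exist precisely to defeat them, so an App should treat a clean result as "no evidence of rooting" and keep its server-side controls (transaction limits, step-up authentication) in place regardless.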
10. Download and Install Mobile Apps from Trusted sources
Some mobile apps are embedded with malware or redirect to malicious locations that collect personal information when accessed. To protect the mobile device from compromise or data leakage, it is strongly recommended to download mobile apps only from well-known, trusted App stores.
11. Encrypt the Mobile Devices if Possible
Encryption is useful for protecting user data, particularly sensitive data, against loss. Hence, for mobile devices processing business information such as emails and files, data encryption is necessary to protect the important information.
12. Regular Backup of the Mobile Data
Make sure that a backup copy of the necessary data is in place in case the mobile device is lost. Consider encrypting the backup copy if the device data is important and critical. When adopting cloud-based backup, make use of the security features offered (such as encryption, integrity checking and password protection) to protect the backup copy of the mobile device data.
13. Consider setting up remote wipe / remote kill features
If the mobile device is lost or stolen, the user can wipe the data or even "kill" the device remotely so that it is no longer accessible and cannot be misused. More often than not, the location of the lost or stolen device can also be identified through the remote wipe / remote kill features.
14. Perform Factory Default / Data Clearance before decommissioning the Mobile Device
New device models are usually attractive, and consumers often change to new mobile devices while the original devices are donated / given to others. In addition to migrating the data, before decommissioning the old device, and from a data security perspective, remember to perform a factory reset or data clearance to clear all configurations and data containing personal / sensitive information, so as to prevent data compromise / leakage.