With smartphones becoming more and more a part of our daily lives, the European Network and Information Security Agency (ENISA) has published a new report that details the top security risks of smartphone use and gives practical security advice for businesses, consumers and governments.
According to Gartner, worldwide smartphone sales doubled last year, and 80 million were sold worldwide in Q3 2010 alone. Any prevalent technology can pose security risks, and the 61-page ENISA report lists several key risks, including:
- Data leakage: a stolen or lost phone with unprotected memory allows an attacker to access the data on it.
- Unintentional data disclosure: most apps have privacy settings but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.
- Phishing: an attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or SMS/Email messages that seem genuine.
The report goes on to highlight the risks of spyware, network spoofing attacks and diallerware (where an attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers).
For consumers, ENISA makes the following recommendations:
- Always configure your smartphone in such a way that it locks automatically after some minutes.
- Before installing or using new smartphone apps or services, check their reputation. Never install any software onto the device unless it is from a trusted source and you were expecting to receive it.
- Scrutinize permission requests when using or installing smartphone apps or services.
For consumers and businesses, the report underlines the importance of properly decommissioning a phone before it is disposed of or transferred to another user. In such cases it is essential to wipe all the data and settings from the smartphone.
For government officials, ENISA recommends that sensitive data isn’t stored locally, that encryption software is used and that the smartphones should be periodically wiped (using secure deletion) and reloaded with a specially prepared and tested image.