Smartphone security checker from the FCC

It was developed in conjunction with the DHS, the FTC, the National Cyber Security Alliance, CTIA-The Wireless Association, Lookout, and other public and private sector partners. Its purpose is to help protect the 120 million American smartphone users (but it will benefit all smartphone users everywhere). According to the FCC, fewer than 5% of smartphones use third-party security software, while more than 40% have no anti-virus software. More than half of users do not use password protection – and a phone is lost or stolen every 3.5 seconds.

Against this backdrop, the FCC has compiled ten rules for a secure phone tailored to each of the four leading platforms. They range from setting PINs and passwords, to reporting stolen phones, and are product specific wherever possible. 

The weakest area is possibly where it needs to be strongest: Android. Android’s very nature, and to many users its great strength, is its open approach. This automatically makes the hardware and software more vulnerable. “99% of new threats are aimed at the Android smartphone,” PandaLabs' technical director Luis Corrons told Infosecurity. But it also makes the market more fragmented, with different device vendors providing different versions of the operating system. This complicates rule #7: Accept updates and patches to your smartphone’s software. Google might fix a vulnerability in its latest version that remains unpatched in the older versions still supplied by some vendors.

Corrons points to another difficulty. Rule #5 states ‘understand app permissions before accepting them.’ It’s good advice, says Corrons, “but users often do not understand the implication of the required permissions, and rarely do the vendors explain the necessity.” This is confirmed in the FTC’s Mobile Apps for Kids report published earlier this month: “Indeed,” it says, “most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data.”

ESET senior research fellow David Harley thinks a connection between bad sources and jailbroken iPhones could be made, but added, “even I have to admit that iOS viruses are rarer than dodo's teeth.” If asked to add one other rule, he said, it would be to install third-party security software, but “don't assume that once you've installed security software, you don't have to bother with the other stuff.”

While it’s easy to criticize the FCC’s ten rules for a secure smartphone, “this is a context where more detail and precision would be seen as potentially confusing. If people read these and follow the advice reasonably closely,” said Harley, “it will make them more secure, and that can't be bad.”
