Continuing with the reports published this October 2016 by the National Cryptologic Center, we are going to summarize, in the form of advice, the one that deals with “Good Practices in Mobile Devices”.
In its introduction, the CCN-CERT points out that the proliferation of mobile devices, together with their increasing functional capacity, places these devices at the center of attention of possible attackers. Three pillars contribute decisively to the defense that all of us must maintain over our mobile devices: awareness, since we all need to be clear that the threat is real and the danger exists; common sense in the way we use the mobile; and good practices in configuration. The report focuses on these good practices and seeks, in its own words, to “describe these practices in order to help end users protect and make the safest possible use of mobile devices, delving deeper into the configuration and use of the protection mechanisms that currently exist”, offering security advice and recommendations.
Improving protection against unauthorized physical access, improving the confidentiality and security of information storage and improving security in communications with other equipment and services are the axes around which the recommendations revolve.
Decalogue of recommendations
Keep the screen locked whenever we are not using the mobile
The mobile must always have the screen lock option activated, and unlocking it must always be protected by an access code or, if the device allows it, by fingerprint. We will be careful never to leave the mobile without locking it and, as far as possible, not to allow functionalities while the screen is locked. It is recommended not to display notification content or give access to quick controls. It is also recommended to disable Google Assistant (or Now) on Android or Siri on iOS.
Encrypt the mobile device
It is recommended to use the security features of the mobile device itself to encrypt its content, and not to use external storage cards if they cannot be encrypted. If we have an iOS device (Apple devices), encryption will be active if an access code has been established. On Android devices, you must go to Settings > Security > Encryption and follow the instructions. On Android, encrypting a device can be a long process and should not be interrupted, since doing so risks losing data.
Always keep the operating system and applications (Apps) updated
The updated version fixes security vulnerabilities and improves the ability to avoid attacks on the device. However, we must remember that there may be vulnerabilities that are unknown or not yet fixed by the manufacturer. We must always exercise caution when faced with strange messages or links and, as the report insists, always apply common sense before doing anything, particularly when responding to a message or visiting a website.
Do not connect the mobile to unknown USB ports and do not accept any relationship of trust through USB without ensuring that the computer is trusted
Modern mobile devices ask us to establish a relationship of trust the first time we connect them to a computer via USB. To establish this relationship, it is necessary to unlock the mobile device first and then confirm it. The recommendation is not to connect the mobile device to unknown USB ports and not to accept any trust relationship via USB unless we are certain that the mobile device is being connected to a trusted computer. Also, when using Android, we will not enable debugging via USB (an option found in Developer Options), to prevent applications from being installed over USB. As always, we insist on not leaving the mobile device unattended without locking it.
Disable wireless communications that will not be used permanently by the user
Mobile devices have different ways to communicate: NFC, which allows short-range wireless communications, Bluetooth, in its various technologies, and Wi-Fi are the most common. The recommendation is not to keep them enabled and to turn them on only when they are going to be used. It is also recommended not to keep location activated.
Do not connect to open public Wi-Fi networks (or Wi-Fi hotspots)
In an open public network it is possible for an attacker to intercept and manipulate traffic, so if you need to use one of these networks, the recommendation is to always do it using a VPN service that allows us to encrypt all the traffic that we transmit over the network.
Do not install any application that does not come from a trusted source, such as the official Apps markets
We must not install Apps that do not come from a trusted source such as official markets (Google Play, App Store). It is not recommended to enable the functionality that allows the installation of apps from third-party repositories, and of course never install Apps from sources of dubious reputation, even if they are free.
Do not grant unnecessary or excessive permissions to Apps
Applications do not have access to the data of the mobile device by default; to access data or functions they must request permissions. These permissions will be requested at the time of installation or when the App needs to execute a certain functionality. The recommendation is not to grant unnecessary or excessive permissions. To do this, it is necessary to understand why an App asks for a certain permission, bearing in mind that a legitimate App from a reputable manufacturer must clearly explain the reasons why it needs that permission.
Whenever possible the HTTPS protocol should be used and an invalid digital certificate error message should never be accepted
When we use a Web browser on a mobile device, regardless of the program we use, it is up to us to use the HTTPS protocol (putting “https://” before the web address) and not to access any website for which the browser reports an invalid digital certificate. The main websites have an HTTPS page, and the browser shows us an icon in the web address line indicating that the secure site is verified. If we click on it, it will show us the certificate data of the web server.
Make regular backups
To avoid data loss due to breakdowns, loss, theft or any incident that makes access to data from our mobile devices impossible, the only possible prevention is to make backup copies. In this same blog we have covered this topic in various articles: “Backups on our devices. Why should we do them?”, “How to back up to Android phones” or “How to back up to iOS phones”.