This content is taken from the Raspberry Pi Foundation & National Centre for Computing Education's online course, Introduction to Cybersecurity for Teachers. Join the course to learn more.

Phone security

Many of us carry around extremely sensitive data in our pockets: our phones give us access to our bank accounts, to our work files, and to our apps, among other things. All of this data is only as secure as our phones and so, in this step, you will learn about phone security, and how to ensure that your phone is secure.

Password protection

Most phones are protected by a passcode, which is usually a series of digits or a pattern. As with passwords, the longer and more random the passcode is, the harder it is to guess. Because passcodes are typically four to six digits long, they are easier to guess than a password. However, many phones are programmed to lock down or wipe their contents if the wrong passcode is entered too many times. This fail-safe should discourage an attacker from trying to guess the combination.

However, a phone can give hackers physical clues to the passcode. When the user touches their phone screen, they leave grease from their fingers behind. The grease can show which places on the screen they touch often, and even hint at the order in which the keys were touched. Therefore, it is important to wipe your phone screen after use.

A finger unlocks a phone, leaving a smear of grease behind it
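
To put numbers on the two points above (a short passcode protected by an attempt limit, and smudges that reveal which keys are used), the following added example, which is not part of the original course material, counts the candidate codes in each case. The attempt limit of 10 and the four smudged keys are assumptions chosen for illustration.

```python
from math import comb

ATTEMPT_LIMIT = 10   # assumed number of wrong tries before lock/wipe; varies by phone
SMUDGED_KEYS = 4     # assumed number of distinct keys showing grease marks


def keyspace(length, symbols=10):
    """All possible codes of `length` characters drawn from `symbols` choices."""
    return symbols ** length


def codes_using_exactly(length, keys):
    """Codes of `length` digits that press each of `keys` known keys at least once.

    Counted by inclusion-exclusion: start from keys**length and remove the
    codes that miss one or more of the smudged keys.
    """
    return sum((-1) ** i * comb(keys, i) * (keys - i) ** length
               for i in range(keys + 1))


def guess_probability(candidates, attempts=ATTEMPT_LIMIT):
    """Chance that `attempts` different guesses include the one correct code."""
    return min(1.0, attempts / candidates)


def report():
    """Return (label, candidate count, chance within the attempt limit) rows."""
    cases = [
        ("4-digit passcode, clean screen", keyspace(4)),
        ("4-digit passcode, 4 smudged keys", codes_using_exactly(4, SMUDGED_KEYS)),
        ("6-digit passcode, clean screen", keyspace(6)),
        ("6-digit passcode, 4 smudged keys", codes_using_exactly(6, SMUDGED_KEYS)),
        ("8-character password (a-z, A-Z, 0-9)", keyspace(8, 62)),
    ]
    return [(label, n, guess_probability(n)) for label, n in cases]


if __name__ == "__main__":
    for label, n, p in report():
        print(f"{label:40} {n:>18,} candidates  {p:.4%} within {ATTEMPT_LIMIT} tries")
```

With a clean screen, the attempt limit leaves a 0.1% chance of guessing a four-digit passcode; with four visible smudges the same ten tries cover about 42% of the remaining candidates, which is why wiping the screen and choosing a longer passcode both matter.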

Biometrics systems

A new development in phone security is the use of biometrics systems. Biometrics systems use unique biological characteristics as authenticators. Some examples of biological characteristics used as biometric data include:

  • Fingerprints
  • Iris/retina patterns
  • Facial features
  • Voice patterns

Biometric data has several advantages over passwords. For example, users can’t forget it, and they take it everywhere with them. Because biometric data is unique, users don’t need to be able to create something secure.

mobile device with fingerprint scanner

However, biometrics systems are more expensive to build than password-based systems, and it is possible to forge biometric data. For example, fingerprints for mobile phone biometrics systems can be recreated using everyday materials such as sticky tape and lipstick, or a glue gun and tinfoil.

Remote access

Attackers may also try to break into your phone remotely. Remote access attacks work without the user needing to connect with a hacker’s phone or give them access permissions. Phones are vulnerable when they communicate with other networks, and devices broadcast information when Bluetooth is turned on or the device is allowed to search for wireless networks.

The information that a device broadcasts might help an attacker to tailor hacking software to the device, which would improve their chances of successfully carrying out an attack. Hackers can also use a device’s connection to gain access to the data stored on the device, or even gain control of the device and use it to make payments or phone calls.

To protect your phone from remote access attacks, you should keep Bluetooth and wireless network connectivity switched off until you are ready to connect to a trusted and secure network. It is also important to keep your operating system (OS) security updated. In addition, apps that require two-factor authentication (2FA) are better protected from remote attacks, because if an attacker gains access to a device, they will still need an additional password or other form of authentication to use the apps. You will find out more about OS security updates and 2FA later.

Permissions

So far, you have learned about how to protect your phone from external attackers, but the data is also threatened from within. When a user downloads an app, it asks for permission to access the data stored on their phone, including their contacts, camera, photos, location data, and more. Apps can even be given permission to turn on the user’s microphone and record their conversations.

App providers might use this data to optimise the app’s performance, or they may be trying to harvest and sell the data as part of the data economy. Malicious apps could also be used to collect data to steal the user’s identity and/or hack their accounts.

App store operators like Apple and Google take steps to check apps for malware, but they cannot protect phones from every threat. Therefore, when an app requests access to your data, it is important to double-check what data it wants to access, and think critically about whether you need to share that data with it.

Exercise

Which of the following do you think the game Candy Crush requests access to and why?

  • Name
  • Contact details
  • Contact list
  • Social media profiles
  • GPS data
  • Camera and microphone

You might find the website Terms of Service; Didn’t Read helpful to complete this exercise, or to check the permissions that you have granted to other apps.

Share your thinking in the comments section.

Next step

We rely on an up-to-date OS to protect our phones, and you will learn more about this in Week 2. In the next step, you’ll learn more about a form of data protection called two-factor authentication.

Questions

  • Why might an attacker choose to carry out a remote access attack instead of one of the other types of attack discussed in this step?
  • How might you best protect yourself from an attack conducted using a malicious app?
  • Is your phone more secure when protected by a passcode or by a form of biometric data?

Share your answers in the comments.
