Mobile phone AV & security

[Osem]

Hi guys, I've just got an LG GT540 to match the wife's. The only difference is that her's is Android 1.6 and mine 2.1.

Anyway, presumably these devices are susceptible to viruses etc. so while we're surfing the web, accessing e.mail etc. what security measures do we need to take? If using wi-fi hotspots are there any other risks/considerations we should be aware of whern it comes to other people being able to access our private data, emails etc.? Also, what role does a VPN have in any of this and, if it does, is it worth setting one up and how is that best done?

Bearing in mind we're both newbies to this, are there any simple but effective apps for handling this sort of thing?

TVM as always

[Damien]

I am unaware of how many successful viruses are out in the wild targeting Android. As far as I know this isn't a real problem yet, when you take into account that any program offering continues, real time, virus protection would be sapping your phone's resources and battery I wouldn't install anything yet. To be honest I don't see the traditional virus problem rearing it's head on mobile devices and tablets, they should be locked down enough to prevent malicious code from executing. Social Engineering is probably a bigger threat.

As for the 2nd part of your question. You do need to be aware that anything you send on a public network that isn't encrypted via SSL can be viewed by someone else on the same network. This can include logins, quite a lot of sites don't use SSL to protect your login details. Even sites that do use SSL for your login don't use it to transmit the cookie you can use to stay logged into your session, therefore someone can Hijack this session and access your account, even if they can't change the password.

E-Mails are often not sent via SSL so depending on your provider and settings anyone on the same open network could view them.

Not much you can do to protect yourself against this. Avoid open networks were possible, think carefully what you do on the ones your on, and use SSL for the sites that support it. Google supports it with G-Mail, now for all data, thus meaning the e-mails viewed in the browser are also protected.

[haydnwalker]

Why don't you just install an anti-virus app - my wife uses Lookout Mobile Security, which is a fairly good app.

However, just be conscious of what you install etc and you shouldn't need anything.

I don't use anything on my Nexus S

[Wayfair]

I use Norton™ Mobile Security.

Mainly for the remote locate, lock and wipe capabilities in case I lose it or it gets nabbed..

https://market.android.com/details?i...=search_result

[Osem]

TVM guys. Will look into your suggestions.

Damien - Do I assume that using mobile internet is safer/more secure than open wi-fi then? The wife buys a £5pm 1gb VM addon for her phone so doesn't really need to use free wi-fi when out and about. I don't do that yet so hence my question about public wi-fi hotspots.

My phone is linked to an existing google account that I mainly use just to have all my hotmail forwarded to as a sort of backup. When I access that account via my PC at home it shows https: and a padlock in the address bar. I can't see any of this when I access that account via my phone (I just get a list of my emails displayed on the screen) so do I assume my email access at this point is secure by default or do I need to set that up via the phone in some way. I've looked in the email settings menu and can't find any security options there.

Presumably when I connect to my home wi-fi network (which is secured), I'm not open to the above potential security problems, it's just when using open/public hotspots?

Finally in basic terms what data is it that can be improperly gathered when using insecure wi-fi. Is it just stuff that's actually sent from the phone during that session (which could include site/account logins, passwords, card numbers, email contents) or also anything that's received by the phone via that wi-fi hotspot at the same time.

Cheers as always!

ps. Remember guys, patience is indeed a virtue....

[Damien]

Quote:

Originally Posted by Osem

TVM guys. Will look into your suggestions.

Damien - Do I assume that using mobile internet is safer/more secure than open wi-fi then? The wife buys a £5pm 1gb VM addon for her phone so doesn't really need to use free wi-fi when out and about. I don't do that yet so hence my question about public wi-fi hotspots.

As far as I know, It is much safer. Let's be clear here, the dangers of the being on the Internet at all still apply; be it your home connection, your phone connection, or a public access point. However a open wi-fi network can mean other people on said network can intercept your data. Less likely on a private home or mobile connection.

Quote:

My phone is linked to an existing google account that I mainly use just to have all my hotmail forwarded to as a sort of backup. When I access that account via my PC at home it shows https: and a padlock in the address bar. I can't see any of this when I access that account via my phone (I just get a list of my emails displayed on the screen) so do I assume my email access at this point is secure by default or do I need to set that up via the phone in some way. I've looked in the email settings menu and can't find any security options there.

Does it show https the entire time or just when you log in? Basic rule of thumb is whenever you do not use https your information can be snooped on by anyone on the same unprotected network as you. So while you can login securely, the e-mails may be read, unless they are also protected by https.

I do not know if the information sent and received via your phone (IMAP I presume) is protected.

Quote:

Presumably when I connect to my home wi-fi network (which is secured), I'm not open to the above potential security problems, it's just when using open/public hotspots?

Yup.

Quote:

Finally in basic terms what data is it that can be improperly gathered when using insecure wi-fi. Is it just stuff that's actually sent from the phone during that session (which could include site/account logins, passwords, card numbers, email contents) or also anything that's received by the phone via that wi-fi hotspot at the same time.

Any data being sent via your phone and back to the internet that isn't protected by https. Anything. Sent or received as long as it's using that wireless network too transmit or receive it. Card Numbers are almost always protected by https as any secure login system would be, but as I mentioned that doesn't mean the entire session is protected.

I really would not worry though. The chances of people sniffing your data on a open network is very small, be sensible but not paranoid. Consider the size of the open network, a small cafe is unlikely to be much of a danger, and never send the really personal and important stuff over the net unless protected by SSL.

[Matt D]

Quote:

Originally Posted by Damien

As for the 2nd part of your question. You do need to be aware that anything you send on a public network that isn't encrypted via SSL can be viewed by someone else on the same network. This can include logins, quite a lot of sites don't use SSL to protect your login details. Even sites that do use SSL for your login don't use it to transmit the cookie you can use to stay logged into your session, therefore someone can Hijack this session and access your account, even if they can't change the password.

There's even a Firefox extension which "demonstrates" this...

[Osem]

OK, when I turn on my phone and select the gmail icon it just loads all my e.mails from the linked account - no need to enter the password. So, how do I stop anyone just accessing all of that if my phone is lost or stolen? There doesn't seem to be any way to set a password prompt.

TVM

[alferret]

http://www.bbc.co.uk/news/technology-12633923

[Arty-Media]

If you are just using the stock mail app or gmail app then it'll load with the default setting(s) you setup through webmail, If you have never activated https in webmail its highly recommended you do so!

Also if you can, upgrade to Froyo (Android 2.2) as its more up-to-date!

Lookout is what I use and I've never had any problems with viruses

[Osem]

Quote:

Originally Posted by Arty-Media

If you are just using the stock mail app or gmail app then it'll load with the default setting(s) you setup through webmail, If you have never activated https in webmail its highly recommended you do so!

Also if you can, upgrade to Froyo (Android 2.2) as its more up-to-date!

Lookout is what I use and I've never had any problems with viruses

Thanks for that. I've set my google account to https and my hotmail account too. Not sure what you mean about it loading with the default settings though. I had the account before I got the phone so where do I find them and how do I adjust them?

As regards Lookout - can you tell me more about that please. Cheers.

Many thanks.

avg do a free av for droid

[Arty-Media]

Quote:

Originally Posted by Osem

Thanks for that. I've set my google account to https and my hotmail account too. Not sure what you mean about it loading with the default settings though. I had the account before I got the phone so where do I find them and how do I adjust them?

As regards Lookout - can you tell me more about that please. Cheers.

Many thanks.

Erm to adjust go into account settings, its in your webmail eg, gmail.com

As for Lookout, its awesome! They now do a premium version which scans your apps to let you know what permissions they use n so forth..

What I really like though is the incremental backup of your pics onto their server so you can log into It via web & see your pics and download them in a zip file.

Also awesome is the lost phone bit where it can locate your phone (using something like Google maps) and also make It "scream" if you loose It, though these features depend on GPS & net being left on! Also they do a remote wipe & destroy option, have never used this but they claim they can wipe the phone so no personal data will be left for the tealeaves to snoop through!
Search the Android Market for It, I used to use mobile Antivirus but that used to hog the CPU and made my phone really sluggish, but Lookout does the job nicely :-)

Hope this helps.

[Osem]

Ah right OK thanks for the AV info.

Re the email issue, to be honest I only use the account to back-up my hotmail which is forwarded to it so I've left the settings at default settings since the account was opened so never really bothered looking into them. I can see it's possible (I think) to just display new e.mails received but what I am concerned about is someone getting hold of my phone and being able to gain access to all the emails stored on that linked account. Presumably even if they're not displayed by default someone with my phone could just alter the account settings to change all that. What I'd really like to be able to do is set the account so that when I try to access it from my phone I have to enter the password (this isn't the case at present). Currently my PC remembers my account password so do I have to disable that in some way in order to get my phone to require the password before opening the account? I've not used Gmail much so how would I do that if indeed it's possible?

Thanks again.

[Arty-Media]

Erm I'm not 2 sure to be honest, I dont think there is a way as most apps that access internet on Android is capable of auto-syncing the data...
I guess the only things you can do is make sure you have sim pincode on and also there should be a phone lock option somewhere, on mine I have the options of drawing a pattern, using a pin code or using characters for a password, I guess always try to keep your phone on you at all times!