Accessing personal and financial information on a smartphone can be as reckless as leaving bank statements or credit cards on the sidewalk. But with a few easy protections, experts say phones can be made much safer.
When it comes to mobile data, very little of what's stored on a phone is secure or private. Earlier this month, Congress asked Apple to update the company's app approval process after it was revealed that many apps pilfered phone contacts and other information without user permission. Then last week, The Wall Street Journal reported that Google created code allowing it to circumvent privacy settings on Apple's Safari mobile web browser. In a statement, Google said it didn't use any of that data.
Those cases may be just the tip of the iceberg. "I don't want to be this uber-alarmist, but there's so much we don't know about what companies are doing with private information," says Brad Spirrison, the managing editor of app review site Appolicious. Even if a company doesn't have designs on using, say, the numbers in your phone contact list for marketing purposes, just collecting them could pose a problem if hackers target its servers. Then there are the openly malicious attacks against cellphones, which are a small but growing problem, says Derek Halliday, senior product manager of security for Lookout, a mobile security company with a free protection app. At the beginning of 2011, the company estimates, 1% of U.S. Android phone users had encountered malware. By the end of the year, that number reached 4%.
The bottom line, experts say, is that consumers should assume that someone could be looking at anything on their phone. That's not to say it isn't safe to go shopping via a mobile browser or use an app to check a checking account balance. But people should take precautions to limit their exposure:
Thwart phone thieves
"The biggest concern still for businesses and for consumers is a lost device," says Tim Herbert, vice president of research for the Computing Technology Industry Association, a trade group. Many people don't password-protect their phone, and research shows that among those who do, the most common codes are 1234 and 0000. That leaves all information on the phone wide open to anyone who comes across it. Pick a less intuitive password -- or better yet, opt for a stronger one that incorporates letters and numbers, he says. Some carriers and manufacturers offer a remote wipe for lost or stolen devices, deleting all the data. Apple's free "Find My iPhone" app, for example, lets users locate a missing device, remotely lock it and then wipe it.
Use computer savvy
Threats typically targeting computers -- such as viruses, botnets and Trojans -- are increasingly focusing on mobile operating systems. Consumers' best course of action is to take precautions similar to those they already use for home computers. Developers create patches to protect against known vulnerabilities, and checking regularly for available updates can limit such risks, Halliday says. Consumers should also take care when clicking on unknown links in their mobile web browser, which could result in malicious software downloading to the phone, Herbert says. Some phones come preloaded with anti-spyware protections. There's also a growing market for free and pay-for mobile phone security programs, although experts say their usefulness depends largely on the type of phone.
Download with caution
Read reviews and compare options before downloading any apps, Spirrison says. App stores are the first line of defense, weeding out many of those that contain malicious code designed to steal information from or damage your phone. "Malware is almost a nonexistent problem on iOS devices because Apple applies so much scrutiny," he says. Users of Android, which is a more open platform for developers, should be more cautious, he says. Try out downloaded apps to check that they look legit, Halliday says. And check monthly phone bills, too -- a common tactic for malicious apps is to rack up bills for premium text messages.
Safeguard important data
Consumers who have to store sensitive information on their phone, such as confidential work documents or personal health records, should take the extra step of using an encryption program for storage, Herbert says. "You wouldn't just want to store that in a notes field on your phone," he says. Apps like SplashID Safe and mSecure cost $10, and protect files with encryption and passwords. Data can also be wirelessly and securely synced with other devices, in the event one needs to wipe a phone.
Review app permissions
App stores are adding more disclosures, requiring developers to ask permission to access various data on your phone. Consumers will recognize them as the pop-ups that appear when they open a new app for the first time. "We see among consumers that this is something that a lot of people do skip through," Halliday says. But they're worth reading, he says. Security apps like Lookout offer privacy features that monitor which apps are accessing what information. Plus, phone settings may allow users to toggle off an app's access to features like location awareness, which tells the app the phone's physical location.