We’ve heard this question about mobile devices from users all over the world at different events and conferences that we attend. It’s a natural question to ask given the amount of vulnerabilities, hacks, and exploits reported on an almost daily basis about our digital infrastructure.
Security exists on a spectrum. Nothing in life can be said to be 100% safe. This is true for the digital world as much as it is true for the physical world. When discussing security we have to think about the available options as well as the most probable attacks.This gives us a framework in which we can say something is safe or not.
Many feel that their desktop is safer than their mobile device but when examining the evidence on digital security this isn’t the case. This feeling can be quite natural and is probably rooted in the fear of loss or theft of the mobile device. Something bigger and stationary often feels safer than something smaller and mobile.
The most common way malicious actors get access to digital accounts is through social engineering. Cyber-criminals manipulate users or a user’s social network into giving up information that helps them gain access to user accounts. This has nothing to do with the safety of operating systems, or the hardware people are using. It has everything to do with users’ behavior and the information they give up to others. Mobile devices aren’t any better or worse on this front than your average desktop or laptop because it’s an issue of user behavior not hardware or software.
A common attack used by social engineers is convincing a phone company to transfer a user’s phone number to their own device. This allows them access to accounts that are linked to the victim’s phone number. The mobile device’s security hasn’t been subverted, the telephone company has been manipulated. We highly recommend not linking your phone number to any important accounts. Some in the crypto-currency industry have been hit by this type of attack. This attack has nothing to do with the security of the device and everything to do with the incompetence of telephone companies. Realize that while headlines might show “Bitcoin Stolen from Mobile Phone Hack”, what’s really been hacked was a centralized telco company and the centralized exchange tied to a phone number not the device itself.
The next most common threat to users is malware (malicious software). Once downloaded, cyber-criminals can remotely access your device and perform a variety of tasks. Many users have expressed concerns over specific malware known as a keylogger which logs a user’s key strokes and are used to collect any information a user types like sensitive passwords, banking information, etc. Although rare, keylogger malware does exist for mobile and is another reason why you should use two-factor authentication(2FA) for your accounts. If 2FA is set up properly, even after obtaining account information through keylogger malware the cyber-criminal won’t be able to access your account without the second factor.
The best way to protect yourself from malware, like keyloggers, is to be mindful of where you’re downloading software from. On desktops and laptops you are open to install raw downloads onto your device from pretty much anywhere. Just because you can do something doesn’t mean you should. Make sure you are always downloading software from a reputable source.
Mobile vs Desktop Security
App Store Screening
The good news is that mobile device users usually download from the operating system’s respective app store. These stores are typically safer environments to download software from than random sites on the internet or third party app stores. The applications on the mobile device app stores go through a screening process and Apple and Google have the chance to remove any malicious applications. They can’t catch everything and don’t have security experts looking at the code of every application but if you’re only downloading applications off the app stores the probabilities of downloading malware are going to be smaller than many other options. In contrast, desktop/notebook computer use frequently requires us to download and install various applications from the global internet. Anything from tool tray apps, device drivers, price tickers, office suites, photo editors, and messaging apps. All of which expose the user to unscreened applications.
Not only do the app stores scan for malware but the mobile devices themselves use security mechanisms such as sandboxing that help mitigate the threat of malware. Even if a user happens to download malicious software their device will be able to isolate that software and create separation between the malware and applications on the device. These techniques prevent vulnerabilities from spreading to other applications or to other critical device resources. In contrast, a typical desktop application has nearly full access to the entire desktop machine including hard drive storage, screen, keyboard, and mouse input. Hence the reason why users frequently download extra security software to scan for and protect against malware
In addition, many mobile devices encrypt the data stored on a device by default and the data can only be decrypted by some type of passcode set up by the user and hopefully only known by the user. This has been standard in iOS since the iPhone 5S and now in most modern Android devices. Even the device manufacturer and law enforcement can’t access the stored data. This was demonstrated in 2016 when Apple and the FBI could not get into the iPhone of the perpetrator of the San Bernardino terrorist attack because of the strong encryption employed by Apple. In contrast, the data stored on many desktops computers aren’t encrypted by default and require an extra step in settings or even 3rd party application to be installed. This extra friction leaves the average user with an unencrypted device which puts their data at risk in the event of loss or theft.
In addition there is much more malware specifically designed for desktops compared to their mobile counterparts. PCs and Macs have been around a lot longer than their mobile brethren so it makes sense that there would be more malware. Cyber-criminals are rational economic actors and want to go after the biggest markets with the best bang for the buck.
iOS vs Android
If we had to rank the security of the existing dominant mobile software platforms, iOS and Android, iOS would come on top for some of the same reasons mobile can be more secure than desktop options. Apple’s app store is much stricter and more diligent than its Google Play rival, iOS is a relatively closed and stronger sandboxed environment compared to Android, and there is a considerably larger amount of malware designed to corrupt Android based mobile devices compared to iOS. In addition, Android security updates can take much longer to roll out than iOS updates because multiple entities have to sign off on the update before it gets deployed to end users. iOS only needs one entity to approve security updates: Apple.
We highlighted that risks do exist and there are bad actors out there but the probabilities of a successful attack on a mobile device are quite low. According to a study conducted in 2015 by security firm Damballa(now a part of Core Security Corporation) only .0064% of mobile devices in the United States were infected by malware. The researchers pointed out this was less than the probability of being struck by lightning in your lifetime(.01%). Still, users should exercise best mobile security practices, especially when using cryptocurrency.
- Ensure your device has full disk encryption enabled with auto-lock turned on
- Enable 2FA on all sensitive accounts
- Do not install software from unknown sources
- Do not install “custom keyboard” apps which may expose your keystrokes
- Do not jailbreak or “root” your device as this gives malware open access to your device
- Keep your device updated with the latest operating system security patches
Download Edge for iOS Download Edge from the Play Store Android APK Direct Download