Musings on Mobile Security

Like almost everyone else in the world, I have a smartphone. In my case it’s a Palm (now HP) Pre. It’s fun to use, and it’s pretty useful–it lets me check my e-mail, surf the web and play Angry Birds. And, of course, it’s a phone too.

But what would happen if I lost it? Or somebody stole it? How much trouble would I be in? I don’t keep my social security number or driver’s license number on it.  I do have my bank account numbers in a Memo. And, of course, it is attached to my various e-mail accounts (Wayne Connect, Gmail, AT&T), so anyone who found it could read my e-mail. They couldn’t find my passwords (I have different ones for my Wayne account and the other two) because they are not accessible, but they could send messages from my account, look at my calendar and my contacts. Is this a risk I’m taking? Sure it is, although I’m careful never to put really sensitive material in my phone.

I do access sensitive websites occasionally (such as Wayne Connect through the web browser), but I have to type in a password, and I don’t allow the Pre to store the password and fill it in automatically.

So recently I’ve been experimenting with locking my phone. Now, whenever I turn it on I have to type in a four-digit PIN before it will give me access to the rest of the phone. You can make emergency calls without a PIN, incidentally. And when the phone rings you can answer it without the PIN too.

I have friends with BlackBerries, iPhones and Droids, and they all have the same characteristics. On the Pre it’s on the utility called ‘Screen and Lock’, and it allows you to choose either a password or a 4-digit PIN number. Here’s what the screen looks like:

On the iPhone it’s under Settings > General > Passcode Lock.  The passcode screen looks like this:

On the Droid it’s under Settings > Location and Security > Security, and you can choose either a PIN number or a swipe pattern:

So, should you lock your phone? As I said, I’ve been keeping mine locked for about a week, and it’s not too obtrusive. How much of a risk am I running? I have no sensitive university-related data on my phone, and I could probably password-protect my memos and not bother otherwise, since nothing else is risky. I’m not sure where I’m going to go with this, and am interested in others’ thoughts on this. What do you do? What do you think you should do?

11 Replies to “Musings on Mobile Security”

  1. As a non-smart phone user this issue, besides cost and needing ‘offline’ time, is one of the reasons I haven’t bought a smart phone. Many of my friends and family don’t have a password on their phone and I can’t help but wonder, what might happen if it was lost/stolen. Besides the hassle of replacing the phone, how much time and effort to reset all your old passwords – not just the major sites. Lastly, I highly recommend backing up your contact list via spreadsheet (GoogleDocs is great if your a Gmail user) and having a few emergency numbers in the wallet because you never know when your smart/dumb phone might be a paperweight! Please keep us updated on how obtrusive entering a pin every time you use your phone Dr. ProfTech!

    1. Interesting thoughts. Thanks for coming by. I keep track of my passwords with an online utility called lastpass. It’s pretty cool, and a simplified version is available free. The usual disclaimer–I don’t have any stock in this company, incidentally. They also own Xmarks, which keeps track of your bookmarks across different computers and different browsers. Both of these are, of course, pass-word protected themselves.
      I will report occasionally on how annoyed I am about typing in the PIN.

  2. Another thing to keep in mind is that Android apps are not immediately screened for security. If you are on the Android platform, look up the application you are about to buy/download, before installing it. In most cases you are fine, but you still need to do your homework to make sure that you are downloading a safe app.

    1. Same is true for Pre apps. In fact, there’s both an approved app store supplied by Sprint but also a hacker community set that requires jailbreaking your phone (not hard–just type in a long code) and connecting to the open-source app ‘store’.

  3. There is another side to WSU security using smartphones and iPod Touches. Why can’t we log on securely to WSU facilities using VPN? Many people at Wayne have these devices and would like to be able to both log into WSU facilities and securely encript connections. I have been raising this question for several years and hope C&IT will address it. Of course, it probably means using software other than that provided by Juniper Networks.

    1. Sorry it took a while to find the answer to this, but it turns out that you can log on to Wayne’s VPN with mobile devices. There is an app called Junos Pulse, which is available from the iOS app store and the Android store, as well as the Blackberry app store. Install it and log in and you’re good to go.

  4. Great post. I have an Android phone that has a security mechanism called “pattern lock.” Instead of using a password or PIN number, you choose a pattern across 9 “dots” and you have to draw the correct pattern to unlock the phone. (See image/example here: (http://allandroidblog.com/wp-content/uploads/2011/09/Security-Pattern-Lock.png) I personally like this a lot better than having to type in something each time–it’s just a swipe of the screen. Of course this only works with touch screen smart phones…

    I wish more people understood that when they do not protect their own data/devices, they are also putting their contacts at risk. I recently was receiving some spam text messages. I suspect that my number may have been stolen from one of my Facebook friend’s accounts that was compromised. Makes you think twice about what you’re sharing on social networks, too.

    1. Your second paragraph makes an excellent point. There will be a web broadcast later in the month about the risks you take when you post on Social Networks that we’ll be heavily publicizing.
      I think only Android phones have the pattern system, which is rather cool, I must admit. My Pre only has PINs, as, I believe does the iPhone.

Leave a Reply

Your email address will not be published. Required fields are marked *