Think of it this way: Your computer might have sensitive work documents, banking information or personal records, but there are only a few ways people can access those files — in person, via a network or over the Internet.
Your smartphone is almost always on, connected to the Internet, logged into your email and social media, and likely has at least a username stored for your bank account. Your smartphone contains as much sensitive information as your wallet does — more, if you count the contact information for your family and friends.
A smartphone is a whole different beast, said Yuval Ben-Itzhak, the chief technology officer of AVG Technologies, an American subsidiary of the Czech security firm Grisoft. At an AVG event here on Sept. 4, Ben-Itzhak explained that the average smartphone has several avenues of attack.
Smartphones can access the Internet, which puts them at risk for a variety of malware and compromising exploits, but malware can come via almost any phone function. Text messages are easily exploitable, especially since an average text-messaging app takes no security precautions. They open automatically and load as soon as your phone connects to a network; in effect, they can't be blocked.
At the Black Hat 2011 security conference in Las Vegas, researchers even demonstrated a proof-of-concept that infected iPhones with malware via charging stations. Although they did not distribute any harmful software, they showed that this behavior, called "juice jacking," could be a threat. If a malicious hacker ever implemented a scheme like this, he or she could conceivably infect hundreds of phones each day.
Hackers also monetize these hacks in fairly subtle ways. Rather than stealing credit card information to buy themselves luxury yachts or scads of DVDs on Amazon, tangible goods that are extremely easy to track, they often subscribe users to premium texting services, which often cost as little as $3 per month.
These scams are much more common in Eastern Europe, where users get charged for premium texts on the spot rather than monthly.
Many (but not all) users will catch the extra charge on their phone bills, cancel the service and prevent the malefactors from ever getting their money. But an enterprising hacker can nickel-and-dime his or her way into relative richness.
Hackers do not represent the only mobile threat, either. Leaving your Wi-Fi and Bluetooth functionality activated when you don't need to do so represents a considerable privacy risk. Phones broadcast signals that reveal their model number and location information, and some malls are now leveraging this feature.
By tracking phones, malls can get a good idea of their shoppers' demographics (even though there's no way to identify users, phone preference varies by age, sex and race), which shops their patrons visit and how the two correspond. If users download retail-specific apps, stores can also track when users enter and leave their premises and communicate accordingly, but downloading an app at least allows the user to choose whether or not to participate.
Retailers are not the only entities interested in aggregating mobile data. Up until recently, recycling bins in London had the same functionality. The City of London wanted to gather data on cellphone usage without any apparent end goal in mind, and walking by a recycling bin while your cellphone's Wi-Fi is active would transmit your phone's build and location information directly to the British government.
Public outcry put an end to the invasive bins, but while the City of London — which represents only a small, somewhat separate financial hub in London, not the larger city — was the first government entity to try such a tactic, it probably will not be the last.
In order to keep your mobile information private and safe, keep Wi-Fi and Bluetooth turned off unless you need them, and install a mobile security suite on your phone. Ben-Itzhak also recommended disabling or uninstalling social media apps — the HTML versions of Facebook and Twitter are more secure, and much easier on a phone's battery life.