When security analysts look at the potential weaknesses in a system, they talk about how much “surface area” is exposed to risk. Mobile computing is an incredible convenience but it has also sizably increased our personal surface areas. Smartphones and tablets extend network access to our sensitive data well outside the home and office, and the devices themselves are physically small and vulnerable to loss and theft.
With all that in mind, you can reduce your risks by arming yourself with effective security apps. These select apps can help protect your security on a number of different fronts.
Protecting Mobile Passwords
Among the most vulnerable attack vectors these days are our passwords, which we must use between devices and somehow maintain uniqueness between sites and services. Fact is, many people do not – and that can turn out to be a mistake when a weak service is compromised, revealing a password you use on multiple sites with sensitive personal data.
LastPass is a multi-platform app which can manage passwords across devices and help you generate secure ones unique to each site. Using the LastPass app you have access to the same logins you use on your desktop, while they are stored in a secure form.
Although the app is free, you will need a $12/year LastPass subscription to use it beyond the 14-day trial period.
VPNs to Secure Remote Access
Virtual Private Networks, or VPNs, are essential for ensuring secure communications. A VPN builds an encrypted tunnel between your device and a remote server. For corporate use, a VPN is often the only way you can remotely access company assets. But even for personal use, a VPN secures communications which might otherwise be potentially vulnerable, such as using your device over open Wi-Fi connections like those at public hotspots like libraries and cafes.
You must have a VPN server to connect to in order to use a VPN. This is beyond the scope of this article, but one popular type of VPN server is called OpenVPN Connect. Likewise, the free OpenVPN Connect app for Android makes it easy to connect to a compatible server. When connected, a persistent notification icon reminds you that the VPN connection is in place and your activity is secured.
Encrypting Mobile Data
Mobile devices store lots of personal data – from text messages to camera photos to any documents you’ve loaded onto the device, either through a physical network or downloaded from a cloud storage service.
Besides network-based attacks, simple theft can provide a treasure trove of data to criminals. They can download data from your device or, if it has removable SD-card storage, simply pop the chip into a card reader and plunder your data. Unless your data is encrypted, that is.
Encrypting data can be complicated, but it is worth the learning curve. A popular solution is the free and open source TrueCrypt for desktop machines. With TrueCrypt you can create a virtual “folder” which contains multiple files. The entire folder is encrypted and portable between devices. Android users can get the free app EDS Lite which can access TrueCrypt containers. (Containers must be created with particular configuration settings.)
A more user-friendly but service-specific data encryption app is Boxcryptor Classic. This app will automatically encrypt data stored on cloud services like Dropbox, Google Drive and Microsoft SkyDrive. It does not require the learning curve of using TrueCrypt but offers limited functionality in its free version. A paid Boxcryptor account buys you realtime encryption to multiple cloud services simultaneously.
For corporate users, DataNow from AppSense is a more sophisticated encryption solution which works end-to-end between the client device and many kinds of corporate resources.
Interest in email encryption has been on the rise lately, particularly in the wake of the various reports about NSA activity. While encrypted email is an effective way to keep your communications private from the prying eyes of superpowers, it is also somewhat cumbersome to implement. PGP has long been the favored tool for generating encryption keys and messages, but it is not always the easiest software to master.
AGP for Android helps smooth the path by integrating PGP encryption with the popular Android mail client K-9. While you’ll still need to understand and implement public and private keys, with AGP you can more easily fire off and decode encrypted emails without a lot of manual cut-and-paste work.
For iOS users, the app iPGMail smooths the process for creating and managing PGP keys. Although it is not an email client itself, it provides some integration with the built-in iOS Mail App so that messages and attachments can be encrypted on-the-fly. However, the process is not friction-free, as messages must be pasted from the mail app into the PGP app for decoding.
Malware, Remote Control and Mobile Device Tracking
You might be surprised that anti-virus apps haven’t made this list yet. Although the technology media is quick to highlight studies about the rise of Android malware, most of these risks do not apply to typical users. Android malware is real, but it is largely confined to sideloaded apps which are acquired through unofficial channels – specifically, outside the Google Play store. There have been exceptions, but they are hardly epidemic, and the Play store has been further hardened against hidden malware.
That said, anti-virus apps have a place, both for personal security and potentially for corporate legal reasons. Long-time desktop anti-virus maker Avast has made a strong claim for the Android space with its Mobile Security & AntiVirus app. In addition to malware scanning, this app also provides defenses against lost or stolen devices. You can disable lost Android devices using remote disable and wipe, or track their location.
iOS users do not need third-party apps for basic lost device defenses. Particularly with iOS7, Apple’s iCloud now functions as a remote device management console. Lost or missing devices can be remotely disabled and even located using iCloud, assuming you have an iCloud account and can log into it.
Still, there are apps that can provide additional functionality. GPS Location Tracker by FollowMee will silently track a device’s movements, which are accessible through a Google Map view on the companion website. A free account supports realtime tracking and a seven-day history; longer histories are available with a paid account. The app also supports “geo-fencing,” meaning that you can define boundaries (via the Web service), and receive alerts when the device is moved outside these virtual fences.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet.