Top 10 Security Tips for Smartphones & Tablets
Developed by the Office of Information Security
- Know Where to Get Help - This is a quickly evolving technical space. The services and features described here may or may not be available for your particular device (and/or additional protections not mentioned, like encryption, may be available). Get to know your Local Support Provider (LSP) and notify them if you have a lost or stolen device. For more information see: www.upenn.edu/computing/view/support/
- Secure the Basics
  - Keep your phone or tablet's operating system and its applications up to date.
  - Make sure to keep a recent backup of your device and its data. Loss or theft is the most likely problem you'll encounter with a mobile device.
  - Check your billing information every month to see whether there are unrecognized numbers or charges; if so, this could be an indication that malware has been installed.
- "Manage" Your Risk - If available to you (e.g., if your school or center uses the University Exchange email service), enable "server management" of your smartphone or tablet. This will result in several security functions being implemented automatically. If your device is not eligible to be managed, you should manually configure these options yourself:
  - PIN or Password - At a minimum, require a four-digit passcode to access your device.
  - Passcode Lock - Automatically lock the device and require the PIN to be re-entered after five minutes of inactivity. (Note: make sure that your phone still allows you to make 911 calls when locked!)
  - Auto-wipe - After 10 failed passcode entries, the device should "wipe" (erase) all of the data it contains.
- Avoid Sensitive Data - Penn policy prohibits the storage of certain types of University data on mobile devices without strong encryption. Make sure you have adequate protection for the level of data stored on your phone.
- Think Before You Geo-Locate - Be judicious about enabling location-based services on your phone and carefully consider the implications for your personal privacy. Turn these services off when not in use.
- Use a Device Location Service - One optional application you should enable geo-location for is one that assists in locating a missing device (e.g., Find My iPhone for iOS devices, Where's my Droid for Android, and BlackBerry's Protect). Many of these services have other recommended features, including the ability to remotely wipe a lost phone or tablet, make a sound (to help you find it), or display a message on the screen to the person who finds it.
- Be Smart about Apps - Only download applications from trusted sources. Check available information regarding the app developer, not just the site or carrier where the app is available. A portion of malware found on phones comes from hackers taking a popular app, adding malicious code and distributing it for free, so be sure to download official versions only!
- Use Secure Wireless - Only connect to known and trusted Wi-Fi networks. An untrusted network could allow someone to observe your traffic or even gain access to your phone.
- Smartphones and the Cloud - A number of cloud service providers, such as Dropbox, Box.net, iCloud, etc., allow you to store data remotely and easily access it from your mobile device. First and foremost, think critically about what data you store in the cloud. Second, make sure that losing your phone doesn't mean exposing all of this information by employing passwords and lockouts as recommended above.
- Don't "root" or "jailbreak" Your Device - Many mobile devices (e.g., iPhones, Kindle Fire, etc.) have proprietary operating systems installed that restrict user rights and control. Bypassing these restrictions is sometimes called "rooting" or "jailbreaking" the device. This typically introduces a new set of vulnerabilities, may be against the Terms of Service, and may void your warranty.
For more information and resources please see the Information Security website at www.upenn.edu/computing/security/, or call 215-898-2172.
Last updated: Thursday, August 9, 2012