Measures for Everyone to Protect Your Digital Self Living in Your Mobile Devices
In part one of this guide to protect your digital ID, I will talk about the basics — measures that anyone can use to reduce risks to their devices. Then, in part two, I will address more on digital identity — some special efforts for people who need more protection.
In the last part of the guide, I will focus on something that anyone can turn into a habit — a risk-based approach to treating your digital identity with risk assessment threat modeling. After reading this guide, I hope more people will, and hopefully, be more aware of protecting privacy.
(Remarks: The first one here is for the beginners.)
Know Yourself and the Enemy
The key to protecting your digital self is making it as pricey and impractical as possible for somebody to steal data critical to cyber-safety — your financial security and privacy. If attackers find it too challenging or expensive to get your data, there’s a better chance that they will move on to an easier target.
For that reason, it’s crucial to assess how vital information can be stolen or leaked — and understand the limits to protect that information after knowing where and what your enemy wants to steal, you can have a better chance to put your effort and resources into those vulnerabilities.
Make a List! To Check Your “Attack Surface”
The first step above is all about taking stock of your digital life that could be exploited by a cyber-criminal (or an “unethical” big tech company, employer, or the like) for profit at your expense. Or similar things could put you in a vulnerable position that you may or may not be aware of.
A sample item list may include items like:
- mobile phone and other mobile devices,
- personal computer,
- home network (e.g., routers, access points),
- social media accounts,
- online banking and financial information,
- information of your physical identification and
- credit card information.
In cybersecurity, each object offers an “attack surface” — a chance for someone to exploit that and steal your data. How much an attack surface is exposed relies on numerous factors, but you can significantly lower the chances for malicious exploitation with some basic countermeasures. So let’s tackle them one by one.
Physical Security for Mobile Devices
Our digital identities “live” in our smartphones and tablets. And these mobile devices are so portable that they lead to a high risk of being out of our control by being lost, stolen, or simply picked up by others when it’s idle, and we are not aware.
Luckily, defending against casual attempts to get personal data on a smartphone or other mobile devices (as opposed to attempts by law enforcement, sophisticated criminals, or state actors) is moderately straightforward — reducing the attack surfaces.
Lock Your Phone+
First, always enable lock on your devices. But it’s equally important to consider how your devices are unlocked. Use a longer PIN if possible. Besides, ensure your device is set to erase its contents after multiple wrong password attempts (e.g., a maximum of 10 times).
Limiting the number of trials can significantly reduce the chance of password guessing and thus have a better opportunity to protect your privacy once your device is stolen or lost, especially when your PIN is only 4-digit long.
For better security, use a password **at least eight characters long (**preferably a longer passphrase than a long passcode). This shouldn’t be a problem using face recognition or a fingerprint unlock on your phone.
Bonus: Check if there is any delay in the screen locks due to the app settings or other reasons. Delays mean someone who grabs your phone can get to your data if they bring up the screen just in time.
Data Backup
In response to stricter requirements for password reset after multiple password failures, it is recommended to back up your phone regularly. The safest way to backup data is plainly doing it locally — an encrypted backup on your external hard drive.
For Apple devices, for local Backup, you can:
-
backup your iPhone to your computer via Finder (macOS Catalina or later) or
-
Use iTunes (Windows or macOS Mojave or earlier).
Apple has an easy-to-follow guide for data backup locally. For Android devices, please find a similar guide here.
If you want to enhance the availability of your Backup (in case the local copies are corrupted or lost), before you upload it to the iCloud or other storage services, you can encrypt those backups. But remember, please keep the encryption key safe and secure (whether it is a password, certificate, or token).
Software Update
To reduce the attack surface, ensuring your mobile devices are kept up to date, along the same lines, is crucial to prevent someone from taking advantage of known security bypasses. With good initiatives like “Project Zero,” now we have vendors fixing security vulnerabilities much faster. Keeping up-to-date is easy. All you need to do is check for updates on the device’s settings and press “update.”
Digital Footprint 101
More from my previous article: The KonMari Method for Your Digital Footprint: How to Clean up Your Digital Clutter Like Marie Kondo
We need to know what it is before trying to protect it. Digital Footprint is everywhere online. It is all your activities with a keyboard and mouse, in addition to what we tap and swipe on our precious mobile devices.
Here are some typical locations where we leave most of our footprint.
- Social Media is not just what you post but also the comments, like, tweet, retweet, and swipe left and right. Unfortunately, most platforms have very long user agreements that are difficult to read.
- Mobile Apps — Make sure you keep an eye on data policies and settings updates.
- Shopping Websites — the buying habits are precious for ads and marketing.
- Web Browsers — web browsers use headers and cookies as attributes that let people identify who you are.
Several “fake app” scams involve tricking people via social engineering into websites resembling app stores. Unfortunately, these schemes almost always lose thousands of dollars and massive privacy exposure.
Check for the items below:
- Avoid apps with vague permission requests, and
- Deny anything that seems like an overreach (Least Privilege)
For example, when Facebook Messenger asks to be your SMS client and then logs all your phone calls to your Facebook account, it can find “friends” for you more efficiently. And if there are apps that you don’t use, delete them. Apple’s iOS does this if it’s configured, but only if the apps are not running in the background.
To make our life easier, we usually leverage single sign-on (SSO) options such as social media accounts or our email addresses for quick sign-up (as it skips the process of creating a username and password for that application.) Not everyone is a “listaholic” who would keep a list of all the online services, online stores, or apps they signed up for over the years.
If that’s your case, your SSO information may save you time. No matter which service you use to sign-up for (e.g., Google, Facebook, Apple ID), all options give you a summary of third-party apps access. Here are the top three:
However, if SSO options are not selected or not available, but you used your email addresses instead, you can search for all the services you use by searching your email inbox for keywords like “unsubscribe,” “sign-in,” or “welcome.” Then, revoke, remove, unsubscribe, and delete all sign-ups you no longer need.
Recommendation: Minimize Your Digital Footprint At the Beginning
It all makes sense. Once you produce less digital footprint, there is less than you need to clean up afterward. So there’s still hope — by applying “Digital Distancing.”
We now all know social distancing as it keeps popping up on the news. The idea of digital distancing is like when you want to talk to your boss about your salary rise, and you close the door. Keeping a digital distance could help keep you away from data breaches or eavesdropping on your digital self.
In short, you can start with the following:
- Change your Browser — Firefox and Brave are privacy-first web browsers. Or use Tor if you need extra features.
- Use Duckduckgo and the “private window” of browsers for searching.
- Check Your App Permissions and double-check the privacy settings on social media apps.
- Regarding Virtual Private Network (VPN) — Assume VPN providers keep logs and check if the provider support PFS — Perfect Forward Secrecy. Also, check the privacy law and regulations of VPN providers’ locations.
- Upgrade Your DNS Security at Home — Protecting our DNS is essential to internet security. It also blocks many tracking scripts and apps from connecting and sending data back to their destinations. All internet-accessing devices would have a DNS setting. Better to protect your data from the beginning.
Mobile Network Threats
Besides issues that arise from questionable app behavior, mobile devices can be vulnerable through normal functions like WiFi or Bluetooth. Consider turning off WiFi when you’re away from home. An adapter or the power socket with a separate on/off button would serve this purpose. I have a timed power plug set to turn off at night.
Your mobile device may be continuously polling for the network SSIDs in its history to reconnect automatically or connect to anything that looks like a carrier’s WiFi network. Unfortunately, when this happens, your device gives away information about networks you’ve seen and might allow a hostile network access point to connect.
Also, someone could use your phone’s WiFi MAC address to fingerprint your device and track it. The same goes for Bluetooth. If your device has Bluetooth turned on, it’s broadcasting information that could identify it — and you. When your phone tells you to turn on WiFi to improve location accuracy, try to ignore it unless you know what you are doing.
To avoid someone identifying you fast, name your device anything other than [Your Name] ‘s iPhone. This is because your phone’s network name is broadcast all around you. It is like using your WiFi as a mic to shout your name to other’s devices.
Bonus: Thew Mobile Threat Catalogue
NIST provided a comprehensive document regarding mobile threats, including attack surfaces and standard techniques. If you want to make your list above more extensive, you can take a look at the NIST draft.
Final Words — The Most Expensive is “Free of Charge”
We should value our data as the real world for our digital identity. We use vaults to store our personalized jewelry and only share our financial records with the bank; We need the same measures for our digital self. This guide is the beginning of a series of best practices for users of different levels.
Remember, every time you tap on your phone, you leave some traces. Simply realizing the concept of the digital footprint can make us wiser every time we need to decide if we want to share our data. In Japanese, there is an old saying: “nothing costs as much as what is given to us.” (ただより高いものはない) Why is it the most expensive? Because the price you pay does not measure with money but time, privacy, health, and freedom, which are intangible, are our most precious assets.
See you in part two.
Thank you for reading. May InfoSec be with you🖖.