To hear the headlines scream it, mobile security is already a lost cause. Android is the king of mobile malware! Umpteen gazillion rogue apps found! THE HACKERS ARE SNOOPING YOUR SNAPCHATS AND SEXTING YOUR GRANDMA!
It’s enough to make you want to wrap your phone in tinfoil and cower in a corner somewhere—but don’t believe the hype.
The sky isn’t falling, and your phone isn’t sending illicit photos to your grandmother. While you may want to slap a security app on your phone, it probably isn’t for the reason you think. And those rogue apps? If you aren’t an idiot, the odds of your installing a malicious mobile app are almost infinitesimally small.
Welcome to your mobile security reality check.
Much ado about (very slightly more than) nothing
Here’s the thing about all those ominous-sounding reports: Most of them originate from the very antivirus companies looking to sell you security solutions—so they’re not exactly impartial.
Fortunately, I managed to track down honest, straightforward experts from three noted security firms: Lookout, which offers a popular security app for Android devices; McAfee, which needs no introduction; and AV-Test, a highly respected independent institute that specializes in technology security.
All sang the same tune when it came to malicious mobile threats.
"If you follow simple precautions such as sticking to the Google Play Store, not downloading things from suspicious sites, and not clicking on suspicious links in emails you weren’t expecting, then you’re pretty safe," says Marc Rogers, the principal security analyst at Lookout. "Google has a very effective app vetting process in place."
Fear not, iOS lovers: Apple’s approval process is even more stringent.
Andreas Marx, the CEO of AV-Test, agrees with Rogers. "The mobile malware situation for US and European users is not yet problematic; the majority of malware is spreading in China and Russia only.
"Google Play is not entirely safe to use," Marx continues, "but it’s well maintained and even when malicious Apps are able to ‘enter’ the market—criminals are working hard on this—the apps are getting removed quickly. Google can also remotely wipe malicious apps from your phone if they see a very big risk."
Sweet! So you can leave your phone AV-free and carry on with life blissfully stress-free, right? Not quite.
All three organizations reported that they’ve been seeing an increase in targeted malware that skirt the precautions Google, Apple, and other platform protectors have installed—think malicious websites, third-party app stores offering free versions of popular paid apps, and phishing emails containing poisoned links or apps.
While the threat to the average person is still small, the bad guys are definitely getting smarter. Lookout recently identified the BadNews malware family, which disguised itself as an everyday ad network to sneak 32 apps into Google Play, and then began acting maliciously only after those apps had been downloaded between 2 million and 9 million times. The damage was limited mostly to Russian users, however.
Built-in app store security doesn’t protect against trickery like that. Now for some not-so-delicious irony: Android typically gets hammered as being the more vulnerable operating system, compared with iOS, but Marx says iOS is actually more vulnerable to phishing attacks since Apple’s App Store has few viable antimalware apps.
What’s more, the contents of our mobile devices all but ensure that those unfriendly efforts will continue.
"Think about it: Your phone is, for all intents and purposes, a computer," says Luis Blando, vice president of mobile product development at McAfee. "It has every single bit of corporate data that your company wants to protect. Much more worrisome, it has your calendar, your Amazon account, God knows what else. As a target, phones are absolutely irresistible [to hackers]."
Slightly hyberbolic? Maybe. But it’s also very true, and that has led AV-Test to revise its recommendations for mobile security.
"The situation is changing," says Marx. "More and more attacks are targeting mobile users in the US, so it’s getting more risky. Therefore, we recommend using security software on your Android. Last year, we said ‘It’s an optional component, but it will get more essential in the future.’ Now we argue: Use it."
Don’t misunderstand: If you’re smart and careful, the threat of infection is still fairly small. But with more and more bad guys trying to sneak their way onto your phone outside of the app stores, running Android unprotected is a risk.
Even if you don’t have much cash, you can keep your phone fairly secure using one of the freebie Android security apps that are out there, including offerings from Lookout, AVG, Avast, and others. However, sticking to no-cost solutions usually leaves you out in the cold when it comes to security features that are arguably the most handy-dandy.
The real reason you want a security app
Even if you barely surf the Web and rock impeccable security habits, it’s still recommended that you pick up a security app.
Mobile security, you see, isn’t all about malware.
Mobile security apps are more important for their non-malware-related tools.
"One of the biggest mobile security risks is actually losing your phone," Blando says. "When you lose your phone, it’s not only the cost of the device, but also the cost and hassle of losing its data."
That’s especially so when your phone is stolen. People’s entire lives are stored on their handset, open to anyone that picks it up. Study after study shows that few people lock their phones, and losing mobile devices is an all-too-common occurrence.
In the past year, the "Find My Phone" feature in Lookout’s mobile app was used more than 9 million times, or roughly every 3.5 seconds. Half of all robberies in San Francisco and 42 percent of all robberies in Washington, D.C. are related to smartphone theft, the New York Times recently reported.
Apple’s iPhones have robust features against phone loss that can be set up with minimal hassle, including remote locking, wiping, and phone-finding capabilities. Android’s antitheft options aren’t quite as beefy, prompting experts to recommend picking up a third-party security solution.
"The question ‘What can you realistically expect from a mobile security suite?’ is easy to answer," says Marx. "To help you when your phone is stolen or lost, to either help find it and/or destroy the data on it."
While free security solutions sometimes work a few anti-theft tools into the mix—witness Lookout’s Find My Phone—virtually all security providers tuck the most helpful backup, location-finding, and remote control options into their paid-for offerings.
In other words, while careful users can usually get by with a free security program on their PCs, cheaping out on your mobile Android security means you won’t have access to the features that you’d really, really need if you ever lost your phone.
The no-nonsense recommendation
So that’s where we stand today. What does it mean in terms of actual product recommendations?
If you’re walking around with an iPhone in your pocket, there’s no pressing need to buy a mobile security solution. Not because iOS is inherently safer than Android—if you’re even the slightest bit cautious, all mobile operating systems are highly secure—but because Apple already offers phone-finding and back-up features, and because none of the scant security options available in the app store can really protect against the increasing risk of phishing attacks and other “back door”–type malware.
The situation’s a bit different on Android. You’re going to want a free security app at the very least, and we recommend paying extra for a premium security app to gain access to those crucial remote security features. (Again: If you need ever them, you’ll really, really need them.)
Which app should you buy? Our mobile security app roundup can help answer that question, as can AV-Test’s superb (and independent) Android testing results.
But save your money if you’re using a BlackBerry phone. Robbers don’t want your device anyway.
Parting words of wisdom
“But wait!” you cry. “What about metrics! You didn’t delve into the hard stats! I read this report…”
Hopefully, this reality check made sense sans all the numerical gobbly-gook. But regardless of whether or not you’re a stat freak, consider these parting words of wisdom from Lookout’s Rogers, and keep them in mind the next time you read a hysterically screaming report about mobile security.
"A lot of people have latched onto the idea that there’s a large variety of Android malware that’s out there, kind of implying that there’s been some kind of huge explosion—but that’s not really the case," he says. "…Don’t get hung up on the numbers."
And when you do see numbers, give ‘em a thorough eyeing. "Android threat doubles in the past year!" sounds scary, but if that means there are now 10 malicious apps where there were once five, it’s not worth worrying about. A good rule of thumb from the Lookout team: If you see percentages in an Android malware report, ignore it completely unless hard numbers back up the sensational headline.