How to effectively protect your smartphone and tablet

Important security tips for using internet-enabled mobile devices

What kind of things do you do with your smartphone? Do you use it to control your heating system or operate your robotic vacuum cleaner? Do you take photos of your children? Do you glance only occasionally at your bank account, or get your updates from e-mails only? Even if you only use your phone for one of these purposes, it is important to protect the entire device against external attacks.

This is because, on the Internet, your smartphone or tablet is frequently under threat of attack by malware, whether you notice it or not. A further risk arises from the fact that you can now carry these devices with you everywhere and connect them to the Internet at any time.

Video series: Smartphone security

What is the best way for me to protect my smartphone? What should I do if I lose my smartphone? And is it safe to use mobile banking on my smartphone?
These and other questions are answered by two experts in our video series "Cyber Security²".

However, effective protection for your smartphone, tablet or other devices against common threats is not complicated. In fact, it takes just a few minutes to work through the items in this checklist:

Security tips for internet-enabled mobile devices

Immediate measures

  • Get basic protection in place
    Check the settings of your device to ensure that the security features it is equipped with are enabled. These features may include a screen lock or a PIN that needs to be entered when turning on the device. Many attacks target vulnerabilities in software that will be closed by an update from the manufacturer. This especially applies to defects in your operating system and its applications. Activate the automatic updates function or check back regularly to see if any updates are available. This way, you can ensure that your device is always up to date.
  • Only install apps from trusted sources and check the access rights
    Only install apps from approved sources and only download apps that you really need. Avoid any sources that give you reason to doubt they are genuine. For example, do not install any app that you receive as an e-mail attachment or as a download link in an e-mail that you did not request. Apps that seem to offer much more functionality than their original equivalents should also raise your suspicions. If you are in any doubt about whether or not to trust an app or an app developer, an internet search can often help you find out more about the provider. Look for reviews, ratings and tests published by established online portals. Install updates as soon as they are available. Uninstall any apps that you no longer use.

    Many apps grant themselves extensive access rights without good reason, enabling them to access your location information, contacts list or phone status. However, not all apps need this data. Before installing an app, consider whether the access rights it requires are really needed for the app to function. If you are in any doubt, it is best not to install the app. In addition, you have the option in your smartphone settings to revoke access rights given to apps you have already installed.

    Important: Updates to an app may make changes to or extend data access rights. For example, an app may suddenly regain access to the address book. Check the access rights granted to your apps regularly and consider whether you wish to continue using the app under the new conditions.

  • Use PINs and passwords
    Ensure that the PIN codes for your SIM card and screen lock are activated. Sensitive applications such as online banking apps or apps that you use to make purchases should also be protected with a PIN or a password where possible. Replace any default codes with your own combination of digits. Use combinations of numbers that are not easy to guess and avoid logical sequences such as 12345 or birthdays. Some devices also allow you to unlock them using fingerprint or facial recognition technology.

    Another option that is convenient, but not actually very secure, is unlocking the device using a pattern. To do so, the user traces a specific pattern across the screen. Be sure to clean the screen of your device regularly so that the traces left by your finger do not reveal the pattern. Whether you use a PIN or a pattern, ensure that no-one can learn your combination by watching you unlock your device.

  • Activate interfaces only when you need them
    There are circumstances in which an attacker who is in the same place as you could access your data transfers. This is why it can be advisable to deactivate wireless interfaces in your device settings, such as Bluetooth, WLAN or NFC, when you do not currently need them. This will also help to preserve your battery.

    When you switch off WLAN reception and the GPS function on your device, it will not be able to determine your position as accurately. However, operators of mobile phone networks and some app providers will still be able to determine where your phone is. As a general rule, you should nevertheless be very careful about who you share your location information with. Cyber criminals may be able to determine your location, obtain other personal information and use information such as your holiday dates to plan a theft. Only use navigation services when you need them (see point 6 for further information). Use an app to remove the location information from any photos that you plan to upload to the internet. This location information is part of the photo's metadata, which is all of the information (date, location etc.) that your device automatically stores whenever you take a photo.

    In the case of hardware interfaces like USB, the following applies: when you want to charge your device or transfer files, connect your mobile device to a computer only if you trust the people who use it. These interfaces can be used to transfer malware. In your mobile device settings, you can specify whether you want to establish a data connection when you connect to a USB port or whether you just want to charge your device. Where possible, only use the mains charger supplied with the device to charge it.

  • Take extra care when using public hotspots
    Public hotspots, such as WLAN at a café or at the airport, often use radio links to the router without any password or with a password shared by all users. This means that there is a risk that an attacker could read your data. In this scenario, it is even more important to ensure that all communication between your end device and the internet server is encrypted. This secure communication is established via the HTTPS protocol, which you can recognise in your browser by the presence of the lock symbol in the address bar. If this symbol is missing or if you see a warning about an insecure connection, the connection is not secure. In such cases, you should be suspicious of the public WLAN connection and avoid transmitting any sensitive data.
    Remember, both your browser and apps are capable of creating data connections to the Internet. These data connections may also be insecure.

    Be careful if you use your mobile device to set up your own hotspot for other users. With tethering, your smartphone acts as a hotspot for other devices so that they can use its WLAN to access the internet. These kinds of connections should always be protected with a secure password, because anyone who knows or can guess the password can access the internet via the mobile data connection of the hotspot owner. Often it is possible to filter the access to individual devices. Additional confirmation is required when a device establishes contact for the first time. Switch off your hotspot when it is no longer needed.

  • Do not leave your device unattended
    To protect your devices against unauthorised access and manipulation, never leave smartphones or tablets unattended.
    There are a number of apps that you can use to lock lost or stolen devices remotely. Some device manufacturers have their own apps that you can use to locate a stolen device.
    Important: Always ensure that you use apps from trusted providers for this purpose.
    If you lose your smartphone and want to lock it, many of these apps allow you to do so by sending a predefined message containing the correct command code to your own mobile phone number. This action will delete or lock the personal data on your device. In some cases, it may also be possible to locate a smartphone or internet-enabled tablet via the network operator using the unique IMEI number of the device. Make a note of this number.

    You can find the IMEI of your device in the settings app or by entering the code *#06#. This can sometimes also be found on the packaging or invoice from your service provider. It can be used to prove that you own the device if it is stolen.
    Once the device has been successfully locked, you should also ask your provider to block the SIM card. It is important to do things in the right order. Once you deactivate the SIM card, the device will no longer be able to receive a locking code.
    Only install mobile device security solutions (including location, remote locking, encryption and anti-virus apps) that meet your exact needs and think carefully about whether you are prepared to permanently share information such as your location in order to use these apps.

  • Protect your data
    In modern smartphones, your internal memory is encrypted by default. Any data on an SD card is not usually protected by the device encryption technology. This means that photos and other data can be read externally simply by removing the card.
    To encrypt an SD card, it needs to be formatted as an internal memory. If the SD card is formatted as a portable memory, the data on it will be stored without being encrypted.

    Create regular backups of your mobile devices on an appropriate medium, for example USB or online storage options.
    Important: An SD card formatted as an internal memory cannot be read outside of your smartphone.

Measures to take as required

  • Clear all memories before you sell or dispose of the device
    If you sell, gift or dispose of your mobile phone, make sure you clear the memory of the device first. If you fail to do so, the device may contain traces of data that could give the new owners or criminals private information about you. Resetting the device to factory settings renders all of the data in the internal memory unusable. You can find the option to do this in the settings menu.
    Remember to remove any additional storage media such as external SD cards. You can securely delete any content on an SD card using a reader connected to your PC. You should also always remove and destroy the SIM card, unless you intend to reuse it. Do not forget to cancel the associated contract, if you have one.
  • Check numbers you don't know before returning the call
    Be suspicious of calls from any unknown or withheld numbers. Some criminals try to obtain passwords or PINs by phone. Never call unknown numbers that you have not first checked. The latest information on misused telephone numbers is published on the Federal Network Agency website. If necessary, ask your network provider to block outgoing calls to numbers linked to value-added services, which can result in expensive bills if you call them back.

  • And what about VPNs?
    If you have the option to use a virtual private network (VPN) to connect to your home network/home router, you can browse the internet just as securely from public WLAN hotspots as you do at home. A VPN is a highly secure connection between two points. The connection creates a tunnel from your device, such as a smartphone, to your home network via the public internet connection, which then enables you to use your own internet access to get online on your device. Modern routers often offer the option of setting up a VPN.
  • And how about work mobile phones?
    Work mobile phones are often subject to further technology and user requirements.

Brochure

Our handy A6 brochure sets out our tips to help you use smartphones, tablets and other devices securely:

Go to the download area to download this brochure and brochures on a range of other topics, including the Internet of Things and social media.