Mobile phone security: What are the risks?

First on the list was malware — and on that front, Android definitely presents the biggest risk, because it’s such an open platform.

So, anticipating the trolls: Even though I own an Android phone and love it, and have said so several times in my CNN posts, I’m sure I’ll get lots of comments from Android fanboys complaining that I must be on Apple’s payroll.

For the record, no, I get nothing from Apple. In fact, I’m really kinda tired of iPhone fetishization, especially by tech media. I’m not anti-iPhone or anti-Apple (you’d have to pry my macbook from my cold dead fingers)

I used to own an iPhone and liked it well enough, but I AT&T really sucks in the Bay Area, so last summer I traded up to a Droid Incredible, which I generally like better. It’s got its hitches and weirdnesses, but it’s also a pretty cool device.

But being an Android owner has made me far more aware of mobile security. Ultimately, I think that’s a good thing.

So Android fanboys: Chill out. Go get some Doritos. And a reality check.

Neither am I on the payroll of Norton or Lookout, two companies whose products I mentioned as examples of the kinds of tools smartphone users can employ for mobile security. Norton did invite me to their mobile security event in SF. Yeah, I’m a journalist. I go to conferences. I meet with companies to learn what they’re doing. Shocking, I know.

My CNN post also covers premium SMS fraud, phishing, and spyware — and the spyware thing is especially creepy…

Then I found a recent bit of research that has special relevance to mobile e-mail security. So I wrote this article:  Mobile users more vulnerable to e-mail phishing scams – CNN.com.

My favorite comment: “The reason iPhone users are 8 times more likely to enter a phishing site is because with an iPhone you can actually get to the website. Ever try to use the web browser on a Blackberry…their built in phishing security is that the web browser can’t open websites.”

,http://m.cnn.com/primary/_E5uyqH-isfp12PXn2

Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village

Thanks much to the West Seattle Blog for bringing this gem to my attention via Twitter in the wee hours of the morning. And kudos to The Onion for such impressive info-graphics! My favorites are the van, barter, and data security fence graphics.

1Password seems pretty powerful. But it’s not for me.

Reason: 1Password only integrates with Web browsers, not with 3rd party applications. For 3rd-party applications, you can generate stronger passwords using 1Password — but then you have to store them in the OSX keychain or elsewhere. If you rely on such applications regularly, this vastly reduces the potential security benefit of 1Password.

This became a dealbreaker for me. Here’s why…

On my laptop I use the Twitter applications Twhirl and Tweetdeck daily. Which means that to use the complex passwords generated by this program, I’d need to either check 1Password and copy and paste each time I wanted to log in — which is a hassle. I’d quickly tire of that hassle and then either store the passwords in the applications, or in a separate file, or in the Mac OSX keychain — all of which would defeat the purpose of using a password-management program.

1Password actively touts the advantages of its keychain over the OSX keychain. Which is why I found it ironic that today a 1Password rep recommended to me that for 3rd party apps I could still use the Mac OSX keychain for password storage. That’s kind of like saying, “Well, you can’t order the chicken, but this rat tastes like chicken.”

1PASSWORD ON IPHONE: WHAT’S THE POINT?

1Password prominently touts its iPhone application, which syncs with your Mac. This lack of integration is an even bigger problem on the iPhone, which has no copy and paste. On the iPhone I primarily use applications other than the browser to access services I use daily — including e-mail. Since 1Password doesn’t integrate with any of those applications, I’d have to manually type in those complex passwords for access, and then store them in the apps.

The only purpose of the 1Password iPhone application apparently is to securely store on your phone sensitive data, like your Social Security number. It won’t let you, say, use the complex password for your BrightKite account, which you set up via 1Password on your laptop, to log in to the BrightKite app on your iPhone. You’d have to type it in manually, or store the password in the app — which again undermines the intended security benefit.

So although 1Password appears to be useful in some ways, for me it’s got too many dealbreakers. I’ve requested a refund.

MASTER KEYWORD WOES? HOW TO START FROM SCRATCH

Oh, and: When I first installed 1Password, I had a problem with the Master Password for the 1Password keychain (something you need to enter in order to be able to use your other passwords — supposedly the only password you’ll need to remember). 1Password was not recognizing the master keyword I’d set. This may have been due to something I did wrong; I’m not blaming 1Password for this.

I ended up having to ditch my original 1Password keychain and make a clean start. In case you need to do the same thing, here are the full instructions (which I couldn’t find on the 1Password site, but 1Password rep Jamie Phelps sent them to me:

First, let’s make sure we’re starting over with a clean slate of 1Password. Make sure that 1Password is installed in your Applications folder rather than running from the disk image or the Desktop or some other location. Second, drag the following files to your desktop if you find them:

• Home > Library > Keychains > 1Password.keychain
• Home > Library > Application Support > 1Password > 1Password.agilekeychain
• Home > Library > Preferences > com.1passwd.plist

Now, try launching 1Password and you should be presented with the blue setup screen again. Go through the initial setup and see if you continue to have trouble. If your master password does not work for you after this, please let us know and we’ll investigate further.

I post that in case anyone else is having the same problem, since I could only find the first step in that process on the 1Password site.

In summary — 1Password may be a great solution if you don’t rely regularly on applications other than your browser to access online services. As I said, several people I respect have recommended it. But if 3rd party applications are crucial to your online experience (on your computer or iPhone), then think twice before buying this software.