From left, the Find My Phone feature on Windows Phone, the Find My iPhone app on iOS, and Android's pattern unlock feature.
It could happen to you any time, or maybe it already has: You're on the
bus playing Angry Birds or browsing Facebook on your phone, when someone
snatches your handset, sliding out the closing doors and slipping away
into the crowd. Or, worse, a thief takes your phone from you at
gunpoint. However it happens, there's no recourse. Your phone is gone,
and while you always can buy another handset, all your personal
information now lives in the hands of a criminal, petty or otherwise.
According to the San Francisco Police Department, more than 50 percent
of the robberies that occurred in the city in 2012 involved the theft of
a smartphone (the robberies are referred to as "Apple Picking"). That's
nothing to discount, and remember that the SFPD only tracks data for
crimes that were reported. The fate of your phone after it's stolen
could be just about anything. A thief may keep it, sell
it to a friend or an unsuspecting buyer on eBay, or it may have been
stolen only for the parts. Other phones may even be smuggled out of the
country where they can fetch a premium price in developing markets. For
more on that market, check out this comprehensive story from Huffington Post.
That's why if you own a smartphone and bravely brandish it on the street
or the train, it's essential that you take every step necessary to
protect your data from thieves, and to track and manage your smartphone
once it's gone. In this feature, I've described the essential security
features available for each smartphone operating system and the major US
carriers. Also, read Jessica Dolcourt's smart tips for safe phone use
in public. The wireless industry is taking some steps to confront phone
theft like the creation of a national phone "blacklist," but that's as
far as it's willing to go for now. Some law enforcement agencies, particularly those in San Francisco and New York state,
want a "kill switch" that would essentially brick a phone, but carriers
and OEMs are balking at that idea. I'll discuss both issues in more
detail below.
Before I begin
First, there are a few things that you should know. In the first
section, I've divided each operating system into two parts: the basic
security features for preventing data theft that come on smartphones
running that OS, and the more sophisticated app-based services
available for tracking and wiping a device. Note also that I purposely did
not include any third-party security apps. Though such titles exist, and
many will do the job quite well, my intent is to focus on the default
solutions that are either already on a handset, or officially endorsed
by an OS provider.
Also, keep in mind that no security feature is completely foolproof. A
sophisticated thief with the right equipment may be able to bypass any
security measure. What's more, there's always the chance that a thief is
stealing your phone just for parts, and has no intention of reusing it.
In that case, a password isn't going to stop him from just taking it
apart.
iOS
Preventing data theft and casual hacking
Lock code
You can use either a 4-digit number (a "simple passcode") or a longer
"complex passcode" of case-sensitive letters, numbers, spaces, and
characters. And if you prefer, you can activate a feature where entering
a passcode incorrectly 10 times will wipe the phone. The iPhone 5S has the same passcode features, with an added Touch ID fingerprint scanner.
Lock screen features
This is important. iOS can give you access to some features without
entering your lock code. Though sensitive personal information is not
accessible, you can use some functions of Siri, such as placing a voice
call or sending a text message, as well as reply to a missed call with a
canned text message. Though you might find those shortcuts convenient,
your handset will be more secure if you turn them off. Go to Settings
> General > Passcode Lock.
Similarly, you'll also need to turn off access to the Control Center and
the Notification Center from your lock screen. To get there, go to
Settings > Control Center, and Settings > Notification Center.
Tracking and wiping your phone
Find My iPhone
This feature enables you to track, manage, and secure your phone once
it's missing. To use it, you'll first need an iCloud account, though you
do not need to sync any of your data, like e-mail and contacts,
to the cloud. After you're set up, go to the iCloud page of your
iPhone's Settings and slide the Find My iPhone toggle to on.
After you sign into your iCloud account, click on the Find My iPhone option.
Once your phone has been stolen, the first step is to sign on to iCloud.com or use the free Find My iPhone app on another iOS device. Once in, you'll be able to find your device on an Apple map, but
only if it is connected to a cellular or public Wi-Fi network (both secure
and not). If the phone is connected just to a hidden Wi-Fi network (that
is, one that does not appear in your handset's list of available
networks), you may not be able to track it. Other restrictions also
apply, but I'll get to those later.
After locating your phone and clicking on the icon, you can do a number
of things. The first is to make the phone play a sound at full
volume for two minutes (even if it's in silent mode). As this step is
more useful if you just happen to lose your phone in your sofa cushions,
I'd advise not using it if you're certain that your handset is stolen.
It just won't do a lot of good except annoy a thief. You also can erase
your handset completely, but this step is rather premature. Instead,
first try activating Lost Mode as soon as you can. Not only does
it give you more options for controlling your phone, it also adds a
stricter level of security.
The online interface for Find My iPhone.
Lost Mode
Lost Mode does a couple of things, the first of which is give you more
features for controlling your device. To begin, if you haven't yet
secured your device with a passcode (and, really, there's no reason why
you shouldn't), you'll be able to select a four-digit simple passcode
and lock the screen remotely. At the very least, that will prevent all
but the most sophisticated thieves from accessing your personal
information. Remember, though, that to make your phone as secure as
possible, you should have already deactivated lock screen access to the
features I mentioned previously.
The next step is to send a custom message to your handset's lock
screen that can't be erased. You can write whatever you want, from your
name or phone number, to a plea to contact you, to a more colorful
message telling thieves what you really think of them. The latter,
however, probably isn't the wisest course of action.
Lost Mode also lets you see a history of your phone's location over the
last 24 hours with points displayed as pins on the aforementioned map.
Finally, if all hope is gone, you can erase your device completely. Once
you erase it, you'll lose the ability to track it further, but your
lock code and onscreen message will remain.
Comparing Security features by OS
Feature | iOS | Android | Windows Phone
Mobile app | Yes | No | No
Device tracking | Yes | Yes | Yes
Remote wipe | Yes | Yes | Yes
Remote screen lock | Yes | Yes | Yes
Play a sound | Yes | Yes | Yes
Onscreen message | Yes | No | Yes
Prevent new activations | Yes | No | No
Lock code choices | 4-digit PIN or password | 4 to 17-digit PIN, password, pattern, or face unlock | 4 to 16-digit PIN only
Features accessible from lock screen | Siri (including placing a call, or sending a text), Notification and Control centers | Missed calls & text messages | None
Activation Lock
Lost Mode also plays a role in Activation Lock, which is a new feature added in iOS 7. Built after Apple users rightfully complained
that Find My iPhone wasn't comprehensive enough, Activation Lock tries
to close the loop by preventing a thief from reusing your device after
you've accepted that it's gone for good.
Running in the background from the moment you turn on Find My iPhone,
Activation Lock pairs your Apple ID and password with the serial number
of your handset in Apple's servers. Your ID and password are then
required before anyone can turn off Find My iPhone on your handset,
attempt to erase any data (that's assuming they aren't stopped by your
password), reactivate your phone under a different account, or claim a
new phone under your warranty. Activation Lock also remains in place if a
thief tries to swap out your SIM card. If you happen to get your phone
back and can't remember your password, you can retrieve it by calling
Apple support and properly identifying yourself.
Now, the fine print
Don't forget that Find My iPhone only works as long as your device is
online through your carrier's cellular network or Wi-Fi. If a thief
turns off your phone or manages to activate Airplane Mode, you won't be
able to track it. You can send commands to erase the phone, lock it, and
add an onscreen message, but those commands won't be carried out until
the phone reconnects. There may be a short gap between when a phone
comes back online and when your request to erase it comes through, but
setting a passcode ahead of time will keep a thief from accessing
anything during that period.
The bottom line
Between Find My iPhone and Activation Lock, iOS has the most
comprehensive solutions for protecting your phone (iPhones also are the
most popular smartphone targets for thieves). As a result, though, you
need to spend more time getting everything set up and running. And with
so many features accessible from the lock screen by default, there's
more responsibility on the user to lock down the phone as tightly as
possible.
Android
Preventing data theft and casual hacking
Lock code
You can secure your handset with either a numerical PIN of four to 17
digits, a password of case-sensitive letters, numbers, and characters
(but no spaces), or a pattern. If you use the latter, though, remember
that a thief may be able to see your unlock pattern by following the
finger smudges on your display. That's another reason why it's a good
idea to wipe your handset's screen often.
Android phones that run Jelly Bean
and above also have the face unlock feature. That feature can be a
kick, but it's definitely the less secure option. Beyond a lock code,
the new HTC One Max has a fingerprint scanner.
Lock screen features
Like with iOS, Android will let you access some features from the lock
screen. The list here is smaller -- just your missed calls and a preview
of any missed texts -- but you must disable access by accessing the
Security page of the Settings menu.
Tracking and wiping your phone
Android Device Manager
Similar to Find My iPhone, Android Device Manager
lets you control access to your phone if it's stolen. Activate the
feature by going to the Google Settings menu and choosing the Android Device
Manager option. Then, check the boxes for remotely locating, locking,
and resetting your phone.
Locate your phone with Android Device Manager
To locate a lost device, you'll first need to sign onto the Android Device Manager site
using your Google ID and password (there's no corresponding mobile app
in Google Play). You'll then see a list of all devices connected to your
account. Clicking on each device will show you its location on a Google
Map. Of course, the device must be connected to a cellular network or a
public Wi-Fi network, or you won't be able to locate it.
Setting up Android's Face Unlock feature
The next set of options includes the ability to lock your phone with a
new lock code, make it ring for five minutes at full volume (even if
it's set to silent), and erase your handset completely. Though Android
Device Manager does not have an official "Lost Mode," you still can take
most of the same preventive measures that you can with iOS, except
adding a message to your device's home screen (that option isn't
available here). Android does not have its own version of Activation
Lock either, but such features are available through third-party apps.
Now, the fine print
Like with iOS, you won't be able to track a device that is powered down
or offline. If you send any commands to the phone during that period,
though, they also will be carried out when the handset reconnects. You
will not be able to track a device after you wipe it, but you will be
able to track it if the thief swaps out the SIM card. Also important:
you can't wipe microSD cards remotely, only the phone's internal memory.
So be careful what you store on a memory card.
The bottom line
Android delivers the essential protection features in an attractive,
easy-to-use interface and it runs circles around its rivals with lock
code options (big points for the ability to use spaces). On the other
hand, the ability to add an onscreen message and a mobile app would make
Android Device Manager even more useful. Also, Google needs a service
comparable to Apple's Activation Lock.
Windows Phone
Preventing data theft and casual hacking
Lock code
Though you can lock your phone only with a four to 16-digit PIN,
Exchange users can add a separate code to access their e-mail. Windows
Phone does not make features accessible from the lock screen.
Tracking and wiping your phone
Find My Phone
As this feature is active from the moment you start using your handset,
there's no separate set up process. Yet, you can choose to save your
handset's location periodically on Microsoft's servers under the Find My Phone
option in the Settings menu. Doing so will make it easier to find your
device and track its movements. If your device is stolen, sign into WindowsPhone.com
using your Microsoft ID, select your handset from the drop-down menu at
the top right of the page, and choose the "Find My Phone" app.
Microsoft does not offer a companion Find My Phone mobile app.
Find My Phone has a plainer interface, but it's just as useful.
As long as your device has a cellular or public Wi-Fi connection, you'll
see a Bing Map with your device's approximate location and three
options. They include making it ring (even if it's in silent mode),
erasing it completely, and locking it with a PIN. If you choose the
latter, you also have the option to make the phone ring as it locks and
add a message on the screen. Windows Phone does not have anything
directly comparable to Apple's Activation Lock.
Now, the fine print
Here again, you won't be able to track a device that's off or not
connected to the network. But, if you send any commands to the phone
during that period, they will be carried out when the handset
reconnects. Also, if you can't find your device right away, Microsoft's
system will keep trying to locate it, which saves you from constantly
refreshing the page. And if you wish, Microsoft will send you an e-mail
when it pinpoints your device's location. Like with iOS and Android, you
won't be able to track a device after you wipe it, but you will be able
to track it if the thief swaps out the SIM card.
Find My Phone will send you an e-mail like this when it locates your device.
The bottom line
There's no set-up process and Windows Phone deserves praise for offering
features that Android lacks (an onscreen message and the automated
e-mails). Yet Microsoft needs to give customers a mobile app for Find My
Phone and its own version of Activation Lock.
Carriers
All US carriers will suspend service to your phone once you report it as
lost or stolen. When you make the report, the unique number that
identifies your phone to the carrier (called an IMEI on a GSM phone, and
an ESN on a CDMA phone) will be entered in a "blacklist." As a result,
the network will reject service (calls and data) to any device if its
IMEI or ESN is on the list (it would be able to access Wi-Fi, though).
Also, since the IMEI on a GSM phone is independent from the SIM card,
swapping the SIM for the same carrier would not make a difference. It's a
different story if your handset is unlocked, but I'll get to that
later.
Sprint, AT&T, and T-Mobile
have partnered with third-party developers like Lookout Mobile Security
and Asurion to either load tracking and protection apps directly on
the handset, or to make them available for download. The apps are
similar to Android Device Manager and Find My iPhone, though you'll need
to purchase monthly insurance programs to use them.
Verizon Wireless does things a bit differently by offering its own branded
app for controlling a handset once it's gone. Like with Big Red's
carrier rivals, you'll need to subscribe to Verizon's Total Mobile Protection insurance program ($10 per month).
Verizon's security app has far more features for Android users.
The free app is available for both iOS and Android
users (download it from the iOS app store or Google Play), but Android
users get far more options. They'll be able to locate their handset on a
map, sound an alarm, lock it, or wipe it completely. On the other hand,
iOS users can only see their iPhone's last known location. As such, if
you have an iPhone and are on Verizon, stick with Find My iPhone. It's
free and has more features.
U.S. Cellular has its own app
which is part of the carrier's Mobile Data Security Plan ($2.99 per
month). Features include remote locate, wipe, and lock, and it's
compatible with a long list of devices. MetroPCS's
MetroGuard app is comparable, but costs $1 per month.
A national blacklist
As mentioned, individual carrier blacklists only go so far. If a thief
unlocks an AT&T phone (or the handset is unlocked to begin with),
for example, the IMEI of that device wouldn't be on record with
T-Mobile. The
CTIA, the wireless industry's lobbying group in Washington, D.C., worked with carriers to set up a nationwide blacklist
that went into effect in October 2012, but it was limited to phones
that used 3G networks (both CDMA and GSM). Granted, a thief probably
won't bother stealing a non-3G phone, but you can't argue that the list
was fully comprehensive.
Fortunately, that list will be expanded
to include all LTE devices by November 30, but even then some gaps will
remain. First off, it won't include phones that don't have LTE. While
that's a fast dwindling group, it doesn't include the iPhone 4, 4S, or the LG Nexus 4,
among others. Also, though the CTIA says that 92 percent of US carriers
are supporting the list, it won't cover prepaid customers regardless of
carrier. Now, that's not a huge number either, but as the industry
moves away from the traditional contract model, the number of prepaid
customers will grow.
A more pressing issue, however, is that a US-centric list does nothing
to stop phones from being reactivated in other countries. Or as New York
Attorney General Eric Schneiderman put it, "This is an international
problem that demands an international solution."
The CTIA says that it supports an international list, but it stopped
short of recommending a detailed plan for getting there. "We also need
more countries and carriers to participate in the database so that when
criminals try to sell them internationally, the stolen devices would be
blacklisted and would not reactivate," said Jamie Hastings, the CTIA's
vice president for external and state affairs, in a statement to CNET.
Is a Kill Switch the answer?
The CTIA is not, however, signing on to the idea of a "kill switch"
that some law enforcement officials support. Though San Francisco
District Attorney George Gascón has not advocated for a specific
technology or solution, he wants carriers to use a kill switch to
remotely deactivate all features of a phone (possibly via a text
message) and render it completely useless.
"The solutions we're demanding will eliminate the value of stolen
devices on the secondary market," Gascón said in a statement to CNET.
"We commonly refer to this technology as a kill switch, since it
'bricks' the central features of the phone, making its value equivalent
to that of a paper weight. We know this technology exists."
Essentially, that's pretty much what Apple's Activation Lock already
does. But Gascón wants carriers and manufacturers to put it on all
phones and be more vocal about encouraging customers to use it.
"The only way thieves will stop robbing people for their devices is if
they know there's no payoff," he said. "That's going to require a
comprehensive deterrent that renders stolen devices useless."
But that's not how the CTIA sees it. Though the organization would not
provide CNET with a spokesperson to talk about the issue, it said via a
position paper that a kill switch carries too many risks. For example,
because the customer information and the related technology would be
shared by multiple parties such as carriers and OS developers, there
would be no way to keep it secret. As a result, anyone from terrorists
to amateur hackers, to vengeful lovers and employees could steal and
misuse the technology. What's more, if a customer happened to recover
their device after using the kill switch, they wouldn't be able to use
it again.
"Where mobile devices are permanently disabled by malicious use of a
'kill switch,' the safety of subscribers may be jeopardized as they will
be unable to make emergency calls," the paper said. "Even if
technically feasible to develop, a permanent kill switch has very
serious risks."
Those are valid risks, but they may not be the whole story. In a CBS News story
posted this morning, Gascón said that a kill switch would eat into the
revenue that carriers make from customer insurance plans. Also today,
the New York Times reported that carriers prevented Samsung from installing kill switch-like technology in its smartphones.
As an alternative, the CTIA would support the Mobile Device Theft Deterrence Act of 2013 (S.1070). Introduced
by Sen. Charles Schumer (D-NY), the legislation would impose a
five-year criminal penalty for tampering with the IMEI or ESN of a cell
phone. Changing the IMEI or ESN, which would allow a stolen phone to
be reused, is a loophole that skilled thieves have begun to exploit.
"We strongly support and need Sen. Schumer's legislation to pass that
would impose tough penalties on those who steal devices or modify them
illegally since it would help dry up the market for those who traffic in
stolen devices," said CTIA's Hastings. As of last May, though, the bill
is still in the House Judiciary Committee and has not come up for a
vote.
More could be done
If cell phone theft continues to grow, and (heaven forbid) becomes more
violent, then perhaps the industry will be open to more solutions like a
better blacklist. No industry, though, loves government regulation, so
the chances of more happening are slim. The CTIA, in particular, will do
what it can to stop anything resembling a kill switch. So, for now,
smartphone users need to take care when using their devices in public,
and take every available measure for securing and remotely managing
their devices. And, if Google and Microsoft can develop comprehensive
features like Activation Lock, then that will be even better. Because at
least then, your phone may be gone, but you'll have the satisfaction of
knowing that anyone else will have a hell of a time trying to use it.