Turning the Tables: Why Proactive Mobile Device Security Beats Reactive Responses
Authors – Luc Cook & Harry Gough
In an age where our smartphones are digital extensions of ourselves - housing everything from personal memories to sensitive business data - theft of a physical device is more than just an inconvenience. It’s a potential data breach, a privacy nightmare, and a security risk. Yet, many individuals and organisations still rely on reactive security measures that only kick in after something goes wrong.
At coc00n we believe there is a better way.
Defining Proactive Device Security
A proactive approach flips the script. Instead of waiting for a breach to occur, it anticipates common theft behaviours and puts safeguards in place that act before data can be exposed. It keeps communication channels open so that remote security commands can still reach the device. It uses behavioural triggers to detect suspicious activity and automatically starts protective actions, relying on native device functions: locking the device so that its encrypted data cannot be read without the passcode or biometrics, and disabling key functions when theft is suspected, which reduces the device's value to thieves and limits the risk of data exposure.
Proactive device security can be grouped into three distinct approaches.
Tighter access controls when devices are unlocked
If you have used mobile banking apps, you've probably noticed that they often recheck your biometrics or ask for your device PIN when opened. The same protection can be applied to other apps. The consequences of a phone snatcher reaching your banking apps are obvious, but consider that by applying this setting to other apps you can also prevent access to your photos, contacts, location history, encrypted messages and more, even if the device was taken while unlocked.
Note that if you have previously granted another application blanket access to the contents of a protected app (for example giving your messaging app access to your photo library), that data can still be reached through the unprotected app.
Automated reactive device protection
The first moments after a snatching are key for both victim and criminal. Victims will be trying to reach the remote lock and wipe functions; thieves know this, so their first step is often to switch on aeroplane mode, which stops the device reporting its location or receiving the remote wipe command.
By using automations on iOS (the Shortcuts app), we can turn that first step into a trigger that runs device-level countermeasures: locking the device, switching aeroplane mode back off so that location reporting and remote wipe work again, and alerting a trusted contact to the incident. Note that aeroplane mode can also be switched on from Control Centre on the lock screen unless you disable that under the 'Allow Access When Locked' settings, so an automation complements, rather than replaces, locking the device down in the first place.
A real-life example of how an automation could be configured to protect your device is as follows:
- Your device is snatched while unlocked.
- The thief switches on aeroplane mode to prevent a remote wipe.
- The automation fires: your device locks (so its encrypted data can no longer be read without the passcode or biometrics) and switches aeroplane mode off again, letting you track its location or start a remote wipe.
- Your device sends a text message to a trusted contact to tell them what has happened.
This very simple implementation can be customised with extra functionality or safeguards as needed. For example, allowing aeroplane mode to be activated without triggering the automation if a specific app is open, or building in a delay before starting the automation to ensure there is a good distance between the thief and victim before countermeasures are activated.
Automations can also trigger when a specified Bluetooth device is disconnected, meaning that other attack methods (such as disabling mobile service without enabling aeroplane mode) are also covered. Countermeasures should be less aggressive in this instance, so that the trusted contact is not alerted every time you leave the house without your headphones.
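The rules above (an allow-listed app suppresses the trigger, a delay before acting, and a softer response to a Bluetooth disconnect than to aeroplane mode) are easier to get right when written down as one decision function. The following is an added example, not coc00n's code and not an iOS Shortcut: it models the policy in Python so the branches can be tested before you build them in the Shortcuts app. The action names are plain strings that mirror Shortcuts actions, and the app name, headphone name and contact number are placeholders.

```python
"""Decision model for the theft-response automations described above.

Constructed example: it models the rules (allow-listed apps, a start-up
delay, softer handling of Bluetooth disconnects) as a pure function over
events so the logic can be reasoned about and tested. It does not drive
iOS; the app, device and contact names are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class Trigger(Enum):
    AEROPLANE_MODE_ON = "aeroplane_mode_on"
    BLUETOOTH_DISCONNECTED = "bluetooth_disconnected"


@dataclass(frozen=True)
class Event:
    trigger: Trigger
    at: datetime
    foreground_app: Optional[str] = None  # app in front when the trigger fired
    device_name: Optional[str] = None     # Bluetooth device, for disconnect events


@dataclass(frozen=True)
class Plan:
    delay_seconds: int       # "Wait" before acting, to put distance between thief and victim
    actions: tuple           # ordered device-level actions to run
    message: Optional[str]   # text for the trusted contact, None if nobody is alerted


@dataclass(frozen=True)
class Policy:
    allowed_apps: frozenset = frozenset({"Airline Boarding"})  # placeholder: apps where aeroplane mode is expected
    watched_devices: frozenset = frozenset({"My Headphones"})  # placeholder: devices normally on your person
    escalation_delay: int = 60
    trusted_contact: str = "+44 7700 900123"  # placeholder number


HARD_ACTIONS = ("Lock Screen", "Set Aeroplane Mode: Off", "Send Message")
SOFT_ACTIONS = ("Lock Screen",)
NO_ACTION = Plan(0, (), None)


def decide(policy: Policy, event: Event) -> Plan:
    """Map one trigger event to the countermeasures the automation should run."""
    if event.trigger is Trigger.AEROPLANE_MODE_ON:
        # Deliberate use: an allow-listed app is in front, so do nothing.
        if event.foreground_app in policy.allowed_apps:
            return NO_ACTION
        # Suspected theft: lock, restore connectivity and alert the trusted contact.
        text = (f"Phone locked at {event.at:%H:%M} after aeroplane mode was enabled "
                f"unexpectedly. Check Find My and revoke linked sessions.")
        return Plan(policy.escalation_delay, HARD_ACTIONS, text)
    if event.trigger is Trigger.BLUETOOTH_DISCONNECTED:
        if event.device_name not in policy.watched_devices:
            return NO_ACTION
        # Weaker signal (you may simply have left the house): lock only, no alert.
        return Plan(0, SOFT_ACTIONS, None)
    return NO_ACTION


def run(policy: Policy, events) -> list:
    """Evaluate a sequence of events; return (event, plan) pairs that need action."""
    out = []
    for event in events:
        plan = decide(policy, event)
        if plan is not NO_ACTION:
            out.append((event, plan))
    return out


def sample_timeline() -> list:
    """Constructed sample: headphones drop, then aeroplane mode is toggled twice."""
    t0 = datetime(2024, 6, 1, 18, 5)
    return [
        Event(Trigger.BLUETOOTH_DISCONNECTED, t0, device_name="My Headphones"),
        Event(Trigger.AEROPLANE_MODE_ON, t0, foreground_app="Messages"),
        Event(Trigger.AEROPLANE_MODE_ON, t0, foreground_app="Airline Boarding"),
    ]


if __name__ == "__main__":
    for event, plan in run(Policy(), sample_timeline()):
        print(event.trigger.value, "->", plan.actions, "after", plan.delay_seconds, "s")
```

Keeping the decision in one function makes the trade-offs visible: the allow-list is the only thing stopping a trigger from firing while you are on a flight, so it should contain as few apps as possible, and the delay applies only to the hard response, since the soft lock-only response costs nothing if it fires by mistake.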
Risk-based choices for proxy devices
A secondary device can be configured as a 'proxy device' that is used to access essential services, so that if a snatching incident takes place, it is stolen in place of your main device.
If you frequently travel in very high-risk environments or areas of high mobile phone theft, you could make a risk-based decision on whether a proxy device should be used. Considerations for this decision would include the location and what the device purpose will be. If the risk is deemed high enough, using a proxy device allows you to access essential services without risking your main device.
It is crucial to understand that improper use of a proxy device may heighten your risk rather than mitigate it, as having multiple devices increases the potential attack surface for adversaries. It is advisable to undertake courses on effective security practices if you consider a proxy device as a viable protective measure.
Here are some guidelines for effective proxy device use.
- As with your main device, ensure you have installed the latest security updates
- Keep your main device secluded on your person and use its Wi-Fi hotspot to connect the proxy device to the internet while travelling. Be aware that VPN protection on your main device is not automatically extended to the proxy device, so configure it on both.
- Only sign into the services that you need. Secure messaging applications such as WhatsApp and Signal allow you to configure 'linked devices' whose access can be revoked from your main device in case of a snatching incident. It’s very important to regularly review the access and data that your proxy device has stored, to limit potential exposure in case of a theft.
- Develop an incident response plan to outline the procedures to follow if your proxy device is stolen. Document the services that require access revocation from your primary device. Conduct a tabletop exercise to practice implementing this process.
The coc00n approach
At coc00n, we’ve built our platform around the principle that proactivity beats reactivity. Our defence in depth architecture is designed to anticipate threats, not just respond to them.
Rather than relying solely on post-theft recovery methods, anticipate this rising threat and act before you need to. Keep your privacy protected - even when your device is in the wrong hands.
coc00n's unique mobile device protection secures phones, tablets and laptops against cyberattacks without any restriction on usability. Get in touch to find out more.
About the authors
Luc Cook is a full stack developer at coc00n. His focus is on delivering secure applications to enhance device security and tooling to help clients understand and manage their risk and security profile.
Harry Gough is coc00n’s Chief Operating Officer. He has almost a decade of experience at the forefront of cyber security within government, devising and implementing systems to protect the UK’s most high-risk institutions and individuals against cyber threats.