Author: Scott Doudera, Information Technology Page 3 of 4

Navigating the Wild Wi-Fi West

Sticky post

Ahh……. traveling through the countryside again.     I’m thrifty, and don’t have unlimited cell service.  I don’t want to use up all my cell phone data out here downloading movies for my kin.    That’s fine, free public wireless Wi-Fi networks are everywhere.    Everyone likes to get online for free.  But what does “free” often mean. There are a lot of security issues with public Wi-Fi.  I like to think of them as the wild-wild west.  This blog will go over the big dangerous amidst many public Wi-Fi spots and how to navigate them.

Malicious Hotspots

Howdy partner, welcome to free Wi-Fi.   So, you’re having dinner at the Texas Steakhouse.  Is the free public Wi-Fi really offered by the diner, or supplied by the guy renting an apartment next door?  Perhaps someone nearby setup a rogue network to entice people to connect and snoop on your web browsing.  It’s a good practice to ask an employee, or the front desk what the name of their Wi-Fi is before just jumping on the first network you find.  A legitimate Wi-Fi network will be less dangerous then a malicious hotspot that is anonymously owned.  You don’t want to shoot yourself in the foot, so to speak…

Wi-Fi sniffing

Just because you found the restaurant’s Wi-Fi network doesn’t make it safe either.  One of the tools that hackers are using on public networks is the Pineapple Wi-Fi device.  Originally developed for penetration and security testing, they can be repurposed for Man-in-the-middle attacks.  After determining what websites you access, the device can thoroughly mimic preferred networks.  All your information is then routed through the device. You may think you’re sending information to a HTTPS website, but it’s actually a spoofed website that the device created.  What’s worse is the Pineapple can save user session and cookie information and continue masquerading as your device, long after your gone.  You may need to call the local Sheriff on this network. 

How do you protect yourself?

When you connect be sure you select the Public network option when connecting to public Wi-Fi, keep your computer up to date, and leave your firewall enabled.  These options will protect your computer or device from being breached. 


When you leave a public Wi-Fi, be sure to delete, or “forget” the network in your phone or laptop.  This will keep your device from automatically reconnecting to a similar rogue network at another location.

Cautious browsing

So, we have learned how to protect your device, but what about protecting your online browsing transactions.  Limiting your internet searches to informational websites that don’t pass sensitive credentials is the best practice.  Logging into your online bank, even though an installed App should be avoided.  What about credit card purchases?  Just say no!  Ok, I just want to send an email.  Unless your email is encrypted (most isn’t) even email shouldn’t be checked on public Wi-Fi.  Do your email servers authenticate exclusively with secure HTTPS?  If you’re not 100% sure, don’t chance it.  So, what about Netflix, you like watching movies don’t you?  It depends….   If you can set your online accounts up with different passwords, in the event you are hacked they will only get onto that one site.  Not too much at risk with a compromised Netflix account if your passwords are all unique.  Plus, I get an email when another device logs on my account, so you know you can cut them off at the pass!

VPN – Circle the Wagons

What if you really need to get some work done, cellular service is not available and public Wi-Fi is your only option?  Well that’s when you need to invest in a VPN service.  A virtual private network (VPN) is a technology that allows you to create a secure connection over a less-secure network between your computer and the internet. This is beneficial because it guarantees an appropriate level of security and privacy to the connected systems. This is extremely useful when your Wi-Fi infrastructure may not support it.  It’s like sitting inside a protective circled wagon.

If your company can setup a VPN for you that would be the best option.  The next best would be a paid VPN service that’s based in the United States.  Most of these run under $10 per month.  Though there are many good ones outside of the States.    The following VPN Services have been highly rated by CNET for 2019. 

ExpressVPN
IPVanishVPN
Norton Secure VPN
Private Internet Access VPN

So, chock up and stay away from those free VPN services.  Because as we just learned from this blog, nothing in life is “free”.  Now head ’em up, and move ’em out

When you’re away, do your apps play?

Would it make you uncomfortable if your children or your neighbor grabbed your smart phone and started looking around?  Probably not, but what about a complete stranger?  This is often what happens when you download an app from app stores without doing some due diligence.  Many apps ask for you to open doors they have no business accessing.  This can open up your phone to more then just an app you thought you could trust.

Official app Stores vs. third party app stores

Apple® AppStore and Google Play™ are the two biggest official app stores. You can go there to download mobile applications for your iPhone or Android device.

Are they safe?  Apps in the official app stores usually follow strict development criteria. The official stores also test the applications for malware.  This is the safest place to get apps.

Third-party app stores may not use the same level of scrutiny toward the apps they allow to be listed in their app stores. Third-party app stores might offer plenty of safe applications. But there’s also a higher chance they might offer dangerous ones.  Third-party app stores should be avoided as much as possible.

Certain categories of applications were also more likely to contain malware.  Arranged by likelihood:

  1. Lifestyle apps
  2. Music and Audio
  3. Books and Reference
  4. Entertainment
  5. Tools

Grayware apps

Many apps contain grayware.  This is a term used to classify apps that behave in an undesirable manner, but not classified as malicious malware.  A common type of grayware is mobile adware which contains popup ads in your phone’s notification bar.

Symantec reported a 20% increase in grayware application variants recently, for a total of 3,655 types.  Norton research shows that more than 60% of Android apps contain adware or other grayware.  Of these:

  • 63% were found to have leaked the device’s phone number
  • 37% leaked device location
  • 35% leaked installed application information

There are security apps such as Norton Mobile and Trend Micro Mobile Security that can protect your phone from malware and annoying grayware, but perhaps the best thing to do is understand what happens when you install a new app.  Many potentially unwanted app behaviors are written on purpose and documented in the app’s user agreement.  Reading app disclosures and agreements before installing is the best practice.

When an app first installs, it asks you for permissions.  To combat grayware, you should question what an app really needs permission to do.

Does your new weather app really need permissions to access your contacts and calendars?  Often when prompted for access you should just say no.

Permission to Do What?

There are hundreds of types of permissions, and many apps ask for more permissions than they need.  Most people don’t know what they mean. They just enable everything.  This is a bad practice.  You should disable everything unless you know why the app needs it.  The more restricted you keep your apps the safer your data will be.  Here’s a list of a few of the most common permissions:

  • Storage: modify/delete storage contents – apps that store pictures and video will require this.
  • Network communication: full access – many apps need to access the internet, this often relates to ads as well
  • Your location: network-based – weather and travel apps, free games, often contain ads so they can deliver targeted ads based on your location.
  • System tools: prevent device from sleeping – usually means that when you’re using the app, it will keep your phone from going to sleep or from entering into a reduced power mode.
  • Your personal information: read contact data – most social media or messaging apps will request access to your contact information
  • Root: super user access – When an app asks for root access you should seriously consider whether it needs super user access.  Firewalls and backup apps often require root access.  Most apps don’t

Android vs IOS which is safer?

There are millions of apps available for download.  There are twice as many apps on the Google Play store then on the Apple® AppStore.  The number alone at Google Play makes it a more dangerous place to find apps.  If the app is available for iPhone and Android there is a higher probability that it is safer, but no guarantee.

There’s no doubt Android is a bit more of a risk than iOS, but, with the right precautions, it can still be a safe platform. If you must install apps from anywhere on an Android phone, at least do everything you can to ensure they’re safe before you let them loose on your contacts, messages and social media accounts. Install a scanning app such as Norton Mobile Security,  or Google Play Protect and use it wisely on new downloads to prevent any malicious activity.

What about Jailbreaking my phone?

Sometimes an app developer does not play by the rules and the only way to get the app to the public is to recommend jailbreaking your phone.  Jailbreaking your device frees the OS to run unapproved applications.  The process of jailbreaking is legal but it’s not a good practice.   Jailbreaking allows unapproved code, voids your warranty, and can cause stability and security concerns.

Also, if your company issues you a work phone this would generally be prohibited.  Most companies have policies for what you can do with their phone when using it for work.  Unless you’re a tech guru and the risk is worth the reward, jailbreaking is a bad idea.  I refuse to do this on my personal devices.

Is this app Secure?

Apple® AppStore has made it mandatory for all developers to require new apps use a secure connection such as https.   The Android developer platform has also just finalized this process in 2018.   Still, older grandfathered apps exist on app stores that were original approved using unsecure http.  So, check the reviews, and check the date of the last review.  If its 3 years old, perhaps its time to look for a better solution.  Also, it is a good practice to update your apps anytime there is a security update.    A trendy app is no longer great if your connection to their server is compromised on public Wi-Fi.  So, stick to the Official app stores and update your apps often.

Does Spectrum Financial have an app?

I’m glad you asked!  Now would be a great time to download the Spectrum Access app available at both the Apple® AppStore and Google Play™ It’s a secure way for our clients to view

  • Aggregation of all household accounts
  • Account Activity, holdings, and balances
  • Performance Summary
  • Quarterly Statements
  • General tax and beneficiary reports
  • Invoices

Page 3 of 4

Spectrum Financial, Inc 2023