To be clear, mobile security always needs to be taken seriously. Mobile devices not only have vulnerabilities, but some very unique ones, owing to the way smartphones work. People are regularly targeted with spam and fraud calls, and it’s all too easy for a scam center to bombard users with “smishing” texts — SMS phishing attacks. At the extreme, authoritarian regimes will use spyware like Pegasus to follow people around, take photos, and even listen in on conversations — all possible because most people carry their phone wherever they go. If you’re worried about that degree of intrusion, there’s not much more you can do other than keep politically sensitive interactions offline.
In this piece, I’m just interested in dispelling the notion that mobile browsers are inherently more dangerous than what you’re using on your Mac or PC. They actually have the advantage, in some cases, owing mostly to the way Apple and Google have designed iOS and Android. It should all make sense in a moment.
Smartphone operating systems are heavily sandboxed
Security over liberty?
In the security world, “sandboxing” refers to the idea of limiting how much any individual app (or OS feature) can interact with others. When a sandboxed app is compromised, it can only do so much damage to the rest of your software, since it never had that much reach in the first place. Think of it like keeping an out-of-control zoo animal in its cage — you’ll be safe as long as you don’t climb inside or open the gate.
Both iOS and Android are more heavily sandboxed than Windows and macOS. This is often considered a negative, since it means mobile apps can’t do as much as their desktop counterparts, but it’s also a deliberate choice in the face of security threats. The result is that if you accidentally tap a phishing link in the mobile versions of Chrome or Safari, the greatest danger (in most cases) will come from your being tricked into sending money or sharing private data. On a Mac or PC, there’s a much higher risk of your system being taken over, at least if you don’t use a comprehensive suite of anti-malware tools, and/or fail to keep all your software updated. I recently had a ransomware scare myself. Thankfully, it turned out to be more bark than bite — killing Chrome in Task Manager and restarting the browser fresh was all I needed. I made sure to scan my system and update Windows anyway, just to be sure.
All mobile apps are reviewed by Apple and Google
Outside of Europe, anyway
Whenever a new or updated app is submitted to the Apple App Store or Google Play Store, it undergoes a basic code review/testing process. Though it’s not impossible for serious bugs or security vulnerabilities to slip through, it’s very unlikely. This improves the security not just of third-party browsers, but of iOS and Android overall, since there shouldn’t be any deeply compromised apps a web link can bump you into.
Conversely, one of the benefits of Windows and macOS — the ability to download apps from anywhere — means that if users aren’t careful, they can be tricked into downloading spyware, botware, or openly hostile apps like ransomware. There are a variety of tools and settings you can use to protect against this without having to shop at the App Store or Microsoft Store, yet it’s impossible to deny that if you’re worried about viruses, you’ll have better odds on an iPhone or Android device.
I should add that in some countries, legal rulings have opened up smartphones to third-party app stores. I’m generally in favor of this, since it’s about time developers were allowed to break Apple and Google’s monopolies, but be sure that any store you choose is doing adequate security screening before you trust it. You may also want to check customer opinions on sites like Reddit.
As a rule, it’s best to steer clear of sideloading apps unless you’re a developer. This isn’t automatically going to harm your phone, but just about anything that’s safe and legal will be on a public storefront.
It’s easier to reset and recover a phone
When all else fails
If a browser-based attack succeeds in compromising a Mac or PC, it may be possible to scrub it and start again fresh, if all else fails. This can become a complicated process, however, at least outside of enterprise environments that are prepared for it. Too often, a reset can mean losing critical files that were stored on your computer and nowhere else.
iOS and Android alike have baked-in Recovery Modes that will quickly let you wipe a phone clean and revert to factory settings. These can be triggered by special button commands at any time, so there’s no need to connect to a computer first, or hope your phone is working well enough to use a software-triggered reset. Recovered iPhones do need a connected computer to get back on their feet, but it doesn’t even have to be your own. A technician at an Apple Store can probably help you.
Critically, most users have some level of cloud backup that’s easy to restore when setting up a phone again. It’s something I take advantage of every time I buy a new iPhone — within minutes, all of my previous content starts downloading again, how and where I like it. There’s a low penalty for wiping a phone in the (extremely) rare chance of a system-wide infection.
Phones are more likely to have biometric locks
Passcodes and passwords are still essential
Although facial and/or fingerprint recognition are often options on computers, let’s face it — many PCs still aren’t equipped for it, and some Mac users are going to prefer passwords anyway. That’s not necessarily an issue, since a strong password can be difficult to guess or brute-force even if someone manages to gain physical access. Biometric security is inherently more resilient, however, since it’s tied to secure chips, not a cloud or software account. There’s no way of remotely forcing your way past it unless you’ve intentionally set up your device to allow remote access.
Phones are getting better and better about using biometrics. Past an initial unlock, biometrics are often required for accessing passwords, payments, or key settings. Newer versions of iOS and Android let you hide whole apps behind a biometric login. If you’ve got particularly sensitive web browsing to do, you can use a hidden browser separate from your “public” one.
Biometric systems aren’t invincible, naturally. These inevitably rely on a passcode or password as fallback, so if you choose something weak, there’s still a chance someone will get through if they’ve got your device. Every passcode should be six digits or longer, and every password complex. If you have trouble remembering passwords, try smashing together a “pass-sentence” instead.