What our covid-19 smartphone usage means for cybersecurity

The world before covid-19 is a familiar yet strange place.

Reading technology trend articles from just before the pandemic can be an odd experience. It’s a little like glancing through the window into a more innocent parallel universe.

Many of these articles focus on the amount of time spent on mobile devices. In late 2019 and early 2020 it seems it was hard to imagine how we might use them more frequently.

According to some we were already at something of a crisis point. Pedestrians distracted by their phone were having accidents. And etiquette experts were weighing in on excessive mobile phone use at the dinner table.

Little did we know that the phone was about to take on even more of our day-to-day tasks.

In this article we’ll explore how the pandemic has transformed the way we use our phones. And we’ll examine what our covid-19 smartphone usage means for cybersecurity.

In the middle of March 2020, Yuval Noah Harari penned an article for the Financial Times.

In it, he wondered - and worried - about the paths the pandemic might lead us down. One paragraph in particular appears quite prophetic 18 months on:

"Many short-term emergency measures will become a fixture of life. That is the nature of emergencies. They fast-forward historical processes. Decisions that in normal times could take years of deliberation are passed in a matter of hours. Immature and even dangerous technologies are pressed into service, because the risks of doing nothing are bigger. Entire countries serve as guinea-pigs in large-scale social experiments. What happens when everybody works from home and communicates only at a distance? What happens when entire schools and universities go online? In normal times, governments, businesses and educational boards would never agree to conduct such experiments. But these aren’t normal times."

Even before covid, there was a sense that the smartphone and social media were changing the world more quickly than we could write the rules to keep people safe. We were so quick to embrace a culture of convenience that important questions about privacy and ethics were often ignored.

And the pandemic has only sped up this process.

Before we knew it we were downloading covid-19 apps designed to keep track of how many people were falling ill and to stop the spread of the virus.

Analysts questioned the security of these apps. But, as Harari said, the risks of doing nothing were bigger.

As the months passed and the impact of the pandemic shifted like the sands of a desert, so did the way we used our phones.

As we started to work remotely, the phone became more important for work-related tasks. For example, it often became a second screen used for video calls while we continued to work on our laptops.

Authorities increasingly preached the importance of keeping a safe social distance from one another. And it turned out that the device in our pockets allowed us to do just that.

Instead of queuing to order at a bar we could use our phones to scan QR codes. Instead of crowding into a shop at the same time, a business could send us a notification via an app when it was our turn to enter. And while some of us had already ditched cash before covid, the pandemic acted as the final death knell. Cash was seen as unclean, so more than ever we left our wallets at home and used the digital wallets on our phones instead.

In recent months mobile devices have also become de facto passports. We now use them to check into venues. We use them to store proof of our vaccination status or of a negative covid test. We hold them up for inspection at airports.

On the surface, these changes seem positive. An example of a crisis forcing us to become more efficient.

But there’s an alternative way to look at how covid-19 has transformed the way we use our phones. That is that they’re now being used in a way they were never designed to be used. A way that makes them a more tempting target for cybercriminals.

After all, when we look back at how we used our phones during the pandemic, another trend will likely come to mind:

The amount of bogus text messages we received from bad actors claiming to be banks or health care providers.

In some ways the pandemic marks the end of a more innocent relationship with the smartphone. It used to be a safe place - somewhere to laugh with friends or share silly videos of cats. Yes, there were a few reminders of creepy privacy issues and brands wanting more permissions than they really needed. But when people thought about the darker side of the internet - like phishing and scams - they tended to think of laptops and email.

Cybercriminals, though, are smart. During the pandemic they not only saw how much more time we were spending on our phones. They also realized that we act differently on them compared to when we’re on our computers.

Phishing and malware attacks jumped from 5,000 per week in February 2020 to 200,000 per week in April 2020. Such a hike isn’t a coincidence.

Hackers have also targeted mobile applications more than ever before during the pandemic. They recognize that because apps are taking on an increasing number of daily tasks, that means they’re collecting more and more valuable personal information. They also know that not all apps use robust protection and that some rely on platform security alone.

But iOS and Android security doesn’t stop tampering, man-in-the-middle attacks, or static and dynamic analysis. And it doesn’t allow developers to check the environment their application is run in. For modern mobile apps in industries such as finance, healthcare, and the public sector, this kind of protection is a must.

The pandemic has proved to us that cyber threats are getting more subtle and more sophisticated. They’re also evolving all the time. This is the main source of fear about the rapid shift in smartphone usage during covid-19. Could it be that new attack vectors have opened up without us knowing?

Take our current habit of constantly scanning QR codes, for example. Something we now do without thinking.

In theory, a bad actor could use a QR code to direct people to a malicious link. QR codes can also add a new network to a device’s list of trusted networks, make a payment, add a new contact, or send a user’s location to an app.

So, yes, many of the ways smartphone usage has evolved during covid-19 are positive. But only if we make sure people can carry out these new daily tasks securely.

We have to be aware that when we open a door into a new way of using our phone, that door doesn’t always lock behind us. And when it doesn’t, cybercriminals can follow us inside.

We’ve spent a lot of time this last year or two being wary. Mainly, though, this has been in the physical spaces we inhabit. We’ve got used to keeping our distance, wearing masks, and using hand sanitizer. But our phones have been somewhere to escape from covid-19. A place to let our guard down and relax.

Sad though it sounds, we could probably all benefit from being a little more suspicious. If you receive a message from your bank when you normally don’t - or if it’s asking you to do something different to the norm - then it’s a good idea to stop and think. Could it be a scam?

And the responsibility here doesn’t only fall on the end user. After all, the stakes are just as high for the businesses developing the apps we rely on. As we’ve said many times on this site, it only takes one security breach for a company to lose its hard-earned reputation. The more people are exposed to cyber attacks in the press, the more likely they are to see security as a key metric. In the near future consumers are unlikely to trust a company that doesn’t take cybersecurity seriously.

That’s why another mentality shift is required in the post-covid-19 world. Developers have to start thinking about security throughout the whole development process. Only by embracing security by design processes can they be sure of combatting ever-changing cybersecurity threats.

That means having the empathy to step into the end user’s shoes and thinking about attack vectors they might be exposed to. Beyond that, developers of critical apps will also want to protect where platform security cannot. This includes implementing code hardening, runtime application self-protection mechanisms, and integrity checks - before an application is published.

Global crises have a habit of changing our habits and behaviours. The same thing happened after the global financial crisis earlier this century. When the smoke cleared, we were suddenly riding Ubers to work and staying at Airbnbs on vacation.

In years to come, we might look back on the pandemic as a time when the phone ceased to be only a leisure and communication tool. We’ll see this as the time the device also became a way to gather data on a massive scale.

This rapid increase in mobile phone usage is also happening at the same time as the arrival of 5G. So, everything points to even more usage possibilities.

But let’s not forget that the phone was originally designed to be a phone. It wasn’t designed to be a passport. Nobody foresaw us using a stream of apps that would collect data that could tell a bad actor more about us than we even know ourselves.

The way we use the phone has fundamentally changed. And that means our attitude to security needs to change with it.