Monday, September 1, 2014

Mobile Device Security ( my quick thoughts )

In this post,  I will ramble about mobile device security.

The reason mobile device security is a must;
"we are using  mobile devices on a day-2-day basis and don't even think about it. It's has became 2nd nature".

Between Nokia, Android, iPhone, RIM,etc.... mobile devices sales are growing at an alarming rate.

The facts are;  1> we are spending a lot of time on these devices 2>  all platforms sales are increasing every year 3>  sadly, end-user education and security practices are lagging behind.

One of the biggest data collection network is the "internet",  and then fueled by a bunch of devices that access the network on a day in and out basis , we have tons of user data present in the cloud.

Then we have Google being a massive storage-house of  our activities. We use the internet, but most never really think of the impact of the internet, and the what/whos doing with our data and information.

I was not surprised when I installed the viaprotect app on a few of my droid devices for testing and  seen that over 60%+ of my data is going to  google on any given day/week/month.



It's no secret that google tracks you. Heck they even have a website that explains some of this this information;  http://www.google.com/analytics/

As you sign up and tether your horse to the google camp, you ULTIMATELY became an agent of google.

And how much information is actually shared between Google and others is a big question? And they will not fully disclose this information or shed full light on google practices.

Is google really an secret proxy-agent of the NSA? , CIA?   or FBI ? ( we  can only  guess )



Qs you should ask yourself;
  • Okay, do we know for sure if the  data we sent & collected,  is it secured in the cloud ?
  • Who/What has access to it ? And for how long ?
  • What apps have access to your data ( contacts, sms, email, privacy-information )?
Myself have asked these question over, and over & I  don't really have any solid answers to provide you and nobody else that I spoken to, seem to have the answers either.



I was in a deep skype chat with a mobile-device forensic expert friend of mine a few months back. He's contracted with a few Sheriff depts in  the Cali area, and was telling me a story of a suspect drug dealer that Law-Enforcement agency contracted to have his iPhone stole , so they could harvest "investigative leads" to further there criminal investigation & and evidence collection & analysis.

Another horror story he told me, was of a Android developer that built a trojan app to replace an existing app on a suspect phone. The suspect was pickup and  detained and then release.  During his detainment, the app was swapped for the legit app and then they use the trojan for tracking  the user whereabouts.

Yes this crap really happens and we are clueless on the potential of data in these devices. A phone holds a lot of information on your activities such as;

 who your in  contacts with  ( phone/email/business/address/etc...)

 who your contacting  via SMS/emails/phone ( logs )

 the dialogs of your discussions

 call logs or call details ( who, when, & how long )

 who's calling you 

 locator information

 photos ( yes this is a big piece of investigative leads ), who you hang outs are, and where and who 
they are

Photos also have  accurate time/date stamps that further place you at a location

I'm not a drug dealer, criminal , nor terrorist & have nothing to hide , but the above got me thinking ;

" if my phone should disappear , what would anybody find?"




================= Tips for Mobile Device Security =================

1: Here's my most important rule.

Google is not your friend , nor should trusted them blindly. Hundreds of apps exists within the playstore that  involves some type of encryption. You should find & install and uses these in your day-2-day activities. The same applies for itune-store and iphones.


2: Email transmissions should be secured as required

All email communications should used PGP encryption at minimum. Or encrypt all dialog as a attachment and then send this via the mobile device email app. If it's really important and you don't have a secure email app, wait till you get back to the office,  or home and use your personal computer and a PGP enabled email client.

NOTE:Make sure you use secured email access  ( POP and IMAP  secured )

4: The same goes for SMS messages
 
All SMS  messages should be encrypted  imho.

I personally use the TetxtSecure App by openwhisper
https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en

It provides basic encryption and allows for the simple execution of  secured and insecure SMS messaging by the toggle of a lock.

I've seen people blindly seen sensitive information  such as; bank PINs,  passwords,  credit cards information, and once I a capture someone sending the house alarm code and his address for the maid to access.


I'll give you a tip, this ( SMS  )  is not secured transmission facility,  sms gateways regularly transmits the messages in clear-text


5: GEO-tag information should be turned off for photos

You recall my buddy that's contract to a sheriff dept investigations-unit, they hack phone devices and review photos to gather geo-tagging information. This helps the investigation team track the suspect location and possible correlate major case events or to build a timeline.


 The photos could include geo-tag information , if you didn't disable this function from the camera app.

( see screen shot of me ;) and geo information viewed by EXIF on MACOSX )



This information could be used to track you down or the assist the Possibly of a stalker to find your address, whereabouts, your hangout places, etc...  Most social meeting sites, strip this information when posting photos online, but you should never enabled this,  or if you have it enabled , you should be aware of  the risk. Also don't expect websites to always strip this information.

 tip; my camera phone GPS coordinates  has tracked me within a <100ft resolution not bad if you think about it :)

6: FileSystem encryption should be used all of the time


Iphone/Android/BB, etc... have some time of  filesystem encryption. This should be used , & if available. If your version doesn't support encryption 1> upgrade or 2> change the device. I use  encryption to encrypt files on my  microSD card such as photos.

7: Phone backups should be encrypted natively or .........

Yeap, a phone backup stored on a cd, usb-drive or in the cloud,etc..... should be encrypted natively. You could also used a 3rd party application to secured the data with a strong pass phrase.

8: Phone Recycling

When  you sale off that phone online, ebay, criagslist or donated it to abused-womans group, wipe the data and factor reset it. Yes this has been over looked on a few phone devices that I've done forensics on in the past.

9:  For the Android devices, use the Chrome Browser

Yes it's still a google product,  but chrome is slightly faster and more secured than others browsers.

10:  Use common sense

That's right, treat your phone like a computer. This means all of the following;

       1: lock the screen when not in use ( always )
       2: check for https  vrs http websites b4 placing your credentials
       3: keep  the phone  in your Possession all of the time or locked away if not  in use.

11:  Banking application should be downloaded from a an approved store or from a hyperlink from the bank website

I never use banking apps on my mobile devices, but if you do. Try to grab the apps from  the  source directly.

e.g ( citibank links )

https://online.citibank.com/US/JRS/pands/detail.do?ID=CitiMobileApp

12:  Avoid rooting your device

If you must root your device, know the risk that your are exposing your self? and is it worth it?

I have rooted phones for testing, but my day-2-day phone is factory android on the most up to date  version for that model.

13:  Understand your apps permissions and access on your device

This is not too clear for a non technical person, but better judgement and common sense should come in play. A SMS/Email programs most likely need access to your contacts,  BUT a banking application most likely does not. What your app is asking  permissions for, should be scrutinized imho.

14:  Make backup  on a regular schedule

This doesn't nothing from a security standpoint, but if your phone is lost, stole, or heck falls out of your pocket into the toliet, you will have some means of recovering your data.

15:  Avoid placing user information on the home screen

I try personally to avoid displaying user information on the screen. This include displaying any personally photos or name.

16: Monitor where your device send data to 

The viaProtect  app can provide details on your phone activities and sheds some light on your data security.  Understanding your traffic behavior , will help you get an ideal of your mobile device security practices.

https://play.google.com/store/apps/details?id=com.viaforensics.viaprotect.android.agent&hl=en






Just be safe and understand that your phone/tablet is a over price small Miniature  computer ;)

Ken Felix
Security and Network  Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   2   2  )=
         o
      /     \

1 comment:

  1. There's a chance you are eligible for a free Apple iPhone 7.

    ReplyDelete