Monday, September 1, 2014

Mobile Device Security (my quick thoughts)

In this post, I will ramble about mobile device security.

The reason mobile device security is a must:
"We are using mobile devices on a day-2-day basis and don't even think about it. It has become 2nd nature."

Between Nokia, Android, iPhone, RIM, etc., mobile device sales are growing at an alarming rate.

The facts are: 1> we are spending a lot of time on these devices; 2> sales on all platforms are increasing every year; 3> sadly, end-user education and security practices are lagging behind.

One of the biggest data collection networks is the "internet", and fueled by a bunch of devices that access the network day in and day out, we have tons of user data present in the cloud.

Then we have Google being a massive storehouse of our activities. We use the internet, but most of us never really think about the impact of the internet, or about who is doing what with our data and information.

I was not surprised when I installed the viaProtect app on a few of my droid devices for testing and saw that over 60% of my data is going to Google on any given day/week/month.



It's no secret that Google tracks you. Heck, they even have a website that explains some of this information: http://www.google.com/analytics/

As you sign up and tether your horse to the Google camp, you ULTIMATELY become an agent of Google.

And how much information is actually shared between Google and others is a big question. They will not fully disclose this information or shed full light on Google's practices.

Is Google really a secret proxy-agent of the NSA, CIA, or FBI? (we can only guess)



Questions you should ask yourself:
  • Do we know for sure that the data we send, and that is collected, is secured in the cloud?
  • Who/what has access to it? And for how long?
  • What apps have access to your data (contacts, SMS, email, private information)?
I have asked myself these questions over and over, and I don't really have any solid answers to provide you, and nobody else that I've spoken to seems to have the answers either.



I was in a deep Skype chat with a mobile-device forensic expert friend of mine a few months back. He's contracted with a few sheriff's departments in the Cali area, and was telling me a story of a suspected drug dealer whose iPhone a law-enforcement agency contracted to have stolen, so they could harvest "investigative leads" to further their criminal investigation and evidence collection & analysis.

Another horror story he told me was of an Android developer that built a trojan app to replace an existing app on a suspect's phone. The suspect was picked up, detained and then released. During his detainment, the trojan app was swapped in for the legit app, and then they used the trojan for tracking the user's whereabouts.

Yes, this crap really happens, and we are clueless about the potential of the data in these devices. A phone holds a lot of information on your activities, such as:

  • who you're in contact with (phone/email/business/address/etc.)
  • who you're contacting via SMS/email/phone (logs)
  • the dialogs of your discussions
  • call logs or call details (who, when, & how long)
  • who's calling you
  • locator information
  • photos (yes, this is a big piece of investigative leads): who you hang out with, and where and who they are

Photos also have accurate time/date stamps that further place you at a location.

I'm not a drug dealer, criminal, nor terrorist & have nothing to hide, but the above got me thinking:

"If my phone should disappear, what would anybody find?"




================= Tips for Mobile Device Security =================

1: Here's my most important rule.

Google is not your friend, nor should you trust them blindly. Hundreds of apps exist within the Play Store that involve some type of encryption. You should find and install these and use them in your day-2-day activities. The same applies to the iTunes store and iPhones.


2: Email transmissions should be secured as required

All email communications should use PGP encryption at minimum. Or encrypt the whole dialog as an attachment and then send it via the mobile device's email app. If it's really important and you don't have a secure email app, wait till you get back to the office or home and use your personal computer and a PGP-enabled email client.

NOTE: Make sure you use secured email access (secured POP and IMAP).

4: The same goes for SMS messages
 
All SMS messages should be encrypted, imho.

I personally use the TextSecure app by Open WhisperSystems
https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en

It provides basic encryption and lets you switch between secured and insecure SMS messaging by the toggle of a lock.

I've seen people blindly send sensitive information such as bank PINs, passwords, and credit card information, and once I captured someone sending the house alarm code and his address for the maid to access.


I'll give you a tip: SMS is not a secured transmission facility; SMS gateways regularly transmit the messages in clear text.


5: GEO-tag information should be turned off for photos

You recall my buddy that's contracted to a sheriff's department investigations unit: they hack phone devices and review photos to gather geo-tagging information. This helps the investigation team track the suspect's location and possibly correlate major case events or build a timeline.

The photos could include geo-tag information if you didn't disable this function in the camera app.

(see screenshot of me ;) and geo information viewed by EXIF on Mac OS X)

This information could be used to track you down, or possibly assist a stalker in finding your address, whereabouts, hangout places, etc. Most social meeting sites strip this information when you post photos online, but you should never enable this, or if you have it enabled, you should be aware of the risk. Also, don't expect websites to always strip this information.

Tip: my camera phone's GPS coordinates have tracked me to within a <100ft resolution; not bad if you think about it :)
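
A way to check your own photos for the geo-tag described above before sharing them, and to drop the EXIF block if one is found. This is an added example, not code from the original post: the function names are illustrative, and the sample JPEG is constructed inline with made-up coordinates and no image data.

```python
import struct

def _segments(jpeg):
    """Yield (start, end, is_exif) for each header segment before the image scan."""
    pos = 2                                         # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, end, jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0"
        pos = end

def _ifd(tiff, off, bo):
    """Parse one TIFF IFD into {tag: raw 4-byte value/offset field}."""
    count = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    return {struct.unpack(bo + "H", tiff[p:p + 2])[0]: tiff[p + 8:p + 12]
            for p in range(off + 2, off + 2 + 12 * count, 12)}

def gps_coords(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS tags, or None."""
    tiff = next((jpeg[s + 10:e] for s, e, exif in _segments(jpeg) if exif), b"")
    if tiff[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if tiff[:2] == b"II" else ">"          # TIFF byte order
    u32 = lambda raw: struct.unpack(bo + "I", raw)[0]
    ifd0 = _ifd(tiff, u32(tiff[4:8]), bo)
    gps = _ifd(tiff, u32(ifd0[0x8825]), bo) if 0x8825 in ifd0 else {}  # GPSInfo pointer
    if not all(tag in gps for tag in (1, 2, 3, 4)):
        return None
    def degrees(tag, ref_tag, negative):
        off = u32(gps[tag])                         # offset of 3 RATIONALs: deg, min, sec
        d, m, s = (a / b for a, b in struct.iter_unpack(bo + "II", tiff[off:off + 24]))
        return (-1 if gps[ref_tag][:1] == negative else 1) * (d + m / 60 + s / 3600)
    return degrees(2, 1, b"S"), degrees(4, 3, b"W")

def strip_exif(jpeg):
    """Return the JPEG bytes with every Exif APP1 segment removed."""
    segs = list(_segments(jpeg))
    scan = segs[-1][1] if segs else 2               # where the untouched remainder starts
    return jpeg[:2] + b"".join(jpeg[s:e] for s, e, exif in segs if not exif) + jpeg[scan:]

def sample_jpeg():
    """Constructed sample: SOI + Exif APP1 (GPS 37 deg 30' N, 122 deg 15' W) + EOI."""
    u32 = lambda n: struct.pack("<I", n)
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    tiff = b"II*\0" + u32(8) + b"\x01\0" + ent(0x8825, 4, 1, u32(26)) + u32(0)
    tiff += (b"\x04\0" + ent(1, 2, 2, b"N\0") + ent(2, 5, 3, u32(80))
             + ent(3, 2, 2, b"W\0") + ent(4, 5, 3, u32(104)) + u32(0))
    tiff += struct.pack("<12I", 37, 1, 30, 1, 0, 1, 122, 1, 15, 1, 0, 1)
    # length field covers itself (2) + "Exif\0\0" (6) + the TIFF block
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xd9"
```

For a real photo, read the file in binary mode, pass the bytes to `gps_coords()`, and write the output of `strip_exif()` to a new file if coordinates come back.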

6: Filesystem encryption should be used all of the time


iPhone/Android/BB, etc. have some type of filesystem encryption. This should be used if available. If your version doesn't support encryption, 1> upgrade or 2> change the device. I use encryption to encrypt files on my microSD card, such as photos.

7: Phone backups should be encrypted natively or .........

Yep, a phone backup stored on a CD, USB drive or in the cloud, etc. should be encrypted natively. You could also use a 3rd-party application to secure the data with a strong passphrase.

8: Phone Recycling

When you sell off that phone online, on eBay or Craigslist, or donate it to an abused-women's group, wipe the data and factory reset it. Yes, this has been overlooked on a few phone devices that I've done forensics on in the past.

9: For Android devices, use the Chrome browser

Yes, it's still a Google product, but Chrome is slightly faster and more secure than other browsers.

10:  Use common sense

That's right, treat your phone like a computer. This means all of the following;

       1: lock the screen when not in use ( always )
       2: check for https vs http websites before entering your credentials
       3: keep the phone in your possession all of the time, or locked away if not in use.

11: Banking applications should be downloaded from an approved store or from a hyperlink on the bank's website

I never use banking apps on my mobile devices, but if you do, try to grab the apps from the source directly.

e.g. (Citibank link)

https://online.citibank.com/US/JRS/pands/detail.do?ID=CitiMobileApp

12:  Avoid rooting your device

If you must root your device, know the risk that you are exposing yourself to. Is it worth it?

I have rooted phones for testing, but my day-2-day phone is factory Android on the most up-to-date version for that model.

13: Understand your apps' permissions and access on your device

This is not too clear for a non-technical person, but better judgement and common sense should come into play. An SMS/email program most likely needs access to your contacts, BUT a banking application most likely does not. What your app is asking permissions for should be scrutinized, imho.

14: Make backups on a regular schedule

This does nothing from a security standpoint, but if your phone is lost, stolen, or heck, falls out of your pocket into the toilet, you will have some means of recovering your data.

15:  Avoid placing user information on the home screen

I personally try to avoid displaying user information on the screen. This includes displaying any personal photos or name.

16: Monitor where your device sends data to

The viaProtect app can provide details on your phone's activities and shed some light on your data security. Understanding your traffic behavior will help you get an idea of your mobile device security practices.

https://play.google.com/store/apps/details?id=com.viaforensics.viaprotect.android.agent&hl=en






Just be safe and understand that your phone/tablet is an overpriced miniature computer ;)

Ken Felix
Security and Network  Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   2   2  )=
         o
      /     \
