Mobile Security - Why You Should Care

Nearly all professional working people in the western world have access to a mobile phone.  These phones are generally not just phones.  They're portable laptops, with processing and storage capabilities greater than a desktop PC 25 years ago, yet we treat them like toys that can easily be replaced.

With every pay-monthly contract sold (especially in the UK), an equivalent monthly insurance policy is sold too.  We're constantly reminded about the dangers of dropping the phone down the toilet, smashing the screen after inadvertently leaving the phone in your back pocket, or damaging the outer casing by not having the correct protective membrane.  For another £12 a month, you can have 'peace of mind' that you're protected.  Great.

But what about the stuff the phone is actually used for?  Does that get protected too?  What stuff, why should I care about protecting that?

Why Should I Care?

Well, if your phone is used for work, it's quite likely you'll have a list of contacts: phone numbers, perhaps email addresses, and perhaps postal address, job title and so on.  You may also have cross-linked social networking account data for these contacts too - Twitter, LinkedIn, Facebook amongst others.  This is basically the digital version of your 'little black book'.  But they're just contacts, not really bothered about that.  Well, you should be.

But it's not just your contact list that is on your phone.  What about all the emails you've sent and received?  If you use your mobile for full-on work communication, this is the bit where the CISO/Infosec Manager has a bit of a wobbly over the whole Bring Your Own Device (BYOD) piece.  Your phone is suddenly an inadvertent extension of the corporate network, albeit one not particularly regulated or managed by the corporation.  Work related emails (should) contain work related content.  Attachments.  PDFs, spreadsheets, numbers, policies, customer details, accounts, records, meetings and so on.  All stored locally on your phone.

From a personal perspective, other aspects of data storage are a concern.  Geolocation data is now commonly used to make the most of a lot of key applications, like navigation and recommendation apps.  Suddenly your phone can easily pinpoint, to the nearest metre, where you are and where you have been.  Social networking is all about the 'now', and being portable gives a smartphone the biggest edge over many social networking clients on the web and laptop platforms.  But how many times do you type in your username and password to access Twitter or Facebook on your phone?  With those tiny keys on the touch screen, you'll do it once or maybe twice before hitting the 'save username and password' button.  Single Sign On is effectively configured on your device.  Get access to the phone, get access to all your web and social networking clients.

Attack Vectors

OK, so there's quite a lot of data on my phone.  But that's no different to my laptop, right?  What's the big deal?  Well, there are several.  The attack vectors for a smartphone are more prominent and more vulnerable than for a laptop.  The first difference is that laptop and desktop operating systems, for all their issues and vulnerabilities, are more mature than smartphone operating systems like iOS or Android.  That maturity comes in the form of patching and basic approaches to security and protection.  Many smartphone operating systems are difficult to patch due to bandwidth limitations.  The second main difference between laptops and smartphones is anti-virus.  How many people have AV for their phone?  Very few.  Whilst there are some smartphone-specific iterations of AV software, many are incomplete or expensive, limiting their uptake.

The biggest threat to a smartphone is that of a physical attack.  Mainly due to its size and value, theft is a major concern.  Once a physical device is stolen, there are two attack vectors: one is via the console of the phone, the second is via direct physical access to the SIM, on-board memory and storage card memory.

Another major area of concern for phone security is the apps that get installed on a daily basis.  Many apps are free, with no real training, configuration or reputation support.  How do you know that an app is 'safe', or correctly coded to a standard that is stable and non-malicious?  Whilst both Apple and Google are attempting to put verification processes in place to help identify rogue developers, the sheer size of the available app pool will give malicious software a way in.

Countermeasures?

From a basic standpoint, the phone should have a PIN to access the console.  Simple.  Everyone knows that.  iPhones provide a 4 digit capability whilst a lot of the Android devices can provide 6 digit PIN protection.  In general password management, the longer and more complex the password, the more secure it becomes.  This is mainly due to the increased time it takes to brute force the string.  This would generally suggest that a 6 digit PIN is stronger than a 4 digit PIN.  True.  But NOT if that 6 digit PIN is your date of birth - big fail.  The majority of 6 digit PINs contain date of birth values.  Aim for a PIN that isn't your landline or date of birth and, if it's a 6 digit PIN, perhaps contain a repeating value.
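As an added example (not part of the original post), the PIN-strength point above put into numbers: the keyspace of 4- and 6-digit PINs, how many 6-digit PINs are date-shaped, and the sort of policy check a device or MDM profile could apply when a PIN is set.  The birth-year window and the three date layouts are assumptions.

```python
from datetime import date, timedelta
from math import log2

# Assumptions (not from the post): birth years fall in this window, and these
# three digit orderings are the date layouts people type as a PIN.
FIRST_YEAR, LAST_YEAR = 1920, 2010
DATE_FORMATS = ("%d%m%y", "%m%d%y", "%y%m%d")  # DDMMYY, MMDDYY, YYMMDD


def keyspace(digits: int) -> int:
    """Number of distinct PINs of the given length (digits 0-9)."""
    return 10 ** digits


def date_shaped_pins() -> frozenset:
    """Every 6-digit string that some date in the window produces under any layout."""
    pins = set()
    day, stop = date(FIRST_YEAR, 1, 1), date(LAST_YEAR, 12, 31)
    while day <= stop:
        for fmt in DATE_FORMATS:
            pins.add(day.strftime(fmt))
        day += timedelta(days=1)
    return frozenset(pins)


DATE_PINS = date_shaped_pins()  # built once: ~33k days x 3 layouts


def effective_bits(candidates: int) -> float:
    """Work factor in bits: log2 of the guesses needed to exhaust a candidate set."""
    return log2(candidates)


def check_pin(pin: str, min_len: int = 6) -> str:
    """Policy check at PIN-set time.  Returns 'ok' or the reason the PIN is weak."""
    if not pin.isdigit():
        return "not-numeric"
    if len(pin) < min_len:
        return "too-short"
    if len(set(pin)) == 1:
        return "single-digit"        # 000000, 111111, ...
    if len(pin) == 6 and pin in DATE_PINS:
        return "date-shaped"         # a birthday-first guessing order would hit it
    return "ok"


if __name__ == "__main__":
    for n in (4, 6):
        print(f"{n}-digit keyspace: {keyspace(n):>9,}  ({effective_bits(keyspace(n)):.1f} bits)")
    print(f"date-shaped 6-digit PINs: {len(DATE_PINS):,}  "
          f"({effective_bits(len(DATE_PINS)):.1f} bits if dates are tried first)")
    for p in ("1234", "311299", "010190", "294718"):   # constructed sample PINs
        print(p, "->", check_pin(p))
```

The date-shaped set is well under a tenth of the full 6-digit keyspace, which is the gap between the nominal strength of a 6 digit PIN and its real strength when it is a birthday.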

Many networks now provide a 'lose and wipe' feature that effectively wipes data from the phone remotely if it becomes lost or stolen.  Whilst this seems an extreme approach, many corporate owned devices will have this type of protection in place as standard.

Disk encryption on laptops and servers is pretty common.  Even free and easy-to-configure software like TrueCrypt can provide adequate protection for the home user.  Many operating systems like Android can now provide phone and SSD storage encryption.  It normally isn't configured by default and will require poking around the settings of the phone, but it's not particularly complex and is worth doing.

Finally, when it comes to apps, there are a few basic steps that can be taken.  If there are apps you need, try to download from a developer with a significant download history.  Having 500k+ downloads provides a little credibility that the app does what it says without any side effects.  Try to avoid the app with 6 recommendations that seem to give an overly glowing reference.  They're probably either the developer themselves or friends and relatives.  Keep your apps up to date.  Many apps have small code bases which will be constantly evolving and improving, perhaps as much as once a week.  Whilst having the newest release can often bring new feature bugs, it's often worth the risk to have the most recent version from a security perspective.

Spring clean!  If you have an app installed that hasn't been used in the last 6-8 weeks, uninstall it.  Only keep the apps you use, and keep those updated.

I, for one, would be pretty lost without my phone.  It takes only a few seconds to be compromised, but only a few minutes to be a little safer.

(Simon Moffatt)