Mobile Device Security Image from http://appaddict.net

Mobile Device Security - Texas State Universitygato-docs.its.txstate.edu/.../Mobile-Device-Security-2011.pdf · VERIZON SAMSUNG FASCINATE 6/13/2011 16:20 iPhone 4 in blue case 6/13/2011


http://security.vpit.txstate.edu [email protected]

Examples of Mobile Devices

- Phones – iOS (iPhone), Android, Windows, etc.

- USB devices

- Tablets (iPad, Dell/HP running Windows, WebOS, etc.). This area looks to be growing rapidly.

- Laptops (usage decreasing)


A Paradigm Shift - Personal vs. Work

A growing number of personal devices are used for work

Work email and documents can be discoverable on personal devices…


A Quick Overview of Laptops…

- The same risks as other mobile devices

However, they have:

- Mature encryption technology

- A full keyboard (it’s easier to have good passwords that way)

- The same protections as a desktop
  - Antivirus
  - Regular OS updates
  - Regular application updates


How Powerful are Smart Phones?

iPhone as a penetration testing tool….

Image from http://www.offensive-security.com


General Current Threats

- Wireless access

- Loss and Theft

- Privacy

- Malware

- Cloud Data Storage


A note on web browsing

Always use HTTPS if you can, even if you’ve already logged in or don’t have to.

https://facebook.com - GOOD

http://facebook.com – VERY BAD


Four Types of Wireless

- “Wifi” or “Wireless” (802.11x)
  - Texas State Campus, Home, Airport, etc.
  - Medium range, much faster
  - Sometimes encrypted, sometimes not

- Data Service (3G, 4G/WiMAX/HSPA+)
  - Slower but more widespread and more secure

- NFC (Near field communication)
  - Used for mobile payments, public transportation ticketing, etc.

- Bluetooth
  - Short range, good for device to device communication
  - Wireless keyboards, mobile phone earpieces


Wifi Snooping

Malicious user at coffee shop/airport

Image from: http://blog.meseta.co.uk/


Firesheep


More Wifi Snooping

Google Streetview Cars

Google ClientLogin Issue


VPN Can Help!


VPN Products

VPN can protect you from a majority of wireless threats. Support for mobile devices is limited but growing. We are currently testing Texas State VPN for the iPad.

Texas State VPN


A Wireless Usage Suggestion

Use your data service. Disable wifi/wireless and bluetooth unless you really need them.


NFC (Near Field Communications)


Loss and Theft Consequences

Identity Theft – work email, apps with personal information – saved credit cards, SSNs…

If your phone is used for payment (NFC/Near Field Communications), someone may be able to use your phone for purchases

FERPA violations – work email


Locking Your Phone – Now More Important Than Ever

Download an app, wave your phone in front of a scanner and get a latte…

Image from http://bits.blogs.nytimes.com/


Loss and Theft basics…

- Enable autolock with a password/swipe pattern

- Enable autowipe after a certain number of login attempts

Passwords for an iPhone under Settings, General, Passcode lock:


Android Lock

Image from https://theassurer.com


Image from http://q8geeks.org/


Remote Wipe/Lock

- Mobile Defense for Android – locate, lock, backup and wipe

- Android 2.2 and above support a remote Exchange wipe

- iPhone supports remote wipe through Exchange

- iPhone/iPad also support remote wipe through MobileMe/iCloud

Image from http://www.cellphones.ca


Device Encryption

- iPhone 3GS and newer as well as iPads are encrypted at the hardware level. This encryption is only useful if your passcode is not easy to guess or crack

- Android has software-based encryption (part of WhisperCore)

- Windows 7 does not look like it supports on-device encryption as of yet

- DARPA has released a request for technology for encrypting many common mobile devices – April 11th, 2011


USBs and Encryption

Use encryption. Ironkey has great (waterproof) and easy-to-use products. Some USB security is sub-par; make sure the USB has hardware/chip level encryption.

Image from: http://www.topreviewshop.com/


An Important Tip!

Keep your device in a pocket or in some way attached to you. This can be annoying but is much better than the alternative.

- VERIZON SAMSUNG FASCINATE, 6/13/2011 16:20
- iPhone 4 in blue case, 6/13/2011 9:09
- NIKON D50 CAMERA, LENS, 2 SD MEMORY CARDS IN BAG, 6/13/2011 8:27
- nokia cell phone, 6/13/2011 6:45
- LG Rumor Touch cellphone, 6/12/2011 6:43
- blackberry curve, 6/11/2011 17:05
- IPOD TOUCH 32 GB BLACK in a black "rubber" case, 6/11/2011 17:03
- Blackberry curve, 6/11/2011 14:51
- Droid, 6/10/2011 22:57
- iPhone4, 6/10/2011 15:43
- Steel I-pad in black "InCase" case, 6/10/2011 14:52
- Steel I-pad in black "InCase" case, 6/10/2011 14:52
- iPhone, 6/10/2011 10:46
- White iPhone 3Gs, white sticker on back, cracked top, 6/10/2011 9:02
- Nikon D3100 Camera in black case, 6/10/2011 0:00
- Two backpacks, laptop, Australian passport, 6/8/2011 21:12
- iphone 4 lost in Northside cab service, 6/8/2011 10:33
- Gucci sandal, 6/8/2011 9:32
- Black Purse with ID, Phone, Ipod, etc., 6/7/2011 16:44
- iphone 4 with white case, 6/7/2011 8:36
- Cell Phone, 6/7/2011 6:45
- Small Cingular cellphone, 6/6/2011 13:07
- Iphone 4, 6/6/2011 10:54
- REWARD Black iPhone 4G with Black Case mountain on screen, 6/6/2011 6:31
- iphone 4, 6/6/2011 6:04
- LG Optimus black cell, 6/5/2011 14:05
- cell phone (DROID), 6/5/2011 6:58
- Silver Sony Viao in black case lost on 5/30, 6/4/2011 21:57
- Samsung phone, 6/4/2011 20:02
- Black 32gb iPhone 3GS, 6/4/2011 15:39
- REWARD: Lost Sony Vaio laptop and bag, 6/4/2011 13:44
- iPhone 4G black w/ black case, 6/4/2011 7:22
- iPhone black, 6/4/2011 6:40
- iphone4, 6/4/2011 6:33


Mobile Devices and Malware (viruses, worms, trojans, oh my…)

Image from http://www.mobiletopsoft.com/


USBs and Malware

- Incidents on campus with plugging infected USBs into machines and vice versa

- Social engineering is an issue – leave a USB lying around at an organization and it’s highly likely someone will pick it up and plug it in…


Desktop malware migrates to mobile platforms

Image from http://techgeek.com.au/


Android Gemini

- Comes from third party app store in China

- Steals most information:
  - Installed/Running applications
  - Subscriber information (IMSI number, SIM serial number, network provider, etc.)
  - Phone information (IMEI number, manufacturer, model, etc.)
  - Current user’s location (via GPS)

- Probable precursor to a mobile botnet


Jailbroken iPhones

Jailbroken phones are at much higher risk for attack and infection. It’s HIGHLY recommended that you don’t do this.

Image from http://www.tipb.com/


Mobile Security


Privacy - User tracking….

From the Wall Street Journal in December of 2010

Of 101 iPhone apps:

- 56 transmitted the phone’s unique device ID without users’ awareness or consent
- 47 transmitted the phone’s location
- 5 sent age, gender and other personal details

Also, Google makes a very large amount of money through advertising. More targeted advertising tends to be more profitable, therefore the more they know about your habits the more profitable they are…


What is Cloud Storage?

Image from http://www.agent-x.com.au


Cloud Storage products

From the Dropbox terms of service:

“You acknowledge and agree that you should not rely on the Site, Content, Files and Services for any reason. You further acknowledge and agree that you are solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Site, Content, Files or Services.”


More Cloud Storage


Q & A