October 5, 2012
Preston Wiley, Network Security Manager, CISSP
Mike Hill, Project Manager / Systems Analyst, CISSP
W
M
D
?
• Highly Portable
• Constantly connected to the Internet
• Able to run a variety of applications
• Easily stolen or misplaced
• Smartphones, Tablets
• Personally managed
M
D
O
S
• iOS
  o iPad
  o iPhone
  o iPod Touch
• Android
  o Nexus 7
  o Samsung Galaxy
  o HTC One, Desire, Evo, etc.
  o Motorola RAZR
  o MANY MANY MANY Others
• Blackberry, Symbian, Windows
W
M
D
?
• Highly Portable
• Convenient
• Always Stay Connected
• Remain Productive
• Coolness Factor
W
?
• As mobile devices become ingrained in our lives, we store more and more data in them, such as:
  o Contacts
  o Photos
• and we use various apps to make our lives easier:
  o Social: Facebook, Twitter, LinkedIn
  o Financial: PayPal, eBay, Amazon
  o Cloud Storage: Dropbox, Google Drive
  o Maps: Mapquest, Google Maps
  o Games: Angry Birds, Bad Piggies
Tip #1: Lock Device
• Passcodes
  o PINs
  o Pattern (Android)
  o Facial Recognition (Android 4)
  o Passwords
• Auto-Lock (Screen Timeout)
  o 1 minute to 5 minutes
  o Shorter time is more secure
  o Be aware of apps that can be accessed when locked
Tip #2: Update Apps
• Keep apps up-to-date using official sites
  o Apple App Store (iOS)
  o Google Play (Android)
• Be wary of 3rd party apps from unofficial sites (Android)
  o When you allow unknown apps on Android, you allow them from ALL sources
  o Only turn this option on if you need it and turn it off when you don't need it.
  o There are legitimate stores other than Google Play that require this to be turned on: Amazon App Store
Tip #3: Disable Network Services
• Benefits to disabling services
  o These services can pose security risks
  o Can also extend battery life
• WiFi
  o Constantly scans for WiFi networks
  o Beware of open networks (unencrypted)
• Bluetooth
  o Turn off or set to non-discoverable if not needed
  o Used for hands free devices and wireless keyboards
  o Can be used to view your contacts and make calls with your phone.
Tip #4: Beware of QR Codes
Which QR code is the malicious one?
Tip #5: Update Operating System
• Update OS to latest version available to you
  o iOS 6
  o Android 4.1 (Jelly Bean)
  o BlackBerry 7.1 OS
  o Windows Phone 7.5
*Data as of October 1, 2012
*Data as of September 30, 2012
Tip #6: Configure Location Services
• Popular features of location services
  o Photos - geotagging
  o Maps - turn by turn navigation
• Beware of disclosing location publicly
  o Please Rob Me (2010)
  o U.S. Army warns about geotagging (2007)
• Recommended Configuration
  o Disable if not needed
  o Only enable for specific apps when needed
Tip #7: Backup Device
• Back up your device
  o Device should not be sole source of this data
  o Data can be encrypted during backup to iTunes (iOS)
  o Backups based on Google Account (Android)
• Be aware of any sensitive data on device
  o Financial documents
  o Tax records
  o Health records
  o Passwords
Tip #8: Wipe Device
• Erase data on device before
  o Return
  o Repair
  o Resale
• Auto-Wipe
  o Erases data after 10 failed attempts (iOS)
  o Autowipe app (Android 2.2+)
• Remote Wipe
  o Gives you the ability to remotely wipe device
Tip #9: Find Device
• Find My iPhone (iOS)
  o Requires iOS 5+
  o Locate your device on a map
  o Display custom message
  o Remotely lock or wipe device
  o Lost Mode (iOS 6)
• LocateMyDroid (Android)
  o Available on Android OS 2.2+
  o Visually see your phone on a map
  o Remotely lock/wipe phone (admin)
• Create ICE for lock screen
Tip #10: Secure Browser Settings
• Recommended Settings
  o Block Pop-ups
  o Enable Private Browsing
  o Enable Fraud Warning (iOS)
  o Disable AutoFill
  o Disable Location Services
  o Clear history and cookies
Wrap-Up
• 10 Tips for Increased Security
  1. Lock Device
  2. Update Apps
  3. Disable Network Services
  4. Beware of QR Codes
  5. Update Operating System
  6. Configure Location Services
  7. Backup Device
  8. Wipe Device
  9. Find Device
  10. Secure Browser Settings
S
S
P
• New episodes recorded every two weeks
  http://www.cerias.purdue.edu/site/sas_podcast
• Twitter: @SASPodcast
Q&A
• Mike Hill
  E-mail: mikehill@purdue.edu
  Twitter: @Purdue_Mike
• Preston Wiley
  E-mail: pswiley@purdue.edu
  Twitter: @PrestonSecure
R
• Android Distribution Chart
  o https://developer.android.com/about/dashboards/index.html
• iOS Distribution Chart
  o http://insights.chitika.com/2012/ios-by-device/
• Permission to use Dilbert comics provided by Universal Uclick
• Please Rob Me
  o http://pleaserobme.com
• U.S. Army warns about the risks of geotagging
  o http://nakedsecurity.sophos.com/2012/03/14/us-army-warns-about-the-risks-of-geotagging/