Smart Phones and Tablets: Security Issues
S. Roy

Acknowledgement
In preparing the presentation slides and the demo, I received help from
• Professor Simon Ou
• Professor Gurdip Singh
• Professor Eugene Vasserman
• Fengguo Wei

What is a Smart Phone?
• Smart Phone = Phone + Computer + Sensors
• Provides various services
  – phone call, SMS, computation, storage, accessing the Internet, data download, GPS, camera, and so on …
• OS: Android, iOS, Windows Mobile, BlackBerry OS
• OS make: Google, Apple, Microsoft, BlackBerry
• Device make: Samsung, Apple, HTC, BlackBerry
• Popular models: Galaxy S III, iPhone 5
• Connection/service providers: AT&T, Verizon, T-Mobile
• Connection types: 3G, 4G, Wi-Fi, Bluetooth

What is a Tablet?
• A tablet is a specialized mobile computer with a big screen
  – primarily operated by touching the screen
  – used for reading books, watching videos, accessing the Internet, and so on
  – wireless connections: 3G, 4G, Wi-Fi, Bluetooth
  – OS: Android, iOS
  – popular models: Samsung Galaxy Tab, Apple iPad

Why Secure Smart Phones/Tablets?
• These devices can do most of what a computer (e.g. a laptop) does.
• Smartphones have extra features, such as GPS, phone calls, SMS.
• Smartphones/tablets probably contain a lot of personal information.
• There is some chance that we will lose these devices.
• A recent study shows these devices are a growing target for malware.
• Smartphones and tablets need to meet the same security standards as any computer.
• The security issues of a smart phone are similar to those of a tablet.
• So, without loss of generality, we will focus only on smart phone security in this class.

Risks a Smart Phone Faces
1. Include risks of insecure Wi-Fi
  – if this device uses an open Wi-Fi
2. Include risks of insecure Web browsing
  – if done from this device
3. Include additional risks:
  – Physical vulnerability (e.g. an attacker physically capturing the phone and performing a comprehensive scan)
  – Sensitive information (GPS location, photos, contact list, etc.) leakage

Installing a VPN Client
• To avoid the risk of using a smartphone on a public Wi-Fi, you may install a VPN client
• As an example, visit the KSU ITS website to get the instructions for installation
  – Android: https://www.ksu.edu/its/security/vpn/androidinstall.html
  – iOS: https://www.ksu.edu/its/security/vpn/iosinstall.html
• Finally, you can use your KSU eID as the username and your KSU password as the password to connect to the KSU VPN server.

Installing the VPN App on Android: Step 1 (screenshot)

Installing the VPN App on Android: Step 2 (screenshot)

How to Start the KSU VPN Client? (screenshot)

Connected to the KSU VPN Server (screenshot)

Accessing the IEEE Xplore Library from any Physical Location (screenshot)

Now let's do the Hands-On Activity
• Search for the Cisco VPN client app in the app store, and download it onto your phone
• Install it and make the proper settings so that it can connect to the KSU VPN server
• Start / run the VPN client; then securely browse web sites (e.g. Yahoo email)
• Take screenshots of your activities
• Connect your phone to your computer to transfer the screenshots
• Use a "paint/photo" editing program to erase any private information present on the screenshots
• You may need to submit the screenshots while doing the homework

Minimize the Phone Data Loss Risk: Using a PIN or Password
• A user should lock the phone screen with a numeric PIN or a password.
  – How long/complex should this PIN be to thwart cracking in a reasonable amount of time?
• Set a timeout (after this interval the phone gets locked and the user needs to enter the PIN)
• Before doing the PIN setup, ensure that your Android device has the latest updates.

Setting Lock in an Android Device: Step 1
• Navigate to your device's settings, select Security, then select Set up screen lock.
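The slide asks how long or complex a PIN must be to thwart cracking in a reasonable time. The Python script below is an added example, not part of the lecture, that turns the question into numbers: the keyspace for a given length and alphabet, the expected number of guesses for a uniformly random code, the time at an assumed guess rate, the time once the device imposes a delay after a few failures, and the chance an attacker succeeds before an erase-after-N-failures policy (such as the iOS Erase Data option covered later, which wipes after 10 failed attempts) fires. The guess rates, the 5-failure/60-second throttle and the wipe threshold are illustrative assumptions, not measurements of any real device.

```python
"""Brute-force cost of a lock-screen PIN under different guess rates and
lockout policies.  Added example; the rate and delay figures are assumptions
chosen for illustration, not measurements of any real device."""

DIGITS = 10   # alphabet size for a numeric PIN
ALNUM = 62    # a-z, A-Z, 0-9 for an alphanumeric passcode


def keyspace(length: int, alphabet_size: int = DIGITS) -> int:
    """Number of distinct codes of the given length."""
    return alphabet_size ** length


def expected_guesses(length: int, alphabet_size: int = DIGITS) -> float:
    """Guesses needed on average for a uniformly random code: half the keyspace."""
    return keyspace(length, alphabet_size) / 2


def seconds_to_crack(length: int, guesses_per_second: float,
                     alphabet_size: int = DIGITS) -> float:
    """Expected wall-clock time with no throttling at the assumed guess rate."""
    return expected_guesses(length, alphabet_size) / guesses_per_second


def seconds_with_throttle(length: int, guesses_per_second: float,
                          free_attempts: int, delay_seconds: float,
                          alphabet_size: int = DIGITS) -> float:
    """Expected time when the device enforces a fixed delay before every attempt
    after the first `free_attempts` failures (a simplified, assumed lockout model)."""
    n = expected_guesses(length, alphabet_size)
    if n <= free_attempts:
        return n / guesses_per_second
    return free_attempts / guesses_per_second + (n - free_attempts) * delay_seconds


def success_probability_before_wipe(length: int, max_attempts: int,
                                    alphabet_size: int = DIGITS) -> float:
    """Chance that an attacker guesses a uniformly random code within the attempts
    an erase-after-N-failures policy allows before the device wipes itself."""
    return min(1.0, max_attempts / keyspace(length, alphabet_size))


if __name__ == "__main__":
    for length in (4, 6, 8):
        print(f"{length}-digit PIN: {keyspace(length):>12,} codes; "
              f"{seconds_to_crack(length, 1e6):.3f}s at 1e6 guesses/s (assumed offline rate); "
              f"{seconds_with_throttle(length, 1.0, 5, 60) / 3600:,.1f}h with a 60s delay "
              f"after 5 failures; "
              f"{success_probability_before_wipe(length, 10):.4%} chance before a 10-attempt wipe")
    print(f"6-char alphanumeric passcode: {keyspace(6, ALNUM):,} codes")
```

The point the numbers make is that length alone is weak protection when guesses are cheap, whereas a throttle or a wipe threshold changes the picture completely: with a 10-attempt wipe, even a 4-digit random PIN gives an attacker only a 0.1% chance, which is why the lecture pairs the PIN with a timeout and the Erase Data setting rather than relying on either alone.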
Acknowledgement: http://xbase.ucdavis.edu/itexpress

Setting Lock in an Android Device: Step 2
• Choose one option among the available ones: a Pattern, PIN, or Password.

Setting Lock in an Android Device: Step 3
• Depending on which option you chose, you will see one of three screens (screenshots).

Setting Lock in an Android Device: Step 4
• Return to the Security settings and set the lockout time.
• This feature locks your phone after it has been inactive for the length of time you choose.

Setting Lock in an iOS Device: Step 1
• To set a passcode, navigate through the following: Settings > General > Passcode Lock > Turn Passcode On.
Acknowledgement: http://xbase.ucdavis.edu/itexpress

Setting Lock in an iOS Device: Step 2
• Enter a four-digit passcode twice and then return to the Passcode Lock settings page.

Setting Lock in an iOS Device: Step 3
• You can create a more complex passcode with spaces and alphanumeric characters, not just numbers.
• You can also change the Require Passcode timing. This feature locks your phone after it has been inactive for the length of time you choose.
• At this location you can also enable the Erase Data feature, which will wipe your personal information from your phone after 10 failed passcode attempts.

Unlocking an iOS Device
• Your passcode should unlock your iOS device once the screen has been turned off for the specified Require Passcode timing.

Further Improvement on Security
• Back up the data on the device
  – to be sure the data can be recovered
• Turn off unused services, if any
  – such as Wi-Fi, Bluetooth or VPN.
  – unused services could expose your device to unwelcome remote connections.
  – turning off unused services can also prolong the device's battery life
• Label the device with minimal contact information
  – such as an email address or office phone number.
  – If you lose the device, report the loss to the police.

Encryption and Remote Wipe Options
• An iPhone (and an Android phone) can encrypt all the stored data using the user's passcode
  – by using the feature available on your smartphone
  – or consider using a reputable data encryption app.
• You may protect yourself for when you lose a mobile device
  – by using the "remote wipe" feature, which can work via a Microsoft Exchange server
  – but the benefit of the "remote wipe" feature is debatable

How an App can Exploit the Security Model
• An example with Android:
  – the user installs a third-party app P from the Android market
  – P does not request the "Internet" permission at installation time, so the user does not suspect P
  – later P sends a request (called an Intent) to the standard "browser" app to open an Internet connection on behalf of P
  – thus P exploits the permission model and can harm the user (e.g. by leaking the user's sensitive information to the outside).
• Mitigation:
  – The Android market, or you, should have a tool for rigorous vetting of an app before the user installs/uses it
  – The user should think twice before granting critical permissions during app installation
  – We should always upgrade the apps and the system

Comparing the Security Model of Android and iPhone (iOS)
• Android allows anybody to develop an app and make it available in the market with a minimal vetting process;
  – On the other hand, Apple claims to rigorously vet a third-party app before it goes into the App Store.
• The user grants permissions to an Android app at installation time (all-or-none permission policy) and there is no run-time monitoring
  – iOS may ask the user for permission at run time (and an app can run with a partial permission set).
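The mitigation bullet above calls for a tool that vets an app before the user installs it. The Python script below is an added example, not part of the lecture and not any Android tooling, of one check such a tool could make for the pattern the slide describes: it reads the permissions declared in a constructed AndroidManifest.xml and compares them with the implicit Intents the app is observed to send (a constructed list standing in for a static analyzer's output). An app that never declared android.permission.INTERNET but hands an http/https URL to the browser through android.intent.action.VIEW is reported, because the browser performs the network access that the install-time prompt never showed. The app name, package and URL are placeholders.

```python
"""Vetting check: declared permissions vs. implicit Intents an app sends.
Added example; the manifest and the intent list are constructed for
illustration and stand in for a real APK and a static analyzer's output."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
ACTION_VIEW = "android.intent.action.VIEW"
WEB_SCHEMES = {"http", "https"}

# Constructed manifest for the hypothetical app P from the slide: it asks for
# READ_CONTACTS but never for INTERNET, so the install-time prompt looks harmless.
MANIFEST_P = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.p">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="P"/>
</manifest>"""

# Constructed (action, data URI) pairs, as a static analyzer might report for the
# implicit Intents P builds. The second one delegates a web request to the browser
# app, with data placed in the query string (placeholder host).
OBSERVED_INTENTS_P = [
    ("android.intent.action.DIAL", "tel:5551234"),
    (ACTION_VIEW, "https://collector.example.invalid/c?contacts=alice%2Cbob"),
]


def declared_permissions(manifest_xml: str) -> set:
    """Return the permission names listed in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def delegated_web_intents(intents):
    """Intents that would make another app (the browser) open a web URL."""
    return [(action, uri) for action, uri in intents
            if action == ACTION_VIEW and urlparse(uri).scheme in WEB_SCHEMES]


def vet(manifest_xml: str, intents) -> list:
    """Findings: network reach obtained through the browser without INTERNET."""
    findings = []
    if INTERNET not in declared_permissions(manifest_xml):
        for action, uri in delegated_web_intents(intents):
            findings.append(f"no {INTERNET} declared, but {action} hands {uri} to the browser")
    return findings


if __name__ == "__main__":
    for line in vet(MANIFEST_P, OBSERVED_INTENTS_P) or ["no findings"]:
        print(line)
```

A real vetting pipeline would obtain the intent list by decompiling the APK rather than from a hand-written list, but the comparison itself is the useful part: the install-time permission list says nothing about what an app can achieve by delegating work to other apps, so a reviewer has to look at both.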
Managing the Phone Settings
• In the default settings, numerous apps start themselves automatically on a smart phone. The user needs to be informed.
• As an example, on an Android phone all Google apps (Gmail, Google Plus, etc.) are always ON by default.
• The user needs to modify the settings to securely manage the apps: email apps, social network apps, messaging apps, etc.

Summary
• We discussed common security issues of smart phones/tablets.
• We presented a few standard countermeasures to mitigate the risks.
• Reminder:
  – the next homework is due before the next class (1pm on March 7)
  – the next class will be held in Room 128