tips on securing mobile devices october 5, 2012

Tips on Securing Mobile Devices

October 5, 2012

Preston Wiley, Network Security Manager, CISSPMike Hill, Project Manager / Systems Analyst, CISSP

WHAT IS A MOBILE DEVICE?

• Highly Portable

• Constantly connected to the Internet

• Able to run a variety of applications

• Easily stolen or misplaced

• Smartphones, Tablets

• Personally managed

MOBILE DEVICE OPERATING SYSTEMS• iOS

• iPad• iPhone• iPod Touch

• Android• Nexus 7• Samsung Galaxy• HTC One, Desire, Evo, etc.• Motorola RAZR• MANY MANY MANY Others

• Blackberry, Symbian, Windows

WHY DO WE HAVE MOBILE DEVICES?

• Highly Portable• Convenient• Always Stay Connected

• Remain Productive• Coolness Factor

WHY SHOULD WE SECURE THEM?

• As mobile devices become ingrained into our life, we store more and more data in them, such as:o E-mail o Contacts o Photos

• and we use various apps to make our lives easier:o Social: Facebook, Twitter, LinkedIno Financial: Paypal, eBay, Amazono Cloud Storage: Dropbox, Google Driveo Maps: Mapquest, Google Maps o Games: Angry Birds, Bad Piggies

TIP #1: LOCK DEVICE • Passcodes

o Pins o Pattern (Android)o Facial Recognition (Android 4)o Passwords

• Auto-Lock (Screen Timeout)o 1 minute to 5 minuteso Shorter time is more secureo Be aware of apps that can be accessed when locked

TIP #2: UPDATE APPS

• Keep apps up-to-date using official siteso Apple App Store (iOS)o Google Play (Android)

• Be wary of 3rd party apps from unofficial sites (Android)o When you allow unknown apps on Android, you

allow them from ALL sourceso Only turn this option on if you need it and turn it off

when you don't need it.o There are legitimate stores other than Google Play

that require this to be turned on: Amazon App Store

TIP #3: DISABLE NETWORK SERVICES• Benefits to disabling services

o These services can pose security riskso Can also extend battery life

• WiFio Constantly scans for WiFi networkso Beware of open networks (unencrypted)

• Bluetootho Turn off or set to non-discoverable if not neededo Used for hands free devices and wireless keyboardso Can be used to view your contacts and make calls

with your phone.

TIP #4: BEWARE OF QR CODES

Which QR code is the malicious one?

Tips 5-10

TIP #5: UPDATE OPERATING SYSTEM• Update OS to latest version available to you

o iOS 6o Android 4.1 (Jelly Bean)o BlackBerry 7.1 OSo Windows Phone 7.5

*Data as of October 1, 2012 *Data as of September 30, 2012

TIP #6: CONFIGURE LOCATION SERVICES• Popular features of location services

o Photos - geotaggingo Maps - turn by turn navigation

• Beware of disclosing location publiclyo Please Rob Me (2010)o U.S. Army warns about geotagging (2007)

• Recommended Configurationo Disable if not neededo Only enable for specific apps when needed

TIP #7: BACKUP DEVICE

TIP #7: BACKUP DEVICE

• Backup your device o Device should not be sole source of this datao Data can be encrypted during backup to iTunes (iOS)o Backups based on Google Account (Android)

• Be aware of any sensitive data on deviceo Financial documents o Tax recordso Health recordso Passwords

TIP #8: WIPE DEVICE

• Erase data on device beforeo Returno Repairo Resale

• Auto-Wipeo Erases data after 10 failed attempts (iOS)o Autowipe app (Android 2.2+)

• Remote Wipeo Gives you the ability to remotely wipe device

TIP #9: FIND DEVICE• Find My iPhone (iOS)

o Requires iOS 5+o Locate your device on a mapo Display custom message o Remotely lock or wipe deviceo Lost Mode (iOS 6)

• LocateMyDroid (Android)o Available on Android OS 2.2+o Visually see your phone on a mapo Remotely lock/wipe phone (admin)

• Create ICE for lock screen

TIP #10: SECURE BROWSER SETTINGS• Recommended Settings

o Block Pop-upso Enable Private Browsing o Enable Fraud Warning (iOS)o Disable AutoFillo Disable Location Serviceso Clear history and cookies

WRAP-UP

• 10 Tips for Increased Security1. Lock Device2. Update Apps3. Disable Network Services4. Beware of QR Codes5. Update Operating System6. Configure Location Services7. Backup Device8. Wipe Device9. Find Device 10. Secure Browser Settings

SERIOUS ABOUT SECURITY PODCAST• New episodes recorded every two weeks

http://www.cerias.purdue.edu/site/sas_podcast• Twitter: @SASPodcast

Q&A

• Preston WileyE-mail: pswiley@purdue.eduTwitter: @PrestonSecure

• Mike HillE-mail: mikehill@purdue.eduTwitter: @Purdue_Mike

REFERENCES

• Android Distribution Chart• https://developer.android.com/about/dashboards/index.html

• iOS Distribution Chart• http://insights.chitika.com/2012/ios-by-device/

• Permission to use Dilbert comics provided by Universal Uclick

• Please Rob Me• http://pleaserobme.com

• U.S. Army warns about the risks of geotagging• http://nakedsecurity.sophos.com/2012/03/14/us-army-warns-about-

the-risks-of-geotagging/