SMARTPHONE SECURITYProtecting Your Privacy

TEKDESKA Division of COIN:

The Community Opportunity &

Innovation Networkwww.tekdesk.org

www.coin-ced.org

Made possible by a grant from the Office

of the Privacy Commissioner of

Canadahttp://www.priv.gc.ca

INTRODUCTION A smartphone is a cell phones that can

connect to the internet and run a number of programs called apps chosen by the user.

Smartphones have reached about half of the Canadian market. Their market share is only expected to increase.

Smartphones store a lot of personal information: your address book, email, Facebook and more. Lots of apps need or want personal information. This can threaten your privacy.

BASIC FACTS ABOUT SMARTPHONES Smartphones have operating systems just like computers. In

Canada, the most common are: iOS, used for Apple’s iPhones and iPads. Android, used for smartphones and tablets from many different

companies. BlackBerry OS, used for RIM’s BlackBerry phones. Windows Phone, used for certain smartphones from various

companies, particularly Nokia. Software developers create programs – apps – for each

operating system. Manufacturers list them at online stores you can download them from. Some are free, some cost money. Apps include games, Facebook, Twitter, special messaging programs and even lightweight versions of office software.

WHERE DO SMARTPHONE PRIVACY THREATS COME FROM? Physical: If someone gets a hold of your phone,

they might be able to access your personal information.

The User: You might mistakenly share your information over the internet using your phone.

Software: The app may be designed to share your personal information in some way you don’t want.

In addition to these, you may face High Security Situations where you should turn off your phone and if possible, remove its battery.

WHAT COULD HAPPEN IF MY PRIVACY IS BREACHED? Cyberbullying: If you are in danger of being bullied, your

private information can be used to say hurtful things to you or an online audience.

Cyberstalking: Your personal information could be used to track your movements and actions to harass you.

Identity Theft: This is a form of fraud where someone pretends to be you for financial gain, such as using your credit card or getting loans in your name.

Human Rights Violations: Your private information may be used to commit a human rights violation.

Stress: Privacy loss is a stressful event, no matter what happens. Do not underestimate the effects of stress.

HOW DO I PROTECT MY PRIVACY? The formula:

Technology knowledge + common sense = security! You probably already have the common sense –

it’s just the technology you’ll need help with. Let’s talk about the ways we can protect against

privacy threats that might come up through these three avenues.

We’ll also talk about some general best practices to protect your privacy.

PRIVACY VERSUS CONVENIENCE To use a smartphone responsibly, you need to strike a balance

between your privacy needs and ease of use. The best way to keep an app or other feature from damaging your

privacy is to not use it, deactivate it, or remove it. If you use your phone for work, ask if the workplace has any

policies you should be aware of. Assess your privacy needs:

Do you plan on using your smartphone for work or financial transactions? Do you regular look at sensitive information? Are you responsible for dependents? You need to safeguard their privacy

as well as your own. Are you likely to face privacy-related threats such as harassment, stalking

and identity theft? In this course we will highlight essential privacy safeguards with

red text. Do more if you need to.

PHYSICAL SECURITY Physical security protects against the dangers of

someone getting a hold of your phone. This could be someone stealing your phone or

sneaking a peak while you’re asleep, distracted or elsewhere.

THE FIVE STAGES OF LOSING A SMARTPHONE

PHYSICAL SECURITY SCENARIOS Jane leaves her purse at her table while she gets a

refill for her coffee. A man on the way out grabs the phone right out of her purse. He uses her Facebook and email to trick Jane’s friends out of money by pretending to be her.

Tony does not feel safe with his partner, but they still share the same apartment. He has been planning to leave. After his partner turns on Tony’s phone, he reads email Tony sent to friends about the situation.

PHYSICAL SECURITY: ALWAYS BY YOUR SIDEThere are three appropriate places for your phone:

1. In a pocket of something you are wearing right now.

2. Within arm’s reach.

3. At a set location in your home or another secure area.

PHYSICAL SECURITY: LOCK SCREEN PASSWORDS Your phone has a lock screen: a screen that comes up

before you use the phone for anything. Your lock screen should always be password protected

to prevent peeking. There are multiple types of “passwords” to choose

from depending on the phone, like standard passwords, swipe passwords and face recognition. No matter what you pick, you will always be asked to have a standard password as well.

Some phones offer a default 4 character password. Look for an option that lets you use a longer, secure password.

PHYSICAL SECURITY: DISPOSAL Your phone should never be sold, traded, or disposed of

without wiping all of your information first. This is true even if you’re throwing the phone out, returning it

you the carrier, or giving it to a family member or close friend. Remove the phone’s memory (SD) card. Do not just delete its

contents, as these can be recovered. Check with your carrier about deactivating the phone’s SIM card.

Every smartphone can be “factory reset:” returned to the condition it was in when originally purchased, with no personal information beyond a phone number. Do this (or have someone do it) to every phone you plan on getting rid of.

Removing the phone’s SD card does not take the place of resetting the phone. You must remove the card and reset the phone.

PHYSICAL SECURITY: OTHER TIPS Report a lost or stolen phone immediately! Your

carrier may be able to remotely deactivate it. If your phone is a popular brand (such as an

iPhone) pick a case that changes its shape, and use headphones or ear buds of a different brand than your phone.

If you feel confident doing so, take a look at software that may help you track a stolen phone, such as Prey: www.preyproject.com.

THE USER Knowledge is your best defence against privacy

threats. Do you know what your phone does? Do you know the information your apps send? Does your carrier offer any services that could threaten your privacy?

Even tech-savvy people run into problems.

BURGLAR WAS FACEBOOK “FRIEND”

THINGS USERS NEEDS TO KNOW ABOUT THEIR PHONES Carrier Services: Does your carrier offer services

that can be used to spy on you? Apps: Are you accidentally using app features that

share private information? What You’re Saying: Are you texting or posting

anything on social networks that could be dangerous to your privacy?

USER SECURITY SCENARIOS Bob posts publicly on Facebook that he just got

home. He doesn’t know that his post includes his physical location, which he accidentally allowed it to add.

Mary goes to a shelter. Her abusive partner finds her location via the Rogers Phone Finder service they were registered under. This pins her phone’s location on a map. He tracks her down.

John mentions on Twitter that he’s going on vacation for a week. When he returns, he finds his apartment has been robbed. The thieves knew he was away.

USERS AND CARRIER SERVICES Bell, Telus and Rogers all provide services that allow

people to track the locations of their own phones, and sometimes others. Bell Seek and Find Rogers Phone Finder Telus Asset Tracker (Business)

For the best security, make sure your phone cannot be tracked by these services. Contact your carrier and look up these services online.

Other carrier services include the ability to look at texts and perform other functions on a distant phone from your computer. If you use these services, never share your password. For best protection, don’t use them!

USERS AND APPS Learn about the apps you use. Some of them have features

that let you share private information – you might do this accidentally.

Facebook is the app/service people accidentally share information with the most. For example, it allows you to add your location to almost everything you post, and nags you to do it. It also allows you to enter your phone number, which can be harvested by your friends’ address books.

Look out for location/GPS features as well. They may add location listings to your posts, or add location based metadata (information that appears with a file) to pictures.

People are especially prone to accidentally sharing private information with social media and messaging apps.

USERS AND POSTING Even if you master your apps’ risky features,

there’s always the danger of sharing information through your own words and pictures that could damage your privacy.

Be especially careful about posting your location, family information and anything that could reveal financial information, such as the bank or credit card you use. Most people would never post their credit card or bank account numbers, but you should also think twice about posting the bank or credit card brand you use.

APP PRIVACY Apps on your smartphone require permission to

use certain files and capabilities on your phone, such as your address book (or contacts) or your camera.

Some apps ask for permissions that could threaten your privacy.

APPS UPLOADING YOUR CONTACTS

APP PRIVACY SCENARIOS Carol downloads a messaging app. It

automatically emails all of her address book contacts to let them know she’s using it, but her contacts include a former harasser who she had an email conversation with two years ago.

Farooq uses a blogging app to write anonymous articles on politics. Advertisers use this information to tailor ads on websites. When he surfs the web to do research at work, his supervisors notice that the ads he encounters reflect his politics.

WHAT ARE APP PERMISSIONS? By default, apps can only run in their own little section of the

phone’s system, called their sandbox. An app that can only use the sandbox would be pretty useless. A

web browser app needs to use the internet, and an app that lets you add filters to your pictures may need your phone’s camera, photo gallery, or both. Letting an app do this gives it permissions, so that’s what these features are called.

If an app needs permissions, you normally have to give them to use the app properly, or you are assumed to give them if you download it.

Some apps ask for permissions they don’t really need to function so they can promote themselves, send data to advertisers or track user behaviour to improve themselves.

A few apps are malware – they steal information or change how your phone works for malicious or criminal purposes.

WHY CAN PERMISSIONS BE A PROBLEM? They share information you don’t want to share. They perform an action that compromises your

privacy. Some of them enable true malware designed for

criminal activities, but most of these problems come from incompetent or greedy app development.

TEKDESK RESEARCH: PHASE 1 In 2012 The Office of the Privacy Commissioner of Canada funded

a Tekdesk project to research the privacy effects of smartphone apps.

Our initial research of the literature indicated the following: Many users don’t understand smartphone permissions, and don’t pay

much attention to them. Free apps were much more likely to possess questionable permissions

than paid apps. In many cases, the problem isn’t malware, but app developers getting

sloppy. To make it easy on themselves, they ask for wide ranging permissions.

App developers have also taken security shortcuts. For example, some apps uploaded contacts without encrypting them. This might allow a hacker to intercept that information.

In some cases, the permissions you see don’t match what an app actually does. For example, in one court case, the plaintiff alleges that her Windows Phone device continued to transmit location-based information after she specifically disallowed that permission.

TEKDESK RESEARCH: PHASE 2 Phase 2 of our research looked at the permissions requested by the

top 50 free and paid apps for the four major smartphone platforms, according to their app stores.

We discovered the following: Android and Windows Phone apps from their official stores tell you

permissions before you download. iOS and BlackBerry apps don’t. iOS only provided standardized permissions for push notifications and location-based services.

As of December 2012 the BlackBerry OS lets you change virtually any permission. For others, you are mostly restricted to changing location-based services.

Developers tend to ask for standardized sets of permissions, no matter the app. For example, every single BlackBerry OS smartphone app allows access to email, organizer data (calendars contacts), files, and security data by default. This may allow problem apps to conceal themselves as “wolves in sheep’s clothing.”

Virtually every app requests local network and internet access, even when the app doesn’t have any obvious use for it.

HOW DO WE FIND OUT ABOUT APP PERMISSIONS?Each mobile operating system has a different method of listing

permissions, and different permissions categories. Android: Read permissions in the Google Play app store or website

before you download. iOS: You need to download the app first. The app will ask for some

permissions. Others require you to take a close look at what the app does. Go to Settings to see some apps’ permissions, such as permission to use push notifications.

BlackBerry: You need to download the app first. Look at the app under Options>Device>Application Management in BlackBerry phones made before 2013.

Windows Phone: The Windows Phone Apps+Games Store lists permissions for apps. Read them! In addition, after you download the app may ask permission for some functions, such as location-based services (GPS, Wi-Fi triangulation).

LOOKING OUT FOR PERMISSIONS Every operating system describes privileges in a

slightly different fashion, but they’re all talking about basically the same things. Some permissions are no big deal, but a few require your close attention because if they’re misused by the app, they can compromise your privacy.

When you see a suspicious permission, ask yourself if the app really needs that to function. Remember that some apps are ad-supported, and have extra permissions for that reason.

PERMISSIONS TO WATCH Address book/contacts and calendar: Legitimately used for

messaging, calendar and some social media. Otherwise, do not allow.

Geolocation/location-based services: Legitimately used for navigation, mapping and some social media (Facebook, Foursquare). Some apps (such as weather) also give custom content based on location, but should not need to know your fine, GPS-based location – just your general area.

Camera: Only apps that use your camera or affect photos need this permission. Otherwise, it can be used to take photos without your permission.

Phone calls and texting (SMS/MMS): Legitimately used for some messaging apps. Otherwise, it can be used to run up charges on “premium” phone calls and texts.

BEST PRACTICES FOR APPSIn order of importance:

1. Research before you install. Google it!

2. Look up permissions as soon as you can.

3. Ask yourself: “Does this app need this permission?”

4. Read the app developer’s privacy policy. There should be one for every app that has access to your personal information.

5. Disable any permissions you don’t need, if you can.

6. Uninstall apps you no longer use.

7. Back up, wipe and restore your phone periodically.

OFFICIAL APP STORES, ALTERNATIVES AND SIDELOADING The most common way to get apps is to download them from official

app stores for each operating system/device. There are alternative app stores out there. For some phones

(especially iPhones), you need to void your warranty by adding the ability to use them. For iPhones, this is called jailbreaking.

Official app stores use some safeguards against malware and security risks, but apps often get past them. Alternative app stores do not have these guarantees.

It’s also possible to install apps from your PC or through an SD storage card. This is called sideloading. Sideloaded apps may or may not be safe, depending on the app, but there are no guarantees.

Alternative app stores and sideloading are not recommended for most users.

Just because an app comes from an official app store doesn’t mean it’s automatically safe.

HIGH SECURITY SITUATIONS Some jobs and other circumstances create high

security situations where you should take every precaution against privacy breaches and surveillance.

Examples of high security situations include: Work that brings you into contact with people in crisis. Visiting a shelter for individuals coping with violence. Any time you believe there would be a serious threat

to your privacy, and you are not sure how to protect it.

SMARTPHONE ENABLES STALKING

HIGH SECURITY SCENARIOS Zenia is staying at a shelter to escape a violent ex-

partner. Her partner secretly installed tracking software on her phone. He activates it. The software doesn’t leave any sign that it’s active. He uses the phone’s location to track her down. Zenia turned off the phone’s GPS, but the software used Wi-Fi triangulation as well, and it’s good enough to find her rough location.

Jeff works at a youth shelter. A shelter resident steals Jeff’s phone, and not only uses the phone to arrange a drug deal (which may get Jeff in trouble) but gets enough of Jeff’s personal information to harass him later.

ON, OFF AND STANDBY Your phone must be completed powered down to be

truly turned off. It is not off when the screen is dark and you’re not

using it. It’s on standby. This is true even if you have set your phone to be silent or block calls and texts.

Some apps and hacking techniques can be used to use your camera and microphone, or read information from your phone (including location) while your phone is on standby.

Some phones cannot be completely powered down even when turned “off” according to the device’s settings. You must remove the battery.

STEPS TO SECURE YOUR PHONE IN A HIGH SECURITY SITUATION Ask about cell phone policies for that site or job.

If they recommend additional steps, use them. If they don’t, take the other steps anyway.

Power down your phone. Hold down the power button and select the option that shuts down your phone.

For extra protection, remove the battery if you can. If you can’t, consider leaving your phone in a secure location, away from the high security situation.

ALTERNATE PHONES If you will regularly enter high security situations, consider getting

a dedicated phone to use when they arise. Some jobs offer these phones to workers. For the best security, this phone should not be a smartphone. If it

is, it should contain virtually no non-work information—don’t use it for Facebook, for example.

The most secure option is a prepaid/pay as you go phone that is not registered under your name.

Use this phone for communication in high security situations, such as talking to clients or calling in and out of facilities.

Do not enter any private information in to this phone, and limit communication with private life connections to emergencies only.

In situations like this, it is perfectly reasonable to carry two phones.

SUMMARY Threats to your privacy come from losing physical

security (someone gets their hands on your phone), user actions (you do something to release private information) and software (the app does something to release private information). Some high security situations require additional precautions.

Don’t let your smartphone out of your sight! Learn about your carrier, smartphone, and apps. Just because your friends and family aren’t concerned

doesn’t mean you shouldn’t be. Everyone is different. Technology knowledge + common sense = security!

Keep learning and thinking.

CONDENSED TIPSTo protect your smartphone’s physical security:

1. Keep your phone by your side or in a secure location at all times.2. Use a password-protected lock screen.3. Wipe your phone with a factory reset and wipe/remove the SD card before you

get rid of it.

To prevent yourself from accidentally sharing information:4. Study the apps you use for features that share too much, such as GPS location.5. Don’t post sensitive information, especially about your location or finances.6. Make sure you cannot be tracked through carrier services.

To prevent apps from breaching your privacy:7. Research apps online before you download them.8. Look up their permissions to see if they want to do something they don’t need

to do.

In a high security scenario:9. Completely shut down your phone. For extra protection, remove its battery.10. Use the strongest combination of site security policies and what you learn

here.11. If you can’t remove the battery, consider leaving the phone in a secure place

away from the high security location.12. Keep an alternate phone, such as a prepaid phone that is not activated under

your name.

THANK YOU!For more information, contact Tekdesk: www.tekdesk.org info@tekdesk.org www.twitter.com/tekdesk Look for us on Facebook – search for Tekdesk

Peterborough