Author: Jared Hall
Revision: 1.3
URL: https://www.jaredsec.com/mobile-devicesmartphone-security-tips/
Date: 07/10/2017
Scope
I had originally intended this to be just some simple bullet points to add to my “Life Outside the Firewall” dissertation. As I researched expert opinions and comments, policies from device manufacturers, and combined that with some of my own ideas, this turned out to be a comprehensive article in itself. I own Android devices. I have access to an iPhone. Many years ago, I wrote a Bible Verse App for Android Gingerbread. Five years ago, I compiled an Ice Cream Sandwich ROM for my old Galaxy S2.
Presented herein are thirty great tips for preserving mobile device security. I thought writing this post would be an easy task. I was wrong.
Introduction
In the mobile device world, “iOS versus Android” reminds me of the “Mac versus PC” debates of the late 1980’s. In that battle, the PC won because its architecture was more open, bringing down the Total Cost of Ownership (TCO). In the same fashion, Android is the dominate O/S in the mobile world for the same reason: its open architecture. But that doesn’t necessarily make Android a better product. If you expect your Phone Carrier and Manufacturer to keep your phone even somewhat current, you’ll be buying two Android devices for every iPhone. On the other hand, you’ll probably get more productivity out of an Android device.
I do not discuss Windows Phone or devices at all in this document. Obviously, their claim-to-fame is compatibility with all the other Windows applications that you use at work. The same security principles apply.
As is the case with the desktop PC, Apple is somewhat limited, but what it does, it does well. I found that the average iPhone can be used for about four years from the release date before it becomes obsolete. Apple provides timely security updates throughout the product’s lifecycle. One person wrote earlier this year (2017): “The iPhone 5, for example, was released in 2013 but is still getting iOS 10 updates. Conversely, the Nexus 5, which launched at about the same time, saw its last update in December 2015 to Android 6.0 Marshmallow.” Alas, the writer spoke too soon. The March 2017 release of iOS 10.3 only supports 64-bit devices, signalling the end of the road for the iPhone 5, iPhone 5c and the fourth-generation iPad. However, the 2013 iPhone 5S (small version) has a 64-bit processor and is still getting updates. A friend of mine just got pushed a 10.3.2 iOS update for his iPhone 5S via AT&T.
By contrast, Android phones have a lifespan of two years before obsolescence. This is the mandatory minimum set by the European Union. Even worse, the average Android phone will receive only one OTA update from the manufacturer, despite monthly Android security fixes by Google. Even Google hasn’t update their own Nexus and Pixel phones. Many Android users never get any OTA updates for their phones. Google has been working on “Project Treble“, a mechanism by which core Android updates can be developed by Google independently of the device manufacturer. This is expected to be the default behavior starting with Android “O” later this year (2017). The program is starting in July 2017, beginning with their own Pixel and Nexus phones.
It is not known what, if any, impact “Project Treble” will have on individual Android users. Nobody knows what the response from board manufacturers and Carriers will be. It is more likely that bug fixes will be pushed rather than complete Android updates. But, since Android is an open architecture, there is quite a bit of active ROM (O/S) development for older phones. The more “mainstream” your phone is, the more options you will have available to you. The go-to site, for the technically savvy, is XDA Developers.
The product lifespan differences between Android and Apple devices may be dependent upon the microprocessors used. Android devices rely heavily upon Qualcomm “SnapDragon” processors running an ARM instruction set. Google blames their limited lifespan to Qualcomm’s processor production runs of two years. Google has stated that they hope to develop and/or brand their own series of microprocessors.
Apple has traditionally used their own branded versions of either Samsung or TSMC (Taiwan Semiconductor Manufacturing Company) ARM processors. Most of Apple’s latest iPhones use TSMC processors.
As always, take what you can, apply what you can, and leave the rest.
(1) PASSCODE LOCKS
Always use a locking mechanism on your phone, whether it is a pin, or a pattern. Do not use the same PIN as your ATM card. Any Android user should be running Marshmallow (6.0) or later. This requires your unlock code or pattern immediately after a startup or reboot.Use some care when unlocking your phone in public places. Try to keep the phone as close to your chest as possible. Most security cameras these days can easily pick up pattern swipes or PIN entries.
34% of phones have no lock at all. Don’t be part of that crowd.
(2) SET UP REMOTE WIPE
Android user can login to their Google account and perform “Find” and “Erase” functions. This can be done from the Google Dashboard (https://www.google.com/dashboard”) or from Android.com (“https://www.android.com/find”). You’ll have to login with your Google account
credentials.
iPhone users have a similar procedure available to them on iCloud.com. If you can’t find your device: “When in doubt, wipe it out!“
(3) SHUT DOWN WIFI & BLUETOOTH CONNECTIONS
This is also important. Your cellphone is likely to connect to any open WiFi hotspot, even those run by miscreants. If you’re not using your phone, turn it off. If you’re travelling, or may need access to your phone quickly on occasion, buy a Faraday bag and put the phone it it.
(4) USE CAUTION WITH OPEN/PUBLIC WIFI NETWORKS
If you must use Public WiFi systems, like in a coffee shop or store, make sure that any connection you log into uses an https connection. Otherwise, some creep lurking around with a laptop can sniff the WiFi system and pickup your login credentials.
Generally speaking, if all of your apps connect securely through SSL or other encryption mechanisms, this is not much of a problem. But how about your company’s Email servers or your personal EMail accounts? And of course, we all have Apps on our phones that we’re not sure of – like that Coupon/Sales App, Map Software, Movie App, etc.
If you’re not sure your Apps communicate securely, don’t use them on Public/Open networks.
(5) ENCRYPT STORAGE (DATA AT REST)
This is a feature available with Android Marshmallow (6.0) and later. This should be enabled whenever possible. Note that with Android, expansion of the internal drive to an external SD-Card is available by means of “Adopted Storage”. Applications as well as data can be stored there.
Adopted Storage, by default, is encrypted. This is because Google felt that the SD-Card might be removed for inspection by miscreants.
(6) ENCRYPT CALLS & TEXTS (DATA IN TRANSIT)
There are a variety of applications that can do this. WhatsApp and Telegram are popular. When asked, I will instruct users to use Signal, which can be used to make secure phone calls and texts. The message store for texts can be encrypted as well. It has minimal “Junk”; a simple replacement for your phone’s SMS/MMS Messaging application. It is cross-platform; available for iPhone and Android users. It is also the only App approved for use by the US Senate. Signal’s Moxie Marlinspike (of SSL fame) developed the encryption protocols that most of the other Apps use.
(7) AVOID EMAIL PHISHING
The same care you must use on your office workstation applies to your mobile devices as well. Both Android and iPhone devices use “sandbox” techniques which makes them usable again after reboot. But, nothing is perfect. Assuming otherwise will eventually lead to a breach. Don’t phall for the phish!
(8) CONFIGURE AUTO-ERASE
This is the draconian “auto-destruct” feature for the most paranoid of individuals. Since most smartphones have business-oriented data on them, should it fall into enemy competitor’s hands, it’s better to blow up your phone than compromise your business. This is an available option unique to Apple iPhones when set to high security. There is no active Android equivalent. The smart play for Android users is to use Remote Wipe.
(9) ENCRYPT & ANONYMIZE TRANSACTIONS
If you have access to a VPN service, use it whenever possible. This ensures that everything you send from your phone will be secure (at least up to the VPN provider’s endpoint).
You still need to make sure that your Apps communicate securely as well.
(10) AVOID PASSWORD REUSE (BUSINESS/PERSONAL)
Never use the same password on your mobile device Apps that you use for your business logins. Ever.
(11) AVOID PASSWORD REUSE (OAUTH)
OAuth is a type of web-based Open Authentication mechanism, similar to RADIUS authentication in the days of Internet dialup. It was originally designed by Twitter to support third-party developers. Apps can authenticate via Twitter, without having to reveal passwords to the OAuth provider.
OAuth was subsequently pushed by Google and is now an Internet standard. I’m sure that by now everybody has some App that says “Login with Google” or “Login using Facebook“. That’s OAuth in action. In the Smartphone world, there are four major OAuth providers:
♦ Twitter
♦ Facebook
♦ Google
♦ Microsoft
Passwords should not be the same (reuse) for any OAuth provider.
(12) INSTALL SECURITY SOFTWARE
Always use antivirus for your mobile devices. There are plenty of free versions to choose from if you’re low on dough. No excuses. I also recommend the installation of “one-time” malware scanners also, like MalwareBytes.
Regrettably, there are no third-party security solutions for iPhone. There is a certain amount of arrogance from Apple in this regard considering that about 20% of all spam last year came from hacked (not jailbroken) iPhones. There is no such thing as perfect security. iOS users still benefit from “sandboxing”, so it is a good idea to Power Off and On your iPhone at least once a day.
(13) NEVER JAILBREAK/ROOT YOUR DEVICE
This is always good advice. Rooting an Android phone is not for the faint of heart, and with it comes a great deal of responsibility and requires Unix know-how. But there are some good reasons for doing so.
♦ Audiophiles can take advantage of unparalleled excellence in the Viper Audio system. It makes BEATS Audio sound like a tin can. There is an endless amount of Convolver (Convolutional Coder/Decoder) Impulse samples to choose from, and special effects galore.
♦ Since the typical life of an Android phone is so dismal, you might be able to get new ROMs (Operating System) for your phone from XDA Developers. I have a three year old phone that started out Lollipop and is now Nougat.
♦ All the best, comprehensive backup solutions for Android usually require SuperUser (*root*) privileges.
At the time of this writing, there have been no Jailbreak kits for Apple iOS in about a year. The law of diminishing returns applies.
(14) BACKUP YOUR PHONE
Apple backups are best done using iCloud, but iTunes can be used as necessary. Apple iPhone users have it a little better in this regard.Android users by default will have applications logged at Google Play, and they will download automatically to a new device. Google backs up just basic information about your phone and is relatively useless for third-party Apps.
Titanium and Nandroid backups are great ways to completely recover your Android phone; and their backups can be automatically scheduled. However, both of these require *root* privileges.
(15) USE PASSWORD MANAGEMENT APPS
Apple iPhone users seem to like iPassword and it can even be used on Windows phones. Alas, there is no iPassword App for Android. There’s always some additional considerations to be taken into account if online password managers are used; namely the problems with Cloud Security in general.
I prefer the use of a local, encrypted, “Master Password” store on the device. One such Android App is PassKeep. PassKeep can auto-destruct the “Master Password” store if there are too many login failures. There are many other Apps to choose from.
(16) TURN OFF LOCK SCREEN MESSAGES
Both Android and iPhone devices will display messages in the lock screen. What’s the point of doing that? On iPhone devices tap “Settings” and then “Notifications.” Tap “Messages” and then tap the ON/OFF toggle to the right of “View in Lock Screen“. Press the “Home” button to save your changes and close the Settings app. You should probably turn off “Today View” panels, Wallet access, Siri, Home Control, and “Return Missed Calls.”
On Android devices, go to Settings -> Notifications, then scroll down to your messaging app, click it, then under the parameter “On the Lock Screen” select “Hide sensitive notification content“. Now, you’ll be notified that something is there, but the contents won’t be visible on the Lock Screen. You’ll have to do this for each application- Email, Messaging, Messenger, Facebook, Linkedin, Telegram, Signal, WhatsApp, Twitter, Calendar, etc. This feature is available in Android Lollipop and later.
You may also want to visit the “Lock Screen shortcuts” available in the “Gear icon” next to “Screen Lock” in the “Security” section. On older systems, this might be under Settings > Quick Settings > Lock Screen -> Swipe Options. Remove the Camera and/or microphone from the lockscreen.
(17) DOWNLOAD APPS FROM TRUSTED SOURCES ONLY
For most users, this is limited to Apple App Store and Google PlayStore for Android users. However, there has been an international backlash against both of these sites due to the contamination of Apps by the NSA/CIA, and other miscreants. This has resulted in a number of “third-party” app stores. Some of the more reputable Android stores include:
♦ Amazon Underground
♦ AppBrain
♦ Apptoide
♦ Opera Mobile
♦ Getjar
♦ F-Droid
♦ XDA Labs
For Apple some of these include:
♦ Vshare
♦ HipStore
♦ AppCake
♦ AppAddict
(18) KEEP YOUR OPERATING SYSTEM CURRENT
This is far easier for Apple iPhone users than Android users. Google provides ROM developers with security updates every month. However, most Android users only get system updates that the phone company provides (if any); certainly not timely Android security fixes.
The lack of Carrier-based OTA (Over The Air) updates is the biggest security threat to Android phones. Google’s “Project Treble” has just kicked off (July 2017) in an effort to bolster overall Android security as mentioned in this article’s Introduction.
Apple iOS users that use iTunes to update software should make sure that iTunes is up-to-date prior to an upgrade. Also, make sure you’ve got at least a Gigabyte of space left on the device.
(19) KEEP APP SOFTWARE CURRENT
This is important and is automatically enabled by default on Apple and Android devices. On Android, this is setup in the PlayStore application under “Settings“. Obviously, it does not update non-PlayStore applications. Apps do a fine job o updating themselves by default! Make sure that “Auto-Update” is enabled on your device.
(20) REVIEW APP PERMISSIONS
Apple started to manage App permissions in iOS 6.0. Android came along later with their own settings in Jelly Bean (4.1 through 4.3.1) and the 4.4 – 4.4.1 versions of KitKat. Android permisssion settings were pulled starting with the 4.4.2 KitKat version through Lollipop (5.X). They were later restored in Marshmallow (6.X) and exist in the current Nougat releases (7.X).
When comparing this feature, neither iPhone or Android has any real advantage. Purists might say that Android offers more granularity, but “robustness” does not necessarily mean “better”. Android forces developers to call out their permissions in the manifest, so that the user sees them prior to download. But most users just simply download the program anyway. Both O/Ses will popup messages when an App needs a permission, and the user can opt do Deny a certain permission at that time.
Perhaps Android might migrate to a system where the user can Access/Deny individual App permissions PRIOR to download. To view ALL app permissions, Apple iPhone users can go to Settings, then tap “Privacy“. For Android, got to Settings, then Apps, then click the “Gear Icon” on the top-right of the screen. In both Android and iOS, you can always click on an individual App to view/change permissions.
It is a good idea to review permissions from time to time.
IOS App Permissions
♦ Contacts
♦ Microphone
♦ Calendars
♦ Camera
♦ Reminders
♦ HomeKit
♦ Photos
♦ Health
♦ Motion activity and fitness
♦ Speech recognition
♦ Location Services
♦ Bluetooth sharing
♦ Media Library
♦ Social media accounts (Twitter/Facebook)
Android App Permissions:
♦ In-app Purchases
♦ Device and app history
♦ Cellular data settings
♦ Identity
♦ Contacts
♦ Calendar
♦ Location
♦ SMS
♦ Phone
♦ Photos/Media/Files
♦ Camera
♦ Microphone
♦ Wi-Fi connection information
♦ Bluetooth connection information
♦ Wearable sensors/activity data
♦ Device ID & call information
♦ Other
(21) SETUP A LOCK SCREEN MESSAGE
On most Android devices, this can be setup under your “Lock Screen” settings. In Marshmallow and later, this is found in Security, then hitting the Gear icon next to “Screen lock”. Here you can set a “Lock screen message“. DO NOT use your name. Put in your Email address. First off, if a good Samaritan (airport/hotel/restaurant employee, etc) finds your phone, your name is probably useless to them. If a friend or coworker finds your phone, well, they probably already know who you are anyway.
Secondly, Android Lollipop and later devices have a “Smart Lock” section in their Security options. This allows you to setup “Trusted Locations”. This enters GPS coordinates into your phone that allows you to bypass the Pin/Passcode function of the Screen Lock. So, if you’re at home you don’t need to constantly swipe or PIN to access your phone. You don’t want some miscreant looking up your name in the phone book and driving by your house to unlock the phone.
Apple iOS users should also setup a Lock Screen message. This is not easily done, but there are some Apps available that sllow you to easily create a custom wallpaper to use on your Lock Screen and add text. Again, use your email address.
Whatever the case, never put your name on the Lock Screen.
(22) LIMIT AD TRACKING
Apple allows advertisers to track a device through an IDFA (IDentifier For Advertisers). In Settings, tap Privacy, then Advertising. and then turn ON “Limit Ad Tracking“.
Google is pretty much powered by advertising, so it does the same thing. Your Android phone has an Advertising ID. Go to Settings, then tap Google. Find the section called “Services” then tap on “Ads”. Tap “Opt out of Ads Personaiization“. Then tap “Reset advertising ID“. You’ll see your Advertising ID change at the bottom of the screen.
(23) NEVER GIVE OUT YOUR DEVICE IMEI/MEID NUMBERS
Except for DIY users during setup of a new phone (when you have a new SIM card), never give these numbers out, even to your carrier. They already know what they are.
(24) DON’T SHARE YOUR DEVICE WITH OTHERS
Any system that isn’t physically secure, isn’t secure at all. If a lost phone is returned to you, do a Factory Reset and reload your applications and data from backup.
If your phone has some community use, like at the home, consider setting up or installing, password protection for sensitive Apps. Such Apps include Banking, Email, and Text Message services. Cyanogen-based ROMs (Android XDA Developer) like CM or Lineage have this feature built into all releases starting with KitKat (Settings -> Privacy -> Protected Apps).
(25) DISCARDING OLD DEVICES
Before you discard or sell your mobile device, make sure you do a Factory Reset. If you’ve socked data away outside the normal storage locations for the phone, make sure that is deleted also. The Factory Reset isn’t likely to pick those files up.
(26) AVOID CHARGING FROM YOUR COMPUTER
Always charge your mobile device from the standard A/C adapter. Your phone will charge faster. Using the computer’s USB port may be fine, but it looks like another attached device to the PC. So, when ransomware or malware infects your computer files, it will likely toast the files on the mobile device as well.
There are a few protocols that a mobile device supports on its USB ports, MTP, PTP, and MSC. MTP is Media Transfer Protocol, and is used to “sync” files back and forth between your mobile device and the computer. It is very ideal because it supports metadata as well as the files themselves, so you don’t run into DRM (Digital Rights Management) problems with copyrighted content. MTP can stream content as well.
Microsoft Windows has built-in MTP support through its Windows Media Player. Sometimes an iPhone won’t work with Windows and you have to go to Windows Device Manager, find the “Unknown MTP Device”, delete the device, then rescan for new hardware. There is also PTP, or Picture Transfer Protocol. This is designed to transfer files from a digital camera to a PC.
Most other devices use a protocol known as MSC (Mass Storage Class) on the USB port. These are things like Flash Drives and othe peripheral’s drives. This can be dangerous because the computer can now format that drive causing the mobile device to lose its data. This is how the old iPod worked when connected to a PC.
The Mass Storage Class relies on FAT32 file-system support, which is not multi-user. As such, there is no support in newer Apple devices, including the iPhones without “Jailbreaking” the phone. Apple users can use iFunbox instead of iTunes if they want this functionality.
Connecting portable devices to PCs gives me the Heebie-jeebies. Consider all of the SSL exploits found over the last 6 years – and this was using a protocol that (1) was in heaby use for at least 15 years, and (2) is fairly easy to test (SSL over TCP). Such exploits included the 2011 BEAST (Browser Exploit Against SSL/TLS), 2012 CRIME (Compression Ratio Info-leak Made Easy) 2013 BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), 2014 Poodle (Padding Oracle On Downgraded Legacy Encryption), 2014 Heatbleed, and 2016’s DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) and Sweet32. How secure do you think that the MTP, PTP, or MSC protocols are?
I would not be surprised one bit to find active State-level exploits associated with these protocols. After all, what self-respecting world leader or terrorist (or both!) doesn’t plug their phone into their PC? Some AntiVirus vendors, like Sophos, have options to block these protocols altogether.
Hook your mobile device up to sync/manipulate your files, then unplug it. Use the standard wall charger to charge it.
(27) REPORT LOST DEVICES PROMPTLY
Most of us have some type of business information on their cellphones – business contacts, customer contacts, calendar schedules, Email, etc. After all, a smartphone allows us to work “smarter”. But this also means that your business has some “exposure“. Report any missing devices to your IT department promptly.
The term “promptly” depends upon your organization’s policies. I would think however, that if your phone is missing Friday afternoon and you don’t report it until Monday, you have probably waited too long. Most people will just end up having new Email and Calendar logins waiting for them on Monday.
(28) REVIEW LOCATION REPORTING & PRIVACY
As mentioned earlier in this article, both Apple iOS and Android Marshmallow (6.0) or later will popup a dialog box when an application requests location information. You can always deny the request. Obviously, that might not be a good idea if your calling a Lyft or Uber, or running a Map/Direction App. I may be a little more permissive with location services than others, but I use a Faraday bag often.
I can imagine that on many electronic maps of my travel, I just “magically” appear at one location, then another. That’s how I roll.
(29) SERVICING BROKEN DEVICES
You should care about the information that is on your device so use due diligence and good judgement when taking your device into a shop for service. There has been a lot of talk lately about replacement screens with monitoring chips built-in to them.
Since the most common problem is a broken/cracked screen, do a Factory Reset before taking the device in for service. The shop technician can fix your device without having any of your login credentials. Restore your Apps and data from backup.
(30) USE A FARADAY BAG
A Faraday bag is a special bag, case, or pouch that is a lined with layers of metallic foil, mesh, or both for the purpose of attenuating RF signals. There are a lot of manufacturers, shapes, and sizes to choose from; just go to eBay or Amazon and do a search. Do not confuse Faraday bags with Anti-Static bags. Not all Faraday bags are equal. Some, for instance, block EMP (Electro-Magnetic Pulse) which is great for surviving a nuclear war, but useless for blocking cell tower signals.
You can actually get away with using a stainless-steel cocktail shaker if need be, but that may be difficult to fit in your purse or briefcase. The cost for a decent Smartphone bag or pouch is probably going to be between $30 and $75, depending upon features. The thicker the metal mesh, the better. If specifications are provided, you want at least 60 – 80 dB of attenuation of the cell signal bands (including 4G LTE), both 2.4 and 5 GHz WiFi bands, GPS, Bluetooth, and RFID It’s a fluid market, but some of the reputable brands out there, at the time of this writing are (listed OK to Best):
♦ Black Hole
♦ Mission Darkness (MOS Equipment)
♦ Digi-Guard
♦ Faradaybags.com
♦ Silent Pocket
Prices continue to be driven down as Faraday bags have become more commonplace.
Be responsible; bag your phone before you drive!