Thursday, January 24, 2013

Data Privacy Day Prep Part 2: Smartphones

Data Privacy Day is one of my favorite holidays and falls on this upcoming Monday. Every year, in the days leading up to it, I like to talk about it and publish reminders. I normally post this on the Bethesda forums, where I'm quite active, but now that I have a blog, why not also add it on here? Here's part 2; it's about smartphones. It's long, so maybe read it in chunks. It'll always be here for you to refer to later :P

The goal of Data Privacy Day is to make people more informed about their data and privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after the summer of 2011 hacks and the ones that followed in 2012, I think we are all familiar with that).

Smartphones

Do note that while this section is specifically about smartphones, most popular tablets on the market are based on the smartphones currently on the market, so a good chunk of this applies to tablets too.

I'd argue that phones and data privacy and security don't even belong in the same playing field. Phones leak information like a sieve, and smartphones are even worse at it. Many scandals related to various smartphones have occurred in recent years. There was the iPhone location scandal, which led to general coverage of all the information the main smartphone OSes collect on you; then it turned out that Windows Phone 7 was as bad as the iPhone at location leaking (even though Microsoft went on record during the original iPhone scandal saying WP7 didn't do nearly that much); then we found out about Carrier IQ potentially collecting all sorts of information on you on pretty much all phones (except Verizon phones). Smartphones were the last to revoke the DigiNotar SSL certs, and a good many smartphones still have those certs active, with nothing you can do about it. This year was also a big year for malware on smartphones. Malware on Android continued to get lots of coverage (though it's not as bad as the coverage made it out to be), and even the iPhone wasn't immune. Of course, why bother with malware when you can completely own the phone with one SMS message? Throw in some good old GSM ownage, maybe tracking down and eavesdropping on phone calls, and why not some CDMA compromising as well as WiMAX ownage just for kicks.

Ok... I think you get the picture. The sad thing is that the above doesn't come close to covering all there is when it comes to smartphone (and phone in general) insecurity. Smartphones may be wonderful tools, but they definitely aren't secure. There are some things you can do about this, but the best is probably just turning the phone off when you don't need it. Really though, there's no way many of you can imagine going back to life without a smartphone, so at least do your best to bolt down what you can, which is mostly physical security.

Locking your phone

Android: Android 2.2 added PIN and password locking; prior to that you could only use a swipe pattern*. How to enable a Password, PIN, or Pattern on Android. Face Unlock was introduced later in Jelly Bean, but I don't really recommend that.
*Note: If using a swipe pattern, make sure at least one part of the pattern traces over itself. If you don't, someone can work out your pattern from the smudge marks on your screen.
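To make the smudge note concrete, here is an added example (mine, not from the post or from Android itself) that checks whether a 3x3 unlock pattern has strokes that cross or overlap each other, which is exactly the "traces over itself" property the note asks for. It assumes the nodes are numbered 0 to 8 left to right, top to bottom, and that the pattern is given as the nodes in the order they are actually drawn; the two sample patterns are constructed.

```python
# Added example (not from the original post): a check for whether an Android
# 3x3 unlock pattern has strokes that cross or overlap each other, the
# "traces over itself" property the smudge-attack note above recommends.
# Assumption: nodes are numbered 0-8 left to right, top to bottom, and the
# pattern is given as the nodes in the order they are actually drawn.

from itertools import combinations


def node_xy(node):
    """Grid coordinates (column, row) of node 0-8."""
    return (node % 3, node // 3)


def _orient(a, b, c):
    """Sign of the cross product (b-a) x (c-a): 0 means a, b and c are collinear."""
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])


def _on_segment(a, b, p):
    """True if the collinear point p lies within the bounding box of segment a-b."""
    return (min(a[0], b[0]) <= p[0] <= max(a[0], b[0])
            and min(a[1], b[1]) <= p[1] <= max(a[1], b[1]))


def strokes_intersect(s1, s2):
    """True if two strokes meet anywhere other than at a shared endpoint.

    Consecutive strokes always share an endpoint, so that contact is ignored;
    a proper crossing, a stroke passing over the other stroke's endpoint, or
    two collinear strokes overlapping all count as the pattern tracing over itself.
    """
    a, b = s1
    c, d = s2
    o1, o2 = _orient(a, b, c), _orient(a, b, d)
    o3, o4 = _orient(c, d, a), _orient(c, d, b)
    if o1 * o2 < 0 and o3 * o4 < 0:
        return True  # strokes cross at an interior point
    # Collinear cases: an endpoint of one stroke lying on the body of the other
    for p, (q, r) in ((c, (a, b)), (d, (a, b)), (a, (c, d)), (b, (c, d))):
        if p not in (q, r) and _orient(q, r, p) == 0 and _on_segment(q, r, p):
            return True
    return False


def pattern_crosses_itself(pattern):
    """True if any two strokes of the pattern cross or overlap."""
    if (len(pattern) < 4 or len(set(pattern)) != len(pattern)
            or not all(0 <= n <= 8 for n in pattern)):
        raise ValueError("pattern must be 4-9 distinct nodes numbered 0-8")
    points = [node_xy(n) for n in pattern]
    strokes = list(zip(points, points[1:]))
    return any(strokes_intersect(s1, s2) for s1, s2 in combinations(strokes, 2))


if __name__ == "__main__":
    # Constructed sample patterns: an L shape that never retraces itself versus a
    # pattern whose first and third strokes cross in the middle of the grid
    for pattern in ([0, 1, 2, 5, 8], [1, 6, 3, 2]):
        verdict = "crosses itself" if pattern_crosses_itself(pattern) else "does NOT cross itself"
        print(pattern, verdict)
```

A pattern that passes this check leaves a smudge trail that is ambiguous in at least one place, which is the whole point of the note; a pattern that fails it can be read straight off the screen.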

For apps there are two tools: Smart App Protector and Tasker:

Smart App Protector

Tasker - $5-7 (the out-of-market version is cheaper and is the one recommended for file encryption). How to lock an app with Tasker.

Why lock an app? Let's say you are letting a friend borrow your phone, but don't want them "accidentally" reading your emails or posting something from your Facebook account. Now you can lend them your phone without watching over their every move like a hawk.

iOS: With iOS 4, full password support came to the iPhone. Instructions on setting up a long passcode on iOS 4 -- for iPhones not using iOS 4 or later: 4-digit Passcode video

Unfortunately, I can't find any tools in the market to lock apps. For jailbroken iPhones there look to be a few options for locking down your phone; one promising one is Protecti.

Windows Phone 8: Unfortunately, picture passwords aren't an option, but you can have proper passwords now! WP7 is still limited to numeric passwords. WP8 Lock Screen FAQ

Password Management on your Smartphone

USE ONE! Something KeePass-compatible, LastPass Premium, or anything else, just use one! I already listed them all in the password section, so just pick one. Here, I'll make it easy for you: KeePassDroid for Android, 7Pass for Windows Phone 7, and either MiniKeePass (free) or one of the others on iOS. For LastPass users, $12/yr isn't much, and then you can use their numerous mobile offerings. Dashlane will work with limited features on smartphones for free, but you'll have to pay for everything it offers, like LastPass. Don't forget pwsafe (iOS) or PasswdSafe (Android) for the Password Safe fans. I can't begin to tell you how many times I've seen someone open their smartphone's unsecured notes to find a password. Stop it! Please. Your phone is insecure enough as it is without you storing your passwords in plaintext.

Remote Locating/locking/wiping

Your smartphone contains all sorts of juicy information on you. You need to be able to remotely wipe it if you ever lose it.

 Android:

The official offering from Google was made available in 2013: the Android Device Manager, which lets you remotely locate, lock, and wipe your Android phone. There are also many alternatives for Android, some of which offer features not found in Google's official Device Manager, most notably text commands and app masking.

Avast! Mobile Security - Free for all. Remote Locate, Lock, and Wipe via either a web portal or text messages.

Lookout - Free, or Premium version for $30/yr. Not only does it offer remote locating through the website, but it also has an antivirus program (the usefulness of an antivirus program on Android is highly debatable right now, but the locate/wipe feature is undeniably good). The Premium features include the ability to lock your phone until you find it or wipe it clean, as well as even more goodies.

Cerberus anti-theft -- One-time fee of $5 or so. Can be installed as a system app and is just as capable as the big boys.

WaveSecure - $19.90/yr. You can track your phone, lock it, and back up/wipe the data.

Where's My Droid - Free for basic features (basic locate, basic remote control, basic lock), $4 for full features (remote wipe)

 iOS:

Find My iPhone -- Free for all thanks to iCloud. You can even have it automatically wipe your device after 10 failed attempts.

 Windows Phone 8:

Built-in feature through connected Windows Live accounts using http://www.windowsphone.com/en-us -- see here for full details

Encrypting Files on your Phone

As already mentioned, your device leaks data like a sieve. Using encryption (either full-disk encryption or folder encryption) can help secure your device some.

Android 3.0 and higher support full-disk encryption, though the option may not be available on old phones that were upgraded to Android 4.0+.

For file encryption, you can use Tasker. The Android Market version used to lack encryption, and I don't know whether that has changed, so to be safe just buy the version on the website and manually install the APK. Instructions on how to encrypt files using Tasker. Another option is Crypt4All Lite. The advantage of Crypt4All is that it's based on AES Crypt, which also runs on desktops, so your encrypted files can be used on both your phone and your desktop.

iOS: The phones have built-in hardware encryption by default, but to make it useful you need to set a passcode. No further options exist on stock devices; however, for file-level encryption, AxCrypt can be used. AxCrypt also runs on Windows, with a prerelease for Mac OS X and Linux.

Windows Phone 8: Windows Phone 8 has full device encryption through a variant of BitLocker. Unfortunately it appears to be an Enterprise-only option, as it requires Exchange to enable. It also doesn't encrypt removable storage, and I still can't find a tool for file-level encryption.

App Permissions

Be careful what you install. Here is a list of some of the worst offenders among apps that invade your privacy: What They Know. On Android, always pay attention to what permissions an app asks for on install and make sure they make sense for what the app does.
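As an added example (mine, not from the post or from any tool it mentions), here is a small audit of the `<uses-permission>` entries in a decoded AndroidManifest.xml that flags the permissions exposing private data and lists the ones a user would not expect for the app's purpose. The manifest inside an APK is binary XML, so the example assumes it has already been decoded to text (for instance with apktool); the flashlight manifest, its package name, and the "expected" set are constructed for the demonstration, while the permission names themselves are real Android ones.

```python
# Added example (not from the post or from any of the tools it mentions): audit
# the <uses-permission> entries in a decoded AndroidManifest.xml and flag the
# ones that expose private data, so you can judge whether they make sense for
# what the app does. The manifest inside an APK is binary XML; this assumes it
# has already been decoded to text (e.g. with apktool).

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, with the data each one exposes
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "stored text messages",
    "android.permission.RECEIVE_SMS": "incoming text messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_PHONE_STATE": "phone identity and call state",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}


def requested_permissions(manifest_xml):
    """Return the sorted list of permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def audit_manifest(manifest_xml, expected):
    """Compare requested permissions with the set a user would expect for the app.

    Returns a dict with 'sensitive' (permission -> what it exposes) and
    'unexpected' (requested permissions that are not in `expected`).
    """
    requested = requested_permissions(manifest_xml)
    return {
        "sensitive": {p: SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS},
        "unexpected": [p for p in requested if p not in expected],
    }


# Constructed manifest for a hypothetical flashlight app; the package name is made up.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# What a flashlight plausibly needs: the camera (older Android drives the LED
# through the camera API) and nothing else
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA"}

if __name__ == "__main__":
    report = audit_manifest(FLASHLIGHT_MANIFEST, FLASHLIGHT_EXPECTED)
    for perm, exposes in report["sensitive"].items():
        print(f"sensitive: {perm} -> {exposes}")
    for perm in report["unexpected"]:
        print(f"unexpected for a flashlight: {perm}")
```

The "unexpected" list is the one worth reading on the install screen: a flashlight that wants your contacts, your location and your text messages is the pattern the What They Know list documents, and on the Android of this era the only way to refuse those permissions is to not install the app.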

There are ways to restrict app permissions on Android, but they all require root and/or special ROMs/kernels:

1. PDroid -- Doesn't require root to run (but does to install; the difference is that the app itself doesn't need superuser privileges), but it's quite an involved setup process and only very specific ROMs are supported.

2. LBE Privacy Guard -- Requires root. Unfortunately, it's very heavy on the CPU (and therefore battery), and the latest version apparently has issues remembering blocked privileges past a reboot.

3. CyanogenMod can do it natively, but it isn't without issues, so it's about on par with LBE Privacy Guard.

Even for jailbroken iOS, I couldn't find anything to restrict app permissions; the best I found was a jailbreak app that alerts you when other apps try to access your contacts: ContactPrivacy.

Android Specific: Apps to Improve your Security and Privacy

1. DroidWall -- brings a firewall via iptables to your phone (requires root and doesn't work with all kernels).

2. Get an adblocker. Opera Mobile has one built in, and you can get AdBlock Plus for Firefox. This doesn't cover apps, though... How to fix this? Well, if you're rooted you can use AdAway, which modifies your hosts file so ad domains are blocked for every app. If you're not rooted, there's still AdBlock Plus for Android, which is less feature-rich without root (with root it's fully featured). Yes, AdBlock Plus exists for Android as a whole, so it will block ads throughout it. If you're not rooted it'll only work on WiFi (and on an old version of Android it'll require manual configuration).

3. Incoming calls/texts: Some ROMs have native ways of blocking incoming calls/texts; others don't. If you want this feature, you have a few options. On the rooted end, and very feature-rich, is Root Call Blocker, but it seems finicky about which phones it works on. Options that don't require root are Mr. Number and Call Control.

4. Use Tor on your phone with Orbot.

5. Get your Proxy On in Firefox Mobile via ProxyMobile. Note: this plugin is still very much in beta, so you may wish to configure your proxy by hand. This can be done by going to about:config and changing some settings. I'd also recommend setting network.proxy.socks_remote_dns to true, so DNS lookups go through the proxy as well instead of leaking out on their own. You can also use this with your own SSH server instead of random SOCKS proxies by using SSH Tunnel or ConnectBot (both of which can create SSH tunnels). I personally have configured Firefox manually and use ConnectBot, but that's because I connect to various SSH servers frequently.

6. Go a step further and use a VPN. Android has built-in support for various VPN protocols like IPSec, L2TP, and PPTP (those are the common ones supported out of the box). VPN settings can usually be found in the network settings. OpenVPN support can be found in various ROMs like CyanogenMod as well as through apps like FeatVPN and OpenVPN for Android.
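Item 2 above leans on the hosts-file trick, so here is an added example (mine, not AdAway's code) of how that kind of blocker works and where its limits are. Android keeps its hosts file at /system/etc/hosts, which is why editing it needs root. The domains in the blocklist and the stand-in device hosts file are constructed for the demonstration using reserved example domains; the resolver model is simplified to the one rule that matters here, that a hosts entry answers before any DNS query is sent.

```python
# Added example (not from the post, and not AdAway's code): how a hosts-file
# ad blocker of the kind item 2 above describes works. The domains in AD_HOSTS
# and the DEVICE_HOSTS stand-in are constructed, not a real blocklist.

SINKHOLE = "127.0.0.1"  # blocked hostnames resolve here, so the request goes nowhere

# Constructed blocklist using reserved example domains
AD_HOSTS = ["ads.example.net", "Tracker.example.org", "banner.cdn.example.com"]


def build_blocklist(domains, sink=SINKHOLE):
    """Render hosts-file lines that send every listed hostname to the sinkhole."""
    lines = ["# BEGIN ad blocklist (constructed example)"]
    lines += [f"{sink} {host}" for host in sorted({d.strip().lower() for d in domains})]
    lines.append("# END ad blocklist")
    return "\n".join(lines) + "\n"


def merge_hosts(existing_hosts, blocklist):
    """Append the blocklist after the device's own entries so those keep precedence."""
    return existing_hosts.rstrip("\n") + "\n" + blocklist


def parse_hosts(text):
    """Parse hosts-file text into {hostname: address}; comments are ignored and,
    as in a real resolver, the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(hostname, hosts_table):
    """Model the resolver order: a hosts entry answers before any DNS query is sent.
    Matching is exact; hosts files have no wildcards, so an unlisted subdomain
    falls through to DNS (represented here by the string "DNS")."""
    return hosts_table.get(hostname.lower(), "DNS")


def is_blocked(hostname, hosts_table, sink=SINKHOLE):
    """True if the hostname would be answered from the hosts file with the sinkhole."""
    return resolve(hostname, hosts_table) == sink


# Constructed stand-in for a phone's original hosts file
DEVICE_HOSTS = "127.0.0.1 localhost\n"

if __name__ == "__main__":
    table = parse_hosts(merge_hosts(DEVICE_HOSTS, build_blocklist(AD_HOSTS)))
    for host in ("ads.example.net", "cdn.ads.example.net", "www.example.com"):
        print(f"{host:24} -> {resolve(host, table)}")
```

The third lookup in the usage block is the caveat: because matching is exact, an ad network that moves to a new subdomain slips past the list until the list is updated, which is why AdAway refreshes its sources rather than shipping a fixed file.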

iOS Specific: Apps to Improve your Security and Privacy

1. Get an adblocker. Unfortunately the only option I'm aware of requires a jailbreak, and that's AdBlocker.

2. Incoming calls/texts: Once again, a jailbreak is needed. It can be done with iBlackList.

3. Use Tor on your phone. This one doesn't require a jailbreak! A miracle by any measure :P Just install the Onion Browser. Unfortunately it doesn't seem to work out well for most people, so there's a jailbreak option with more success.

4. Set up a VPN on iOS. You can also connect to OpenVPN, but that requires a jailbreak.

Android Specific: Rooting and ROMs (and a bit on jailbreaking for iOS)

To root or not to root is a very good question. There are pros and cons to both. Rooting itself isn't much of a desirable thing for your average user, though if you are careful with your superuser privileges it certainly adds a lot of new capabilities. When flashing ROMs, it's important to make sure that you secure any new exposures you may have gained, such as an SSH server. The same goes for iOS users: if you jailbreak your device, you now have SSH access with a default and well-known username and password, so change it. There have been scattered incidents of jailbroken and rooted phones being hacked because of unchanged SSH credentials.

On to ROMs specifically: I suggest everyone using Android look into them, especially after your 1- or 2-year warranty is up. The reason? Security patches. Many phones get abandoned and never receive critical Android security patches. By running your own ROM you no longer have to wait for slow companies to patch your device; instead you rely on generally speedy groups of people who want to ship the latest Android in their ROM.

Smartphones: The remaining stuff

Disable Bluetooth when not using it.

Watch your picture uploads, especially if you're paranoid. By default the metadata in the picture includes geolocation information that you may not want out there. It's relatively simple to disable by just changing some settings.
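To show what that metadata actually carries, here is an added example (mine, not from the post) that finds the GPS latitude a phone camera writes into a JPEG's Exif block and strips the whole Exif segment before the picture goes anywhere. The sample JPEG is constructed inline so the example runs offline: it holds only an Exif APP1 segment with a made-up position and no real image data, and only the latitude tags are decoded, which is enough to see what an upload would leak.

```python
# Added example (not from the post): find and strip the GPS position that a
# phone camera writes into a JPEG's Exif metadata. The sample JPEG is
# constructed inline so the example runs offline; it contains only an Exif APP1
# segment and no real image data. Only GPS latitude is decoded.

import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD, TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x8825, 0x0001, 0x0002
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _iter_segments(jpeg):
    """Yield (marker, raw_segment) for each marker segment before the scan data,
    then (None, remainder) for the scan data and everything after it."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: stop walking
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield None, jpeg[pos:]


def _is_exif(marker, seg):
    return marker == 0xE1 and seg[4:10] == EXIF_HEADER


def _ifd_entries(tiff, bo, offset):
    count = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        yield tag, typ, n, tiff[e + 8:e + 12]  # 4 bytes: the value if it fits, else an offset


def _latitude_from_tiff(tiff):
    bo = "<" if tiff[:2] == b"II" else ">"  # byte order mark: II little-endian, MM big-endian
    ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
    gps_offset = next((struct.unpack(bo + "I", v)[0]
                       for tag, _, _, v in _ifd_entries(tiff, bo, ifd0) if tag == TAG_GPS_IFD), None)
    if gps_offset is None:
        return None
    ref, dms = None, None
    for tag, typ, n, v in _ifd_entries(tiff, bo, gps_offset):
        if tag == TAG_GPS_LAT_REF and typ == TYPE_ASCII:
            ref = v[:n].rstrip(b"\x00").decode("ascii")
        elif tag == TAG_GPS_LAT and typ == TYPE_RATIONAL and n == 3:
            off = struct.unpack(bo + "I", v)[0]
            nums = struct.unpack(bo + "IIIIII", tiff[off:off + 24])  # 3 x (numerator, denominator)
            dms = [nums[i] / nums[i + 1] for i in (0, 2, 4)]
    if ref is None or dms is None:
        return None
    degrees = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -degrees if ref == "S" else degrees


def gps_latitude(jpeg):
    """Decimal latitude stored in the JPEG's Exif GPS block, or None if there is none."""
    for marker, seg in _iter_segments(jpeg):
        if _is_exif(marker, seg):
            return _latitude_from_tiff(seg[10:])
    return None


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed; image data is untouched."""
    out = bytearray(jpeg[:2])
    for marker, seg in _iter_segments(jpeg):
        if not _is_exif(marker, seg):
            out += seg
    return bytes(out)


def _ifd(bo, entries):
    out = struct.pack(bo + "H", len(entries))
    for tag, typ, n, v in entries:
        out += struct.pack(bo + "HHI", tag, typ, n) + v
    return out + struct.pack(bo + "I", 0)  # no next IFD


def build_sample_jpeg(lat_ref="N"):
    """Constructed JPEG whose Exif block records 40 deg 26' 0" latitude (a made-up position)."""
    bo = "<"
    ifd0 = _ifd(bo, [(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(bo + "I", 26))])       # 18 bytes at offset 8
    gps = _ifd(bo, [(TAG_GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\x00\x00\x00"),
                    (TAG_GPS_LAT, TYPE_RATIONAL, 3, struct.pack(bo + "I", 56))])    # 30 bytes at offset 26
    rationals = struct.pack(bo + "IIIIII", 40, 1, 26, 1, 0, 1)                    # 24 bytes at offset 56
    tiff = b"II" + struct.pack(bo + "HI", 42, 8) + ifd0 + gps + rationals
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("latitude in upload:", gps_latitude(photo))
    cleaned = strip_exif(photo)
    print("latitude after stripping:", gps_latitude(cleaned), "size", len(photo), "->", len(cleaned))
```

Turning off geotagging in the camera settings, as the post suggests, stops the tags being written in the first place; stripping is the fallback for pictures already on the phone, and it removes the rest of the Exif block (camera model, timestamps) along with the position.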
