Mobile Device Security and Privacy - phoenix.gov · Before We Start… The City of Phoenix does not...

Mobile Device Security and Privacy Information Security and Privacy Office January 2012

Page 1: Mobile Device Security and Privacy - phoenix.gov · Before We Start… The City of Phoenix does not endorse, recommend, or vilify any specific vendors, products, apps, or services.

Mobile Device Security and Privacy

Information Security and Privacy Office

January 2012

Page 2:

Agenda

• Protecting mobile devices and your privacy

Page 3:

Protecting Mobile Devices and Your Privacy

Page 4:

Before We Start…

The City of Phoenix does not endorse, recommend, or vilify any specific vendors, products, apps, or services.

Page 5:

Goal: Convince You To…

1. Keep your device with you – don’t leave it unattended
2. Protect your device with a strong password
3. Use anti-malware software
4. Read those (often boring) privacy policies
5. Don’t download or keep apps that request more permissions than needed

Page 6:

Do You Have a Smartphone?

Page 7:

Pop Quiz

• How many smartphone users are there in the U.S.?
  – As of September 2011
    • 87.4 million
    • 33.7 million
    • 946,800 thousand

Page 8:

Pop Quiz

• How many smartphone users are there in the U.S.?
  – As of 9/2011
    • 87.4 million
    • 33.7 million
    • 946,800 thousand

Page 9:

Pop Quiz

• In the U.S. 113 mobile phones are lost every …
  • Day
  • Hour
  • Minute

Page 10:

Pop Quiz

• In the U.S. 113 mobile phones are lost every …
  • Day
  • Hour
  • Minute

Page 11:

Top 10 U.S. Cities for Cell Phone Loss or Theft

Page 12:

Do You Access or Do Banking?

Page 13:

Using Your Smartphone

• 44% use a browser to access the Internet
  – 32.5 million Americans accessed banking
• Vendors, retailers, merchants, content providers, mobile operators, and banks are all actively establishing new payment services
  – The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010

Page 14:

Password-Protect Your Device

• 24% store computer or banking passwords on their mobile devices
• More than half of smartphone users do not use any password protection to prevent unauthorized access to their device
• What’s the risk?

Page 15:

No Password: What’s the Harm?

• Access personal email and work email
• Access your financial accounts, like banks, Mint.com, or PayPal
• Access your data in Google Docs, Evernote, or Dropbox
• Post embarrassing updates to Facebook and Twitter
• So use a strong password
  – Require the password after a minimum period of inactivity

Page 16:

When Purchasing a Mobile Device

• Ask about security features and functions
  – Can you add a strong password, how are patches deployed…
  – What apps are pre-loaded, are apps vetted
    • Pre-loaded apps generally have more permissions than ones you install
  – What software protections can you install after purchasing
• Do you really need all the bells and whistles
• Research the device
  – What maintenance is needed, is it a hacker target or thief magnet, how do you secure it
  – Read reviews – are most consumers satisfied

Page 17:

Smartphone Malware: What’s the Harm?

• Force the infected phone to call a given phone number
  – Remember 900 numbers?
• Send premium rate text messages
• Automatically visit websites that the malware directs it to
  – Earns money for malware writer
• Steal personal information
• Be alert for unusual behaviors on your phone, which could be a sign that it is infected
  – Unusual text messages, strange charges to the phone bill, and suddenly decreased battery life

Page 18:

What’s the Best Anti-Malware Software?

• Read app reviews
• Check reliable consumer publications
• Check industry publications
• Look for names you trust
• The City of Phoenix does not endorse, recommend, or vilify any specific vendors, products, apps, or services.

Page 19:

Keep a Clean Machine

• Keep your mobile security software current
• Automate software updates
  – Many software programs will automatically connect and update to defend against known risks
  – Example: Sync regularly with iTunes – don’t just charge the battery

Page 20:

Prepare for the Unthinkable

• Consider using a “find my device” feature to locate your device if lost or stolen
• Enable remote wipe capability

Page 21:

Mobile Device Privacy

Page 22:

Do You Read App Privacy Policies / Permissions?

Page 23:

Using Your Smartphone

• 26% of smartphone owners say they always read the privacy policy when downloading apps
  – I’m not sure I believe that
• 31% say they never read the policy

Page 24:

Example – Game

• New! 4 ½ Stars! Reputable Developer!

Page 25:

Example – Game

Page 26:

Why Do Apps Need “Read Phone State and Identity” Permission?

• Phone State
  – Lets the app tell whether you’re on a call or if the phone’s ringing
  – Allows games, media players, podcasts to pause while you’re on a call
• Phone Identity
  – Developer may need a way to assign a unique ID to you for registration/activation purposes
  – Many ad publishers use this permission to get the Phone ID for tracking purposes
    • App may not know who you are exactly, but tracking your usage over time allows a company to build a profile of your individual activity

Page 27:

True or False

• A basic Android application has no permissions associated with it
  – This means the app cannot do anything that would adversely impact the user experience or any data on the device

Page 28:

True!

• App developer must specifically state the permissions he wants the app to have

Page 29:

Flashlight App

Page 30:

Compare – Flashlight App

• Free! 5 Stars! Lots of installs!

Page 31:

Example – Flashlight App

Page 32:

Example – Flashlight App

Page 33:

True or False

• Most free app developers rely on advertising to fund their businesses

Page 34:

True!

• Most free app developers rely on advertising to fund their businesses

Page 35:

Why the App’s Free

• Free and cheap apps are usually supported by ads
  – Marketers want to know user demographics to better target ads
• The advertising company pays the app developer and supplies a library (of code/programs) that the developer links to within the application
  – The app developer might not really even be aware of what the ad libraries do
• The ad library “piggybacks” on the app’s permissions
• So, for example, if the app can read your contact list, the advertiser (through the library) can read your contact list

Page 36:

“Read Phone State and Identity” Trade-off

• Some advertising systems, like AdMob, require developers to use this permission so the advertiser can collect statistics
• This means:
  • Both the advertiser and the app publisher can track your usage of the app, and your usage across multiple apps if they collect all that data centrally (which advertisers definitely do)

Page 37:

I Know You

• Sign up for something and give your email address or Facebook login
  – Ties all of the profile information to a real individual
• I know where you live, work, and shop
  – Because of your GPS info
• I know what you like
  – Because of Facebook and your shopping profile
• I know your friends and family
  – Because of Facebook and device contacts and messaging

Page 38:

Before Downloading that App

• Be especially wary of typically-suspicious apps (like ringtone apps) that use unneeded permissions
• Only install apps with potentially harmful permissions from developers you trust
• Check the app’s marketplace rating to determine safety
  – Not a perfect indicator (like with Flashlight)
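
The permission check described on the preceding slides, written out as an added example (not part of the original presentation). It reads the permissions declared in a decoded AndroidManifest.xml, lists those beyond what the app's category needs, and reports what a linked-in ad library could read through them. The manifest is constructed, and the per-category baselines and the names `BASELINE`, `EXPOSES` and `audit` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: illustrative baselines of what each app category plausibly needs.
BASELINE = {
    "flashlight": {P + "CAMERA", P + "FLASHLIGHT"},
    # Phone state lets a player pause while a call is in progress.
    "media_player": {P + "INTERNET", P + "READ_PHONE_STATE"},
}

# Data an ad library inside the app can also reach once the app holds the permission.
EXPOSES = {
    P + "READ_PHONE_STATE": "phone ID (usable for tracking across apps)",
    P + "READ_CONTACTS": "contact list",
    P + "ACCESS_FINE_LOCATION": "GPS location",
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permissions declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml.strip())
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}  # skip malformed entries, collapse duplicates


def audit(manifest_xml, category):
    """Compare declared permissions with the baseline for the app's category."""
    requested = requested_permissions(manifest_xml)
    # Unknown category: empty baseline, so every permission is listed for review.
    unneeded = requested - BASELINE.get(category, set())
    return {
        "unneeded": sorted(unneeded),
        "ad_library_can_read": sorted(EXPOSES[p] for p in requested if p in EXPOSES),
        # Collected data only leaves the device if the app has network access.
        "can_send_off_device": P + "INTERNET" in requested,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    for perm in report["unneeded"]:
        print("beyond what a flashlight needs:", perm)
    print("ad library can read:", report["ad_library_can_read"])
```
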

Page 39:

Look For Apps That Tell You How It’s Using Permissions

Page 40:

Does the App Want Passwords?

• Think twice before giving an app passwords
  – Example: Some apps ask for passwords to popular services, like Google Docs and Dropbox to upload and store things

Page 41:

App Stores

• Apple reviews all apps in its store and tries to verify…
  – Does the app do what it says it does? Does it function reliably? And does it respect the limitations that Apple has put on developers?
  – This process does weed out some security threats, like apps that carry malware
  – Does not eliminate all risks to your privacy
• Android apps are not vetted
  – Android Market is considered the “wild, wild west”

Page 42:

Example: Movie Trivia Game

Uses internet connection to see what the rest of the world has answered to current question

Page 43:

Example: Whole Foods App

Page 44:

iOS Location Services

• Tell if an iOS app is using location services
• Look for the arrow next to the battery indicator

Page 45:

eBook Reader Privacy

• Electronic Frontier Foundation researched and published a guide to eReader privacy
  – https://www.eff.org/deeplinks/2010/12/2010-e-book-buyers-guide-e-book-privacy

Page 46:

Quiz: Would you use this IM service?

From an instant messaging site

Page 47:

Are You Convinced To…

1. Keep your device with you – don’t leave it unattended
2. Protect your device with a strong password
3. Use anti-malware software
4. Read those (often boring) privacy policies
5. Don’t download or keep apps that request more permissions than needed

Page 49:

More Cowbell (Supplemental Info)

Page 50:

What’s Wrong With This Picture?

Page 51:

QR Codes

• Quick Response codes are popping up everywhere
  – Magazine ads, newsletters, real estate signs, newspaper ads, trade show booths
• A QR code is basically a 2D barcode that can be read by smart phone users
  – An easy way to direct a user to a website – just scan the QR code
• Could be a link to a malicious website

Page 52:

Malicious QR Codes are Coming

• QR codes will come in email messages
• QR codes will be physically distributed around
  – Flyers in a parking lot
  – Malicious stickers pasted over different legitimate ads
• Only use QR code reader software that allows you to confirm the action to be taken, such as visiting a website link
• If you do not know and trust the link, cancel the action
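
The "confirm the action" step a QR reader should perform, sketched as an added example (not part of the original presentation). It takes the text decoded from a code, works out what would happen and where the link really leads, and builds the prompt to show before anything is opened. It goes slightly beyond the slide by also recognising call and text actions; the function names, the shortener list and the sample payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short illustrative list of link-shortener hosts.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def describe_qr_action(payload):
    """Turn decoded QR text into (action, target, warnings) for a confirm step."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        has_userinfo = parts.username is not None
    except ValueError:  # e.g. a malformed bracketed host
        return ("unknown", text, ["link could not be parsed"])
    scheme = parts.scheme.lower()
    if scheme in ("tel", "sms", "smsto"):
        # Not a web link: the code would place a call or compose a text.
        return ("call or text", text.split(":", 1)[1], ["may incur charges"])
    if scheme not in ("http", "https") or not host:
        return ("unknown", text, ["not a web link; do not open automatically"])
    warnings = []
    if scheme == "http":
        warnings.append("connection is not encrypted")
    if has_userinfo:
        # In "https://a.example@b.example/" the destination is b.example.
        warnings.append("text before '@' is not the destination")
    if host in SHORTENERS:
        warnings.append("shortened link hides the real destination")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalized name may imitate another site")
    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a raw IP address")
    except ValueError:
        pass  # an ordinary host name
    return ("open website", host, warnings)


def confirm_prompt(payload):
    """Text to show before acting; anything but an explicit yes cancels."""
    action, target, warnings = describe_qr_action(payload)
    lines = [f"Action: {action}", f"Target: {target}"]
    lines += [f"Warning: {w}" for w in warnings]
    lines.append("Continue? [y/N]")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed payloads, as a reader might decode them from printed codes.
    for sample in ("https://www.phoenix.gov/",
                   "http://bit.ly/abc",
                   "https://city.example@203.0.113.7/pay",
                   "tel:+15555550100"):
        print(confirm_prompt(sample), end="\n\n")
```
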