Mobile Device Talk
Smartphone Security and Privacy for the General Public
Matt (mattrix) Hoy and David (davo) Khudaverdyan
About Matt (mattrix) Hoy
• @mattrix_ on Twitter
• Has fancy security alphabet certs
• Prefers scotch from Scotland
About David (davo) Khudaverdyan
• Twitters: @deltaflyerzero
• Drinks whisky from Japan (scotch can come too)
• Has cat pics
Smartphone Security and Privacy for the General Public
• Why?
  – It's the title, duh!
  – This is what the GENERAL PUBLIC can do about mobile security and privacy
• What this covers:
  – Do you trust your device?
    • TAO on iOS/Android
  – iOS vs. Android privacy granularity
Smartphone Security and Privacy for the General Public
• What this covers (cont.)
  – What cloud are you on?
  – What carrier are you on?
  – What apps should you use?
  – Recent advances in mobile security
  – Recent fails in mobile security
  – It's all the user's fault!
Do you trust your device?
• Shrink-wrapped compromise
• SIM card security
• The Fappening
iOS Privacy Granularity
• iOS has built-in granular privacy controls for:
  – Location Services
  – Contacts
  – Calendar
  – Reminders
  – Photos
  – Bluetooth Sharing
  – Microphone
  – Camera
  – "Health"
  – "HomeKit"
  – Motion & Fitness
  – "Social Media"
    • Facebook
    • Twitter
    • etc.
iOS Privacy Granularity
• When does it ask you?
  – The first time the app needs access to that feature
• What if you don't want to give the app access?
  – The app just has to deal (Thanks Apple!)
• What if I changed my mind?
  – Settings -> Privacy -> pick the feature (Location Services, Contacts, etc.), then flip the switch next to the app. Easy.
iOS Privacy Granularity
• What about options?
  – For Location privacy:
    • Never: it never happens
    • While Using the App: only when the app is ON THE SCREEN
    • Always: even if the app is running in the background
  – Everything else:
    • Keep it simple: the app has access or it doesn't.
iOS Privacy Granularity
• Siri and iCloud spy on you
  – How they do it
    • Location history – Apple Maps, Frequent Locations
    • Siri – "Siri, when do you track me?"
    • Safari history
  – How to disable it
    • Turn off iCloud
    • Limit Location use
      – Turn off Frequent Locations!
    • Change your advertising ID / turn on Limit Ad Tracking
Android Privacy Granularity (or not)
• No, unless you root
  – If you root, you're not secure!
• Rebuild the manifest using the Android SDK
  – Who has time for this?
  – Also, this talk is for people that are not doing infosec/IT for a living
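The "rebuild the manifest" option above is the only per-permission control Android offered at the time of this talk (before Android 6.0 introduced runtime permission prompts, install-time permissions were all-or-nothing). The script below is an added example, not code from the talk or from Google: it audits the permissions declared in a decoded AndroidManifest.xml (the plain-text form that a decoder such as apktool produces), flags the ones Android classifies at the "dangerous" protection level, and writes a copy with those permissions stripped. The manifest and the package name `com.example.flashlight` are constructed for illustration; the dangerous-permission set is a subset, not the full list.

```python
"""Audit and strip permissions in a decoded AndroidManifest.xml.

Added example (not from the talk). Assumes the manifest has already been
decoded to plain XML; binary manifests inside an APK must be decoded first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Subset of Android's "dangerous" protection-level permissions: the ones that
# touch location, contacts, calendar, sensors, SMS, telephony and storage.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.WRITE_CALENDAR",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample: a "flashlight" app that asks for far more than a torch needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every permission the app declares, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")]


def dangerous_permissions(manifest_xml: str) -> list[str]:
    """Return the declared permissions that fall in the dangerous set."""
    return [p for p in requested_permissions(manifest_xml) if p in DANGEROUS]


def strip_permissions(manifest_xml: str, to_remove: set[str]) -> str:
    """Return a copy of the manifest with the given permissions removed.

    Caveat: an app that calls a guarded API without checking for it will
    throw a SecurityException at that point, and the rebuilt APK has to be
    re-signed with your own key, so it will no longer receive store updates.
    """
    root = ET.fromstring(manifest_xml)
    for el in list(root.findall("uses-permission")):
        if el.get(NAME_ATTR) in to_remove:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    flagged = dangerous_permissions(SAMPLE_MANIFEST)
    print("requested:", requested_permissions(SAMPLE_MANIFEST))
    print("dangerous:", flagged)
    print(strip_permissions(SAMPLE_MANIFEST, set(flagged)))
```

Run it on a real decoded manifest by replacing SAMPLE_MANIFEST with the file contents; the audit step alone (no rebuild) is the part a non-rooted user can act on, by deciding whether the flagged permissions are worth installing the app at all.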
Android Privacy Granularity (or not)
• Google spies on you
  – How they do it
    • Voice and Audio Activity – Google Now
    • Search History – web searches
    • YouTube History – anything you watched on YouTube
    • Location History
  – How to clear it
    • Applications Drawer > Account History > Web and App Activity > Manage History
    • Tap the Settings button (looks like a gear) and delete everything
Google Spies on you
[Screenshot slides; images not reproduced in the transcript]
To Illustrate
[Screenshot slides; images not reproduced in the transcript]
What cloud are you on?
• Google
  – Makes money from targeted advertising
• iCloud
  – Takes your money, but who has access?
• Microsoft
  – Microsoft has a cloud?
• Box
  – Pretty good actually…
What carrier are you on?
• Supercookie, anyone?
  – AT&T: unknown
  – T-Mobile: unknown
  – Sprint: unknown
  – Verizon: now allows opt-out
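The "supercookie" was a tracking header (Verizon's was named X-UIDH) that the carrier inserted into subscribers' unencrypted HTTP requests in transit, so the website, not the phone, is where it shows up, and it cannot be seen or removed from the handset. The only reliable way to check your own carrier is to fetch a page you control over plain HTTP and look at the headers the server received. The code below is an added example, not from the talk: a parser that flags known tracking headers in a raw request, plus a small header-echo server you can host and visit from the phone, first over the carrier's network and then over a VPN (the header never survives HTTPS or a VPN tunnel, because the carrier cannot modify encrypted traffic). The sample request and the X-UIDH value in it are constructed; the header set contains only the name that is publicly documented.

```python
"""Detect carrier-injected tracking headers in plain-HTTP requests.

Added example (not from the talk). Run as a script to start an echo server
on port 8080 on a host you control; the JSON it returns shows whether the
request that arrived carried a tracking header.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names carriers have been observed injecting. Verizon's UIDH is the
# documented one; add others only when you have seen them on your own traffic.
TRACKING_HEADERS = {"x-uidh"}

# Constructed sample request, as a web server would see it after the
# carrier's proxy has appended its identifier (the value is made up).
SAMPLE_REQUEST = (
    b"GET /echo HTTP/1.1\r\n"
    b"Host: echo.example.test\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 5.0)\r\n"
    b"Accept: */*\r\n"
    b"X-UIDH: MTIzNDU2Nzg5MAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n"
    b"\r\n"
)


def parse_request_headers(raw: bytes) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a lower-cased dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_tracking_headers(raw: bytes) -> dict[str, str]:
    """Return only the headers that match a known carrier tracking header."""
    headers = parse_request_headers(raw)
    return {k: v for k, v in headers.items() if k in TRACKING_HEADERS}


class EchoHandler(BaseHTTPRequestHandler):
    """Echo the received headers so the phone's owner can compare carrier vs VPN."""

    def do_GET(self) -> None:
        received = {k.lower(): v for k, v in self.headers.items()}
        body = json.dumps(
            {
                "tracking_headers": {k: v for k, v in received.items() if k in TRACKING_HEADERS},
                "all_headers": received,
            },
            indent=2,
        ).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    print("sample request flagged:", injected_tracking_headers(SAMPLE_REQUEST))
    # Host this on a machine reachable over plain HTTP and browse to http://<host>:8080/echo
    HTTPServer(("0.0.0.0", 8080), EchoHandler).serve_forever()
```

A request that arrives with an empty "tracking_headers" object over the carrier's data connection means either the carrier is not injecting, or you opted out, or the page was actually fetched over HTTPS; check the scheme before concluding anything.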
What carrier are you on?
• Stop using the carrier's internet: use a VPN
  – You need an L2TP/IPsec VPN with a pre-shared secret or certificates
  – Mattrix's choices – so fuckin 1337 I need two
    » AceVPN
    » Private Internet Access
  – Davo's choice – fast and simple
    » VyprVPN (Golden Frog)
What apps should you use?
• For enhanced privacy
  – Signal
  – Peerio
  – STRIP
  – Burner
  – iMessage
Advances in Smartphone Security
• iOS – hardware-based encryption with iOS 7
• iOS – full device encryption (hardware based) with iOS 8
• Android – full device encryption (SD card included) – Jelly Bean
• Android – full device encryption (what's an SD card?) – Lollipop
• It must be good, since there was a recent Senate hearing on why we should not have encryption on any smartphone
Fails in Smartphone Security
• Android Lollipop – encryption not enabled out of the box
• iOS – encryption, but a 4-digit PIN out of the box
• Samsung Galaxy S5/S6 – fingerprints not encrypted and accessible by rogue apps
• Android app store – 1,228 apps vulnerable to FREAK
• iOS 8 – Wi-Fi denial of service
• Gemalto – entire SIM card plant compromised by stolen encryption keys
This is YOUR fault!
• <rant>
• You LET them do this!
• You, the consumer.
• You thought it would be more convenient.
• Now we all use smartphones that SUCK on security.
• How could you let this happen?
• Why didn't you stop it when you had the chance?
• </rant>
The Compromised Solution
• The Verizon DBIR suggests that no breaches have been caused by compromised mobile devices yet
The Paranoid Conclusion
• Don't piss off a nation state
• Don't use a smartphone
• Learn what each app is capable of doing
  – If you are on iOS 8.x you can limit your exposure
  – If you are using BlackBerry you can limit your exposure (but there really are no apps on BB)
Questions
• There’s no such thing as a silly question…