Mobile Device Security and Privacy
Information Security and Privacy Office
January 2012
Agenda
• Protecting mobile devices and your privacy
Protecting Mobile Devices and Your Privacy
Before We Start…
The City of Phoenix does not endorse, recommend, or vilify any specific vendors, products, apps, or services.
Goal: Convince You To…
1. Keep your device with you – don’t leave it unattended
2. Protect your device with a strong password
3. Use anti-malware software
4. Read those (often boring) privacy policies
5. Don’t download or keep apps that request more permissions than needed
Do You Have a Smartphone?
Pop Quiz
• How many smartphone users are there in the U.S.?
– As of September 2011
• 87.4 million
• 33.7 million
• 946,800 thousand
Pop Quiz
• In the U.S. 113 mobile phones are lost every …
• Day
• Hour
• Minute
Top 10 U.S. Cities for Cell Phone Loss or Theft
Do You Access or Do Banking?
Using Your Smartphone
• 44% use a browser to access the Internet
– 32.5 million Americans accessed banking
• Vendors, retailers, merchants, content providers, mobile operators, and banks are all actively establishing new payment services
– The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010
Password-Protect Your Device
• 24% store computer or banking passwords on their mobile devices
• More than half of smartphone users do not use any password protection to prevent unauthorized access to their device
• What’s the risk?
No Password – What’s the Harm?
• Access personal email and work email
• Access your financial accounts, like banks, Mint.com, or PayPal
• Access your data in Google Docs, Evernote, or Dropbox
• Post embarrassing updates to Facebook and Twitter
• So use a strong password
– Require the password after a minimum period of inactivity
When Purchasing a Mobile Device
• Ask about security features and functions
– Can you add a strong password, how are patches deployed…
– What apps are pre-loaded, are apps vetted
• Pre-loaded apps generally have more permissions than ones you install
– What software protections can you install after purchasing
• Do you really need all the bells and whistles
• Research the device
– What maintenance is needed, is it a hacker target or thief magnet, how do you secure it
– Read reviews – are most consumers satisfied
Smartphone Malware – What’s the Harm?
• Force the infected phone to call a given phone number
– Remember 900 numbers?
• Send premium rate text messages
• Automatically visit websites that the malware directs it to
– Earns money for the malware writer
• Steal personal information
• Be alert for unusual behaviors on your phone, which could be a sign that it is infected
– Unusual text messages, strange charges to the phone bill, and suddenly decreased battery life
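The warning signs on this slide (unexpected texts, strange charges) are things a phone bill or message log can be checked for. The script below is an added example, not part of the City of Phoenix deck or any vendor's product: it runs two simple checks over a constructed call/SMS log (texts sent to short codes that are not in the user's contacts, bursts of outgoing texts at odd hours, and calls to 1-900 numbers). The log format, the numbers, and the thresholds are all made up for illustration.

```python
"""Spotting the malware symptoms from the slide in a constructed call/SMS log.

Added example: the log format, numbers and thresholds are constructed for
illustration; the checks are heuristics, not a vendor's detection rules.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: timestamp, channel (SMS/CALL), direction, number, detail.
SAMPLE_LOG = """\
2012-01-10 02:13:05 SMS OUT 55555 "JOIN"
2012-01-10 02:13:06 SMS OUT 55555 "JOIN"
2012-01-10 02:13:07 SMS OUT 55555 "JOIN"
2012-01-10 02:13:08 SMS OUT 55555 "JOIN"
2012-01-10 08:30:00 SMS OUT +16025550123 "running late"
2012-01-10 09:15:41 CALL OUT +19005550199 00:01:12
2012-01-10 12:00:00 CALL OUT +16025550123 00:04:30
2012-01-11 02:14:00 SMS OUT 55555 "JOIN"
"""

CONTACTS = {"+16025550123"}  # constructed: numbers the user actually knows

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<chan>SMS|CALL) (?P<dir>IN|OUT) (?P<num>\S+) (?P<detail>.*)$'
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    return events


def is_short_code(number):
    # US SMS short codes are 5 or 6 digits; premium-rate services commonly use them.
    return number.isdigit() and 5 <= len(number) <= 6


def is_premium_call(number):
    # 1-900 numbers are the "900 numbers" the slide mentions.
    return number.startswith("+1900")


def find_indicators(events, contacts, burst_window=timedelta(minutes=5), burst_size=3):
    """Return (kind, subject, detail) tuples for each suspicious pattern found."""
    findings = []
    outbound_sms = [e for e in events if e["chan"] == "SMS" and e["dir"] == "OUT"]

    # 1. Outgoing texts to short codes the user has no contact for (premium-rate SMS pattern).
    per_code = Counter(e["num"] for e in outbound_sms
                       if is_short_code(e["num"]) and e["num"] not in contacts)
    for code, n in per_code.items():
        findings.append(("premium_sms_shortcode", code, n))

    # 2. Bursts of outgoing texts a person is unlikely to have typed (4 in 3 seconds at 2 AM).
    times = sorted(e["ts"] for e in outbound_sms)
    for i in range(len(times)):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= burst_window:
            j += 1
        if j - i + 1 >= burst_size:
            findings.append(("sms_burst", times[i].isoformat(), j - i + 1))
            break

    # 3. Outgoing calls to premium-rate numbers.
    for e in events:
        if e["chan"] == "CALL" and e["dir"] == "OUT" and is_premium_call(e["num"]):
            findings.append(("premium_call", e["num"], e["detail"]))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_log(SAMPLE_LOG), CONTACTS):
        print(finding)
```

The same checks work on a carrier's itemized bill exported as text once the regular expression is adjusted to that layout; the point is that each symptom the slide lists maps to a concrete pattern in records the user already has.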
What’s the Best Anti-Malware Software?
• Read app reviews
• Check reliable consumer publications
• Check industry publications
• Look for names you trust
• The City of Phoenix does not endorse, recommend, or vilify any specific vendors, products, apps, or services.
Keep a Clean Machine
• Keep your mobile security software current
• Automate software updates
– Many software programs will automatically connect and update to defend against known risks
– Example: Sync regularly with iTunes – don’t just charge the battery
Prepare for the Unthinkable
• Consider using a “find my device” service to locate your device if it is lost or stolen
• Enable remote wipe capability
Mobile Device Privacy
Do You Read App Privacy Policies / Permissions?
Using Your Smartphone
• 26% of smartphone owners say they always read the privacy policy when downloading apps
– I’m not sure I believe that
• 31% say they never read the policy
Example – Game
• New! 4 ½ Stars! Reputable Developer!
Why Do Apps Need “Read Phone State and Identity” Permission?
• Phone State
– Lets the app tell whether you’re on a call or if the phone’s ringing
– Allows games, media players, and podcasts to pause while you’re on a call
• Phone Identity
– Developer may need a way to assign a unique ID to you for registration/activation purposes
– Many ad publishers use this permission to get the Phone ID for tracking purposes
• The app may not know exactly who you are, but tracking your usage over time allows a company to build a profile of your individual activity
True or False
• A basic Android application has no permissions associated with it
– This means the app cannot do anything that would adversely impact the user experience or any data on the device
True!
• The app developer must specifically state the permissions he wants the app to have
Flashlight App
Compare – Flashlight App
• Free! 5 Stars! Lots of installs!
Example – Flashlight App
True or False
• Most free app developers rely on advertising to fund their businesses
True!
• Most free app developers rely on advertising to fund their businesses
Why the App’s Free
• Free and cheap apps are usually supported by ads
– Marketers want to know user demographics to better target ads
• The advertising company pays the app developer and supplies a library (of code/programs) that the developer links to within the application
– The app developer might not even be aware of what the ad libraries do
• The ad library “piggybacks” on the app’s permissions
• So, for example, if the app can read your contact list, the advertiser (through the library) can read your contact list
“Read Phone State and Identity” Trade-off
• Some advertising systems, like AdMob, require developers to use this permission so the advertiser can collect statistics
• This means:
– Both the advertiser and the app publisher can track your usage of the app, and your usage across multiple apps if they collect all that data centrally (which advertisers definitely do)
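The permission slides (the True/False on a basic Android app having no permissions, the flashlight comparison, and the ad-library "piggybacking" point above) all come down to one question: what does the app declare in its manifest, and is that more than its job needs? The script below is an added example, not from the deck, Google, or any app vendor. It parses constructed AndroidManifest.xml fragments for a hypothetical flashlight app, compares the declared `<uses-permission>` entries against what this example assumes such an app needs (the `EXPECTED` table is the example's own judgement, not an Android or store rule), and explains why each extra permission matters, including that an ad library linked into the app gets the same access.

```python
"""Checking what an app asks for against what it plausibly needs.

Added example: the manifests and the EXPECTED table are constructed for a
hypothetical flashlight app; they are not an Android or app-store rule.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: a flashlight that also wants identity, location, contacts and network.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# Constructed manifest: a flashlight that requests nothing beyond the LED.
MINIMAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight.minimal">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# Constructed manifest with no <uses-permission> at all: the "basic app" of the True/False slide.
NO_PERMISSIONS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.basic">
  <application android:label="Basic"/>
</manifest>
"""

# What this example considers justified for a kind of app (the example's own assumption).
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},  # the LED flash is driven through the camera API
    "messaging": {"android.permission.INTERNET", "android.permission.READ_CONTACTS",
                  "android.permission.READ_PHONE_STATE"},
}

# Permissions the deck singles out as privacy- or cost-relevant, and why.
WHY_IT_MATTERS = {
    "android.permission.READ_PHONE_STATE": "device identity: lets the app, and any ad library in it, track you across apps",
    "android.permission.ACCESS_FINE_LOCATION": "GPS: reveals where you live, work and shop",
    "android.permission.READ_CONTACTS": "contacts: reveals your friends and family",
    "android.permission.INTERNET": "network: needed to send anything the other permissions collect",
    "android.permission.SEND_SMS": "can send premium-rate texts that show up on your bill",
    "android.permission.CALL_PHONE": "can place calls, including to premium-rate numbers",
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def excess_permissions(manifest_xml, app_kind):
    """Permissions requested beyond EXPECTED[app_kind], each with the reason it matters.

    An ad library linked into the app runs with the app's own permissions, so
    everything on this list is available to the advertiser as well.
    """
    extra = requested_permissions(manifest_xml) - EXPECTED[app_kind]
    return {p: WHY_IT_MATTERS.get(p, "not needed for this kind of app") for p in sorted(extra)}


def verdict(manifest_xml, app_kind):
    """'install' (nothing extra), 'review' (only low-impact extras) or 'skip' (privacy/cost-relevant extras)."""
    extra = excess_permissions(manifest_xml, app_kind)
    if not extra:
        return "install"
    return "skip" if any(p in WHY_IT_MATTERS for p in extra) else "review"


if __name__ == "__main__":
    for name, manifest in [("ad-supported flashlight", FLASHLIGHT_MANIFEST), ("minimal flashlight", MINIMAL_MANIFEST)]:
        print(name, "->", verdict(manifest, "flashlight"))
        for perm, why in excess_permissions(manifest, "flashlight").items():
            print("   ", perm, ":", why)
```

On a real device the same comparison is done by eye on the permission list the store shows before installation; the script only makes the "is this more than a flashlight needs?" step explicit.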
I Know You
• Sign up for something and give your email address or Facebook login
– Ties all of the profile information to a real individual
• I know where you live, work, and shop
– Because of your GPS info
• I know what you like
– Because of Facebook and your shopping profile
• I know your friends and family
– Because of Facebook and device contacts and messaging
Before Downloading that App
• Be especially wary of typically-suspicious apps (like ringtone apps) that use unneeded permissions
• Only install apps with potentially harmful permissions from developers you trust
• Check the app’s marketplace rating to determine safety
– Not a perfect indicator (like with Flashlight)
Look For Apps That Tell You How They Use Permissions
Does the App Want Passwords?
• Think twice before giving an app passwords
– Example: Some apps ask for passwords to popular services, like Google Docs and Dropbox, to upload and store things
App Stores
• Apple reviews all apps in its store and tries to verify…
– Does the app do what it says it does? Does it function reliably? And does it respect the limitations that Apple has put on developers?
– This process does weed out some security threats, like apps that carry malware
– Does not eliminate all risks to your privacy
• Android apps are not vetted
– Android market is considered the “wild, wild west”
Example: Movie Trivia Game
– Uses an internet connection to see what the rest of the world has answered to the current question
Example: Whole Foods App
iOS Location Services
• Tell if an iOS app is using location services
• Look for the arrow next to the battery indicator
eBook Reader Privacy
• The Electronic Frontier Foundation researched and published a guide to eReader privacy
– https://www.eff.org/deeplinks/2010/12/2010-e-book-buyers-guide-e-book-privacy
Quiz: Would you use this IM service?
(From an instant messaging site)
Are You Convinced To…
1. Keep your device with you – don’t leave it unattended
2. Protect your device with a strong password
3. Use anti-malware software
4. Read those (often boring) privacy policies
5. Don’t download or keep apps that request more permissions than needed
More Cowbell (Supplemental Info)
What’s Wrong With This Picture?
QR Codes
• Quick Response codes are popping up everywhere
– Magazine ads, newsletters, real estate signs, newspaper ads, trade show booths
• A QR code is basically a 2D barcode that can be read by smartphone users
– An easy way to direct a user to a website – just scan the QR code
• Could be a link to a malicious website
Malicious QR Codes are Coming
• QR codes will come in email messages
• QR codes will be physically distributed around
– Flyers in a parking lot
– Malicious stickers pasted over different legitimate ads
• Only use QR code reader software that allows you to confirm the action to be taken, such as visiting a website link
• If you do not know and trust the link, cancel the action
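The advice to use a reader that shows the action and lets you cancel it is a policy a reader app can implement. The code below is an added example, not from the deck or any QR reader product: it assumes the code has already been decoded into a string and shows the "confirm before acting" step as a pure function. It classifies the payload (website, phone call, text message, or plain text), reports what a user should be told (unencrypted link, a bare IP address instead of a named site, a user name in the URL that hides the real host), and applies a cautious-user rule that only proceeds for a known site with nothing odd about the link. The function names, sample payloads and trusted-host list are the example's own.

```python
"""Previewing what a scanned QR code would do before doing it.

Added example: a reader app's "confirm the action" step over the decoded
payload string. Sample payloads and the trusted-host list are constructed.
"""
from urllib.parse import urlsplit


def describe_qr_payload(payload):
    """Classify a decoded QR payload and list what the user should be told before acting."""
    p = payload.strip()
    lower = p.lower()
    warnings = []
    if lower.startswith(("http://", "https://")):
        parts = urlsplit(p)
        host = (parts.hostname or "").lower()
        if parts.scheme == "http":
            warnings.append("unencrypted http link")
        if parts.username is not None:
            # "https://name@host" shows one name to the eye but connects to host
            warnings.append("link has a user name before the host; real destination is " + host)
        if host.replace(".", "").isdigit():
            warnings.append("destination is a bare IP address, not a named site")
        return {"action": "open website", "target": host, "full": p, "warnings": warnings}
    if lower.startswith("tel:"):
        return {"action": "place a call", "target": p[4:], "full": p,
                "warnings": ["a call may cost money (remember 900 numbers)"]}
    if lower.startswith(("sms:", "smsto:")):
        # "sms:NUMBER?body=..." or "SMSTO:NUMBER:MESSAGE"; keep only the number
        number = p.split(":", 1)[1].split("?", 1)[0].split(":", 1)[0]
        return {"action": "send a text message", "target": number, "full": p,
                "warnings": ["a text may be billed at premium rates"]}
    return {"action": "show text", "target": p, "full": p, "warnings": []}


def decide(payload, trusted_hosts, user_confirms):
    """Reader policy: plain text is just shown; every other action needs explicit confirmation.

    `user_confirms` is a callback (summary -> bool) standing in for the confirmation dialog.
    """
    info = describe_qr_payload(payload)
    if info["action"] == "show text":
        return "show"
    info["trusted"] = info["action"] == "open website" and info["target"] in trusted_hosts
    return "proceed" if user_confirms(info) else "cancel"


def cautious_user(info):
    """The deck's rule as a callback: go ahead only for a trusted site with no warnings."""
    return info.get("trusted", False) and not info["warnings"]


if __name__ == "__main__":
    trusted = {"www.eff.org"}  # constructed allow-list
    for sample in ["Booth 214, hall B",
                   "https://www.eff.org/deeplinks/2010/12/2010-e-book-buyers-guide-e-book-privacy",
                   "http://192.0.2.10/coupon",
                   "https://bank.example@203.0.113.5/login",
                   "tel:+19005550199",
                   "SMSTO:55555:JOIN"]:
        print(decide(sample, trusted, cautious_user), "<-", describe_qr_payload(sample))
```

The `user_confirms` callback is where a real reader would show the summary and wait for a tap; keeping it separate from the classification makes the policy testable without a screen.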