smartphones' security

Post on 15-Jun-2015


Smartphone Security

IT-Sicherheit

Hochschule für Technik, Wirtschaft und Kultur Leipzig

Why Is Smartphone Security Important?

Our smartphones are more than our wallets, because they can store:
● credit card numbers
● contacts
● email accounts
● website passwords
● et cetera

Too Many Features

Which features can be dangerous?

and

Which features can help users to increase their security and privacy?

Bluetooth

Vulnerable to:
● BlueBug, a bug that makes it possible to copy contacts, listen to calls, send and read SMS messages, and force a connection to the Internet
● BlueSmack, a denial-of-service attack
● Eavesdropping
● Man in the middle
● ...

How to Use Bluetooth Safely

To improve our security when using Bluetooth we can:
● choose PIN codes that are long and not trivial,
● avoid pairing Bluetooth devices in crowded places,
● disable it or use it in hidden mode to increase the time needed for a possible attack.

Near Field Communication

● Set of standards for radio communication between close devices
● No protection against eavesdropping
● Vulnerable to data modifications

Applications that use NFC should encrypt their communications!

Services for Remote Control

Some services for remote control that we can find in our devices are:

– Secure Shell

– File Transfer Protocol

– Package Manager

All these services are possible points of access to our devices.

How can the average user disable them?

In summary, we should follow the "Principle of Least Privilege", enabling a feature only when needed.

Which Features Users Should Use

● Screen Lock
● Data Encryption
● Remote Wipe Service
● Antivirus
● Two-factor Authentication

Install an Antivirus

Mobile malware attacks are on the rise because smartphones offer easy and fast ways to make a profit:
● mobile payments
● charging directly to the phone bill of the device's owner

40% of modern smartphones don't have an antivirus because users think that they don't need one.

Some antivirus products also offer tracking and remote wipe services, thus providing three important functions with a single application.

Use Two-factor Authentication

Two-factor authentication (TFA) is a form of authentication that requires the presentation of two of the three authentication factors: “something the user knows”, “something the user has” and “something the user is”.

Something the user has: their smartphone

The user receives an SMS with an extra code or the code is generated by a dedicated application.

How to Keep Smartphones and Privacy Safer?

● Remember that it's not “Just a Phone”
● Say yes to updates
● Understand allowed permissions
● Don't download apps from untrusted sources
● Keep strong passwords and don't be lazy
● Be careful with free Wi-Fi

Be careful with free Wi-Fi

On free Wi-Fi networks a lot of plain text is exchanged, and a large share of the most popular websites do not offer an encrypted connection

Published Date: January 14, 2013 on www.trustworthyinternet.org

Be careful with free Wi-Fi

Some websites use an encrypted connection only for login

They are vulnerable to "Session Hijacking"

Solutions for free Wi-Fi

● Use secure channels:
– HTTPS for surfing web sites;
– SSL when using applications that access the Internet, such as a mail client.
● Use a Virtual Private Network or an SSH tunnel
● Do not use free Wi-Fi

Which Measures Should Smartphone Manufacturers and Software Developers Take?

We will look at solutions ranging from the design phase of hardware and software to the phase after the sale of the device.

Opportunity to Create Different User Profiles

Create a profile just for children

Separate and secure work and personal information

Provide Long Term Support

● Providing long-term support with updates is extremely important for keeping devices safe.
● It is possible to find devices for sale with an OS version that is no longer supported.
● Most users don't know how to upgrade the OS
● Manufacturers want users to buy another phone as soon as possible.

Android's situation

More than 60% have a version released before October 2011

Improve security on App Stores

● Check authors' identity
● Run a new application, checking for malicious and hidden behaviors
● Use restrictive policies against spam and fake apps
● Deny applications that download other applications
● Offer a payment system for purchases that safeguards users and sellers

Separate Running Programs


This prevents a compromised app from accessing lower system levels it is not allowed to reach, including:
● reading or writing the user's private data (like contacts or emails)
● reading or writing another application's files
● performing network access
● et cetera

Implement Protocols Correctly

Developers should pay attention when using third-party libraries such as OpenSSL or JSSE.

Some implementations perform the SSL certificate validation incorrectly or not at all.

Insecure against man in the middle
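
The two failure modes on this slide, validation done incorrectly and not at all, set beside the corrected configuration. This is an added example using Python's standard `ssl` module, not code from the slides (which name OpenSSL and JSSE); `validation_gaps` and the three builder functions are names invented here.

```python
import ssl


def validation_gaps(ctx: ssl.SSLContext) -> list:
    """Return the certificate checks a client TLS context skips."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not verified against trusted CAs")
    if not ctx.check_hostname:
        gaps.append("certificate is not matched against the server name")
    return gaps


def no_validation() -> ssl.SSLContext:
    """Weak: validation switched off, often to silence errors in testing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only() -> ssl.SSLContext:
    """Incorrect: the chain is verified, but a valid certificate issued
    for a different host is accepted as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # verify_mode stays CERT_REQUIRED
    return ctx


def library_defaults() -> ssl.SSLContext:
    """Corrected: the defaults verify both the chain and the host name."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for build in (no_validation, chain_only, library_defaults):
        print(build.__name__, "->", validation_gaps(build()) or "no gaps")
```

A check like `validation_gaps` can run in a unit test or code review gate so that a context with either gap never ships in a release build.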

Chain of trust

A chain of trust is made by validating each component of hardware and software from the bottom up.

Only signed software can be booted.

Conclusion

As with computers, smartphone security is a process that involves manufacturers, developers and users.

This is why it is not enough for devices and software to be safe and poka-yoke (“idiot proofing”); we also have to hope that in the future users will be aware.
