Smartphones' Security


Page 1: Smartphones' Security

Smartphones Security

IT Security

Hochschule für Technik, Wirtschaft und Kultur Leipzig

Page 2: Smartphones' Security

Why Is Smartphone Security Important?

Our smartphones are more than our wallets, because they can store:
● credit card numbers
● contacts
● email accounts
● website passwords
● et cetera

Page 3: Smartphones' Security

Too Many Features

Which features can be dangerous?

and

Which features can help users to increase their security and privacy?

Page 4: Smartphones' Security

Bluetooth

Vulnerable to:
● BlueBug, a bug that makes it possible to copy contacts, listen to calls, send and read SMS messages, and force a connection to the Internet
● BlueSmack, a denial-of-service attack
● Eavesdropping
● Man in the middle
● ...

Page 5: Smartphones' Security

How to Use Bluetooth Safely

To improve our security when using Bluetooth we can:
● choose PIN codes that are long and not trivial,
● avoid pairing Bluetooth devices in crowded places,
● disable it or use it in hidden mode to increase the time a possible attack takes.

Page 6: Smartphones' Security

Near Field Communication

● Set of standards for radio communication between close devices

● No protection against eavesdropping
● Vulnerable to data modification

Applications that use NFC should encrypt their communications!

Page 7: Smartphones' Security

Services for Remote Control

Some services for remote control that we can find in our devices are:

– Secure Shell

– File Transfer Protocol

– Package Manager

All these services are possible points of access to our devices.

How can the average user disable them?

Page 8: Smartphones' Security

Summarizing, we can say that we should follow the "Principle of Least Privilege", enabling a feature only when needed.

Page 9: Smartphones' Security

Which Features Users Should Use

● Screen Lock
● Data Encryption
● Remote Wipe Service
● Antivirus
● Two-factor Authentication

Page 10: Smartphones' Security

Install an Antivirus

Mobile malware attacks are on the rise because smartphones offer easy and fast ways to make a profit:
● mobile payments
● charging directly to the phone bill of the device's owner

40% of modern smartphones don't have an antivirus because users think that they don't need one.

Some antivirus also offer tracking and remote wipe services, thus providing three important functions with a single application.

Page 11: Smartphones' Security

Use Two-factor Authentication

Two-factor authentication (TFA) is an authentication method that requires the presentation of two of the three authentication factors: “something the user knows”, “something the user has” and “something the user is”.

Something the user has: their smartphone

The user receives an SMS with an extra code or the code is generated by a dedicated application.

Page 12: Smartphones' Security

How to Keep Smartphones and Privacy Safer?

● Remember that it's not “Just a Phone”
● Say yes to updates
● Understand allowed permissions
● Don't download apps from untrusted sources
● Keep strong passwords and don't be lazy
● Be careful with free Wi-Fi

Page 13: Smartphones' Security

Be careful with free Wi-Fi

In free Wi-Fi networks lots of plain text is exchanged, and a large share of the most popular websites do not offer an encrypted connection.

Published Date: January 14, 2013 on www.trustworthyinternet.org

Page 14: Smartphones' Security

Be careful with free Wi-Fi

Some websites use an encrypted connection only for login

They are vulnerable to "Session Hijacking"
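A check a site owner can run against their own login response to see whether the session would survive on an open network, as an added example that is not part of the original slides. The response text, host name and cookie names are constructed for illustration.

```python
# Constructed login response (not captured traffic): the login form was served
# over HTTPS, but the redirect and the session cookie fall back to plain HTTP.
SAMPLE_LOGIN_RESPONSE = """\
HTTP/1.1 302 Found
Location: http://shop.example/account
Set-Cookie: SESSIONID=5f2a9c; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT
Set-Cookie: csrf=ab12; Path=/; Secure; HttpOnly; SameSite=Strict
"""


def header_values(raw, wanted):
    """Yield the value of every header named `wanted` (case-insensitive)."""
    for line in raw.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == wanted.lower():
            yield value.strip()


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    first, *rest = value.split(";")
    name = first.partition("=")[0].strip()
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part.strip()}
    return name, attrs


def audit_login_response(raw):
    """Map each weak spot to the reasons the session is exposed after login."""
    findings = {}
    for value in header_values(raw, "Set-Cookie"):
        name, attrs = parse_set_cookie(value)
        issues = []
        if "secure" not in attrs:
            issues.append("no Secure attribute: cookie is also sent over plain HTTP")
        if "httponly" not in attrs:
            issues.append("no HttpOnly attribute: cookie is readable by page scripts")
        if issues:
            findings[name] = issues
    for target in header_values(raw, "Location"):
        if target.lower().startswith("http://"):
            findings["Location"] = ["post-login redirect leaves HTTPS"]
    if not list(header_values(raw, "Strict-Transport-Security")):
        findings["HSTS"] = ["no Strict-Transport-Security header"]
    return findings
```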

Page 15: Smartphones' Security
Page 16: Smartphones' Security

Solutions for free Wi-Fi

● Use secure channels:
– HTTPS for surfing web sites;
– SSL when using applications that access the Internet such as a mail client.
● Use a Virtual Private Network or an SSH tunnel
● Do not use free Wi-Fi

Page 17: Smartphones' Security

Which Measures Should Smartphone Manufacturers and Software Developers Take?

We will see solutions from the design phase of hardware and software to the phase after the sale of the device.

Page 18: Smartphones' Security

Opportunity to Create Different User Profiles

Create a profile just for children

Separate and secure work and personal information

Page 19: Smartphones' Security

Provide Long Term Support

● Providing long-term support with updates is extremely important for keeping devices safe.
● It is possible to find devices for sale with a version of the OS that is no longer supported.
● Most users don't know how to upgrade the OS
● Manufacturers want users to buy another phone as soon as possible.

Page 20: Smartphones' Security

Android's situation

More than 60% have a version released before October 2011

Page 21: Smartphones' Security

Improve security on App Stores

● Check authors' identity
● Run a new application, checking for malicious and hidden behaviors
● Use restrictive policies against spam and fake apps
● Deny applications that download other applications
● Offer a payment system for purchases that protects both users and sellers

Page 22: Smartphones' Security

Separate Running Programs

Page 23: Smartphones' Security

Separate Running Programs

This prevents a compromised app from accessing lower system levels it is not allowed to reach, including:
● reading or writing the user's private data (like contacts or emails)
● reading or writing another application's files
● performing network access
● et cetera

Page 24: Smartphones' Security

Implement Protocols Correctly

Developers should pay attention when using third-party libraries such as OpenSSL or JSSE.

Some implementations perform the SSL certificate validation incorrectly or not at all.

This leaves them insecure against man-in-the-middle attacks.
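The two failure modes named above ("not at all" and "incorrectly") next to a correct client configuration, as an added example that is not part of the original slides. It uses Python's `ssl` module, which wraps OpenSSL; the function names are illustrative.

```python
import socket
import ssl


def no_validation_context():
    """Validation 'not at all': the link is encrypted but the peer is anonymous."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_context():
    """Validation 'incorrectly': the chain is checked, the host name is not,
    so any valid certificate for any other site is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_context():
    """Chain verified against the system CA store and host name matched."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """List the validation steps a client context would skip."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not matched against the certificate")
    return findings


def open_verified(host, port=443, timeout=5.0):
    """Connect with full validation; raises ssl.SSLCertVerificationError on a
    forged or mismatched certificate instead of silently continuing."""
    sock = socket.create_connection((host, port), timeout=timeout)
    return hardened_context().wrap_socket(sock, server_hostname=host)
```

`audit_context` can be called in a unit test on whatever context an application builds, so a debugging shortcut that disables validation does not reach a release.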

Page 25: Smartphones' Security

Chain of trust

A chain of trust is made by validating each component of hardware and software from the bottom up.

Only signed software can be booted.

Page 26: Smartphones' Security

Conclusion

As with computers, smartphone security is a process that involves manufacturers, developers and users.

This is why it is not enough that devices and software are safe and poka-yoke (“idiot proofing”); we also have to hope that in the future users will be aware.