Mobile Security: For the modern tech mogul
Andrew Schwabe, Founder
Background
• WCU Computer Science alumnus
• Entrepreneur
• Mobile, Social, Cloud Developer
• Founder of Point.IO
A Whole New World
• Smartphones, tablets and phablets
• Mobile will overtake desktop in 2015
• BYOD trend
… Same Sandbox
• You leave a “digital footprint” everywhere you go
• Most smartphones have services enabled that you don’t know about
• 50% of enterprises have had a mobile data security breach
Being a safe netizen
Becoming a safe netizen
• Mobility is awesome
• ignorant < you < paranoid
• Be informed and you don’t have to fear
• Mobile power requires responsibility
Not all devices are equal
• Each OS has different security goals
• Apps have different screening processes
• Apple i-devices
• Android
• Blackberry
• Windows Mobile
• Symbian/Palm/Others?
• Which is better?
Safety goals:
• Not losing your device, duh
• Prevent identity theft
• Prevent loss of passwords and dignity
• Prevent family and friends from suffering the same fate…
  • … of their own accord, or…
  • … because you gave it to them
Apps and Tweets and Phreaks, oh my!
• Lots of things can get’cha, but…
• That’s no different than swimming in the ocean. You just need to know the places to avoid sharks and other baddies.
• Use common sense.
Three categories of “bad stuff”:
• Email and communication threats
• Malware
• Phishing
Email:
• Viruses can be spread through email
• Usually attachments
• Usually only affect desktops (this will change over time)
• You don’t want the virus (or to spread it)
• Best course of action:
  • Don’t open email from unknown/weird addresses
  • Don’t open email attachments you were not expecting
SMS and MMS:
• Generally pretty harmless
• Sometimes contain links to websites that look weird, e.g. hax0r.me/pinkbunnies
• The age of spam and SMS attacks will come
• Thumb and others are ok
• Best course of action:
  • Don’t click links from unknown/weird addresses
  • Don’t click links you were not expecting
WiFi Vulnerability:
• Do you hotspot? Do you know if your phone CAN hotspot?
• Some smartphones let you configure a hotspot with no password.
• Best course of action:
  • Know if your phone supports it
  • Disable it if you aren’t using it
  • Disable WiFi when you are not home
Bluetooth Vulnerability:
• Unconfigured services are sometimes active by default
• A skilled hacker can connect to open Bluetooth services and take control of your smartphone
• Best course of action:
  • Disable Bluetooth if you aren’t using it
  • Learn how to disable services you are not using
Malware:
• “My friend Mike’s Android phone had been acting strangely for a while. In the middle of the night, the phone would come alive. It would meander down various menu paths, send texts that were gibberish and start playing poker. Was it a bug in the operating system? Or had Mike been hacked?”
  - Forbes (link at end)
Malware:
• “How come my phone|tablet|uber device is going so slow all of a sudden?”
• Not all mobile apps are by quality (ahem… ‘moral’) developers
• Some apps can install “spyware” which reads your personal info, runs keystroke loggers, or creates popups
Malware (cont…):
• Beware of apps that request your personal information, or that install new services
• Read reviews and ratings before just downloading apps
• Android is more susceptible than iOS (looser app screening, and apps can be sideloaded from outside the store)
Phishing:
• They are the ‘fishermen’ and you are the ‘fish’
• Smart scammers who want to trick you into giving up personal information like:
  • Bank account info
  • Usernames/passwords to websites
Phishing (cont…):
• Obviousness
  • If it’s too good to be true, it probably is.
  • You do not have a rich distant uncle in Botswana that left you $20M
  • If you did, why would you have to pay a fee to get it?
Phishing (cont…):
• Social Media
  • Emails meant to look like Facebook or Twitter asking for your password
  • Services usually won’t send you an email asking for this information
  • “Change your password” emails should only be trusted if YOU requested them
Phishing (cont…):
• Sp00f websites and DNS poisoning
  • Alternate websites meant to look like your bank (reached through a lookalike link, or through poisoned DNS that sends the real name to the wrong server)
  • When you try to log in, they capture your username and password, but return an “account not available right now” or similar message
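The spoofed-site slide above (and the weird SMS links on the earlier slide) come down to one question a careful user asks by eye: does this link actually go to my bank’s domain? The following is an added example that asks it in code; it is not part of the original presentation. The trusted domain `examplebank.com`, the lookalike hosts and the list of sample links are all constructed for the example and are not real sites.

```python
"""Added example: is a link really pointing at the site it claims to be?

Assumes a trusted domain of examplebank.com and a constructed list of
links pulled from a phishing-style message; none of these hosts are real.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "examplebank.com"  # assumed; substitute your bank's real domain


def link_host(url: str):
    """Return the host a browser would actually connect to, or None.

    urlsplit().hostname already discards the 'user@' trick
    (https://examplebank.com@evil.example/) and any :port, and lowercases.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None  # javascript:, data:, tel: etc. are never the bank
    return parts.hostname


def is_trusted_link(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if the link lands on trusted_domain or one of its subdomains."""
    host = link_host(url)
    if not host:
        return False
    host = host.rstrip(".")
    # A raw IP address is never how a bank serves its login page.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    # Non-ASCII hosts can be homograph lookalikes (Cyrillic 'е' for 'e');
    # treat them as untrusted rather than trying to be clever.
    if not host.isascii():
        return False
    trusted = trusted_domain.lower().strip(".")
    # Match on whole labels: 'examplebank.com.evil.example' must not pass,
    # and neither must 'notexamplebank.com'.
    return host == trusted or host.endswith("." + trusted)


def triage_links(links, trusted_domain: str = TRUSTED_DOMAIN):
    """links: iterable of (display_text, href). Returns the hrefs that do not
    go where a reader would expect, i.e. the ones worth not clicking."""
    return [href for _text, href in links if not is_trusted_link(href, trusted_domain)]


# Constructed sample: how a phishing message might present its links.
SAMPLE_LINKS = [
    ("Log in to Online Banking", "https://secure.examplebank.com/login"),
    ("Verify your account", "https://examplebank.com.login-verify.example/"),
    ("examplebank.com", "https://examplebank.com@evil.example/"),
    ("Update details", "http://192.0.2.10/examplebank/"),
    ("Reset password", "https://notexamplebank.com/reset"),
    ("Contact us", "https://examplebank.com:8443/contact"),
]

if __name__ == "__main__":
    for href in triage_links(SAMPLE_LINKS):
        print("do not click:", href)
```

The display text is deliberately ignored: “examplebank.com” as link text says nothing about where the href goes, which is exactly the trick the slide describes. Only the host the browser will connect to is checked, and anything that is not plainly the trusted domain or a subdomain of it is treated as suspect.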
ALWAYS and NEVER list:
• Mama always said to never use ‘always’ and ‘never’ in a sentence…
• … Mama didn’t carry no Android Phablet…
ALWAYS and NEVER list:
• NEVER open email links and attachments from suspicious or unknown people
  • Includes unusual attachments from people you know, but you were not expecting
  • “crazycool_giraffe_parasailing.mov.pif” (the .mov is decoration; .pif is a Windows executable type, and it is the last extension that counts)
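The giraffe attachment on the slide is the classic double-extension trick: a harmless-looking extension in the middle of the name, an executable one at the end. Below is an added example, not part of the original presentation, that flags such names before anyone double-clicks. The extension lists are an assumption for the example rather than a complete policy (.apk is included because the deck is about phones), and the sample names other than the one from the slide are constructed.

```python
"""Added example: flag attachment names that are executables dressed up as
media or documents, like 'crazycool_giraffe_parasailing.mov.pif'.

The extension sets are assumed for the example; extend them per platform.
"""
import os

# Extensions that run code when opened (assumed list).
EXECUTABLE_EXTS = {
    ".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".lnk", ".jar", ".apk",
}
# Extensions people expect to be harmless; these are the 'disguise'.
DECOY_EXTS = {
    ".mov", ".mp4", ".avi", ".jpg", ".jpeg", ".png", ".gif",
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".zip",
}
# Unicode right-to-left override: makes 'photo<RLO>fdp.exe' display as 'photoexe.pdf'.
RLO = "\u202e"


def extensions(filename: str):
    """'Giraffe.MOV.pif' -> ['.mov', '.pif'].

    Strips directory parts, lowercases, and trims whitespace inside each
    extension so 'holiday.jpg                .exe' is still seen as .jpg + .exe.
    """
    name = os.path.basename(filename.strip())
    parts = [p.strip() for p in name.lower().split(".")]
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str) -> str:
    """Return 'allow', 'review: ...', or a 'block: ...' verdict explaining why."""
    if RLO in filename:
        return "block: right-to-left override in name"
    exts = extensions(filename)
    if not exts:
        return "review: no extension"
    last = exts[-1]  # only the final extension decides what the OS runs
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return f"block: executable disguised as {exts[-2]}"
        return "block: executable"
    return "allow"


# Constructed sample attachment names (the first is from the slide).
SAMPLE_NAMES = [
    "crazycool_giraffe_parasailing.mov.pif",
    "family_picnic.jpg",
    "holiday.jpg                    .exe",
    "Invoice.PDF.exe",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{classify_attachment(name):45} {name!r}")
```

Two details matter more than the lists themselves: the verdict is decided by the last extension only, because that is the one the operating system acts on, and whitespace padding inside the name is stripped, because a long run of spaces before the real extension is a common way to push it out of view in a mail client.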
ALWAYS and NEVER list:
• NEVER open links from emails that are asking you for usernames and passwords.
  • Almost always a scam (real sites know better than to send emails like that)
  • If your spam filter caught it, best to leave it alone
  • If it’s a bank email, try calling your local branch. If they never heard of it… danger!
  • If in doubt, throw it out
ALWAYS and NEVER list:
• NEVER post anything on any site unless:
  • You are ok with the whole world knowing it
  • Family picnic and birthday pics = ok
  • Skinny dipping pics = never ok
  • Ever read the terms of service for Facebook and others? They grant themselves a broad license to use your content…
ALWAYS and NEVER list:
• NEVER email or post personal and sensitive information if at all possible:
  • Credit card numbers
  • Bank info
  • Maybe home address, vacation info
  • You never know who will see it
  • Easy to exploit your weaknesses
ALWAYS and NEVER list:
• ALWAYS use a basic security lock on your mobile devices:
  • PIN codes on Apple devices
  • Password/pattern locks for Android
ALWAYS and NEVER list:
• ALWAYS use apps that YOU installed:
  • Verify that they are from a trusted author
  • Read ratings/comments
  • Use a bank’s APP instead of the website if possible
ALWAYS and NEVER list:
• ALWAYS disable services you don’t need:
  • Disable WiFi/Bluetooth if/when you don’t need them
  • NFC, ssh, jailbreak and root apps
  • BONUS! Fewer running things = less battery drain
Symptoms of a hacked phone:
• Unusual restarts
• Slow response time
• Web browser redirects to inappropriate sites
• Phone sends text messages on its own
• Online credit card charges start showing up
• Plane tickets to Amsterdam
What to do if you are hacked:
• Log out from your app or website
• Switch to a different device
• Change your password
• Call your credit card company
• Request a credit alert with the credit bureau
• Erase/restore your mobile device
Tips for being safe:
• Incognito mode in some web browsers
• Read the manual that came with your device
• Learn all the stuff you don’t know
• Google ‘security tweaks for Samsung galaxy note 2’ (or your device)
• Use a lost and found service
  • Apple has several app and GPS based choices
  • 3rd party labels – foundkarma.com
More reading:
• Cloud storage (Box, Dropbox, others)
• Google and Facebook’s new privacy rules
• Read the ‘technology’ channel using Flipboard
Reference and Stories:
• Your Phone Has Been Hacked
• Signs and Symptoms of a hacked smartphone
Thank You!
• Blog: www.PainInTheApps.com
• Personal Email: [email protected]
• Twitter: @aschwabe
• This presentation will be posted on my blog and my Twitter
Special Thanks to:
• http://www.theoatmeal.com for cartoon awesomeness used in this presentation
• Kim Slattery and West Chester University for the opportunity to share
• All the attendees who participated in our session!