Smartphone Security and Privacy for the General Public, by Matt (mattrix) Hoy and David (davo) Khudaverdyan

Post on 16-Jan-2017


Page 1: Mobile Device Talk

Smartphone Security and Privacy for the General Public

Matt (mattrix) Hoy
David (davo) Khudaverdyan

Page 2: Mobile Device Talk

About Matt (mattrix) Hoy

• @mattrix_ on twitter
• Has fancy security alphabet certs
• Prefers scotch from Scotland

Page 3: Mobile Device Talk

About David (davo) Khudaverdyan

• Twitters: @deltaflyerzero
• Drinks whisky from Japan (scotch can come too)
• Has cat pics:

Page 4: Mobile Device Talk

Smartphone Security and Privacy for the General Public

• Why?
– It’s the title, duh!
– This is what the GENERAL PUBLIC can do about mobile security and privacy
• What this covers:
– Do you trust your device?
  • TAO on iOS/Android
– iOS vs. Android Privacy Granularity

Page 5: Mobile Device Talk

Smartphone Security and Privacy for the General Public

• What this covers (cont.)
– What cloud are you on?
– What carrier are you on?
– What apps should you use?
– Recent advances in mobile security
– Recent fails in mobile security
– It’s all the user’s fault!

Page 6: Mobile Device Talk

Do you trust your device?

• Shrink Wrapped Compromise
• SIM Card Security
• The Fappening

Page 7: Mobile Device Talk

iOS Privacy Granularity

• iOS has built-in granular privacy controls for:
– Location Services
– Contacts
– Calendar
– Reminders
– Photos
– Bluetooth Sharing
– Microphone
– Camera
– “Health”
– “HomeKit”
– Motion & Fitness
– “Social Media”
  • Facebook
  • Twitter
  • etc.

Page 8: Mobile Device Talk

iOS Privacy Granularity

• When does it ask you?
– When the app needs access to that feature
• What if you don’t want to give the app access?
– The app just has to deal (Thanks Apple!)
• What if I changed my mind?
– Settings -> Privacy -> App Name, flip the switch next to the app. Easy.

Page 9: Mobile Device Talk

iOS Privacy Granularity

• What about options?
– For Location Privacy:
  • Never: It never happens
  • While Using the App: Only when the app is ON THE SCREEN
  • Always: Even if the app is running in the background
– Everything else:
  • Keep it simple, the app has access or it doesn’t.

Page 10: Mobile Device Talk

iOS Privacy Granularity

• Siri and iCloud spy on you
– How they do it
  • Location History – Apple Maps, Frequent Locations
  • Siri – “Siri, when do you track me?”
  • Safari History
– How to disable
  • Turn off iCloud
  • Limit Location use
  • Turn off Frequent Locations!
  • Change your advertising ID / Limit Ad Tracking

Page 11: Mobile Device Talk

Android Privacy Granularity (or not)

• No, unless you root
– If you root, you’re not secure!
• Rebuild the manifest using the Android SDK
– Who has time for this?
– Also, this talk is for people that are not doing infosec/IT for a living
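The iOS slides above list what a user can toggle per app, and this Android slide says there is no such switch short of rooting or rebuilding the manifest. What a non-root user on either platform can still do is read what an app declares it will ask for before installing it. The script below is an added example, not code from the talk: it reads the NS*UsageDescription keys from an iOS Info.plist (Apple's key names as of iOS 8; the two location keys are the "While Using the App" versus "Always" choice from the earlier slide) and the <uses-permission> entries from an Android manifest, and reports the dangerous-level ones that were granted all-or-nothing at install time on Lollipop and earlier (Android 6.0 Marshmallow, released after this talk, added per-permission runtime toggles). Both inputs are constructed samples; the "flashlight" app and its bundle identifier are made up. A real APK carries its manifest as binary XML, so decode it first (for example `aapt dump permissions app.apk`, or apktool) before feeding it to `android_permissions()`.

```python
"""Added example (not from the talk): a read-only audit of what an app is
*able* to do, taken from the capability declarations inside the package.

iOS:     Info.plist must carry an NS*UsageDescription string for every
         protected resource the app will ever prompt for.
Android: every permission is a <uses-permission> entry in AndroidManifest.xml
         and, before runtime permissions (Android 6.0), was granted
         all-or-nothing at install time.

Both inputs below are constructed samples so this runs offline.
"""
import plistlib
import xml.etree.ElementTree as ET

# Info.plist key -> the Settings -> Privacy category it unlocks on iOS.
IOS_USAGE_KEYS = {
    "NSLocationWhenInUseUsageDescription": "Location (While Using the App)",
    "NSLocationAlwaysUsageDescription": "Location (Always)",
    "NSContactsUsageDescription": "Contacts",
    "NSCalendarsUsageDescription": "Calendar",
    "NSRemindersUsageDescription": "Reminders",
    "NSPhotoLibraryUsageDescription": "Photos",
    "NSBluetoothPeripheralUsageDescription": "Bluetooth Sharing",
    "NSMicrophoneUsageDescription": "Microphone",
    "NSCameraUsageDescription": "Camera",
    "NSHealthShareUsageDescription": "Health",
    "NSMotionUsageDescription": "Motion & Fitness",
}

# Android permissions at the "dangerous" protection level: the ones that
# touch user data or sensors and that a user would want a switch for.
ANDROID_DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def ios_capabilities(info_plist: bytes) -> dict:
    """Map each privacy category the app declares to its stated justification."""
    info = plistlib.loads(info_plist)
    return {IOS_USAGE_KEYS[k]: v for k, v in info.items() if k in IOS_USAGE_KEYS}


def android_permissions(manifest_xml: str) -> list:
    """All <uses-permission> names, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def android_sensitive(manifest_xml: str) -> list:
    """Only the dangerous-level permissions, sorted, for the install-time review."""
    return sorted(p for p in android_permissions(manifest_xml) if p in ANDROID_DANGEROUS)


# Constructed sample: a "flashlight" app whose declarations go well beyond a light.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.flashlight</string>
  <key>NSLocationAlwaysUsageDescription</key><string>Shows deals near you.</string>
  <key>NSContactsUsageDescription</key><string>Finds friends using the app.</string>
  <key>NSCameraUsageDescription</key><string>Needed to drive the LED.</string>
</dict>
</plist>
"""

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    print("iOS will prompt for:")
    for category, why in ios_capabilities(SAMPLE_INFO_PLIST).items():
        print(f"  {category}: {why!r}")
    print("Android grants at install time, no opt-out:")
    for perm in android_sensitive(SAMPLE_MANIFEST):
        print(f"  {perm}")
```

The usage strings are the app's own justification and are worth reading as such: a flashlight that wants Always location and your contacts is the kind of mismatch the talk's "learn what each app is capable of doing" advice is about, and on Android the list is the whole decision, since there is no switch to flip afterwards.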

Page 12: Mobile Device Talk

Android Privacy Granularity (or not)

• Google spies on you
– How they do it
  • Voice and Audio Activity – Google Now
  • Search History – web searches
  • YouTube History – anything you watched on YouTube
  • Location History
– Applications Drawer
  • Account History > Web and App Activity > Manage History
  • Tap the Settings button (looks like a gear) and delete everything

Pages 13 to 16: Mobile Device Talk

Google Spies on you (four screenshot slides; images not captured in the transcript)

Pages 17 to 18: Mobile Device Talk

To Illustrate (two screenshot slides; images not captured in the transcript)

Page 19: Mobile Device Talk

What cloud are you on?

• Google
– Makes money from targeted advertising
• iCloud
– Takes your money, but who has access?
• Microsoft
– Microsoft has a cloud?
• Box
– Pretty good actually…

Page 20: Mobile Device Talk

What carrier are you on?

• Supercookie anyone?
– AT&T: Unknown
– T-Mobile: Unknown
– Sprint: Unknown
– Verizon: Now allows opt-out

Page 21: Mobile Device Talk

What carrier are you on?

• Stop using the carrier’s internet – VPN
  • Need an L2TP/IPsec VPN with a pre-shared secret or certificates
– Mattrix’s choices – so fuckin 1337 I need two
  » AceVPN
  » Private Internet Access
– Davo’s choice – fast and simple
  » VyprVPN (Golden Frog)
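The carrier supercookie on the previous slide and the VPN answer on this one are two sides of one mechanism, so a single added example, not code from the talk, covers both. Verizon's tracking header was named X-UIDH; the carrier's network inserted it into subscribers' cleartext HTTP requests in transit, so it is invisible on the phone, visible only to the web server (or a test site that echoes request headers back), and it cannot be inserted into traffic the carrier cannot read, which is why TLS or a VPN tunnel stops it. The functions below parse a raw request as a web server received it, flag the known header name, and diff a cleartext capture against a TLS/VPN capture from the same client so that anything added on the wire is caught whatever it is called. Both captured requests are constructed, the token value is made up, and headers.example.test is a placeholder host.

```python
"""Added example (not from the talk). A carrier "supercookie" is not a cookie:
the carrier rewrites cleartext HTTP requests in transit and appends a header
carrying a persistent subscriber ID (Verizon's was X-UIDH). Only the server
side can see it, so this works on raw requests as a web server received them.

Two consequences, both checkable from a server-side capture:
  1. the header is present on requests sent over the carrier's plain HTTP path;
  2. it is absent when the same client fetches over TLS or through a VPN,
     because the carrier cannot rewrite bytes it cannot read.

The two raw requests below are constructed; the token value is made up.
"""

# Header names already known to be carrier tracking IDs (lowercased).
# X-UIDH is Verizon's; extend this from your own captures.
KNOWN_SUPERCOOKIE_HEADERS = {"x-uidh"}


def parse_request_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into {name: value},
    with names lowercased so comparisons are case-insensitive."""
    lines = raw.strip("\r\n").split("\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        line = line.rstrip("\r")
        if not line:                # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def known_supercookies(raw: str) -> dict:
    """Headers on this request whose names are known tracking IDs."""
    return {k: v for k, v in parse_request_headers(raw).items()
            if k in KNOWN_SUPERCOOKIE_HEADERS}


def injected_in_transit(cleartext_raw: str, protected_raw: str) -> dict:
    """Headers the server saw on the cleartext request but not on the TLS/VPN
    request from the same client. The client sent identical headers both times,
    so anything here was added on the wire, whether or not its name is known."""
    plain = parse_request_headers(cleartext_raw)
    protected = parse_request_headers(protected_raw)
    return {k: v for k, v in plain.items() if k not in protected}


# Constructed: same phone, same page, first over carrier data (http://),
# then through an encrypted tunnel. The X-UIDH value is a made-up token.
OVER_CARRIER = """GET /whoami HTTP/1.1
Host: headers.example.test
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)
Accept: text/html
X-UIDH: OTgxNTk2NjYxYTA2ZmFrZXRva2VuZm9ydGhlZXhhbXBsZQ==

"""

OVER_VPN = """GET /whoami HTTP/1.1
Host: headers.example.test
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X)
Accept: text/html

"""

if __name__ == "__main__":
    print("known tracking headers:", known_supercookies(OVER_CARRIER))
    print("added on the wire:", injected_in_transit(OVER_CARRIER, OVER_VPN))
```

The diff is the check to rely on: a carrier can rename the header at any time, but it cannot add one to a request it only sees as ciphertext, so a header that shows up on the cleartext path and vanishes on the tunnelled path was injected in transit regardless of what it is called.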

Page 22: Mobile Device Talk

What Apps should you use?

• For enhanced privacy
– Signal
– Peerio
– STRIP
– Burner
– iMessage

Page 23: Mobile Device Talk

Advances in Smartphone Security

• iOS – Encryption (hardware based) with iOS 7
• iOS – Full device encryption (hardware based) with iOS 8
• Android – Full device encryption (including SD card) – Jelly Bean
• Android – Full device encryption (What’s an SD card?) – Lollipop
• It must be good, since there was a recent Senate hearing on why we should not have encryption on any smartphone

Page 24: Mobile Device Talk

Fails in Smartphone Security

• Android Lollipop – Encryption not enabled out of the box
• iOS – Encryption, but a 4-digit PIN out of the box
• Samsung Galaxy S5–S6 – Fingerprints not encrypted and accessible by rogue apps
• Android app store – 1228 apps vulnerable to FREAK
• iOS 8 – Wi-Fi denial of service
• Gemalto – Entire SIM card plant compromised, encryption keys stolen

Page 25: Mobile Device Talk

This is YOUR fault!

• <rant>
• You LET them do this!
• You, the consumer.
• You thought it would be more convenient.
• Now we all use smartphones that SUCK on security.
• How could you let this happen?
• Why didn’t you stop it when you had the chance?
• </rant>

Page 26: Mobile Device Talk

The Compromised Solution

• The Verizon DBIR suggests that no breaches have been caused by compromised mobile devices yet

Page 27: Mobile Device Talk

The Paranoid Conclusion

• Don’t piss off a nation state
• Don’t use a smartphone
• Learn what each app is capable of doing
– If you are on iOS 8.x you can limit your exposure
– If you are using BlackBerry you can limit your exposure (but there really are no apps on BB)

Page 28: Mobile Device Talk

Questions

• There’s no such thing as a silly question…