mobile device talk
TRANSCRIPT
Smartphone Security and Privacy for the General Public
Matt (mattrix) Hoy
David (davo) Khudaverdyan
About Matt (mattrix) Hoy
• @mattrix_ on Twitter
• Has fancy security alphabet certs
• Prefers scotch from Scotland
About David (davo) Khudaverdyan
• Twitter: @deltaflyerzero
• Drinks whisky from Japan (scotch can come too)
• Has cat pics:
Smartphone Security and Privacy for the General Public
• Why?
– It’s the title, duh!
– This is what the GENERAL PUBLIC can do about mobile security and privacy
• What this covers:
– Do you trust your device?
• TAO on iOS/Android
– iOS vs. Android privacy granularity
Smartphone Security and Privacy for the General Public
• What this covers (cont.)
– What cloud are you on?
– What carrier are you on?
– What apps should you use?
– Recent advances in mobile security
– Recent fails in mobile security
– It’s all the user’s fault!
Do you trust your device?
• Shrink-wrapped compromise
• SIM card security
• The Fappening
iOS Privacy Granularity
• iOS has built-in granular privacy controls for:
– Location Services
– Contacts
– Calendar
– Reminders
– Photos
– Bluetooth Sharing
– Microphone
– Camera
– “Health”
– “HomeKit”
– Motion & Fitness
– “Social Media”
• Facebook
• Twitter
• etc.
iOS Privacy Granularity
• When does it ask you?
– When the app first needs access to that feature
• What if you don’t want to give the app access?
– The app just has to deal with it (thanks, Apple!)
• What if I change my mind?
– Settings -> Privacy -> the feature (e.g. Photos), then flip the switch next to the app. Easy.
iOS Privacy Granularity
• What about options?
– For location privacy:
• Never: it never happens
• While Using the App: only when the app is ON THE SCREEN
• Always: even if the app is running in the background
– Everything else:
• Keep it simple: the app has access or it doesn’t.
iOS Privacy Granularity
• Siri and iCloud spy on you
– How they do it
• Location history – Apple Maps, Frequent Locations
• Siri – “Siri, when do you track me?”
• Safari history
– How to disable it
• Turn off iCloud
• Limit location use
• Turn off Frequent Locations!
• Reset your advertising ID / turn on Limit Ad Tracking
Android Privacy Granularity (or not)
• No, unless you root
– If you root, you’re not secure!
• Rebuild the app’s manifest using the Android SDK
– Who has time for this?
– Also, this talk is for people who are not doing infosec/IT for a living
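“Rebuild the manifest” means taking the permissions out of the app yourself, because (without root) Android at the time gave the user no per-permission switch. The script below is an added example, not code from the talk: it assumes the APK has already been decoded to a plain-text AndroidManifest.xml (for instance with apktool) and that the reader rebuilds and re-signs the package afterwards; the flashlight manifest embedded in it is constructed for the example and is not taken from any real app.

```python
"""Strip chosen <uses-permission> entries from a decoded AndroidManifest.xml.

Added example (not from the talk). Assumes the manifest is already decoded
to plain XML (e.g. `apktool d app.apk`); rebuilding and re-signing the APK
afterwards is outside this script.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
# Keep the android: prefix when serialising instead of an auto-generated ns0:.
ET.register_namespace("android", ANDROID_NS)

# Constructed sample: a "flashlight" app asking for far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def list_permissions(manifest_xml: str) -> list[str]:
    """Return the permission names declared by the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME) for el in root.findall("uses-permission")]


def strip_permissions(manifest_xml: str, to_remove) -> tuple[str, list[str]]:
    """Remove every <uses-permission> whose name is in `to_remove`.

    Returns the rewritten manifest text and the list of names removed.
    """
    root = ET.fromstring(manifest_xml)
    removed = []
    # Copy the list first: removing children while iterating skips elements.
    for el in list(root.findall("uses-permission")):
        name = el.get(ANDROID_NAME)
        if name in to_remove:
            root.remove(el)
            removed.append(name)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body, removed


if __name__ == "__main__":
    print("before:", list_permissions(SAMPLE_MANIFEST))
    new_xml, gone = strip_permissions(
        SAMPLE_MANIFEST,
        {"android.permission.ACCESS_FINE_LOCATION",
         "android.permission.READ_CONTACTS"},
    )
    print("removed:", gone)
    print("after:", list_permissions(new_xml))
    print(new_xml)
```

Two caveats the slide’s “who has time for this?” glosses over: the app will not “just deal” the way iOS apps do; on Android versions before runtime permissions, an app that calls an API for a permission it no longer holds throws a SecurityException and usually crashes, so you have to test the app after each rebuild. And the rebuilt APK is signed with your key, not the developer’s, so it will no longer receive store updates.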
Android Privacy Granularity (or not)
• Google spies on you
– How they do it
• Voice and audio activity – Google Now
• Search history – web searches
• YouTube history – anything you watched on YouTube
• Location history
– Applications drawer
• Account History > Web and App Activity > Manage History
• Tap the Settings button (looks like a gear) and delete everything
Google Spies on you
To Illustrate
What cloud are you on?
• Google
– Makes money from targeted advertising
• iCloud
– Takes your money, but who has access?
• Microsoft
– Microsoft has a cloud?
• Box
– Pretty good, actually…
What carrier are you on?
• Supercookie, anyone?
– AT&T: unknown
– T-Mobile: unknown
– Sprint: unknown
– Verizon: now allows opt-out
What carrier are you on?
• Stop using the carrier’s internet directly
– VPN
• You need an L2TP/IPsec VPN with a pre-shared secret or certificates
– Mattrix’s choices (so fuckin 1337 I need two)
» AceVPN
» Private Internet Access
– Davo’s choice (fast and simple)
» VyprVPN (Golden Frog)
What Apps should you use?
• For enhanced privacy
– Signal
– Peerio
– STRIP
– Burner
– iMessage
Advances in Smartphone Security
• iOS – hardware-based encryption with iOS 7
• iOS – full device encryption (hardware based) with iOS 8
• Android – full device encryption (including the SD card) – Jelly Bean
• Android – full device encryption (what’s an SD card?) – Lollipop
• It must be good, since there was a recent Senate hearing on why we should not have encryption on any smartphone
Fails in Smartphone Security
• Android Lollipop – encryption not enabled out of the box
• iOS – encryption, but a 4-digit PIN out of the box
• Samsung Galaxy S5/S6 – fingerprints not encrypted and accessible by rogue apps
• Android app store – 1228 apps vulnerable to FREAK
• iOS 8 – Wi-Fi denial of service
• Gemalto – entire SIM card plant compromised by stolen encryption keys
This is YOUR fault!
• <rant>
• You LET them do this!
• You, the consumer.
• You thought it would be more convenient.
• Now we all use smartphones that SUCK on security.
• How could you let this happen?
• Why didn’t you stop it when you had the chance?
• </rant>
The Compromised Solution
• The Verizon DBIR reports no breaches attributed to compromised mobile devices yet
The Paranoid Conclusion
• Don’t piss off a nation state
• Don’t use a smartphone
• Learn what each app is capable of doing
– If you are on iOS 8.x you can limit your exposure
– If you are using BlackBerry you can limit your exposure (but there really are no apps on BB)
Questions
• There’s no such thing as a silly question…