Friday, July 20, 2012

Thoughts on mobile security

A survey of smartphone use found that almost 70% of users do not encrypt the confidential data stored on their phones. Consider how many smartphone users have login credentials for their private email, social networking accounts and cloud storage configured with auto-login. Someone who finds a weakly secured phone can read your confidential email, reset the passwords of your social networking accounts (the reset link lands in the very inbox that is already open on the phone), transfer money from your PayPal account or post your private photographs online. Your company might even get sued for leaking confidential data or email correspondence between you and a client.

How secure is secure?
When asked "how secure?", the real question is: secure against whom? Your kid, your spouse, an Android guru or an intelligence agency? The truth is that, given enough resources and motivation, no security system is 100% guaranteed. That is not to say we should do nothing about it; it means picking the attacker you actually need to stop.

My recommendation
Password protecting your smartphone with an unguessable password or PIN should be a no-brainer. Enable full disk encryption if your device supports it (Honeycomb and ICS do natively; Gingerbread devices only if the manufacturer added it). A lock screen alone keeps a casual intruder from using the phone, even without full disk encryption, but it does nothing to protect the data sitting on the flash chip. That is what full disk encryption is for: it defeats forensic desoldering, commonly referred to in the industry as a "chip-off" technique, the last and most intrusive way to get a memory image, in which the non-volatile memory chip is desoldered and connected to a memory chip reader. Without encryption that image is plaintext; with it, the attacker still needs your password. One caveat: on stock Android the encryption password is the same as the lock screen PIN or password, so a four-digit PIN leaves the encrypted image open to a quick offline brute force. That is another reason to use a long passphrase rather than a PIN.

Next, install a remote wipe app so you can wipe the phone remotely if you ever need to. One problem: remote wipe is easily beaten if the SIM card is removed (or the phone is simply kept powered off, or in a shielded bag), because the phone must be connected to receive the wipe instruction. Treat remote wipe as a bonus, not as your primary protection.

The most important step of all, in my opinion, for Android devices is to turn off USB debugging mode. If USB debugging is on, an intruder can connect the Android device to a PC over USB and pull files with adb while the screen is locked, and full disk encryption does not help here either: once the boot-time encryption password has been entered, the data partition is mounted in the clear and adbd serves it. On an unrooted phone this is limited to what the shell user can read, such as the SD card and world-readable files; if the phone is rooted, application databases and configuration files under /data are freely accessible. The setting lives under Settings > Applications > Development on Gingerbread and Settings > Developer options on ICS. A quick check: if running adb devices on a PC lists your phone while it is locked, debugging is on.
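As an added example (not code from the original post), here is a small POSIX shell audit that checks the three points above from a device's getprop output: whether adbd is running or adb sits in the persistent USB configuration, whether adb would get a root shell, and whether the data partition is encrypted. It reads getprop-formatted text on stdin so it can be run against a live phone (adb shell getprop | audit_getprop) or a saved dump. The property names are the stock Android ones (init.svc.adbd, persist.sys.usb.config, ro.secure, ro.debuggable, ro.crypto.state); the two sample dumps are constructed for the example and do not come from a real device.

```shell
#!/bin/sh
# Audit an Android device for the exposures discussed in this post, using the
# output of `adb shell getprop`. audit_getprop reads getprop-formatted text on
# stdin and prints one RISK line per finding, then a count. Property names are
# the stock Android ones as of Gingerbread/ICS; OEM builds may differ.

# prop DUMP NAME: print the value of [NAME] from a getprop dump, empty if absent.
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p" | head -n 1
}

audit_getprop() {
    dump=$(cat)
    risks=0

    # USB debugging: adbd running now, or adb kept in the persistent USB
    # configuration (ICS and later) so that it comes back after a reboot.
    adbd=$(prop "$dump" init.svc.adbd)
    usbcfg=$(prop "$dump" persist.sys.usb.config)
    case "$adbd:$usbcfg" in
        running:*|*:*adb*)
            echo "RISK: USB debugging enabled (adbd=$adbd, usb config=$usbcfg); 'adb pull' works past the lock screen"
            risks=$((risks + 1)) ;;
    esac

    # Root over adb: ro.secure=0 makes adbd run as root from the start, and
    # ro.debuggable=1 lets 'adb root' restart it as root. Either exposes /data.
    secure=$(prop "$dump" ro.secure)
    debuggable=$(prop "$dump" ro.debuggable)
    case "$secure:$debuggable" in
        0:*|*:1)
            echo "RISK: adb shell can run as root (ro.secure=$secure, ro.debuggable=$debuggable); databases under /data are readable"
            risks=$((risks + 1)) ;;
    esac

    # Full disk encryption: ro.crypto.state is 'encrypted' on an encrypted
    # Honeycomb/ICS device, 'unencrypted' otherwise, and absent on older releases.
    crypto=$(prop "$dump" ro.crypto.state)
    if [ "$crypto" != "encrypted" ]; then
        echo "RISK: data partition not encrypted (ro.crypto.state=${crypto:-not reported}); a chip-off image is plaintext"
        risks=$((risks + 1))
    fi

    if [ "$risks" -eq 0 ]; then
        echo "OK: USB debugging off, adb not root, storage encrypted"
    fi
    echo "$risks finding(s)"
}

# Constructed sample dumps (not captured from a real phone) for the two cases.
SAMPLE_RISKY='[init.svc.adbd]: [running]
[persist.sys.usb.config]: [mtp,adb]
[ro.build.version.release]: [4.0.4]
[ro.crypto.state]: [unencrypted]
[ro.debuggable]: [0]
[ro.secure]: [1]'

SAMPLE_HARDENED='[init.svc.adbd]: [stopped]
[persist.sys.usb.config]: [mtp]
[ro.build.version.release]: [4.0.4]
[ro.crypto.state]: [encrypted]
[ro.debuggable]: [0]
[ro.secure]: [1]'

printf '%s\n' "$SAMPLE_RISKY" | audit_getprop
printf '%s\n' "$SAMPLE_HARDENED" | audit_getprop
```

The risky dump yields two findings (debugging on, storage unencrypted); the hardened dump yields none. On a real device, a phone that is locked but still answers adb shell getprop at all has already told you the first finding.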

Factory resets
A factory reset erases your smartphone data and returns it to the manufacturer configuration. However, a factory reset usually does not erase the storage area for your personal files, such as the photo album or the folders where you download documents, and on many devices it does not touch the external memory card at all. Consider encrypting your sensitive documents and keeping them in the smartphone's internal storage. An external memory card can simply be removed, and anything encrypted on it attacked with brute-force methods on another computer.

Conclusion
While we protect our corporate network and our home computer, the smartphone can be the weakest link in our computing security. Being mobile also means it is more likely to be misplaced, and with all the credentials we carry on it, this is not a subject to be taken lightly.
