Page 1

Mobile Device Security and Privacy (phoenix.gov)

Information Security and Privacy Office

January 2012

Page 2

Agenda

• Protecting mobile devices and your privacy

Page 3

Protecting Mobile Devices and Your Privacy

Page 4

Before We Start…

The City of Phoenix does not endorse, recommend, or vilify any specific vendors, products, apps, or services.

Page 5

Goal: Convince You To…

1. Keep your device with you – don’t leave it unattended
2. Protect your device with a strong password
3. Use anti-malware software
4. Read those (often boring) privacy policies
5. Don’t download or keep apps that request more permissions than needed

Page 6

Do You Have a Smartphone?

Page 7

Pop Quiz

• How many smartphone users are there in the U.S.?
  – As of September 2011
    • 87.4 million
    • 33.7 million
    • 946,800 thousand


Page 9

Pop Quiz

• In the U.S. 113 mobile phones are lost every …
  • Day
  • Hour
  • Minute


Page 11

Top 10 U.S. Cities for Cell Phone Loss or Theft

Page 12

Do You Access or Do Banking?

Page 13

Using Your Smartphone

• 44% use a browser to access the Internet
  – 32.5 million Americans accessed banking
• Vendors, retailers, merchants, content providers, mobile operators, and banks are all actively establishing new payment services
  – The value of mobile payment transactions is projected to reach almost $630 billion by 2014, up from $170 billion in 2010

Page 14

Password-Protect Your Device

• 24% store computer or banking passwords on their mobile devices
• More than half of smartphone users do not use any password protection to prevent unauthorized access to their device
• What’s the risk?

Page 15

No Password – What’s the Harm?

• Access personal email and work email
• Access your financial accounts, like banks, Mint.com, or PayPal
• Access your data in Google Docs, Evernote, or Dropbox
• Post embarrassing updates to Facebook and Twitter
• So use a strong password
  – Require the password after a minimum period of inactivity

Page 16

When Purchasing a Mobile Device

• Ask about security features and functions
  – Can you add a strong password? How are patches deployed?
  – What apps are pre-loaded? Are apps vetted?
    • Pre-loaded apps generally have more permissions than ones you install
  – What software protections can you install after purchasing?
• Do you really need all the bells and whistles?
• Research the device
  – What maintenance is needed? Is it a hacker target or thief magnet? How do you secure it?
  – Read reviews – are most consumers satisfied?

Page 17

Smartphone Malware – What’s the Harm?

• Force the infected phone to call a given phone number
  – Remember 900 numbers?
• Send premium-rate text messages
• Automatically visit websites that the malware directs it to
  – Earns money for the malware writer
• Steal personal information
• Be alert for unusual behaviors on your phone, which could be a sign that it is infected
  – Unusual text messages, strange charges to the phone bill, and suddenly decreased battery life

Page 18

What’s the Best Anti-Malware Software?

• Read app reviews
• Check reliable consumer publications
• Check industry publications
• Look for names you trust
• The City of Phoenix does not endorse, recommend, or vilify any specific vendors, products, apps, or services.

Page 19

Keep a Clean Machine

• Keep your mobile security software current
• Automate software updates
  – Many software programs will automatically connect and update to defend against known risks
  – Example: Sync regularly with iTunes – don’t just charge the battery

Page 20

Prepare for the Unthinkable

• Consider using a “find my device” service to locate your device if lost or stolen
• Enable remote wipe capability

Page 21

Mobile Device Privacy

Page 22

Do You Read App Privacy Policies / Permissions?

Page 23

Using Your Smartphone

• 26% of smartphone owners say they always read the privacy policy when downloading apps
  – I’m not sure I believe that
• 31% say they never read the policy

Page 24

Example – Game

• New! 4 ½ Stars! Reputable Developer!

Page 25

Example – Game

Page 26

Why Do Apps Need “Read Phone State and Identity” Permission?

• Phone State
  – Lets the app tell whether you’re on a call or if the phone’s ringing
  – Allows games, media players, and podcasts to pause while you’re on a call
• Phone Identity
  – The developer may need a way to assign a unique ID to you for registration/activation purposes
  – Many ad publishers use this permission to get the Phone ID for tracking purposes
    • The app may not know who you are exactly, but tracking your usage over time allows a company to build a profile of your individual activity

Page 27

True or False

• A basic Android application has no permissions associated with it
  – This means the app cannot do anything that would adversely impact the user experience or any data on the device

Page 28

True!

• The app developer must specifically state the permissions he wants the app to have

Page 29

Flashlight App

Page 30

Compare – Flashlight App

• Free! 5 Stars! Lots of installs!

Page 31

Example – Flashlight App

Page 32

Example – Flashlight App

Page 33

True or False

• Most free app developers rely on advertising to fund their businesses

Page 34

True!

• Most free app developers rely on advertising to fund their businesses

Page 35

Why the App’s Free

• Free and cheap apps are usually supported by ads
  – Marketers want to know user demographics to better target ads
• The advertising company pays the app developer and supplies a library (of code/programs) that the developer links to within the application
  – The app developer might not really even be aware of what the ad libraries do
• The ad library “piggybacks” on the app’s permissions
• So, for example, if the app can read your contact list, the advertiser (through the library) can read your contact list

Page 36

“Read Phone State and Identity” Trade-off

• Some advertising systems, like AdMob, require developers to use this permission so the advertiser can collect statistics
• This means:
  • Both the advertiser and the app publisher can track your usage of the app, and your usage across multiple apps if they collect all that data centrally (which advertisers definitely do)
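The point made on pages 26 through 28 and 35 through 36 is that an Android app only gets the permissions its developer declares, and that every one of those grants is shared with any ad library bundled into the app. The following script is an added example, not code from the City of Phoenix deck: it reads the uses-permission entries from an app's AndroidManifest.xml, compares them with what an app of that kind plausibly needs, and flags the extras that expose identity, location, contacts or money. The category baseline, the app categories and both sample manifests are constructed for this example; the permission names themselves are real Android ones.

```python
"""Audit the permissions an Android app asks for against what its job needs.

Added example; not code from the City of Phoenix deck. It reads the
<uses-permission> entries an app declares in its AndroidManifest.xml (the
declaration the deck describes: no permission unless the developer states it),
compares them with a baseline for the app's category, and flags the extras.
The baseline table, the categories and the two sample manifests are constructed.
"""
from typing import Dict, Set
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that expose identity, location, contacts or can cost money.
# The names are real Android permissions; the grouping is this example's own.
SENSITIVE: Dict[str, str] = {
    "android.permission.READ_PHONE_STATE": "phone state and identity (device ID used for ad tracking)",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages (premium-rate SMS costs money)",
    "android.permission.CALL_PHONE": "place calls (premium-rate numbers cost money)",
}

# What an app of each kind plausibly needs. Constructed baseline for this example.
BASELINE: Dict[str, Set[str]] = {
    "flashlight": {"android.permission.CAMERA"},     # the LED torch is driven through the camera
    "trivia-game": {"android.permission.INTERNET"},  # fetch what other players answered
}


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Collect every android:name from the <uses-permission> elements in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def audit(manifest_xml: str, category: str) -> Dict[str, object]:
    """Compare requested permissions with the category baseline.

    Everything in 'requested' is also available to any ad library the developer
    bundled, because the library runs inside the app's own process and shares
    its grants; that is the piggybacking the deck describes.
    """
    requested = requested_permissions(manifest_xml)
    excess = requested - BASELINE[category]
    sensitive_excess = {p: SENSITIVE[p] for p in sorted(excess) if p in SENSITIVE}
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "sensitive_excess": sensitive_excess,
        "verdict": "over-privileged" if sensitive_excess else "ok",
    }


# Constructed manifests: a flashlight that wants far more than the camera, and a
# trivia game that only wants network access.
FLASHLIGHT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freeflashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

TRIVIA_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movietrivia">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml, category in (("flashlight", FLASHLIGHT_MANIFEST, "flashlight"),
                                ("movie trivia", TRIVIA_MANIFEST, "trivia-game")):
        report = audit(xml, category)
        print(f"{name}: {report['verdict']}")
        for perm, why in report["sensitive_excess"].items():
            print(f"  unneeded: {perm} -> {why}")
```

INTERNET shows up as excess for the flashlight but is not treated as sensitive on its own; it matters in combination, since it is the channel an ad library uses to send the device ID, location and contacts it can read thanks to the other grants.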

Page 37

I Know You

• Sign up for something and give your email address or Facebook login
  – Ties all of the profile information to a real individual
• I know where you live, work, and shop
  – Because of your GPS info
• I know what you like
  – Because of Facebook and your shopping profile
• I know your friends and family
  – Because of Facebook and device contacts and messaging

Page 38

Before Downloading that App

• Be especially wary of typically-suspicious apps (like ringtone apps) that use unneeded permissions
• Only install apps with potentially harmful permissions from developers you trust
• Check the app’s marketplace rating to determine safety
  – Not a perfect indicator (like with Flashlight)

Page 39

Look For Apps That Tell You How They’re Using Permissions

Page 40

Does the App Want Passwords?

• Think twice before giving an app passwords
  – Example: Some apps ask for passwords to popular services, like Google Docs and Dropbox, to upload and store things

Page 41

App Stores

• Apple reviews all apps in its store and tries to verify…
  – Does the app do what it says it does? Does it function reliably? And does it respect the limitations that Apple has put on developers?
  – This process does weed out some security threats, like apps that carry malware
  – It does not eliminate all risks to your privacy
• Android apps are not vetted
  – The Android Market is considered the “wild, wild west”

Page 42

Example: Movie Trivia Game

Uses an internet connection to see what the rest of the world has answered to the current question

Page 43

Example: Whole Foods App

Page 44

iOS Location Services

• How to tell if an iOS app is using location services
• Look for the arrow next to the battery indicator

Page 45

eBook Reader Privacy

• The Electronic Frontier Foundation researched and published a guide to eReader privacy
  – https://www.eff.org/deeplinks/2010/12/2010-e-book-buyers-guide-e-book-privacy

Page 46

Quiz: Would you use this IM service?

From an instant messaging site

Page 47

Are You Convinced To…

1. Keep your device with you – don’t leave it unattended
2. Protect your device with a strong password
3. Use anti-malware software
4. Read those (often boring) privacy policies
5. Don’t download or keep apps that request more permissions than needed

Page 49

More Cowbell (Supplemental Info)

Page 50

What’s Wrong With This Picture?

Page 51

QR Codes

• Quick Response codes are popping up everywhere
  – Magazine ads, newsletters, real estate signs, newspaper ads, trade show booths
• A QR code is basically a 2D barcode that can be read by smartphone users
  – An easy way to direct a user to a website – just scan the QR code
• Could be a link to a malicious website

Page 52

Malicious QR Codes are Coming

• QR codes will come in email messages
• QR codes will be physically distributed around
  – Flyers in a parking lot
  – Malicious stickers pasted over legitimate ads
• Only use QR code reader software that allows you to confirm the action to be taken, such as visiting a website link
• If you do not know and trust the link, cancel the action
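The advice on pages 51 and 52 is that a QR reader should show what a code would do and let the user cancel. The function below is an added example, not code from the City of Phoenix deck or any particular reader app: given the string a barcode decoder hands back, it names the action the payload implies (open a site, place a call, send a text, and so on) and lists reasons for suspicion, such as a bare IP address, a user@ prefix that disguises the real host, or a link shortener, so the reader can put that in a confirmation prompt instead of acting. The shortener list and every sample payload are constructed for this example.

```python
"""Describe what a decoded QR payload would do, before doing it.

Added example; not code from the City of Phoenix deck. A QR reader hands back a
decoded string; this classifies it and lists reasons for suspicion so the reader
can show a confirmation prompt instead of acting on the code automatically.
The shortener list and the sample payloads are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed list for the example; a real reader would keep a maintained one.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

# A URI scheme is letters, digits, '+', '-' or '.', followed by a colon.
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def describe_payload(payload: str) -> Dict[str, object]:
    """Return the action the payload implies plus warnings; performs nothing itself."""
    text = payload.strip()
    warnings: List[str] = []
    match = SCHEME_RE.match(text)
    scheme = match.group(1).lower() if match else ""

    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = parts.hostname or ""
        action = f"open website {host}"
        if scheme == "http":
            warnings.append("link is not encrypted (http)")
        if parts.username is not None:
            # "http://bank.example@evil.example/" really goes to evil.example.
            warnings.append(f"URL has a user@ prefix; the real destination is {host}")
        try:
            ipaddress.ip_address(host)
            warnings.append("destination is a bare IP address, not a named site")
        except ValueError:
            pass
        if host in SHORTENERS:
            warnings.append("shortened link hides the real destination")
        try:
            port = parts.port
        except ValueError:
            port = None
            warnings.append("malformed port in URL")
        if port not in (None, 80, 443):
            warnings.append(f"unusual port {port}")
    elif scheme == "tel":
        action = f"call {text[len('tel:'):].strip()}"
        warnings.append("calls can cost money; premium-rate numbers are a known scam")
    elif scheme in ("sms", "smsto"):
        action = f"send a text message to {urlsplit(text).path}"
        warnings.append("texts to premium-rate numbers cost money")
    elif scheme == "mailto":
        action = f"compose an email to {urlsplit(text).path}"
    elif scheme == "market":
        action = "open an app store listing"
    else:
        action = "display text"  # plain text: show it, nothing else happens
    return {"action": action, "warnings": warnings}


if __name__ == "__main__":
    # Constructed payloads of the kinds a sticker or flyer might carry.
    for sample in ("https://phoenix.gov/",
                   "http://bank.example@203.0.113.7/login",
                   "https://bit.ly/x1",
                   "tel:+19005550100",
                   "Booth 42 – scan to win"):
        report = describe_payload(sample)
        print(f"{sample!r}: would {report['action']}")
        for warning in report["warnings"]:
            print(f"  warning: {warning}")
```

The function never opens, dials or sends anything; the reader decides what to do only after the user has seen the action and the warnings, which is the confirmation step the deck asks for.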