By roughly 2013, there will be more smart phones in people's hands than personal computers at home, a testament to their ever-increasing utility in today's fast-paced, always-connected world. Each of the popular smartphone platforms—iPhone, Android, and BlackBerry—offers a unique software repository whereby users can download and install applications to make greater use of the phone's capabilities. When coupled with advanced hardware components, smartphones enable their owners to do nearly everything they can on a full-sized computer, including video conferencing, instant messaging, sending emails and making phone calls, all in a small, portable package.
Most people wouldn't dream of going anywhere without their smart phone & it's become nearly as important as house keys. The cultural impact can be seen on the streets of New York; walk down Broadway and you'll be hard pressed to find anyone without one. And at the rate smart phones are evolving, with their multitude of apps and finger-friendly interfaces, you might not even need a full-sized computer in a few years. But, just as you wouldn't leave your house keys in your front door, you shouldn't leave your smart phone vulnerable to attackers. The increasing importance and presence of smart phones in our digital lives highlight the need to protect them and the information you access, store, and distribute using them. A few of the security vulnerabilities smart phone owners should be aware of are described below, along with some steps that can be taken to help protect your device.
What "jailbreaking" highlights about mobile insecurity
There is a community of code developers that hacks iPhones and Androids in an effort to remove certain operating system restrictions imposed by the device manufacturer or cellphone carrier. That community creates tools that allow owners to "jailbreak" (or "root") smart phones, granting owners nearly unfettered control over what programs can be installed and how the device can be used. However, jailbreaking a smart phone often involves exploiting significant security vulnerabilities.
As a case in point, in July of last year the hacker community exploited a yet-undiscovered vulnerability in Apple's iOS that allowed users to install unauthorized, "homegrown" software. In this instance, the intent was not malicious, but the exploit itself revealed a serious security hole that affected every iPhone, iPod Touch, and iPad running the iOS operating system from version 2.0 through 4.0. If the exploit had been discovered first by a malicious group of attackers, the security impact to the iOS platform could have been much more serious. Attackers could have taken control of iOS devices by tricking smart phone owners into clicking a specially crafted URL or by emailing the victim a malicious PDF. Due to the severity of the threat, Apple quickly released a security patch that prevented the built-in PDF reader from being exploited. Regardless of Apple's response to that particular exploit, this incident reinforces the fact that mobile security is still in its infancy and that there are many more vulnerabilities that have yet to be discovered.
Beware of the "free" app
This past August, a Kapersky Labs analyst discovered the first SMS Trojan on the Android platform, which, when installed, allowed an attacker to send hidden SMS messages to a premium phone number at a rate of $5 per message. Disguised as a media player, victims were often unaware of the attack because the app ran as expected. The attack was discovered only after users received their staggeringly large cellphone statements.
Unlike devices using the iOS platform, Android devices have fewer application restrictions, allowing owners to install apps from the loosely curated Android Marketplace as well as arbitrary websites. In the Trojan attack described above, the hacker capitalized on the Android platform's lax software installation restrictions and created websites that purported to offer free media players for download. Before completing installation, the "media player" requested access to the smart phone's memory card as well as its built-in SMS application, which it then used to send out the costly secret text messages.
This default installation prompt, built into every Android device, is key in mitigating attacks; if victims had refused to allow access to the SMS app, the Trojan would have failed to execute. Unfortunately, much as is the case with traditional computer users, smart phone owners often grant apps access to many of the phone's resources and neglect to question why, for instance, a media player would need to access the SMS app in order to play a song. To help protect your device, it pays to be cautious about the source and reputation of the apps you install, and to think twice about what information you allow those apps to access.
Thieves are "checking in" at your home
Smart phones present new opportunities for attackers to exploit key smart phone features such as geolocation to render certain kinds of attacks more effective. Imagine a hypothetical situation in which you step out of your house to run an errand, only to return to find your place was burglarized. Panic-stricken, you wonder, "How could the burglars have known when I left my house?" Following the police investigation, you learn that the thieves tracked your movements by way of your smart phone. They were able to monitor your GPS coordinates because you use a social networking application on your smart phone (such as Facebook Social, Foursquare, or Twitter) to "check in" at various locations—telling not only your friends but also thieves where you are. They also pinpointed your location by inspecting the geolocation metadata that gets automatically embedded in the smart phone camera images you posted to your Twitpic or Facebook account.
Although this scenario may sound Orwellian, the reality is that it's already happening today, with attackers using real-time data from poorly configured smartphones to victimize their owners. Disabling geo-location when not in use or avoiding the "check-in" scene altogether can greatly mitigate these types of attacks. Taking additional steps to help secure your device, as described below, can also provide some protection against these and wider varieties of attacks.
Steps to a safer smart phone
Most smart phones, despite all their wonderful features, lack key security controls that are currently found on personal computers. However, there are some actions you can take to help protect your device and your personal data. (Specific instructions depend on the type of smart phone you have; see your device's instruction manual for details).
- Enable password protection. Passwords should be at least 4 characters long, but choosing longer passwords, if the option is available, will provide a higher level of protection against attacks.
- Update your device regularly. Just like computer operating system updates, smart phone operating system updates often contain important security patches. iPhones and older BlackBerrys must be connected to a personal computer via USB cable in order to download and install updates. Newer BlackBerrys and Android phones can update OTA (over-the-air), but the latter platform suffers from "software update fragmentation." Depending on the model, the carrier, the phone manufacturer, and the version of the operating system in use, it may be weeks or months before Android security patches are pushed to every device.
- Activate the lock-out screen. Make sure that idle timeout is reasonably short (one minute or so) and that a password is required to unlock the screen. This helps prevent someone from accessing your device if it were to be lost or stolen.
- Enable encryption where possible. Encryption renders data unreadable unless a key or password is presented to decrypt the data. When a password is enabled on iPhone 3GS/4G, all email and attachments are encrypted. Data stored in applications are not encrypted unless the developer has coded the software accordingly. BlackBerry encrypts data in transit (instant messenging clients, email, etc.) but default settings leave local data in pure plain text, so users must manually enable "content protection." Note that enabling this feature will improve security, but will significantly slow down the device. Currently, Android has no built-in encryption features.
- Never store sensitive data on smart phones. Whether your smart phone is password protected or not, these devices should not be trusted to store any sensitive data (e.g., passwords, financial information, social security numbers). Moreover, you should never email sensitive data to anyone, because it is both an insecure method for transmitting that data and because it may be accessed if you were to lose your smart phone.
- Data sanitize your device before redistributing it. Whether you're disposing of your old smart phone or giving it to a friend, it's important to securely erase all data on the device. iPhones and BlackBerry's have built-in features in their settings panel that allow users to securely destroy all of the data on the device. As of this writing, there is no user-accessible feature in Android phones that allows for securely erasing local data. Android's "format SD Card" and "Factory Reset" options do not securely delete locally stored data. Note that on some older devices, the secure erase function may take several hours to complete before the smart phone can be used again.
- Take precautions to avoid theft and recover from loss. Smart phones are small and easily misplaced. Beyond the monetary costs associated with replacing them, the data that they store could be misused if it were to fall in the wrong hands. Back up your device's data regularly and report lost or stolen phones to the proper authorities, such as local law enforcement and your supervisor. Missing or stolen NYU-issued smart phones should be reported to firstname.lastname@example.org.
Keep current on smart phone security & best practices
The expanding role of smart phones in everyday life is ushering in a new age of security risks. Although current smart phone security features are fairly limited when compared to those found on a personal computer, it still pays to keep up to date with the latest best practices to protect your device and data. For more information on smart phone security and additional steps you can take to help protect your smart phone, visit www.nyu.edu/its/mobile/security.
ABOUT THE AUTHOR
Chris Penido is a Network Security Analyst within ITS' Technology Security Services.