Securing Your Android Device Terry Labach Information Security Services, IST

"To see everything without being seen is, needless to say, the prerogative of the biblical God whose eyes run everywhere, as well as the labor of spies and surveillance agencies, and the fondest desire of the voyeur.“ - Margaret Atwood #watitis2013

Android mobile device operating system market share 43% in Canada, 52% in the US, 80% worldwide 2013 DHS/FBI report stated Android attracted 79 per cent of all malware attacks because of “market share and open source architecture” #watitis2013

Android risks open architecture offers more opportunities for attack many vendor and developer-tweaked versions, harder to patch “rooted” phones can use wider range of features but lose protection no magic bullet to mitigate risks #watitis2013

What's on your phone? social media apps financial/banking apps photos address book usernames, passwords … #watitis2013

What are bad guys looking for? $$$ steal phone for resale banking information texts to premium SMS in-app purchases … #watitis2013

Steps to securing your device Physical security Access security File security App security Network security System security Usage security Software #watitis2013

Physical security Hang on to phone Don't leave it unattended #watitis2013

Access security Screen lock phone with –swipe code –PIN –password #watitis2013

File security Back up files Encrypt files #watitis2013

Encrypt files individually – simplest method but onerous APG - OpenPGP implementation for Android id=org.thialfihar.android.apg #watitis2013

Encrypt SD card Depending on device, select one of –Settings > Security –Settings > Storage Select SD card encryption checkbox Encrypt before adding data! Once set, any non-encrypted SD card placed in phone will be read only. #watitis2013

Pre encryption

Post encryption #watitis2013

Encrypt phone storage protects internal phone memory slows phone operations fully charge phone first, keep plugged in during encryption #watitis2013

Encrypt phone storage Depending on device, select one of –Settings > Security –Settings > Storage select Storage encryption checkbox storage will be encrypted can’t undo encryption, factory reset only way to unencrypt, causing data loss #watitis2013

Network security Turn off WiFi/Bluetooth/NFC when not needed WiFi –avoid joining unknown networks and using public hotspots Don't use unencrypted communications –VPN (AnyConnect) –Web (https) #watitis2013

Near field communication (NFC) NFC tags are chips that will share digital information on some Android devices, NFC is allowed to automatically launch the web browser could download malware villain creates malicious NFC tags and places them near legitimate ones #watitis2013

Controlling network access JuiceDefender id=com.latedroid.juicedefender&hl=en location-aware WiFi Control (e.g. enable WiFi only at home/work, disable it otherwise) #watitis2013

Usage security phishing vishing smishing #watitis2013

QR codes encode URLS as bar code used to disguise malware #watitis2013

App security some apps, even from the Google Play store, have malicious features –keyloggers –contact snooping –data theft –malware downloads more malware –root attacks #watitis2013

Limit the apps you install limit the number don't automatically install apps if website/message/popup tells you to do so don’t install if permissions are suspicious limit app permissions buy your apps instead of installing free cracked versions #watitis2013

App security disable untrusted app stores open one of –Settings>Applications –Settings>Security locate the Unknown sources ensure it is unchecked #watitis2013

Maintain your apps Prevent accidental app purchases Update your apps Remove old apps #watitis2013

System security patch and update Android vendor updates reliable third-party distributions –Cyanogenmod –Replicant #watitis2013

System security disable Google sync of WiFi passwords, settings, etc. #watitis2013

Security software Software suites Avast! Mobile Security –antivirus, firewall, phone tracker, privacy, etc. Lookout Security & Antivirus –antivirus, phone tracker, privacy, etc. 360 Mobile Security –antivirus, privacy, etc. #watitis2013

Security software Kaspersky Internet Security for Android –antivirus, phone tracker, privacy, etc. Norton Security antivirus –antivirus, phone tracker, privacy, etc. #watitis2013

Privacy software Wickr - Top Secret Messenger –self-destructing, encrypted messages Clueful for Android –shows you how installed apps use your personal information #watitis2013

My phone’s been stolen! report to campus police change passwords on accounts used by the device immediately attempt to locate using a software suite mentioned above, or Where's My Droid Android Device Manager #watitis2013

Where's My Droid special text message to phone will cause it to respond in some cases, can install from Play Store after phone is lost or stolen risk of misuse if someone knows you use this app #watitis2013

Android Device Manager nager Remotely locate and factory reset your device #watitis2013

References - Canada Public Safety Canada –Using mobile devices ctvts/mbl-eng.aspx –Using web-enabled devices safely dvcs/index-eng.aspx #watitis2013

References - US United States Computer Emergency Readiness Team – –Technical Information Paper: Cyber Threats to Mobile Devices – pdfhttp:// pdf #watitis2013

References - US CERT (Computer Emergency Response Team) – –Mobile Device Security: Threats, Risks, and Actions to Take – ederick.html #watitis2013

References - technical XDA Developers – XDA Android Developers forum – 20 security and privacy apps for Androids and iPhones – 493 #watitis2013

References - UW University of Waterloo Information Security Services (ISS) team – technology/about/organizational- structure/information-security-services University of Waterloo Security Operations Centre (SOC) #watitis2013

References - UW Terry Labach User education Developer and project consulting Web application scanning #watitis2013

Questions? #watitis2013