Mobile Phone Tidbits
OUR MOBILE DEVICES CONTAIN A SIZABLE CHUNK OF OUR LIVES NOW, AND THEY LEAK LIKE A SIEVE. It’s your phone, your email reader, your connection to Facebook and Twitter, your camera, and so much more. The average smartphone user uses 25-30 apps and has many more than that installed. Do you know what they all do, or who they share data with? And what happens if someone else gets hold of your phone?
Yesterday, I had to break a bunch of lockouts on someone’s phone (which I had completely legitimately and was doing with permission), and it struck me how amazingly easy it was to bypass so many protections. Many people don’t even think about the security of their mobile device, and if they do it’s usually only to set a PIN to prevent the kids from buying every app available. We need to do a little more than that, because that device has a ton of our information on it.
Note that this post is going to be slanted towards iPhones and iOS, because that’s what I’m using right now. If someone would like to contribute similar things for Android, I would be happy to add the information in. Otherwise, it’s going to have to wait until I get a new phone to mess around with. Also, this is by no means exhaustive – it’s just a few basics to make sure you’ve taken care of.
Let’s start with a passcode. You need one on your device, and not just for the kids. It’s the equivalent of a password on your accounts, or the combination on the safe where you keep your personal documents, so it needs to be something secure, and that doesn’t mean 4 digits. A 4 digit PIN has exactly 10,000 possible values, and there are inexpensive devices that will try all of them against a locked phone in a short period of time. Apple has shipped fixes for some of the problems around this recently, but there’s always a new hack, and a longer code is the one defense that doesn’t depend on the vendor keeping up.
The other thing to make sure of is that your phone locks as soon as the screen turns off. That way, whenever it’s out of your possession, it’s locked. It also means that if you’re pulled over by a law enforcement officer, you can lock your phone in a second. In the US, courts have generally treated a passcode as something you cannot be compelled to give up under the Fifth Amendment, while, confusingly, a fingerprint has been treated more like a physical key that you can be compelled to supply. This is not settled law and varies by jurisdiction, so in that situation the safe move is to power the phone down: after a restart, iOS requires the passcode before Touch ID will work again.
So, let’s set a secure passcode on your iPhone:
- Open the Settings app
- Select the item that says “Passcode” or “Touch ID & Passcode”. If you have a passcode set, enter it
- If you do not already have a passcode:
- Scroll past the Touch ID part, and select “Turn Passcode On”
- Don’t enter a code yet. Select “Passcode Options” and select a type of code. The preference is “Custom Alphanumeric Code” where you can use the full keyboard. At least select “6-Digit Numeric Code”.
- Enter a passcode to use, select “Next”, and enter it again to confirm
- If you already have a passcode, and it’s 4 digits:
- Select “Change Passcode”
- Enter your current passcode and select “Next”
- Follow the 2 steps above to set the passcode type and select a passcode
- Make sure that “Require Passcode” is set to “Immediately”
- Make sure “Erase Data” is enabled. This will erase your phone if someone enters the wrong code 10 times in a row.
- Think carefully if you want to leave access to “Today”, “Notifications View” and “Siri” enabled without a passcode. I suggest disabling all of them
OK, we have a passcode, so we’re moving on to location services. Your phone tracks your location multiple ways, and we can’t block all of them. We can reduce the number of applications that have access to this information, however, and when they can get it. We’ll get to that in a minute, but there’s a big way that your location information leaks out that you’re probably not aware of that we need to cover first, and that’s the camera.
Image files can carry a lot of information that is buried inside the file and not immediately visible (we call it EXIF metadata). This includes details about your camera or your phone, when the picture was taken, and, by default, GPS coordinates for where it was taken. When you post that cute picture of your dog, you’re also posting the location where you took it. Some services strip this when you upload, but don’t count on it, and sending the file by email or file transfer generally leaves it intact. The simplest fix is to disable Location Services for the Camera app entirely; the cost is that your own photo library no longer knows where pictures were taken. If you want to remove this metadata from image files you already have, there are apps that will do it (ImageOptim for Mac is one).
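To show what the metadata actually looks like inside the file, here is an added example (my own code, not from this post and not from ImageOptim or any other app named here). It is a dependency-free Python parser that walks a JPEG’s marker segments, reports whether the Exif block in the APP1 segment carries a GPS sub-IFD (tag 0x8825), and produces a copy with the APP1 segments removed, which is where both Exif and XMP live. The sample JPEG is a constructed byte string built in the block, shaped like a real file but not a decodable image; the tag numbers, marker values and TIFF layout are the published JPEG/Exif ones.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # GPSInfo IFD pointer, lives in IFD0 of the Exif TIFF block


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for every marker segment before SOS.
    start/end delimit the whole segment, 0xFF marker byte included."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded scan data follows, stop here
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def exif_has_gps(tiff: bytes) -> bool:
    """tiff is the APP1 body after 'Exif\\0\\0'. Walk IFD0 and report whether
    it contains a GPSInfo pointer; byte order comes from the TIFF header."""
    if len(tiff) < 8:
        return False
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        entry = ifd0 + 2 + 12 * i           # each IFD entry is 12 bytes
        if entry + 12 > len(tiff):
            break
        tag = struct.unpack(endian + "H", tiff[entry:entry + 2])[0]
        if tag == GPS_IFD_TAG:
            return True
    return False


def jpeg_has_gps(jpeg: bytes) -> bool:
    """True if any Exif APP1 segment in the file points at a GPS IFD."""
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]           # skip marker and length field
        if marker == 0xE1 and body.startswith(EXIF_HEADER):
            if exif_has_gps(body[len(EXIF_HEADER):]):
                return True
    return False


def strip_app1(jpeg: bytes) -> bytes:
    """Return a copy with every APP1 segment removed. APP1 carries Exif
    (including the GPS IFD) and XMP; both can embed location. Everything
    else, including the scan data, is copied through untouched."""
    out = bytearray(b"\xff\xd8")
    last = 2
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1:
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed fixture: a JPEG-shaped byte string carrying an Exif APP1
    with a GPS IFD. Big-endian ('MM') TIFF; IFD0 at offset 8, GPS IFD at 26."""
    E = ">"
    ifd0 = struct.pack(E + "H", 1)                                  # one entry
    ifd0 += struct.pack(E + "HHII", GPS_IFD_TAG, 4, 1, 26)          # LONG -> GPS IFD
    ifd0 += struct.pack(E + "I", 0)                                 # no next IFD
    gps = struct.pack(E + "H", 1)                                   # one entry
    gps += struct.pack(E + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef "N"
    gps += struct.pack(E + "I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(E + "I", 8) + ifd0 + gps
    app1 = EXIF_HEADER + tiff
    app1_seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"          # kept on strip
    app0_seg = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\x56"                                          # fake scan data
    return b"\xff\xd8" + app0_seg + app1_seg + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS present:", jpeg_has_gps(sample))             # True
    print("GPS after strip:", jpeg_has_gps(strip_app1(sample)))  # False
```

The detector only checks IFD0 for the GPS pointer, which is where the Exif specification puts it; the stripper is deliberately blunter and drops the whole APP1 segment, since a file can also carry coordinates in XMP and a partial rewrite of the TIFF block is where most "metadata removed" bugs come from. Point `jpeg_has_gps` at a photo exported from your own phone to see whether the service you uploaded it to really stripped anything.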
In addition to the Camera, review Location Services for every other app you have installed (Settings, then Privacy, then Location Services). Set each one to the least access it needs: most apps have no business with your location at all, and very few need it while they aren’t on screen.
There are other things you can review under the “Privacy” heading, including what apps have access to things like contact information. Review these and make sure they’re appropriate, or remove them. At the bottom, under “Diagnostics & Usage”, make sure to select “Don’t Send” (Apple gets plenty of info from us even without this). Under “Advertising”, make sure to enable the “Limit Ad Tracking” option.
You should also take stock of the apps that you have installed on your phone, and remove any that you don’t use. You can always download them again later if you change your mind, and every app you remove gets rid of another way that your information can leak out. Plus it just clutters up your phone and makes it hard to find the things you’re looking for.
One last thing I want to talk about is using email accounts for a backup when you forget your password, since it’s what prompted this post in the first place. I was able to remove the activation lock on this particular phone because I figured out the 4 digit passcode, and the phone was still receiving email on a Yahoo account. I needed the iTunes password, which I didn’t have, and recovering that password sent a recovery link to an AOL webmail account. Recovering the password on the AOL webmail account sent a recovery link to the Yahoo account, which I could then view on the phone. I was then able to reset the password on the AOL account and the iTunes account easily, and remove the activation lock on the iPhone.
The guidance I offer here is, first, make sure that everything you can read your email on is secured; an unlocked phone with a mail app on it is a password reset waiting to happen. Second, know where the backup addresses for password recovery go, and know that they form a chain: whoever controls the account at the end of it controls everything above it. Often the way an attacker gets into your accounts is to compromise one key account, like an email account, and then work outwards from there. This is why it is critical that you use strong passwords and that you make the password recovery mechanisms hard to use, even for you. They’re a last resort, so if you have to open the vault to find the piece of paper you wrote the information on, that’s worth the added security.
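To make the chain concrete, here is an added example (my own code, not from the post) that treats accounts as a graph: each account points at the mailbox that receives its reset link, and an attacker walks that graph backwards, since owning a mailbox yields every account that recovers through it. The account names and the edges are constructed to mirror the story above; the assumption that the two webmail accounts back each other up is mine, added to show the cycle case.

```python
from collections import deque

# Constructed recovery graph, modelled on the chain in the post.
# key: an account; value: the mailbox that receives its password-reset link.
# None means the account has no email-based recovery (offline recovery only).
RECOVERY_TARGET = {
    "apple_id": "aol_mail",
    "aol_mail": "yahoo_mail",
    "yahoo_mail": "aol_mail",   # assumption: the two webmail accounts recover via each other
    "bank": None,               # assumption: reset only possible in person / by paper codes
}


def attacker_reach(compromised: str, recovery_target=RECOVERY_TARGET) -> set:
    """Accounts an attacker can take over starting from one compromised
    account, by following reset links in reverse: owning Y gives every X
    whose reset link lands in Y. Returns the newly reachable accounts."""
    recovers_through = {}
    for acct, target in recovery_target.items():
        if target is not None:
            recovers_through.setdefault(target, set()).add(acct)
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for acct in recovers_through.get(cur, ()):
            if acct not in seen:
                seen.add(acct)
                queue.append(acct)
    seen.discard(compromised)
    return seen


def recovery_cycles(recovery_target=RECOVERY_TARGET) -> set:
    """Find groups of accounts whose recovery chain loops back on itself.
    Inside a loop any one account unlocks all of them, and nothing outside
    the loop (no vault, no paper) is ever needed."""
    cycles = set()
    for start in recovery_target:
        path, cur = [], start
        while cur is not None and cur not in path:
            path.append(cur)
            cur = recovery_target.get(cur)
        if cur is not None:                  # walked back onto the path
            cycles.add(frozenset(path[path.index(cur):]))
    return cycles


if __name__ == "__main__":
    # The phone in the story was still reading Yahoo mail, so start there.
    print("reachable from an unlocked phone:", sorted(attacker_reach("yahoo_mail")))
    print("mutual-recovery loops:", [sorted(c) for c in recovery_cycles()])
```

Running this against your own accounts is the useful exercise: any cycle is two accounts protecting each other with nothing stronger behind them, and any long reach from a single mailbox tells you which account deserves the strongest password and the most careful recovery settings.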
Up Next: Using the Tor Browser
Everything I’ve tried for Android was dreadful. (Although it’s been a year or so since I tried.) So far my safest approach has been to use my Android as my Wi-Fi mobile hotspot, and use my phone’s data plan to surf using my iPad. (Which I actually do quite often since most public Wi-Fi is iffy.)