Things to Keep in MindIf an attacker gains physical access phone canand will be completely compromised.Also, you should assume that your phone willbe compromised at some point.Generally, you will be safest if you just take theattitude that YOU SHOULD NOT TRUST YOURPHONE
Security is a Journey Not a DestinationThe more hurdles that you put up, the harder youmake it for an attacker.Time to compromise > Determination of attackerDont get demoralized! There are many things youcan do to improve your security.
Threat Model●Random attacks●Malicious apps●Stolen / Lost phone●Targeted attacker●Law Enforcement●Corporate Espionage●Personal Enemies●Signal Interception●Your Phone Company
Burner Phones●No encryption●Trivial for Forensic Investigators●Closed Source●Usually no Screen Lock
iPhoneThe Bad●Closed source●Very little in the way of security apps●Default screen lock is a four digit number●Privacy tools that arent free or open sourceThe Good●There is a stronger screen lock that can be enabled●A couple of decent privacy apps●Less Malware
BlackBerry● BEST USED IN COMBINATION WITH BES● Otherwise about as good as any other smartphone● BBM and Pin to Pin messaging NOT SECURE– Not encrypted, just scrambled– RIM can read all of your messages if a govt demands● Your data is only as secure as the company is trustworthy● RIM admitted to providing backdoors to govt. in India andhas helped UK and middle east govts.● Less Malware● Without BES, Security on Blackberry is not so good.
Android●IMO The best phone for security●Open source●Lots of security tools●Lots of encryption tools●Full Disk Encryption●Good security options●Guardian Project●Your data is in the hands of google●How much do you trust google?
Law Enforcement Investigators are Lookingfor:●Subscriber & Equipment Identifiers●Contacts●Appointment Calendar●SMS, Text Messages, Instant Messages, Email●Call Logs●Photos, Audio and Video●Documents●Location Data
Solutions●Have a strong screen lock and a short timeout●Dont tell them your password●Encryption (Text Secure, LUKS, Device encryption)
Signal InterceptionThreats●Fake Cellular Towers / Drones●USRP/GNU Radio●Snooping as a Service●Cellular companies will provide wiretaps without evena warrant●Insecure apps like BBM and whatsappSolutions●Encrypted Calls (PrivateGSM, Redphone,SilentCircle )●Encrypted Text on Android (Textsecure)●Talk in Person (This is the Most Secure)
Lost and Stolen Phones●Phone Finding and Remote Wipe●Android: Lookout, Prey●BlackBerry Protect●Find My Iphone●Strong Screen lock●Will not stop a sophisticated attacker●Report to The Provider?●They probably dont give a damn.
MalwareVendor and Espionage malware●This stuff is extremely sophisticated●FinFisher●CarrierIQ●Voodo carrierIQStandard, untargeted malware●Personal Data Theft●Premium SMS●The usual suspects (spyware, trojans, phishing)●Facebook, Angry Birds?
Malware Solutions● Be careful what you install!● Dont install apps from untrusted sources● Dont run updates when on insecure networks● Anti Virus wont save you!● Dont assume that because you have an iPhone orBlackberry that you are immune to malware● Use the same precautions as you would on anycomputer.
Other Attacks● NFC● QR Phishing● Baseband Attacks
Disk Encryption●Exists on Android●Exists on Blackberry if you have BES●Does not exist on iPhone●Vulnerable to many different attacks●You should NOT rely solely on disk encryption.
To Root or Not to Root(AKA Jailbreaking)Rooting your phone is the process of gaining superadministrator control over your phone.This means you can doANYTHING YOU WANTTo your phone.Including mess it up in fantastic ways!
To Root or Not to RootThe Good● Custom Firmware● Better Security Tools● Remove Spyware● More Cool Apps● PerformanceImprovements● Tinkering is Fun!The Bad● Can significantlydecrease security● You can permanentlybreak your phone● Will Void YourWarranty
In Conclusion...●Its healthy to be paranoid about your phone●Dont loose your phone!●Trust what you install (Open Source)●Root and install custom firmware●Use a stronger screen lock●Audit your phone●Encrypt Everything!