1. Smartphones Security
IT-Sicherheit
Hochschule für Technik, Wirtschaft und
Kultur Leipzig

2. Why is Smartphones Security
Important?
Our smartphones are more than our wallets,
because they can store:
● credit cards number
● contacts
● email accounts
● websites passwords
● et cetera

3. Too Many Features
Which features can be dangerous?
and
Which features can help users to increase their
security and privacy?

4. Bluetooth
Vulnerable to:
● BlueBug, bug with which is possible: make a copy of
contacts; listen calls; send and read SMS
messages and force connection to Internet
● BlueSmack, denial of service attack
● Eavesdropping
● Man in the middle
● ...

5. How Use Bluetooth Safely
For improve our security using Bluetooth we can:
● choose PIN codes that are long and not trivial,
● avoid pairing between Bluetooth devices in
crowded places,
● disable it or use in hidden mode to increase
the time of a possible attack.

6. Near Field Communication
● Set of standards for radio communication
between close devices
● No protection against eavesdropping
● Vulnerable to data modifications
Applications that use NFC should encrypt the
comunications!

7. Services for Remote Control
Some services for remote control that we can
find in our devices are:
– Secure Shell
– File Transert Protocol
– Package Manager
All these services are possible points of access
to our devices.
How can the average user disable them?

8. Summarizing we can say that we
should use an approach of
"Principle of Least Privilege"
enabling a feature only when needed

9. Which Features Users Should Use
● Screen Lock
● Data Encryption
● Remote Wipe Service
● Antivirus
● Two-factor
Authentication

10. Install an Antivirus
Mobile malware attacks are on the rise, this because smartphones
offer easy and fast ways for make profits:
● mobile payments
● directly charging on the phone bill of the device's owner
A 40% of modern smartphones don't have antivirus because users
think that they don't need one.
Some antivirus also offer tracking and remote wipe services, thus
providing three important functions with a single application.

11. Use the Two-factor Authentication
Two-factor authentication (TFA) is an authentication
which requires the presentation of two of the three
authentication factors: “something the user knows”,
“something the user has” and “something the user is”.
Something the user has: its smartphone
The user receives an SMS with an extra code or the
code is generated by a dedicated application.

12. How keep smartphones and privacy
more safe?
● Remember that it's not “Just a Phone”
● Say yes to updates
● Understand allowed permissions
● Don't download Apps from untrusted sources
● Keep strong password and don't be lazy
● Be careful free Wi-Fi

13. Be careful with free Wi-Fi
In free Wi-Fi networks lots of plain text is
exchanged and a big part of most popular
websites do not offer an encrypted connection
Published Date: January 14, 2013 on www.trustworthyinternet.org

14. Be careful with free Wi-Fi
Some websites use an encrypted connection
only for login
They are vulnerable to "Session
Hijacking"

16. Solutions for free Wi-Fi
● Use secure channels:
– HTTPS for surfing web sites;
– SSL when using applications that access the
Internet such as a mail client.
● Use a Virtual Private Network or a tunnel SSH
● Do not use free Wi-Fi

17. Which Measures Smartphones
Manufacturers and Software
Developers Should Take?
We will see solutions from the project phase of
hardware and software to the phase after the
sale of the device.

18. Opportunity to Create Different User
Profiles
Create a profile
just for children
Separate and secure work and
personal informations

19. Provide Long Term Support
● Provide long term support with updates is
extremely important for keep devices safe.
● Is possible find devices for sale with a version
of the OS no more supported.
● Most users don't know how to upgrade the OS
● Manufacturers want that users buy another
phone as soon as possible.

20. Android' situation
More than 60% have a version
released before the October 2011

21. Improve security on App Stores
● Check authors' identity
● Run a new application, checking for malicious and
hidden behaviors
● Use restricted policies against spam and fake apps
● Deny applications that download others applications
● Offer a payment system for purchases that
guarantees users and sellers

22. Separate Running Programs

23. Separate Running Programs
This prevents that any compromised app will
have access to not allowed lower system levels,
including:
● reading or writing the user's private data (like
contacts or emails)
● reading or writing another application's files
● performing network access
● et cetera

24. Implement Protocols Correctly.
Developers should make attention when use
third party libraries such as OpenSSL or JSSE.
Some implementations perform the SSL
certificate validation incorrectly or not at all.
Insecure against man in the middle

25. Chain of trust
A chain of trust is made by validating each
component of hardware and software from the
bottom up.
Only signed
software can be
booted.

26. Conclusion
Like for computers, smartphones security is a
process that involves manufactures, developers
and users.
This is why, is not enought that devices and
softwares are safe and poka-yoke (“idiot
proofing”) but we also have to hope that in a
future users will be aware.