SafeCase and beyond; safeguarding smartphone data.
Last month, we released our second-generation product, the Privoro SafeCase, which is compatible with the iPhone 7 and 8. While SafeCase can be used by organizations for a variety of use cases, smartphone counter-surveillance protection is a core functionality. The case blocks the host smartphone’s cameras and actively masks each of the microphones with randomized noise. At Privoro, we believe that only physical, verifiable protections can overcome the threat of hijacked smartphone sensors targeting national security agencies, publicly traded companies and high-profile individuals.
While SafeCase protects iPhone users from a particular type of mobile threat, our customers have asked for additional ways to protect their data and their devices. Because this mobile security blog was developed as a supplemental resource for our existing SafeCase customers, it is geared for consumers of the iPhone 7 and 8, and avoids some of the technical advances specific to the newer iPhone X. As we expand our product portfolio, we will cover additional phone types and tablets.
In organizing this post, I framed the protections around states of data to make the distinction of where smartphone vulnerabilities exist. The states of data are: data at rest, data in use, data in transit and data in vicinity. But, before jumping in, keep in mind that security is far from a one-size-fits all proposition. The fact remains that people have different risk profiles and it is incumbent on each individual to carefully develop a personal security strategy based on their tolerance for risk and lifestyle. Ultimately, it is up to you to take action where you feel it is most important.
DATA AT REST – information stored on your device
A key differentiator for Apple products is that they encrypt the hard drives of their devices (iPhones, iPads and computers). While this encryption is good to have, a seasoned and determined hacker could likely access it. There are additional protective measures users can take to further protect themselves.
Back up the data on your iPhone
Apple provides a cloud option (iCloud) where you can back up your devices. While this is a good method, if you happen to have a lot of data on your iPhone, you will likely need to pay for additional storage each month. An alternative is to use iTunes and back up your device data to your computer. I personally use this method and take it a step further by backing up my computer to an external drive. This method also limits the amount of personal information I have stored in the cloud. Both methods work, and it is critical to choose one and use it. That way, if something happens to your device or if you get a new device, you can simply revert back to your latest backup (with all of your data and even your apps intact). Reverting back to a previous install can also be useful if you think your phone has been compromised.
Keep your iOS software up to date
You may have heard to keep your iOS version up to date and I would like to re-enforce the message. When hackers uncover a previously unknown software vulnerability – known as a “zero-day” exploit – they can use that backdoor until the exploit has been discovered. When Apple learns of these vulnerabilities, they develop patches and send them out in the form of iOS updates. The longer you wait to deploy these version updates (or patches), the longer your personal data will be subject to this vulnerability. Follow this link to learn more about the latest version of iOS (12) prior to updating your phone.
Disable AutoFill & Keychain functionality
Apple is always looking to provide users with shortcuts, so for storing passwords Safari utilizes an auto-fill feature. Upon a successful login, users are prompted to save their login IDs and passwords to Apple’s Keychain. This allows users to avoid re-entering the same information the next time you need access. The Keychain also stores credit card information.
While these features make life a little easier, if a hacker gains access to your iPhone, they will also have access to all the online accounts for which login information is stored on your iPhone. Go to Settings > Safari > AutoFill and deselect each option.
Physically protect your iPhone: use Find My iPhone and dispose of it properly
We use our smartphones so much that they have become extensions of ourselves. Because we rely on them so much, we tend to notice pretty quickly when we lose track of them. Utilizing the Find My iPhone feature is another way you can protect your iPhone from hackers. By logging into the service, either via another iOS device or a web connection, you can locate a lost or stolen device or perform a remote wipe to delete the data. That way, even if a hacker were to obtain physical access of your phone, they would be unable to access the information on it. To remotely wipe your iPhone, log in to the Find My iPhone app (or iCloud website), select your iPhone, select “Erase iPhone” and confirm. If your phone is on and connected, it will occur immediately. Otherwise, it will happen the next time the phone connects to the internet.
When any of your electronic devices are at the end of their life, it is necessary to remove the data from the device (including saved login credentials) prior to responsibly disposing of it. There are several ways to get rid of old equipment and the specifics can be found here.
DATA IN USE – information you are accessing while using your device
Carefully consider links or attachments sent to you (watch out for phishing attempts)
This one is fairly self-explanatory – if you receive a suspicious text, email or link from an unknown sender, avoid clicking on anything associated with it and the message. Oftentimes these malicious links are cleverly designed to look like legitimate websites so take your time and examine them. If you are unable to understand the reason you are receiving it, avoid assuming and err on the side of caution. The general rule is that if you don't trust the look of the email/message then avoid opening it. The same goes for email attachments.
Manage your apps and the permissions you allow
It is important to only install apps on your iPhone that you have downloaded from trusted sources – Apple’s App Store or perhaps a dedicated corporate app store. While Apple does a good job policing the apps in their App Store, the opportunity for malicious behavior from app developers still exists. When installing a new app, rather than quickly allowing access to everything the app asks for, think about how you plan to use the app and whether those permissions are necessary. As a matter of fact, I recommend going through all the apps on your phone to review the permissions you currently allow. While this can be time-consuming because you need to go into each app individually, I recently did this and found I could restrict permissions for a number of apps without sacrificing functionality.
Disable AirDrop
AirDrop is a feature Apple came up with to quickly share information (like pictures or other files) directly with other Apple users or devices nearby. Many people unknowingly leave this setting open, allowing either “Everyone” or “Contacts Only” to send you files. Try to avoid using this feature, and if you need to use it, turn “Receiving Off” after you are done.
Disable Siri
While Siri is a useful feature, for those who are truly concerned about their security and privacy, it needs to be avoided, particularly from one’s locked screen. Head to Settings > Touch ID & Passcode and deselect options in the “Allow Access When Locked" section.
DATA IN TRANSIT – information sent from your device as well as received by your device
Utilize encryption for your calls and texts
If your phone has been compromised, someone can listen in on your phone conversations or intercept your text messages. A solid, free-to-use option is the encrypted call/text service Signal. Signal was developed by a well-respected security professional and, in many ways, it functions similar to the way you place a call or send a text currently on your phone. The differences are – your communications all go through the Signal app and the person you are communicating with must also be using Signal. It is easy to set up and has become the go-to method for secure communications. If you are concerned someone might be listening to your conversations, I strongly suggest utilizing Signal.
Avoid using public/free WiFi connections
Utilizing public WiFi connections, while convenient, is increasingly risky. I mentioned this point in a previous blog post of mine and feel it is important to emphasize again. It is easy for a malicious actor to set up a router next to a popular free WiFi hotspot such as Starbucks and rename the router “Starbucks Free WiFi.” Unsuspecting users looking to connect to the internet could have their data compromised or worse, their device owned. Unfortunately, we lack a policing agency to look out for nefarious actors doing such things. It’s a “user-beware” environment, so BE AWARE. If you absolutely need to use a public WiFi connection, utilize a VPN service. Avoid the free ones as they are known to sell your data.
DATA IN VICINITY – information created in the vicinity of your phone
The term “data in vicinity” is used to describe any data that can be collected in the presence of a digital device. It is an often-overlooked state of data that is particularly vulnerable for collection. It is even more shocking that this information can be collected using your own device, if it has been compromised. To see a demonstration of this in action, watch this video where the Privoro technical team obtained readily available smartphone surveillance software from the internet and intentionally infected the smartphone of a Privoro employee. It serves as a shocking reminder of how vulnerable we all are as users of smartphones.
Avoid sensitive conversations around your smartphone
As I touched on in the introduction, we carry around devices on a near-constant basis that can be easily turned into eavesdropping devices. Obviously, the most convenient solution to this problem is to use a SafeCase. For those unable to purchase a SafeCase, I urge you to be mindful of the sensitive conversations you have in the presence of your smartphone. If you engage in sensitive, company-critical or even potentially embarrassing activity, I recommend you make sure your devices (phone, tablets, etc.) are in another room.
Conclusion
Smartphones are one of the most powerful and impactful products of our lifetimes. They allow us to access and store incredible amounts of information through a rich user experience. The designers of these devices did a wonderful job making them intuitive, easy to use and simple to connect to networks and to other devices, making them extremely popular. These features, built for consumer ease of use, also have a dark side – they make the devices vulnerable from a security perspective. Consider the amount of tolerable risk you are comfortable with as it relates to your iPhone, choose the appropriate steps from the ones I have provided and put those actions into place. By selecting those that make the most sense for you, you will be securing yourself, your data and your device. Ultimately, you will also sleep a bit better at night.