30DISC – Day 16 – Smartphone Security I

Time to get moving!

Today’s challenge – Smartphone Security I – Direct Link to Guide Page

For once it’s really nice to see technology actually solving problems instead of creating them. When the original 30-Day Information Security Challenge was created way back in the mists of time (March 2016), most smartphones did not ship with encrypted storage. That meant that someone like me whose job it is to extract data from mobile phones had a pretty easy time of it, even if I didn’t know your PIN for the device. Since “The Fappening” (don’t Google it, NSFW), Apple started to take their users privacy seriously (to a degree that doesn’t impinge on their revenue). Samsung followed suite and Google eventually caught up (to a point). What this means is that the second half of today’s challenge is redundant for you, if you have a reasonably new Apple iPhone, specifically one running Apple iOS8.

For Android users, things are slightly more complex (isn’t it always). If your phone is on Android 6 (Marshmallow) or above, your internal storage is encrypted by default, but if you’ve inserted a memory card (microSD card) into the device, you’ll need to encrypt that one manually.

The first part of the Challenge is relevant for everyone: change your access PIN and make it longer. Who’d have thought that was coming. At least 6-digits in your PIN, but preferably a alphanumeric passcode instead of just a PIN. Also, make sure you have the phone set to automatically wipe if a certain number of false entries have been input. You’ll need to check the instructions for how to do this for your phone, given the variety of operating systems and versions out there.

If you want to be really secure, you should also turn off TouchID /Fingerprint sensors. Whilst this is very inconvenient, you need to be aware that a usable fingerprint for TouchID to work is likely sitting just above the button on the screen. I haven’t done this myself, but I know of people who have successfully compromised a phone using a fingerprint lifted off the screen. Caveat emptor!

Geoffrey: I’ve only recently purchased a new phone running Android 7 (Nougat) so internal storage is encrypted out of the box. The microSD card was a different story so I had to manually encrypt that. I had to come up with a new alphanumeric passcode for the phone, and I’ve made the decision to keep the fingerprint access on, but making sure to clean my screen more frequently.

Juan & Priscilla: Both have 3-month-old company-issued Android devices with no expandable storage so again this was pretty straightforward. Juan had only set a four digit PIN so we strengthened that, Priscilla had an eight digital PIN so we changed that and all set to go. Remote wiping of the device is controlled by the company IT people in a situation where the phone is stolen or lost.

Diana: As part of her gear-up for this Challenge Diana got herself a new iPhone so again, not much to do here. What was interesting though was the look on her face when I told her that someone could break into her phone by taking a fingerprint off the screen. She really wrestled with whether to leave TouchID on, but the convenience won out (at least for the moment).

Previous Days Here:
Day 0 – Introduction to the Team
Day 1 – Installing Operating System and Application Updates
Day 2 – Set Up A Standard User Account
Day 3 – Review Privacy Settings
Day 4 – Setup Private & Secure Email
Days 5&6 – Weekend Project #1
Day 7 – Install a Password Manager
Day 8 – Change Your Passwords
Day 9 – Browser Security
Day 10 – Firefox Security Add-ons
Day 11 – NoScript Security Suite
Days 12&13 – WiFi Security Checkup
Day 14 – Virtual Private Network
Day 15 – Two Factor Authentication