SANS Penetration Testing

Mobile Device Security Checklist

By Lee Neely & Joshua Wright

We often get asked for things we can do to help users keep their mobile devices secure. Here's a quick list of some simple things you can do to ensure that your mobile devices are running with at least some security. All of these steps are free and raise the bar on both unauthorized use of your device and the integrity of the applications you're running on them. Our goal here is not to make your device impenetrable to attack, but instead to raise the bar.


Security Tips For Android Devices

  • Turn on disk encryption (not explicitly tied to PIN/screen lock).
  • Use biometrics for unlocking normally with a longer passcode (instead of a simpler 4-character PIN).
  • Disable developer access (off by default).
  • Disable third-party app store access (off by default, but very commonly turned on).
  • Evaluate and uninstall apps with excessive permissions using Android Permission Apps or other tools.
  • Install Android platform updates as soon as they become available.
  • Compare your Android version to recent releases. Is your phone getting updates? If not, it's time for a new phone. (This is hard, because most users will find that Android phones are poorly supported and require more frequent replacements, which end up being more costly than iOS devices over time).
  • Do your research before you buy a new phone. Nexus has the best record for security update delivery and support, followed by Samsung, and then by LG. Everyone else is the pits for security updates.
  • Turn on "Android Device Manager" for remote location services for lost devices or a third-party "Find my Android" tool if your Android device doesn't support this feature.
  • Periodically erase your network settings to forget about old, insecure WiFi networks you don't use anymore.
  • When plugging in USB, don't say yes to "Trust this PC" when prompted, unless it is a personally owned system.
  • Set a strong Google password, better still, enable two-factor authentication.
  • Complain to your cell phone carrier about unwanted applications on the device and the loss of control over it. Nobody currently pushes back, so the carriers do what they want.
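As an added example (not part of the original post), here is a small audit script that checks several of the Android items above over adb: whether the device is encrypted, whether third-party app sources are enabled, and how old the security patch level is. It assumes adb is on the PATH with an authorized device, and its 90-day threshold is an arbitrary choice; the developer-options and USB-debugging items cannot be checked this way, since adb itself needs both switched on, so turn them back off once the audit is done.

```python
import subprocess
from datetime import date
# Assumption: a patch level older than this means the phone is not getting updates.
MAX_PATCH_AGE_DAYS = 90

QUERIES = [
    "getprop ro.crypto.state",                      # encrypted / unencrypted / unsupported
    "settings get secure install_non_market_apps",  # "1" allows third-party app sources (pre-Android 8 setting)
    "getprop ro.build.version.security_patch",      # patch level as YYYY-MM-DD
]

def adb_shell(command):
    """Run one command on the attached device; assumes adb is on PATH and the device is authorized."""
    done = subprocess.run(["adb", "shell", command], capture_output=True, text=True, check=True)
    return done.stdout.strip()

def collect():
    """Gather the raw output of every query from the device."""
    return {query: adb_shell(query) for query in QUERIES}

def patch_age_days(patch_level, today):
    """Days since the reported patch level, or None if the value is absent or malformed."""
    try:
        year, month, day = (int(part) for part in patch_level.split("-"))
        return (today - date(year, month, day)).days
    except ValueError:
        return None

def evaluate(values, today):
    """Turn raw outputs into (checklist item, passed) pairs; "null" means the setting is still at its default (off)."""
    third_party = values["settings get secure install_non_market_apps"]
    age = patch_age_days(values["getprop ro.build.version.security_patch"], today)
    return [
        ("Disk encryption on", values["getprop ro.crypto.state"] == "encrypted"),
        ("Third-party app sources off", third_party in ("0", "null")),
        ("Security patch level within %d days" % MAX_PATCH_AGE_DAYS,
         age is not None and age <= MAX_PATCH_AGE_DAYS),
    ]

# Constructed sample output (not from a real device) showing a phone that fails every item.
SAMPLE_DATE = date(2016, 10, 1)
SAMPLE = {
    "getprop ro.crypto.state": "unencrypted",
    "settings get secure install_non_market_apps": "1",
    "getprop ro.build.version.security_patch": "2016-03-01",
}

if __name__ == "__main__":
    for item, ok in evaluate(collect(), date.today()):
        print("[%s] %s" % ("PASS" if ok else "FAIL", item))
```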


Security Tips for iOS Devices

  • Make sure you update iOS when new updates come out.
  • Periodically erase your network settings to forget about old, insecure WiFi networks you don't use anymore.
  • Make sure "Find my iPhone" is turned on for locating or wiping lost devices.
  • Use TouchID with a longer passcode in lieu of a 4-digit PIN.
  • When plugging in USB, don't say yes to "Trust this Computer" when prompted, unless it is a personally owned system.
  • Turn off iCloud backup unless you are comfortable with your pictures being stored in the cloud.
  • Use iTunes to make a backup with a password to both encrypt and to capture all your settings.
  • Set a strong Apple iTunes password.
  • Review the Settings | Privacy settings, revoking permissions from apps that are unnecessarily greedy with permissions.

Security Tips for Both iOS and Android Devices

  • Disable wireless and leave it off unless you're actively using it.
  • Install a VPN (proXPN, Private Internet Access, etc.) for when you need to use Wi-Fi, and always use the VPN when connecting to Wi-Fi.
  • Only use known Wi-Fi connections; beware of free public Wi-Fi.
  • Don't leave your device unattended; treat it like your wallet.
  • Use caution when lending your device to others; they can quickly make unauthorized changes.
  • Disable premium rate messages via your cell carrier! If you manage cell phones for the organization, turn it off for all.
  • Uninstall unused apps.
  • Factory reset phones before returning for service.

Want to learn more about this topic? You really should check out SEC575: Mobile Device Security and Ethical Hacking. It's an amazing course covering mobile device security attacks and much more!

-Lee Neely
@lelandneely


Upcoming Training Opportunity:

Learn more about the latest attacks and techniques used against organizations at the SANS Pen Test HackFest Training & Summit. This year's HackFest Summit features two days of leading talks from top experts and then six days of hands-on, immersion-style pen test training in one of our seven courses to choose from! Learn and develop your offensive techniques as you strive to better defend your environment. Whether you are a penetration tester, red team member, a forensics specialist, or cyber defender, the techniques covered at HackFest represent the latest and most powerful attacks every organization needs to thwart. You NEED to be there! http://www.sans.org/u/kqa
