Your mobile device lives in an Orwellian world of surveillance, intrigue and promiscuity. While your phone is safely tucked away in your pocket, it lives an alternate existence selling you out, betraying you and offering up your secrets whenever it can. While you're sleeping, driving, buying coffee or checking email, your phone is busy divulging your location, storing your credentials and documenting everything you do. This presentation from the 2014 (ISC)2 Security Congress walks through a day in the life of your mobile device and shows you what it's telling the world about you.

2. A Day in the Life of Your Mobile Phone
(or: how your phone hates you)
Rob Barnes, CISSP®, CSSLP®
Software Security Architect
The College Board
#YourPhoneHatesYou
Strengthening Cybersecurity Defenders #ISC2Congress

3. Reality:
Your phone hates you.
3 #ISC2Congress
How we like to think our
phones protect our privacy:

4. Things you do every day
4 #ISC2Congress
» Check email
» Check weather
» Check stocks
» Use social media
» Take photos
» Post photos
» Buy coffee
» Sync device with phone
» Join Wi-Fi access points
» Send email
» Navigate with map
» Research restaurants
» Place hands-free calls
» Browse websites
» (Plus all the things your kids
do that you don’t know
about)

5. Things your phone does every day
Collects location information
(Divulges location information.)
Collects personal information
(Divulges personal information.)
Collects usage information
(Divulges usage information.)
5 #ISC2Congress

6. 6 #ISC2Congress
Does it matter?
97% of mobile applications access personal
address books, social media pages and
connectivity options like Bluetooth or Wi-Fi.
86% of mobile applications are insecure.
But it doesn’t matter. 100% of what
you do reveals something about you.
http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.VA2ntvlr6Cc
http://threatpost.com/insecure-applications-we-are-84-percent-120711/75961

7. Don’t think like an attacker.
7 #ISC2Congress
Think like:
a marketer.
a parent.
a forensic investigator.

8. Location Privacy: Using the device
8 #ISC2Congress

9. Location Privacy: Browsing
This is where I spent my summer, as told by a web service:
9 #ISC2Congress

10. When you (or an app) access a web page or web service,
it sends the following information:
Browser version
(a two-for-one bonus!)
10 #ISC2Congress
Firmware version = iOS
6.1.4
Belongs to Verizon FiOS in Chantilly,
VA
Device make and model
(OLD!)
Location and Device Privacy
108.28.101.205
08/Sep/2014:14:18:45 -0400
Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X)
Version/6.0 Mobile/10B350 Safari/8536.25

11. Location Privacy: Using apps
Are you sure you’re just checking the weather? As a
bonus to you, Weather Channel shares your usage
statistics!
» http://or1.sc.omtrdc.net/b/ss/twciiphonescroll/0 . . .
» Resolution=640x1136
» AppID=iPhone 6.2.1 (420573)
» TimeSinceLaunch=58
XY
» Z
DeviceName=iPhone6,1
» action=weather:data-refresh-requested
» OSVersion=iOS 7.1.2
» CarrierName=Verizon
» actionTracking=weatherdatarefreshrequested
» ts=1408722639 (which translates to 8/22/2014 11:50:39 AM)
XY
Z
11 #ISC2Congress

12. Location Privacy: Using apps
Sure enough, you agreed
to all of this.
12 #ISC2Congress

13. Why should you care?
“Big Data” marketing can infer:
13 #ISC2Congress
When you’re at home
When you’re at work
When you’re driving

14. …and when you’re not
Why should you care?
14 #ISC2Congress
An attacker can infer:
When you’re at home

15. Device Privacy: Using Wi-Fi
Hi! Can I please join your network?
My MAC address is
DC:9B:9C:xx:xx:xx!
Sure!
(Ah…so you’re an Apple
device…)
Thanks! Oh, also, my name is
“Rob Barnes’s iPhone 5”!
OK, thanks. Welcome!
(Welcome, indeed, “Rob Barnes”!)
15 #ISC2Congress

16. Device Privacy: Using Wi-Fi
Hey, it’s “Rob Barnes’s iPhone 5”
again. Sorry to bother you. What is
the IP address for
email.mycompany.com?
It’s 209.48.123.456.
16 #ISC2Congress

17. Why should you care?
17 #ISC2Congress
Dear Rob Barnes:
Congratulations! Your iPhone 5 is eligible
for a free upgrade! Please click here for
details, or visit your local Atlanta Apple
retail store.
This message was sent to
rbarnes@mycompany.com. Click here to
unsubscribe from future emails.
Sincerely,
The Apple Customer Loyalty Team

18. Device Privacy: Using Wi-Fi
18 #ISC2Congress
belkin.d36
belkin.d36.guests
HoundNet_Guest
xfinitywifi
DUKE
LCPS-OPEN
Residence_GUEST
Marriott_Guest
Kimpton
Marriott_CONFERENCE
Dunn_Bros_337!
Carlton
My stored Wi-Fi networks
(com.apple.wifi.plist)

19. Device Privacy: Using Wi-Fi
19 #ISC2Congress
belkin.d36
belkin.d36.guests
HoundNet_Guest
xfinitywifi
DUKE
LCPS-OPEN
Residence_GUEST
Marriott_Guest
Kimpton
Marriott_CONFERENCE
Dunn_Bros_337!
Carlton
<key>lastAutoJoined</key>
<date>2014-07-13T06:33:08</date>
<key>SSID_STR</key>
<string>Marriott_Guest</string>
<key>Strength</key>
<real>0.9104790687561035</real>
<key>CAPABILITIES</key>
<key>NOISE</key>
<integer>91</integer>
<key>isWPA</key>
<integer>0</integer>
<key>CaptiveNetwork</key>
<boolean>true</boolean>
<key>lastJoined</key>
<date>2014-07-12T16:22:16</date>

20. Device Privacy: MAC
Ever get the feeling that you’re being watched?
This recycling bin is tracking
you.
http://qz.com/112873/this-recycling-bin-is-following-you/
20 #ISC2Congress

21. Device Privacy: MAC
Ever get the feeling that you’re being watched?
Your supermarket is
tracking you.
http://www.moxieretail.com/storage/heat_map2.jpg
21 #ISC2Congress

22. Why should you care?
Loyalty
Card Yo
u
22 #ISC2Congress

23. A picture is worth1,000 words…
http://sophosnews.files.wordpress.com/2012/12/mcafee-exif.jpg?w=640
23 #ISC2Congress

24. …and some EXIF data as well…
Exif Image Size 470 × 353
Make Apple
Camera Model Nam
iPhone 4
e
Orientation Horizontal (normal)
Date/Time Original 2012:12:03 12:26:00
Create Date 2012:12:03 12:26:00
Flash Off, Did not fire
GPS Latitude Ref North
GPS Latitude 15.658167 degrees
GPS Longitude Ref West
GPS Longitude 88.992167 degrees
GPS Altitude Ref Above Sea Level
GPS Altitude 7.152159468 m
Resolution 72 pixels/inch
24 #ISC2Congress

25. …and some geolocation, too.
25 #ISC2Congress

26. Usage Privacy: Using email
26 #ISC2Congress
iOS mail header:
X-Mailer: iPhone Mail (10B350)
[10B350 = iOS 6.1.4]
Android mail header:
X-Mailer: YahooMailAndroidMobile/3.1.3

27. Usage Privacy: Using Bluetooth
http://cnet3.cbsistatic.com/hub/i/r/2013/08/22/2cbcf893-6de6-11e3-913e-14feb5ca9861/resize/620x/e604bfe06973383ec0c3ca6323c35487/142B6607.jpg
27 #ISC2Congress

28. How to Protect Yourself
28 #ISC2Congress
» Location Services
• Turn it off
• Use it selectively
» Browsing
• Use Onion browser (or other Tor equivalent)
• Maintain awareness
» Wi-Fi
• Do not connect to untrusted networks
– (But if you do, assume everything you do is monitored)
– (Also, tell your device to “forget” the network when you’re
done.)

29. How to Protect Yourself
29 #ISC2Congress
» EXIF Data
• iOS
– TrashExif
– Metadata Cut
• Android:
– EXIF Stripper
– Photo Editor

30. How to Protect Yourself
30 #ISC2Congress
» MAC Tracking
• iOS
– Upgrade to iOS 8
• Android
– Pry-Fi (requires rooting the device)
» Bluetooth
• Delete any data from synced devices
– This becomes increasingly applicable with iOS 8’s HealthKit

31. The End.
31 #ISC2Congress
Rob Barnes
rbarnes@collegeboard.org
ww.linkedin.com/in/robertdbarnes
#YourPhoneHatesYou