Ask Slashdot: How Do You Protect Data On Android?

timothy posted more than 3 years ago | from the big-ax-and-many-many-guns dept.

Android 238

Gibbs-Duhem writes "It makes me very nervous that my Android phone has access to my email/AIM/G-talk/Facebook, protected only by a presumably fairly easily hacked geometric password protection scheme. Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered. I have no idea how much of that information ranging from cached emails to passwords stored in plaintext is accessible when mounting the device as a USB drive, and that worries me." For the rest of Gibbs-Duhem's question about issues in Android security, read on below.

Gibbs-Duhem continues: "I have a lot of sensitive information in my email, including passwords for websites and confidential business/technical strategy discussions (not to mention personal emails ranging from racy emails from boyfriends to health discussions). My email and messaging client passwords are difficult to type (or even remember), so I would ideally want them saved in the device, although at least having something like a keyring password that needed to be re-entered after a time delay would make me feel better. This leaves me relying on encryption and OS level security to protect me.

I'm okay with this on my real laptop and computers as my hard disks are software encrypted and I make a habit of locking my session whenever I leave my desk. For instance, if I lost my laptop, the odds of the thief getting access to my information is minimal. However, I don't feel that this is at all true for my phone (which is frankly far more likely to be lost).

How is it that the Slashdot security pros handle this issue? Do you just not use email or the many other incredibly convenient capabilities of new Android smartphones due to the risk? Or are there specific ways in which we can guarantee (or at least greatly augment) the existing security practices?"

238 comments

How do you protect your mobile phone (1, Insightful)

m2vq (2417438) | more than 3 years ago | (#36914486)

By using a regular phone with no shit like Facebook, Twitter, Google tracking. It's not that hard.

Re:How do you protect your mobile phone (3, Insightful)

The Dawn Of Time (2115350) | more than 3 years ago | (#36914522)

Yes but let's assume we aren't asking the question for the 0.00001% of humanity with no interest in being a part of society.

Re:How do you protect your mobile phone (-1, Troll)

m2vq (2417438) | more than 3 years ago | (#36914556)

If you really want those on your phone, then iPhone or some Windows Phone 7 device would be good for you. They are up-front secured by both companies. Not that there aren't any security problems (like the iPhone remote exploit "jailbreaking"), but in general they're much more secure than Android.

Re:How do you protect your mobile phone (-1, Troll)

F.Ultra (1673484) | more than 3 years ago | (#36914856)

Where did you get that stupid idea from (that they are more secure)? You do understand that they have to store their passwords in plain-text as well?

Re:How do you protect your mobile phone (1)

macs4all (973270) | more than 3 years ago | (#36915080)

Where did you get that stupid idea from (that they are more secure)? You do understand that they have to store their passwords in plain-text as well?

Why couldn't they just store a hash? -Doug

Re:How do you protect your mobile phone (1)

amRadioHed (463061) | more than 3 years ago | (#36915162)

Ok, so if they can store a hash that is capable of logging into your account, how do they protect the hash?
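
The point raised in this exchange, as an added example that is not part of the original comments: a hash saved on the phone that the server accepts as the login secret works exactly like a saved password for whoever copies it, while a verifier kept on the server side cannot be replayed. `MailServer`, the user name and the sample password are constructed for the illustration.

```python
import hashlib
import hmac
import os


def _kdf(secret: bytes, salt: bytes) -> bytes:
    """Salted, slow hash used by the server to store a verifier."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000)


class MailServer:
    """Constructed toy login service that keeps only salted verifiers."""

    def __init__(self):
        self._verifiers = {}

    def enroll(self, user: str, secret: bytes) -> None:
        salt = os.urandom(16)
        self._verifiers[user] = (salt, _kdf(secret, salt))

    def login(self, user: str, presented: bytes) -> bool:
        # The server hashes whatever the client presents and compares.
        salt, verifier = self._verifiers[user]
        return hmac.compare_digest(_kdf(presented, salt), verifier)

    def dump(self, user: str):
        """What someone who copies the server's database obtains."""
        return self._verifiers[user]


def client_side_hash(password: str) -> bytes:
    """The 'just store a hash' idea: the phone keeps this, not the password."""
    return hashlib.sha256(password.encode()).digest()


def run_scenarios():
    password = "correct horse battery staple"  # constructed sample value

    # Scheme A: the phone saves the password itself.
    server_a = MailServer()
    server_a.enroll("alice", password.encode())
    saved_on_phone_a = password.encode()

    # Scheme B: the phone saves only a hash, so the server has to accept
    # that hash as the login secret.
    server_b = MailServer()
    server_b.enroll("alice", client_side_hash(password))
    saved_on_phone_b = client_side_hash(password)

    # Server-side storage for comparison: the stored verifier is not
    # something a client can present to log in.
    _salt, verifier = server_a.dump("alice")

    return {
        # Whoever copies the phone's storage presents what they found.
        "login_with_saved_password": server_a.login("alice", saved_on_phone_a),
        "login_with_saved_hash": server_b.login("alice", saved_on_phone_b),
        # The one thing the client-side hash keeps back is the original text.
        "saved_hash_equals_password": saved_on_phone_b == password.encode(),
        "login_with_server_verifier": server_a.login("alice", verifier),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:30s} {outcome}")
```

In scheme B the only gain is that the original password text is not on the device, which matters if it is reused elsewhere; the account the hash unlocks is as exposed as in scheme A.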

Re:How do you protect your mobile phone (2)

exomondo (1725132) | more than 3 years ago | (#36915310)

Why couldn't they just store a hash?

What would be the point of that?

Re:How do you protect your mobile phone (1)

node 3 (115640) | more than 3 years ago | (#36915814)

Where did you get that stupid idea from (that they are more secure)? You do understand that they have to store their passwords in plain-text as well?

iOS doesn't. So clearly this isn't required.

Re:How do you protect your mobile phone (1)

ncgnu08 (1307339) | more than 3 years ago | (#36915074)

While I am nowhere near a professional, I feel fairly confident in my opinions in that they are opinions... I like the comment from m2vq. I actually like some of the features a Windows phone provides, and dare I say WebOS, or PalmOS, or whatever hp is going to call it next? The op didn't mention what security methods he is currently using, and didn't state his proficiency; I think we can agree that will greatly influence the decision. hp is trying to put some decent hardware with their new OS toy.
I think both of those os options at least allow the user to take some proactive steps to secure his/her phone. If you are still worried, would it not be best to be on a cdma network?

Re:How do you protect your mobile phone (0)

Anonymous Coward | more than 3 years ago | (#36914800)

If you think that 99% of people use "smart phones", you're grossly out of touch with reality. "Smart phones" are grossly expensive status symbols. The only people I know who use "smart phones" have them to impress other people. I run a multi-million dollar business just fine with a laptop and a "dumb" cell phone.

Re:How do you protect your mobile phone (2)

RapmasterT (787426) | more than 3 years ago | (#36914854)

If you think that 99% of people use "smart phones", you're grossly out of touch with reality. "Smart phones" are grossly expensive status symbols. The only people I know who use "smart phones" have them to impress other people. I run a multi-million dollar business just fine with a laptop and a "dumb" cell phone.

I think you are grossly out of touch with reality. A smartphone lets me do my business without having to carry the laptop around, like you are apparently doing everywhere you go. I suppose you'd also like the children to stay off your lawn?

Re:How do you protect your mobile phone (0)

h4rr4r (612664) | more than 3 years ago | (#36914888)

This!
Finally I can go out while on call and I don't have to lug around a laptop. I can just vpn in then do work if I get a call or something breaks.

Re:How do you protect your mobile phone (2)

datapharmer (1099455) | more than 3 years ago | (#36915176)

Yeah, tried that.... fail. Maybe your android is better, but vpn support varies wildly from model to model, and forget remote desktop or vnc - It isn't worth the frustration. I got a motorola droid with a hardware keyboard thinking "at least I can use the command line", but the key mapping really isn't appropriate for vi or anything serious in the shell. Sure it is nice to have access to email and the ability to remote in, but I have found many times where it was so frustrating I just said "forget it, I'm wasting my time" and got out the laptop. Anyhow, what I am saying is YMMV.

Re:How do you protect your mobile phone (4, Informative)

godel_56 (1287256) | more than 3 years ago | (#36915034)

If you think that 99% of people use "smart phones", you're grossly out of touch with reality. "Smart phones" are grossly expensive status symbols. The only people I know who use "smart phones" have them to impress other people. I run a multi-million dollar business just fine with a laptop and a "dumb" cell phone.

In Australia in 2010, 43% of phone sales were smart phones. The prediction for 2011 is 70% of sales will be smart phones.

Smart phones are becoming the norm.

Re:How do you protect your mobile phone (2)

exomondo (1725132) | more than 3 years ago | (#36915348)

"Smart phones" are grossly expensive status symbols.

Thems new-fangled smartphones are just for them there kids that want to look "cool" with their myface, their twizzler and their spacebook. I don't want no smarphones on my lawn!

Re:How do you protect your mobile phone (0)

Anonymous Coward | more than 3 years ago | (#36914524)

How do you do this on Android? The OP was asking about Android, not 3rd world technologies that don't have the issues of which he is concerned.

Re:How do you protect your mobile phone (2, Informative)

NFN_NLN (633283) | more than 3 years ago | (#36914600)

"Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered."

I have a Nexus S with Android 2.3.4. Whenever I plug in a USB data cable, a pop-up asks me to "Turn on USB storage". This is only accessible after I enter my password. I realize he is bitching in general but with respect to this specific problem... it's a non-issue.

Re:How do you protect your mobile phone (1)

NFN_NLN (633283) | more than 3 years ago | (#36914750)

I have a Nexus S with Android 2.3.4. Whenever I plug in a USB data cable, a pop-up asks me to "Turn on USB storage". This is only accessible after I enter my password. I realize he is bitching in general but with respect to this specific problem... it's a non-issue.

This first appeared in Android 2.2.1

http://books.google.ca/books?id=yTrYZ2t7oPQC&pg=PA60&lpg=PA60&dq=android+%22turn+on+usb+storage%22+android+2.2&source=bl&ots=h4Z4ERUvtP&sig=REGSUTfY4y2VrnRHwUIsdsJh7ew&hl=en&ei=TeQxTpq9Gqnu0gHEn6XiCw&sa=X&oi=book_result&ct=result&resnum=8&ved=0CFgQ6AEwBw#v=onepage&q&f=false [google.ca]

And technically, unauthorized people cannot remove the SD card from a Nexus S :)

Re:How do you protect your mobile phone (2)

whoop (194) | more than 3 years ago | (#36915372)

Yes, but how do you keep your stuff secure after you plug it into a computer, give it to an enemy, give apps permission to view your email/sdcard/facebook/twitter/texts/etc? I mean, with a system like this that just "lets" users give away their data, I don't see how anyone can ever consider using it!

Re:How do you protect your mobile phone (0)

camperdave (969942) | more than 3 years ago | (#36914776)

Just because Android *CAN* connect to these services, there is no power in the 'verse *FORCING* the querent to use the built in utilities. These services all have web interfaces, and presumably one of the web browsers on Android has a "privacy" mode.

Re:How do you protect your mobile phone (4, Insightful)

k31 (98145) | more than 3 years ago | (#36914570)

Yea,

and I secure my car by having a bicycle, instead.

Sure, I get wet when it rains, but I'm so much safer.

Re:How do you protect your mobile phone (1)

m2vq (2417438) | more than 3 years ago | (#36914622)

Bicycle is a bad example, as it's much as well dangerous as driving car. If you want to travel the safest way, flying is the best option.

As Ben Franklin would say... (3, Funny)

Anonymous Coward | more than 3 years ago | (#36914712)

Those who would gain a little safety by giving up necessary not-being-molested deserve neither and will lose both.

Re:How do you protect your mobile phone (1)

Anonymous Coward | more than 3 years ago | (#36914924)

I do that. The water feels good on my skin. It's cool, refreshing and a great way to stay in shape

Duh... (-1)

Anonymous Coward | more than 3 years ago | (#36914536)

Get an iPhone.

You can't have your cake and eat it too (3, Insightful)

Anonymous Coward | more than 3 years ago | (#36914548)

Just suck it up and type your password each time.

Re:You can't have your cake and eat it too (-1)

Anonymous Coward | more than 3 years ago | (#36914574)

Just suck it up and type your password each time.

That wouldn't work. Did you read the summary (of course not)?

Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered.

The solution to that is easy. Never connect it via USB to a Windows machine and you stand a DAMNED good chance of having no problems here. The only important thing is that nothing running on your machine will try to access the phone unless you put it there and instructed it to do so. No Windows means reasonable assurance that there is no malware which means USB access is safe.

Maybe that wasn't "politically correct" enough to include in the summary or something but it's the truth.

LOL, It's The Douche Submitter Trolling As An AC (-1)

Anonymous Coward | more than 3 years ago | (#36914612)

Go away retard. No one is dumb enough to fall for your lame attempt at spreading FUD.

Re:LOL, It's The Douche AC Trolling As An AC (-1)

Anonymous Coward | more than 3 years ago | (#36914724)

Go away retard. No one is dumb enough to fall for your lame attempt at spreading FUD.

Tell you what. Prove (y'know, with evidence) that Linux, OpenBSD, NetBSD, and OSX systems have the same chance, or greater, of succumbing to malware infections as comparable Windows machines. If you can do that, I will gladly admit I was full of shit. Or easier, prove that you have anything to fear from full access via USB when you have complete control of an uncompromised machine. Or prove that not running Windows isn't really the single most effective way to avoid malware.

My offer awaits you. Are you man enough to take me up on it?

*crickets chirping*

We Told You To Get Lost (-1)

Anonymous Coward | more than 3 years ago | (#36914916)

Buh bye retard. Your juvenile attempts at spreading FUD won't be missed.

Re:You can't have your cake and eat it too (2, Informative)

Anonymous Coward | more than 3 years ago | (#36914764)

Actually you can have your cake and fucking eat it too:

Set the default USB connection activity on the phone to "CHARGE" instead of "MOUNT SDCARD LIKE A FUCKING DUMB ASS".

Then enable the lockscreen option and if someone picks your phone up and connects it to a PC, it's only going to charge the battery.

Now the thing to really worry about is someone taking your phone and then pulling the SDCARD out and mounting that on their PC, that will give them full access to everything stored on it, including all downloaded emails, dirty pics and movies you've shot in the bathroom to send your partner, etc.

LOL, What A Hilariously Lame Attempt At FUD (0)

VisibleSchlong (2422274) | more than 3 years ago | (#36914554)

Move along...

Re:LOL, What A Hilariously Lame Attempt At FUD (0)

Anonymous Coward | more than 3 years ago | (#36915702)

Not so carefully written to stir Android fanboy rage and subtle specific questions to let the iPhone fanboys deliver their FUD

DONE and DONE

Hey! that worked on 2007 (Replace Android for WinMobile), turfing needs R&D too, you know.

Slashdot astroturfing ring, STAGNATED, too.

usb security (1)

Anonymous Coward | more than 3 years ago | (#36914564)

you don't need to worry about leaking data through usb if you set the usb options to charge only.

Re:usb security (4, Informative)

manekineko2 (1052430) | more than 3 years ago | (#36914802)

Can you even access the pull down to activate USB mass-storage mode when the phone is locked?

I would think it's sufficient just to disable development mode, so that ADB cannot be hooked into USB, which I think does work when the phone is locked.

Re:usb security (1)

blair1q (305137) | more than 3 years ago | (#36915626)

My Android phone frequently does not lock when the screen times out.

And it's not just a matter of forgetting to paint the lock screen. It's unlocked when I hit the power button. Sometimes a day or two after I put it down.

Re:usb security (1)

sjames (1099) | more than 3 years ago | (#36915346)

You still get debugger access on charge only. Also, they can just take the sdcard out of the phone and mount it on something else.

Whispercore (4, Informative)

Baloroth (2370816) | more than 3 years ago | (#36914580)

This [whispersys.com] looks like exactly what you want. It warns that it's in beta, though, so I'm not sure how well I would trust it. Seems like better than nothing. Says it does full encryption of the entire system, optionally your SD card, as well as optional firewall for your phone. Wouldn't rely on it without backups, but it should work. Also, you could look at a system that keeps passwords off your actual phone, like LastPass does. Not sure how well it works with Android, but I'd look into it.

Also, Honeycomb supposedly offers device-level encryption (link [engadget.com]), so if you can wait for that on phones, that'd work too.

Re:Whispercore (0)

Anonymous Coward | more than 3 years ago | (#36914728)

the motorola phones (at least my atrix) have an easy to use remote wipe capability.

Re:Whispercore (0)

Anonymous Coward | more than 3 years ago | (#36914804)

Their site says that all their products' source is available for review, but I can't find the source code for WhisperCore anywhere...

Also, it only supports Nexus & Nexus S right now. Without being a community-developed project, I don't know if they'll be able to port to many phones

You can't. (2)

Threni (635302) | more than 3 years ago | (#36914596)

Phones suck for that sort of thing. They also assume one user, so you can't hand your phone to your friend/daughter/colleague without wondering if they're going to phone/text/install non-free apps etc. It would be nice if they were more like regular computers so they could log on as a guest and have largely read only access, limited access to the above etc. It would also be great if the filesystem was encrypted so if your phone was stolen it wouldn't give up its secrets quite so easily. All solved on a linux desktop... so near but so far on the phone.

Re:You can't. (2)

DemonGenius (2247652) | more than 3 years ago | (#36914680)

With the exception of multiple users (which is a good idea for phones BTW), this has already been solved with the N900. I can store a backup of all my important data secured on the phone's internal memory with a numeric password that is several characters long (should probably be alphanumeric, but this is still a phone we're talking about, not quite a computer). There is no way someone can get my data unless I store it on a micro SD. They can take the phone, but the internal memory would have to be wiped before being able to access it. Thanks to the N900, I have peace of mind that I have a secured backup of all my important data with me at all times. Hopefully when Meego is finally released to a device, this kind of security is retained from Maemo.

Re:You can't. (1)

Mia'cova (691309) | more than 3 years ago | (#36914722)

There are plenty of phones which do a great job with security. Blackberry being the primary example. Even the iphone now supports full-disk encryption and remote wipe. Just because most android devices are horrible doesn't mean all phones are. To counter your desktop point, I doubt most linux desktops are put together with full drive encryption by default.

Re:You can't. (1)

Threni (635302) | more than 3 years ago | (#36914900)

Yeah, I kind of don't care about most, just one has to work. I use Ubuntu, which does it, so I can't say I'm greatly fussed about Suse, Centos etc

Re:You can't. (0)

Anonymous Coward | more than 3 years ago | (#36915276)

Yep, I think BlackBerry with all the security features enabled is probably the safest bet if someone really is serious about security. As far as I know, it's the only solution to receive a Defense Department certification.

Re:You can't. (0)

Anonymous Coward | more than 3 years ago | (#36915850)

Trollish statement would have held more validity sans trolling.

Re:You can't. (0)

Anonymous Coward | more than 3 years ago | (#36915958)

Google iphone full disk encryption. [google.com]

Most results contain the word "useless".

Re:You can't. (0)

Anonymous Coward | more than 3 years ago | (#36914774)

Blackberry doesn't (generally) suck. They took security seriously and the phones are protected as such.

Contrast with Google and their complete lack of thought about security. Actually it's the shit company Android, Inc that originally developed Android. I don't know what kind of moron would develop a modern device like that these days without first creating a solid security policy. Encryption, locking, etc. They do have app separation but that's it, no useful encryption at all.

Of course I guess it's not that much of a surprise considering anyone tying themselves to Java is showing some weapons grade stupidity right there.

Fix your passwords. (0)

Kenja (541830) | more than 3 years ago | (#36914608)

If you are saving your password in the client software you may as well just use simpler passwords. Having them stored on the device defies most of the point in having complex passwords.

complex passwords vs. saving (3, Insightful)

manekineko2 (1052430) | more than 3 years ago | (#36914786)

Not necessarily I think, as these two things protect against different style attacks.

Complex passwords:
+protects against brute force attacks
Manual entry of passwords every time (as opposed to saving them in client):
+protects against loss of control of your device

Depending on the situation, it's completely plausible that a complex saved password may be the right call.

Moreover, manual entry of passwords has a big negative: weak against shoulder surfing and entry loggers, which is enhanced by the fact that this is a mobile phone and you never know who might be watching.

How Do You Protect Data On Android? (1)

camperdave (969942) | more than 3 years ago | (#36914616)

Re:How Do You Protect Data On Android? (0)

Anonymous Coward | more than 3 years ago | (#36914644)

I like how the enterprise displays the code in plain text while it's being inputted. Very secure.

Re:How Do You Protect Data On Android? (1)

DarwinSurvivor (1752106) | more than 3 years ago | (#36914880)

You seem to be assuming it's a reusable code. Since ALL codes seem to be given verbally, it stands to reason that would be one-time use only.

Re:How Do You Protect Data On Android? (0)

Anonymous Coward | more than 3 years ago | (#36914730)

And how do you secure the electronic device that generated the code in the first place?

Re:How Do You Protect Data On Android? (1)

Shillo (64681) | more than 3 years ago | (#36914890)

And how do you secure the electronic device that generated the code in the first place?

You give it a phaser and combat training.

Re:How Do You Protect Data On Android? (1)

DarwinSurvivor (1752106) | more than 3 years ago | (#36914930)

Judging by the amount of 7's and 3's (common in human generated "random" numbers), it was most likely generated by a human (possibly on the fly during filming)

Re:How Do You Protect Data On Android? (1)

macs4all (973270) | more than 3 years ago | (#36915218)

Judging by the amount of 7's and 3's (common in human generated "random" numbers), it was most likely generated by a human (possibly on the fly during filming)

I think they just told Brent to generate it on the spot, and then generated the "display" during Post, based on what he rattled-off.

If you have to ask... (0)

Anonymous Coward | more than 3 years ago | (#36914634)

you shouldn't be trusting it.

Droid X (0)

Anonymous Coward | more than 3 years ago | (#36914636)

My DX has the option to encrypt the contents of the phone & SD, respectively. Haven't checked to see if it's reliable or not, but the option is there in the OS.

Re:Droid X (0)

Anonymous Coward | more than 3 years ago | (#36916224)

My Droid X appears to only encrypt the data saved to the phone AFTER enabling encryption... and then will NOT decrypt the data when transferring it from the DX to a PC via USB. So, I end up with a mix of unencrypted data on the phone, that is easily and readily transferred to and usable on a computer... and encrypted data that is easily and readily transferred to, but completely unusable on a computer. Of course, I could always try to email the individual files to myself and see if they arrive decrypted and usable on my PC.

Get an iPhone (-1, Troll)

jmcbain (1233044) | more than 3 years ago | (#36914652)

Step 1. Buy an iPhone instead of a fragmented Android phone.
Step 2. Profit, because time is money*, and you don't have to deal with extreme Android fragmentation.

* This assumes that you have a job and aren't a ponytailed neckbeard freak living in a basement.

Re:Get an iPhone (1)

The Yuckinator (898499) | more than 3 years ago | (#36914832)

Your phone may be fragmented, but my phone only has a bit of a dead spot in the upper left corner of the screen because I dropped it about 45 minutes ago. Nothing's fallen off it yet though.

But seriously, you're either grossly uninformed, a rabid fanboy parroting talking points, have never used an Android device for more than a few minutes, or just a weak troll. Fragmentation is largely irrelevant when you have a developer community like the folks at XDA [xda-developers.com] working on pretty much any android device they can get their hands on. I count 94 devices being actively supported in that forum, many with tens of thousands of posts.

Even if you can come up with a dozen real-world, legitimate reasons that "fragmentation" ought to matter to me (I've heard exactly zero so far), I'd still choose it over your iPhone's walled garden any day.

Re:Get an iPhone (0)

Anonymous Coward | more than 3 years ago | (#36914908)

Doesn't the iPhone suffer from pretty much the same problems as well? Moving to iPhone as the troll suggests solves nothing, and may even make the problem worse.

Re:Get an iPhone (1)

macs4all (973270) | more than 3 years ago | (#36915290)

Doesn't the iPhone suffer from pretty much the same problems as well? Moving to iPhone as the troll suggests solves nothing, and may even make the problem worse.

Nope. Encryption + Remote Wipe + Local Wipe on too many failed password attempts (see "Safe and Secure by Design" and "Ready for Business" on this page [apple.com]). Not even in the same universe as far as security goes...

Re:Get an iPhone (1)

Trilkin (2042026) | more than 3 years ago | (#36915856)

Yeah, about that [wired.com] ...

Granted, it'll stop John Q. Idiot from getting your data, but if you actually care about data encryption/safety in the first place, John Q. Idiot probably isn't the person you're afraid of. In the real world, there are very few people who need truly secure phones considering that the majority of the data on them is their calendar reminding them to pick up their daughter from school, their contacts list and Angry Birds. A good number of people who claim they want that security generally think what they have on their phone is more important than it really is (or they don't want their wives/girlfriends to find out about the affair they're having.) Only a slim number of people actually need that much security on their phones... and they, wisely, use Blackberries.

It's not exactly hard to just change your passwords in the event your phone gets stolen and they have access to saved banking information (WHY DO YOU HAVE THAT SAVED ON A PHONE?!), Paypal information (more plausible) or Apple Store/Android Market information.

Re:Get an iPhone (2)

PCM2 (4486) | more than 3 years ago | (#36915964)

Nope. Encryption + Remote Wipe + Local Wipe on too many failed password attempts (see "Safe and Secure by Design" and "Ready for Business" on this page [apple.com]). Not even in the same universe as far as security goes...

See, I don't get all the people in this thread saying Android devices are "horrible" and "not even in the same universe as far as security." I have an Android phone from Motorola. It's billed by T-Mobile as one of their lower-end, entry-level smartphones, as opposed to a "teh awesomeness" phone. Nonetheless, my phone can encrypt the data on the device and the SD card, and it comes bundled with a (free) service from Motorola that not only lets you remote wipe your data, but will tell you where your phone is via GPS. It doesn't do the wipe on failed password attempts, but I wouldn't enable that anyway -- I'd hate to be fumbling with my phone trying to unlock it when I'm drunk and accidentally wipe all the data. So what security universe is my cheapie Android phone in?

You Use a Google Technology (1, Insightful)

Philip K Dickhead (906971) | more than 3 years ago | (#36914662)

Relax. Privacy cannot be effectively achieved when it is contrary to the design and purpose of Android.

Simple... (1)

TWX (665546) | more than 3 years ago | (#36914668)

...don't lose your phone.

Yes, I know, there are some people who lose things all of the time, things like keys, wallets, pagers, phones...

So far in the roughly sixteen years that this could be a problem for me, I have never lost a wallet, a set of keys, a pager, or a phone. I have locked keys in the car twice, but that was within my first two or three years of driving. I lost a Gerber Model 600 multitool once, but I think someone grabbed it and it wasn't simply lost.

If I was the kind of person who lost stuff often, I would either not have a smartphone or I would find a way to tether it to my person. There are all kinds of retractable tethers, from the old-school cable kind that custodial keyrings use, to fancy whiz-bang kinds like photographers use for rangefinders and light meters.

If you do lose your phone, I'd think that contacting the phone company and getting the service turned off would be first priority, which should sever links between the phone and the account anyway.

Re:Simple... (1)

daenris (892027) | more than 3 years ago | (#36914788)

Losing the phone isn't always in the person's control. You might set it down for a moment and someone just grabs it. I once had my phone sitting on a shelf in my apartment, and a friend of a friend of a friend swiped it while helping my friend move furniture. Luckily it wasn't a smart phone, so no real information breach, so canceling service was all I had to do.

Keeping the phone tethered to you at all times is unrealistic. For example, I work with MRI scanners. I'm not allowed to bring my phone into the scanner room at all because of the magnetic field. How would you suggest I keep my phone on hand at all times then?

And with regards to canceling service immediately, that does nothing at all to prevent access to data. The poster is asking how to secure the data that is on his phone locally. Things like saved passwords that could be retrieved from the phone whether it has an active service provider or not.

droidwall (0)

Anonymous Coward | more than 3 years ago | (#36914682)

Here's a small start:
root the phone and install droid wall.
In security, we create rings of secure areas... on a cell phone, the first thing to do is to limit the app's ability to phone home unless it is absolutely necessary for the app to function.

Password Manager - KeePass (1)

Anonymous Coward | more than 3 years ago | (#36914718)

Keeping passwords in email is dumb - even if you run the email server. If you do not run the email server, you are being negligent.

Start using a password manager. The DB is encrypted with AES or some other known, strong, industry standard method. KeePass is available on Android - it sorta sucks when compared to Linux and Windows versions which support auto-type, but it is still better than email. Why don't you just store all your passwords in a passwords.txt text file on your desktop. That would be better than in email. At least then you could encrypt it with a really, really long passphrase for a ZIP file.

If you want the DB to be cross platform, you probably need to stay with the v1.x line of KeePass. There are "portable apps" versions for lots of platforms too.

Use a password manager already, but be certain to mirror your password DB file to lots of places - even drop it into your email. It is encrypted after all.

I'll tell you the safe way... (1)

Anonymous Coward | more than 3 years ago | (#36914736)

Take your phone, run it over with a truck. Then set it (the phone, not the truck) on fire. Then throw the ashes in a glass block. Then launch the glass block into the sun.

Re:I'll tell you the safe way... (0)

Anonymous Coward | more than 3 years ago | (#36915272)

you forgot "stick it in an MRI machine for a few days"

Re:I'll tell you the safe way... (2)

macs4all (973270) | more than 3 years ago | (#36915306)

Take your phone, run it over with a truck. Then set it (the phone, not the truck) on fire. Then throw the ashes in a glass block. Then launch the glass block into the sun.

And so you think that isn't susceptible to an extraterrestrial-in-the-middle attack?

How worrying is it? (0)

Anonymous Coward | more than 3 years ago | (#36914790)

As a way of hijacking accounts for spam, stealing or happening upon mobiles probably isn't much of a good business. The average thief probably wants to just sell it on or wipe it. The average person who finds it probably isn't that sophisticated or dishonest, probably has little to gain by short term impersonation of you etc. - Who else are you worried about who would lift your phone and go to the bother of trying to extract your email etc.?

That's not to say taking security measures isn't a good idea, but it's got to be in proportion to the perceived threat.

I'd also read the comments in response to the original article, which point out what a nonsense it largely was. Protocols like POP3 which require your password to be sent in plaintext require some access in that form and these can relatively easily be sniffed by someone who physically had access to your phone anyway... The encrypted iPhone with physical access can be decrypted without too much difficulty, network traffic sniffed etc.

I am also curious. (1)

MyFirstNameIsPaul (1552283) | more than 3 years ago | (#36914850)

I'm not a pro, so I use a BlackBerry because I haven't read about BlackBerry phones having all these various issues.

Re:I am also curious. (1)

Lehk228 (705449) | more than 3 years ago | (#36916006)

BB password manager is very secure. If you turn on encryption for the phone, you also get that level of security for the entire device.

I don't... (2)

TemporalBeing (803363) | more than 3 years ago | (#36914870)

...keep that kind of data on my Android phone to start with. That's how.

Re:I don't... (0)

Anonymous Coward | more than 3 years ago | (#36914980)

Do you not use the Market? If you do use the market, your account is tied to the phone, so someone only needs to install the Gmail app to get to your email.

Don't worry... (1)

WillyWanker (1502057) | more than 3 years ago | (#36914872)

Be happy. Seriously. No one is interested in your Facebook page or your emails unless you've done something very, very bad.

Complete access to the internal memory? (5, Informative)

shutdown -p now (807394) | more than 3 years ago | (#36914884)

Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered.

No, it doesn't. You get access to /sdcard (whether it corresponds to a physical SD card or not), but that's it. You don't get access (even read access) to sandboxed application and system data storage, unless your phone is rooted.

So the obvious answer is that, if you want security, don't root your phone. It should be kinda obvious that if you can do what you want with the phone via USB, so can any application running on your PC.

Re:Complete access to the internal memory? (0)

Anonymous Coward | more than 3 years ago | (#36914978)

Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered.

No, it doesn't. You get access to /sdcard (whether it corresponds to a physical SD card or not), but that's it. You don't get access (even read access) to sandboxed application and system data storage, unless your phone is rooted.

So the obvious answer is that, if you want security, don't root your phone. It should be kinda obvious that if you can do what you want with the phone via USB, so can any application running on your PC.

Even if the phone was rooted, if USB Debugging isn't on then ADB can't access the phone. So your data is safe as long as they can't get past your screen lock to enable debugging.

Re:Complete access to the internal memory? (1)

machxor (1226486) | more than 3 years ago | (#36915130)

Even more because simply attaching the phone to a USB port allows complete access to the internal memory and SD card regardless of whether a password is entered.

No, it doesn't. You get access to /sdcard (whether it corresponds to a physical SD card or not), but that's it. You don't get access (even read access) to sandboxed application and system data storage, unless your phone is rooted.

So the obvious answer is that, if you want security, don't root your phone. It should be kinda obvious that if you can do what you want with the phone via USB, so can any application running on your PC.

Even if you're not kernel-rooted chances are (depending on the phone) all the hacker has to do is bypass your lock screen to enable usb debugging and root the phone himself.

Re:Complete access to the internal memory? (1)

shutdown -p now (807394) | more than 3 years ago | (#36915204)

Note the quoted part. It says "regardless of whether a password is entered".

If the hacker bypasses the lock screen, he can already have fun with your mail/FB/whatnot by using the apps directly, without even bothering to extract the password. Obviously, the first thing you should do if you're concerned that someone may steal your phone and get access to valuable info within, is to ensure that it is locked with a reasonably strong password, not a simple PIN.

Or are you saying that there is some known vulnerability that lets one bypass the lock screen in Android?

Re:Complete access to the internal memory? (0)

Anonymous Coward | more than 3 years ago | (#36915150)

Let's say the phone was lost or stolen. It'd be pretty trivial to root would it not? As far as I'm aware, it is. So really, "not rooting" doesn't give you any more security at all.

Re:Complete access to the internal memory? (2)

shutdown -p now (807394) | more than 3 years ago | (#36915216)

Let's say the phone was lost or stolen. It'd be pretty trivial to root would it not?

All root guides that I've seen for Android phones (admittedly, just a few, for those which I either owned or considered owning) require the phone to be put into USB debugging mode first. That is not on by default, and is tucked away pretty far, so it's not like you're going to enable it by default. If your phone is PIN or password-protected - which TFA seems to assume it is (makes sense if you're concerned about valuable data on it!) - I don't know of any way to enable USB debugging without getting past the lock screen somehow.

Should be semi-doable (1)

quantaman (517394) | more than 3 years ago | (#36914934)

First you encrypt the sensitive bits on the Android (i.e. passwords) with a master key.

Then you store the master key on an external server.

When you check your email the phone automatically sends the encrypted password to the server, gets back a decrypted password, and uses that to check your email. So there's no loss in convenience.

But if you lose your phone you can de-authorize it at the server level so the phone can no longer access the passwords and other encrypted data that was stored on it. This also means you'll be able to see which passwords were compromised (i.e., accessed after you lost the phone, and before you de-authorized it).

It's not a perfect system but I think it would give decent security, no idea if anyone has done it of course.

Nice idea. (1)

Vario (120611) | more than 3 years ago | (#36915552)

This sounds like a pretty nice and simple idea to me.

The extra amount of traffic does not matter, just a few bytes for the passwords and the delay does not really matter. Additionally that helps you if someone stole your phone as you could easily add some information about the current location.

One loophole is that you have to disable access/decryption instantly after your phone is missing, otherwise interception of the traffic would give the attacker the unencrypted password.
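The scheme quantaman describes, together with the de-authorization window Vario points out, sketched as an added example that is not part of either comment. `KeyServer`, its methods and the device id are hypothetical names; device authentication and transport encryption are assumed to exist; the HMAC-based `seal`/`unseal` pair is a standard-library stand-in for a real AEAD cipher.

```python
import hashlib, hmac, os

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 counter keystream: stdlib-only stand-in for a real AEAD (e.g. AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("blob altered or sealed under a different key")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

class KeyServer:
    """Keeps the master key off the phone; the phone stores only sealed blobs."""
    def __init__(self):
        self._keys, self._revoked = {}, set()
        self.audit = []  # (time, device_id, label, granted)

    def enroll(self, device_id):
        self._keys[device_id] = os.urandom(32)

    def wrap(self, device_id, label, secret):
        return seal(self._keys[device_id], label.encode() + b"\0" + secret)

    def unwrap(self, device_id, blob, now):
        label, _, secret = unseal(self._keys[device_id], blob).partition(b"\0")
        granted = device_id not in self._revoked
        self.audit.append((now, device_id, label.decode(), granted))
        if not granted:
            raise PermissionError("device has been de-authorized")
        return secret

    def deauthorize(self, device_id):
        self._revoked.add(device_id)

    def exposed_since(self, device_id, lost_at):
        # Labels released at or after the loss time: the passwords to rotate first.
        return sorted({lab for t, dev, lab, ok in self.audit
                       if dev == device_id and ok and t >= lost_at})
```

Every unwrap granted between the loss and the call to `deauthorize` hands back a plaintext password, so `exposed_since` lists exactly the credentials that have to be changed at the provider, not just blocked at the key server.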

Just by hooking up a USB? (1)

stinkytoe (955163) | more than 3 years ago | (#36915002)

On my G1, with either the stock firmware or cyanogen mod, I have to turn on mobile storage before the sd card and such are mountable through the USB. So, at least in my case, the pattern lock is effective for blocking USB access also (at least as effective as it is at locking anything else). Is this different for other firmware/models?

On the other hand, If I had the physical access, I could just yank the battery and plug the SD card into my laptop. So for that reason, I wouldn't rely on the pattern lock to secure anything sensitive anyways, regardless of how strong/weak it is. It's really only good for keeping somewhat honest people from digging through your text message history and such.

Protect data on my Androids? (1)

BriggsBU (1138021) | more than 3 years ago | (#36915018)

I usually equip them with laser weaponry or rocket launchers. If someone manages to disable them enough to render them unable to defend themselves, the data is usually pretty slagged too.

encrypted block level loopback device? (0)

Anonymous Coward | more than 3 years ago | (#36915078)

I've been considering buying an Android phone too and have a similar question. On Linux, one can mount a partition through an encrypted loopback device to encrypt the data at the block level, not the application level. Can Android do this, with auto-unmount after some period of inactivity? That's the only way I'm going to trust carrying any sensitive data around with me in this manner. The phone unlock codes are completely useless as a security mechanism.

Given that so many people do appear to carry sensitive data around on their phones, there must be some solution like this, no?

Re:encrypted block level loopback device? (1)

datapharmer (1099455) | more than 3 years ago | (#36915308)

Do you do that on your laptop? Most people freak out about their phones but are perfectly okay not encrypting data on their other devices. People are weak and make mistakes. Unless you want to play James Bond for a living get a life and move along.

Droid 3/Android 2.3.4 (3, Interesting)

Anonymous Coward | more than 3 years ago | (#36915096)

FWIW, the Droid 3 has full device encryption (Android 2.3.4). You can encrypt the whole phone, or just the internal memory card & SD card. It also has a time-lock password/pin/pattern that kicks in after 1-20 minutes (configurable). I was very surprised after upgrading from a Droid 1, which has basically no device protection whatsoever...

It's Linux (0)

Anonymous Coward | more than 3 years ago | (#36915158)

Build a new kernel and compile eCryptfs... then store whatever critical data you have inside an encrypted folder on your SD card.

Worry about QUALCOMM AMSS on your phone! (1)

gd23ka (324741) | more than 3 years ago | (#36915248)

There is a megabyte worth of firmware on your phone on a chip that has access to your camera, the mikes, the flash, virtually everything on a device such as a "Sprint EVO 4g".

This device has two cores on a SOC, the general application ARM11 core you know about that runs a linux kernel and then there is another ARM9 core that runs Qualcomm's AMSS software which is a CDMA2000 stack. This radio core has the same access like the general application core to the camera and the mikes, in fact there is support for the camera in AMSS (aka "multimedia extensions").

The radio is my main worry right now. I've already gotten rid of the smithmicro device management software and all the other HTC agents in the android environment but I'm seeing that the kernel(!) is maintaining http connections to sprintpcs.net servers. These I address with iptables right now. The cameras, both the front facing (!) camera and the camera in back, are taped over, by the way. I suggest you do the same.

My impression is this thing is a turd of a mobile tracking bug and I'm thoroughly disgusted with it and the scum that is pushing it.

FYI on Qualcomm AMSS (Advanced Mobile Subscriber Software): http://avs234.net/docs/cpu/qualcomm/80-VH700-1_B_AMSS_Overview.pdf [avs234.net]

Facebook? Secure? (1)

damn_registrars (1103043) | more than 3 years ago | (#36915344)

Surely, you jest. You should know better than to ever expect anything you post on facebook to be secure, ever.

You do not (2)

gweihir (88907) | more than 3 years ago | (#36915640)

Put data on a modern "smartphone" of any kind and you can expect everybody halfway competent to get all data on it. That includes thieves, the police, customs etc. Believing anything else is just foolish.

Snuko (0)

Anonymous Coward | more than 3 years ago | (#36916088)

I use this software called Snuko, if I ever lose my laptop or phone it will encrypt and wipe my data off of the device so I am not too concerned. I tried out the laptop version and it was pretty slick, it left me with absolutely nothing, I mean no start menu items no nothing!

But can you trust any Android App anyway? (0)

Anonymous Coward | more than 3 years ago | (#36916200)

What about the other apps you have on your phone, like those games that get access to the SD card and access to the network? Any such application can easily take information from your SD card and send it to whomever via the network.

So how well do you know and trust the individual that wrote that new game you love, or that new firewall and encryption application you loaded on your phone to protect it? Or what about that application that you let connect to your Facebook account so it could use your photos as your wallpaper?

how do I protect my data? (2)

roc97007 (608802) | more than 3 years ago | (#36916208)

I keep my phone with me. I never get drunk enough that I'm likely to leave my phone in a bar. I do a belt check whenever I leave a hotel room. My phone charger is on my desk in full view so I'm not likely to forget it in the charger.

Keeping your phone near you is at least 80% of security. No tool will absolutely guarantee you won't lose your data if you lose your phone. So first and foremost, don't lose your phone.
