In this week’s Whiteboard Wednesday, Deral Heiland, Research Lead for IoT Technologies, identifies the main causes behind security gaps in application development and provides best practices for how end users can make sure that critical data on their mobile devices is properly secured.
Welcome to this week's Whiteboard Wednesday. My name is Deral Heiland, and I'm the Research Lead for IoT Technology here at Rapid7. This week's topic is actually insecure storage of data on mobile phones.
As a research lead for IoT, I'm often testing IoT technology, and one of the key pieces of IoT technology is the mobile applications that are associated with it. One of the most common problems that I encounter, probably more than 90% of the time when I'm looking at these IoT devices and the mobile applications associated with them, is the insecure storage of critical data.
Critical data such as usernames, passwords, WiFi passcodes. The issue here is if you lose your phone, somebody could potentially gain access to this critical data, giving them the ability to control your IoT technology remotely without your permission, or gain access to your home WiFi network using the data that's actually stored on the phone. So, why is this taking place?
There are two main reasons why this is taking place. One of them is inexperience. The programmers or developers that are writing the applications lack secure coding practices. That lack of experience leads them to not properly write the code to support encrypting this critical data. The other thing is shortcuts. A programmer doesn't want to go through the effort to actually put the work into doing this, so he just avoids doing it. So, how do we fix this?
Well, typically the way to fix this is on Android there's a thing called Keystore. Keystore gives you the ability to properly encrypt and store data as necessary. Things such as usernames, passwords, WiFi passcodes, maybe even credit card data that may get stored there, a number of things. These need to be actually encrypted. Android gives you the ability to do this with the Keystore API functionality.
On Apple iOS devices, the Keychain service is available. Similar to the Keystore, it gives you the ability to properly encrypt the data that you're actually storing on the device, making it possible obviously if you lose the phone, that the data will not be compromised.
Now the third item, this is something that you can do as an end user. Ultimately, you can set a passcode or a PIN code on your device, so that when you lose your phone, the person can't easily gain access to what's on the device because they do not have your passcode.
Now that doesn't mean somebody that really makes an effort to do so can't break past that. That is possible, but often if somebody gets your phone, they want it for the phone service. So they can enter your PIN code wrong a number of times and actually wipe the device, which is exactly what you want them to do if you lose your device, versus easily getting access to it.
Although not perfect, I would recommend everyone set a passcode on their device to prevent easy access to this.
Based on this, if we start programming and utilize Keystore and Keychain services, get away from the shortcuts, which do none of us any good, and focus on properly encrypting this data in storage, we could remove this very common problem that I encounter over and over and over again.
That's it for this week's Whiteboard Wednesday. We'll talk to you next week.
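The Android Keystore approach the talk recommends, as an added example that is not part of the transcript and is not Rapid7's code. It shows the insecure pattern that is typically found in IoT companion apps (a WiFi passcode written in plaintext to SharedPreferences) next to a hardened version that keeps an AES-256-GCM key inside the Android Keystore and stores only ciphertext. The preference file name `iot_prefs`, the key alias `iot_secret_key` and the object name `SecretStore` are assumptions made for the example; `setUnlockedDeviceRequired` needs API level 28 or later.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Insecure pattern: the WiFi passcode is written in plaintext to SharedPreferences,
// an XML file that anyone with a filesystem backup or root on a lost phone can read.
fun storeInsecure(ctx: Context, wifiPass: String) {
    ctx.getSharedPreferences("iot_prefs", Context.MODE_PRIVATE)   // assumed file name
        .edit().putString("wifi_pass", wifiPass).apply()
}

// Hardened version: the AES key lives in the Android Keystore (hardware backed where
// the device supports it) and is not extractable; the app only ever handles ciphertext.
object SecretStore {
    private const val KEYSTORE = "AndroidKeyStore"
    private const val ALIAS = "iot_secret_key"        // assumed alias for the example
    private const val PREFS = "iot_prefs"             // assumed preference file name
    private const val TRANSFORM = "AES/GCM/NoPadding"
    private const val TAG_BITS = 128
    private const val IV_LEN = 12                     // GCM IV generated by the Keystore

    // Return the app's Keystore key, generating it on first use.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
        (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }
        val gen = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        gen.init(
            KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
            )
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // Ties the key to the passcode the talk recommends: it is only usable
                // while the device is unlocked (API 28+).
                .setUnlockedDeviceRequired(true)
                .build()
        )
        return gen.generateKey()
    }

    // Encrypt a secret (username, password, WiFi passcode) and store IV || ciphertext.
    fun put(ctx: Context, name: String, value: String) {
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.ENCRYPT_MODE, key())       // Keystore picks a fresh random IV
        val ct = cipher.doFinal(value.toByteArray(Charsets.UTF_8))
        val blob = cipher.iv + ct
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
            .putString(name, Base64.encodeToString(blob, Base64.NO_WRAP)).apply()
    }

    // Decrypt a stored secret; returns null when nothing is stored under that name.
    // Tampered or truncated ciphertext makes doFinal throw (GCM tag check), so the
    // caller sees an exception rather than silently corrupted data.
    fun get(ctx: Context, name: String): String? {
        val enc = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
            .getString(name, null) ?: return null
        val blob = Base64.decode(enc, Base64.NO_WRAP)
        val iv = blob.copyOfRange(0, IV_LEN)
        val ct = blob.copyOfRange(IV_LEN, blob.size)
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(TAG_BITS, iv))
        return String(cipher.doFinal(ct), Charsets.UTF_8)
    }
}
```

A quick check during an app review is to pull `/data/data/<package>/shared_preferences/*.xml` from a test device: with the insecure function the WiFi passcode appears verbatim, with `SecretStore` only Base64 ciphertext does, and the key that decrypts it cannot be exported from the Keystore. The iOS equivalent is to write the same values to the Keychain with an accessibility class such as `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` rather than to `NSUserDefaults` or a plist.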