Throw It in the River? Towards Real Live Actual Smartphone Security

Presented at DerbyCon 1.0 (2011), Oct. 1, 2011, 9 a.m. (50 minutes).

Smartphones are hot, like a server from 1995, public IP address (phone number) and sending all its data over telnet (unencrypted). Add in apps with your passwords and credit card, and you’ve got a way for a bunch of kids to get famous. This presentation is all about plausible mitigations that smartphone and app providers could adopt to mitigate attacks we’ve seen at conferences and in the wild. Can I completely fix smartphone security in 50 minutes or less? No, but in this talk I address specific risks that have been exploited either in the wild or in previous papers and talks, and discuss ways they can be mitigated given what the smartphones already have going for them. For example, did you know most of the data you send over the cell provider network is encoded, not encrypted? Yet the base smartphone OS has openssl installed. So here’s some code that provides end-to-end encryption for your text messages without even breaking the telecom SMS specifications. As for the smartphone that acts like a credit card so you buy your Starbucks, if you want it to be secure, I still say throw it in the river.


Presenters:

  • Georgia Weidman
    Georgia Weidman is a member of the GRM n00bs, a group providing training and media for information security beginners. She is a survivor of the collegiate cyber defense competition and a security master’s program. Now she specializes in whatever security work she can get, collects certifications, makes videos, takes photographs at inopportune times, and sometimes podcasts.
