English Cloud And Smartphone Data Security

You probably heard some sermons about how putting your data in the clouds isn’t such a great idea?  Well, imagine a cloud of clouds, where all your accounts are linked and the accesses are granted : your smartphone.

What happens if you lose your cellphone?  Oh right, it’s locked and secure, you can even remote wipe it!  Ummm don’t be so sure - let’s just remove the SIM card, you can’t remote wipe it.  Oh yep, don’t connect it to internet right now.  As for the unlock, iPhone had their share of exploits to circumvent the “lock security”.  Pattern passwords can be cracked, or even worse, reset with adb.  Can’t count on that, unless some n00b finds your phone and just resets it.

But...what happens if it isn’t a n00b?  With what I just said, it isn’t too hard to get to the data.  I tried with my own cellphone, an older one, did ask a friend to set his cloud accounts, Facebook, corporate email accounts (Exchange with ActiveSync), Google accounts synced to drive, and some apps.  Then I asked him to set a password that he’s not going to tell me.

In less than 90 minutes, I could :

  • Dump his cellphone backup with ClockWorkMod on his Google Drive

  • Download a complete backup of his Facebook account

  • Access a picture of his passport

  • Grab some passwords from his workplace, VPN, DMZ, OWA and Intranet accesses

  • Access critical information about his personal business, bank accounts and client information

  • Read the code of his closed-source projects

  • Access his home LAN

  • Manage his Dropbox account even if it has 2-factor auth

  • Make bank transfers with his account and his Paypal

  • Learn plenty of daily habits from his calendars/todo lists

With informations contained within his passport and some social engineering, it wouldn’t be too hard to steal his ID without dumpster diving...or worse, destroy his personal and professional life.

How to avoid this?  There isn’t a single solution, but a combination of solutions, depending how far we’re willing to go :

  • Use self-hosted service on self-cloud (like arkOS)

  • Setup 2-factor/step auth on DIFFERENT devices

  • Do NOT note passwords anywhere unless it is some keyring not authenticating automatically

  • Set the cloud accounts without password, if possible

  • Avoid storing confidential data on the linked accounts or on the device

  • If you lose a device, be sure to change ALL your passwords ASAP - the problem there is to remember everything that has been linked.

  • You do need to try a remote wipe/locator, but do not count on that, unless you get a complete confirmation

  • Fingerprint authentication - not always possible and still not perfect

  • Try not to lose that damn phone :)