Tuesday, November 12, 2013

Preparing for the Loss of Your iOS Device

Imagine you lost your wallet, or even worse, you are pretty sure it has been stolen. Are you able to remember which credit cards were in it and how to revoke them? Other credentials? Your AAA card, driver's license, ... Maybe an access card for work, etc.? Probably you can scrape those bits and pieces together. Now try the same thought experiment for your smartphone.

Imagine somebody stole your smartphone or tablet. Which apps on it are linked to online services you are signed up for, and for which you should really reset your password now? iCloud, Dropbox, eBay, Facebook, Google, Skype, Twitter, your bank accounts, your airline accounts, ... I counted over 150 apps on my phone the other day, linked to 69 unique accounts.

Sure, you hopefully had a PIN or passcode (or fingerprint ;-)) set to protect access to the apps and data on your phone. And maybe it only took you an hour to realize that it was stolen and to trigger Apple's remote wipe functionality. But depending on the thieves' determination, those things won't necessarily stop them: the wipe is only carried out once the device comes online again, there are forensic tools out there to circumvent the lock, and maybe your PIN is easy to guess. The iPhone 5S's Touch ID fingerprint sensor was bypassed with a fake fingerprint within days of the phone hitting the market.

My point is that I personally wouldn't want to rely on just the access protection that my phone offers. If I lost my phone, I would probably want to go ahead and change passwords for my most important accounts, or even all of them. And I'd rather have a list handy of what those accounts are, rather than trying to piece them all together from memory. And what about data that is stored on your phone? Do you have a backup for it? Might be worth thinking about that ahead of time.

Your mileage may vary, obviously. Everybody's risk profile and appetite is different (see Threat Modeling at the end of this blog entry). But if you feel like spending an evening geeking out on preparing for that eventuality, read on...

Threat Modeling
So what threats are we preparing ourselves for by going through this exercise?
  1. An attacker obtains your smart device with an interest that goes beyond just reselling it on the black market or eBay. The bad guy is somehow able to circumvent the access protection that is provided by the device, and then:
    1. Uses your social media apps to post damaging statements on your behalf; or maybe, to collect your or your friends' personal information in order to facilitate sophisticated social engineering attacks or identity theft. Or maybe just use the data in your calendar...
    2. Uses passwords (or credit card numbers!) found in the cache of poorly written apps to log into your bank or whatever accounts and wreak havoc (or go shopping ;-)).
    3. Uses second factor authentication credentials generated by your Google Authenticator (or similar) app on the phone to access accounts that the attacker already obtained the password for through other means. Maybe you accessed your email on an Internet cafe computer that had a key logger installed?
    4. Uses the VPN credentials on your phone to remotely connect into your employer's network and access corporate data.
  2. Your device is lost/broken/stolen. It has data stored on it that you need. You thought for sure it was backed up somehow, but it wasn't.
How likely any of this is to happen and how big the consequences would be for you is for you to determine. (Let me just say that none of this is impossible or unheard of.) As a result, you might decide to take some of the precautions discussed below, or decide that you don't have anything to worry about. ;-)

Making an App Inventory
I suggest creating an inventory of the apps that are on your device, what kind of data they store, which online service they are linked to, etc. You could just jot something down on a piece of paper. Or you could use this handy spreadsheet template I made for you [Excel Template | CSV].

App Inventory Spreadsheet
Here are instructions for the individual columns in the spreadsheet. I also pre-populated the template with some common apps as examples:
  • App: The name of the app, obviously. How to best get a complete list of the apps on your device? For iOS, the best approach I could figure out is to either access the device information in iTunes (the Apps tab lists all apps installed on the device), or to use iExplorer and explore the apps folder on the device.*
  • Critical Data: Make a note here if the app stores data that might either a) be sensitive, in the sense of an attacker being able to exploit it and cause damage with it (credit card numbers? bank statements? your company's trade secrets?), or b) cause you distress in case you lose it and won't be able to recover it.
  • Password / Associated Service?: If the app uses a password or passphrase, write down the name of the service the password is associated with. (Don't write down the password itself. I am assuming here -- and you can use the spreadsheet as an aid to double-check -- that some sort of password manager is used to keep track of the passwords, for example LastPass. The primary purpose of this entry is to help us identify the online services that we will want to change our passwords for if we lose the device.)
    • There will be some dupes in this column: For example, Google Drive and Google Mail both use your Google password.
    • There may be apps that are authenticated to more than one service. For example, you may have authorized your favorite News app to post on your behalf to Facebook and Twitter. List both.
    • In rare cases in today's connected world, there might also be an app that does not connect to any online service and still requires a password for access to its data on the device. Maybe your password manager?
    • Application-specific passwords: If you happen to remember that you didn't just enter user name and password for whatever service into an app, but instead used an application-specific password or the service's own authorization mechanism (the "allow this app to access your account" dialog) to authorize the app, then make a note of that. It matters because such per-app credentials usually survive a change of the account password and have to be revoked separately; see the section on changing passwords further down.
  • Crypto Keys?: There may be some apps that use cryptographic keys for authentication rather than (or in addition to) passwords. If the device gets compromised, we will want to change those keys, and thus list them here. Examples are "certificates" (and their associated private keys) for VPN connections, or apps that connect to Amazon cloud storage using an AWS Access Key. If you don't know, then leave it blank, maybe?
  • 2nd Factor (Type)?: Some services offer two-factor authentication these days, which you have hopefully enabled if they do. If so, list the type of second factor being used, or rather the service that provides the second factor. A popular example is Google Authenticator, or RSA hardware tokens. Apple also offers two-factor authentication for your Apple ID (enable it here), which is associated with the Find My iPhone service...
  • Credential Priority?: How important is it to change the password / revoke the crypto material if your device gets compromised? For example, I'd want to focus on changing passwords for services like Google and my bank accounts first, before dealing with photo sharing or fitness tracking websites. I suggest sticking to two categories, maybe "high" and "low"?
  • Data Backup?: This entry helps you think about whether you have a backup for any of the critical data you don't want to lose. Turns out that in my case, there were only a handful of things that weren't automatically synchronized with some sort of online service. And most of those that weren't I don't care too much about. But one or two I was glad I caught.
  • 2nd Factor Backup?: This is an interesting one. It is supposed to help you think about whether you've got a backup for when you lose your soft or hard token for two-factor authentication. I discuss this in detail further down in this post. Maybe fill this column out last. ;-)
  • Notes: Any notes you want to keep. :)
*There are a few apps that you won't catch by doing this, namely the ones that are included with iOS, rather than installed through the App Store. This includes Contacts, Messages, Mail, etc. Most of these use your Apple ID for authentication. But there are some exceptions: iOS integrates several social networking accounts into its core without a separate app having to be present. Namely, as of iOS 7.0.3, those are Facebook, Flickr, Twitter, and Vimeo. (Those can be found in the iOS Settings, scroll down a few pages. If you don't use the service-proprietary, say, Facebook app, but are logged into Facebook through iOS, then capture this somehow in the spreadsheet to remind you to change your Facebook password if the device gets lost.)

You may want to update this spreadsheet occasionally with new apps that you installed. One way to keep track of that might be to access the purchase history for your Apple ID in iTunes. If anybody has a better way of doing this, please post a comment!
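To show what the inventory buys you once it exists, here is an added example (not part of the original post or its spreadsheet template) in Python that reads such an inventory as CSV and turns it into two lists: the ordered response checklist for the day the device goes missing, and the preparation gaps to close before that day. The column names and the sample rows are constructed for this example and only mirror the columns described above; the "auth" column is an assumption that records how the app was linked to the service (password, OAuth-style app authorization, certificate, or API access key), which is what decides whether a password change is enough or a separate revocation is needed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory. Column names are an assumption that mirrors the
# spreadsheet columns described above; they are not the real template's headers.
SAMPLE_INVENTORY = """\
app,service,auth,crypto_keys,second_factor,priority,critical_data,data_backup,second_factor_backup
Gmail,Google,password,,Google Authenticator,high,mail,yes,printed recovery codes
Google Drive,Google,password,,Google Authenticator,high,documents,yes,printed recovery codes
Dropbox,Dropbox,password,,SMS,high,documents,yes,
PDF Reader,Dropbox,app authorization,,,low,,,
News Reader,Twitter,app authorization,,,low,,,
News Reader,Facebook,app authorization,,,low,,,
Bank,Bank,password,,RSA token,high,statements,n/a,
VPN Client,Employer VPN,certificate,VPN client certificate,,high,,n/a,
Cloud Storage Browser,AWS,access key,AWS access key,,high,,n/a,
Photo Journal,,password,,,low,private photos,no,
Fitness Tracker,FitnessSite,password,,,low,,yes,
"""

PRIORITY_ORDER = {"high": 0, "low": 1}


def load_inventory(csv_text):
    """Parse the inventory CSV into a list of row dicts (empty cells become "")."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def response_plan(rows):
    """Build the ordered to-do list for the day the device goes missing.

    Returns (priority, service, action) tuples, high-priority services first.
    A service gets one "change password" step even if several apps share it
    (Gmail and Google Drive both use the Google password). Every OAuth-style
    app authorization and every key or certificate gets its own revocation
    step, because changing the account password does not invalidate those.
    """
    by_service = defaultdict(list)
    for row in rows:
        if row["service"]:  # local-only apps have nothing to revoke remotely
            by_service[row["service"]].append(row)

    steps = []
    for service, entries in by_service.items():
        # A service inherits the highest priority of any app that uses it.
        prio = "high" if any(e["priority"] == "high" for e in entries) else "low"
        if any(e["auth"] == "password" for e in entries):
            steps.append((prio, service, "change password"))
        for e in entries:
            if e["auth"] == "app authorization":
                steps.append((prio, service, f"revoke authorization for app '{e['app']}'"))
            if e["crypto_keys"]:
                steps.append((prio, service, f"revoke/rotate {e['crypto_keys']}"))
    steps.sort(key=lambda s: (PRIORITY_ORDER[s[0]], s[1], s[2]))
    return steps


def preparation_gaps(rows):
    """Things to fix now, before the device is lost: second factors without a
    backup, and critical data whose only copy lives on the device."""
    gaps = []
    for row in rows:
        if row["second_factor"] and not row["second_factor_backup"]:
            gaps.append(f"{row['app']}: no backup for 2nd factor ({row['second_factor']})")
        if row["critical_data"] and row["data_backup"].strip().lower() == "no":
            gaps.append(f"{row['app']}: critical data ({row['critical_data']}) not backed up")
    return gaps


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY)
    print("If the device is lost, in this order:")
    for prio, service, action in response_plan(inventory):
        print(f"  [{prio}] {service}: {action}")
    print("Fix before it happens:")
    for gap in preparation_gaps(inventory):
        print(f"  - {gap}")
```

Note that the PDF reader's Dropbox authorization is reported under Dropbox at high priority even though the reader app itself is low priority: the service is what the attacker reaches, so the service's priority wins.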

Other Things To Take Into Account
Now that we know which passwords we will want to change if we lose our device, and we have thought about whether our data is backed up somewhere off-device, let's consider a couple of additional things:

Credit Card Numbers
Some apps store your credit card number on your device. They shouldn't; it's bad architecture for almost any use case. But if they do, they might be coded sloppily enough to not encrypt it in any sensible fashion, either. If our device thief manages to access the device's file system, he or she might find those numbers.

I am personally not too worried about credit card numbers, in particular if it's not a business card (business cards are not covered by the same consumer protection laws as personal cards in the US). But if this thought sounds concerning to you, then having a separate card for use with your device might be a good idea. That way, you only have to monitor/cancel that one card if you suspect that your device might have been compromised.

Password Managers
These days, the security community has widely accepted that dealing with the industry headache that is password-based authentication in a way that lets us use passwords that are hard to crack, and a different one for every service, far exceeds the capabilities of human memory. Paper doesn't seem to be a great solution either. So we use password managers: all of our passwords in one and the same database. Scary.

There are different architectures for password managers. Some store just local copies of your passwords. Maybe on the device you are about to lose? Others can sync between mobile devices and PCs. Yet others, like LastPass, store an encrypted master database with your passwords on their servers, and allow you to access it and decrypt it from various devices.

Whatever type you use, make sure the only copy of your password manager's database isn't located on a device that you might lose. Keep backups. Use a very strong master passphrase and hope that the encryption is implemented properly. If you use a passphrase that can be guessed (there are tools that automate offline guessing against a copy of the database), it might have disastrous consequences.

Keychain'ed Data
Similar to those password managers above, iOS implements a data store for sensitive data. One thing that our inventory above does not take into account is the data stored in the keychain. When Safari, for example, asks you whether it should remember the password for a website you are visiting, or the credit card number you entered on a web page, then this ends up in the keychain.

It depends on your paranoia whether you want to rely on the protections for the keychain that Apple has implemented, or not. If your keychain is not synchronized with another device, it might be time to think about how to inventory its content as well, so that you can make sure you have a backup of those passwords somewhere. (How to do this for Safari auto-fill information is described here. For content that other apps store in the iOS keychain, I'm not aware of a user-friendly way to do this -- not all apps support keychain syncing with OS X, where Apple supplies an app to browse keychain content.)

Two-Factor Authentication
Of the dozen-or-so apps on my phone that support two-factor authentication (see the 2nd Factor spreadsheet entry above), all but one either use an app on my phone (like Google Authenticator) or my phone number (by sending text messages) to communicate that second factor to me. If I don't have access to my phone, I won't be able to derive that second factor from it. 

Pretty much all of those services, though, offer a backup for that case. Often, that involves printing out some backup or recovery codes that can only be used once, and storing them someplace that you will be able to find (and access) them at when you need them years later. This can take some time to figure out, but may save you some headaches if you ever end up in that situation.
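The codes an authenticator app shows are nothing magic, which is why threat 1.3 in the threat model above and the backup question here come down to the same thing: the seed. Here is an added example in Python (not code from the original post, and not Google Authenticator's code) that implements the RFC 4226 / RFC 6238 HOTP and TOTP derivation that Google Authenticator and similar apps use. Whoever holds the base32 seed from the enrollment QR code produces identical codes on any device, so a copy of the seed is a backup, and a seed sitting on a lost device is a credential to re-enroll, just like a password. The seed used in the demo is the RFC test vector, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F                        # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros, e.g. "081804"


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter = number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def seed_to_base32(secret):
    """The form in which the seed travels in the enrollment QR code (otpauth URI)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def totp_from_base32(b32_seed, at_time=None):
    """What an authenticator app does: decode its stored base32 seed and derive the current code."""
    padded = b32_seed.strip().replace(" ", "")
    padded += "=" * (-len(padded) % 8)                # restore base32 padding if it was stripped
    secret = base64.b32decode(padded, casefold=True)
    return totp(secret, time.time() if at_time is None else at_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed (ASCII "12345678901234567890"); a real seed is random.
    seed = b"12345678901234567890"
    enrollment = seed_to_base32(seed)
    now = time.time()
    # "phone" and "backup" hold the same seed and therefore agree on every code
    print("seed from QR code :", enrollment)
    print("code on the phone :", totp(seed, now))
    print("code from backup  :", totp_from_base32(enrollment, now))
```

The practical consequence: printing the enrollment QR code (or the base32 string) and locking it away is a complete backup of a soft token, whereas a screenshot of the six-digit code is worthless after 30 seconds. The same property is what makes a seed extracted from a lost phone dangerous until the service is re-enrolled with a fresh one.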

What To Do When You Lose Your iDevice?
Well, let's assume you are sure it's lost or stolen. When, exactly, you pull the trigger on assuming that it might have fallen into the hands of a bad guy rather than just sitting underneath a pillow on your couch depends, again, on your personal risk management. But hopefully all that preparation we went through above won't let you hesitate just because you don't have a plan on how to recover from the loss of your device.

Attempt to locate (and potentially remotely wipe) the device.
This may or may not work. The device needs to be online for this (a remote wipe is only carried out once it connects), and it still needs to be associated with your Apple ID. Go to the iCloud web interface to give it a shot. All this assumes that you set up Find My iPhone in the first place.

Notify your employer.
If you use your personal device to access your organization's data, for example the corporate calendar and mail, or other resources through a VPN connection, let them know. Don't wait with this. Any organization that is serious about its security management will appreciate being able to revoke your remote access and activate whatever other procedures they may have sooner rather than later, even if it turns out afterwards that it was a false alarm.

Notify your network operator.
Report your phone stolen and ask them to deactivate the SIM card in the phone, so that no further two-factor authentication credentials can be sent to that phone by text message. (Be aware that at that point in time, the phone will also lose any cellular data connection, which might hinder any remote tracking attempts a la Apple's Find My iPhone. Maybe just remove text messaging from your plan, instead?)

Change high-priority passwords.
Luckily, you have a list of those.

There are some additional considerations to be taken into account, though: You may be well familiar with various apps asking for authorization to post on your Facebook, Google+, LinkedIn, Twitter, etc. accounts. These authorizations are not necessarily tied to the password you use for the respective service -- each app may have been issued its own authentication credential to use with the service. In other words: That PDF reader app on your device might still be authorized to access your Dropbox account, even though you changed your Dropbox password. (If you use Dropbox, check out the "My apps" menu under Settings to see which apps are authorized to access your account.)

For various reasons, this is usually a good thing. But what this means is that for those cloud services with a more sophisticated authentication architecture, you may need to look through the list of authorized apps for your account and revoke authorizations for the apps that reside on your lost device.

Other things
Now it may be time to:
  • Review the list of critical data stored by apps on your device, and decide whether there is any other action you ought to take. Notify somebody that the confidential data they shared with you might have been compromised, for example.
  • Change lower priority passwords. See the note above for high-priority passwords.
  • Cancel your credit card(s), if that worries you. (See above.)
Things You Won't Be Able To Do
Data that's on your lost device is, well, lost. At least the particular copy of that data that was on the device. This also means that if you have reason to believe that somebody might undertake the effort to access this data on the device, you need to accept that they might succeed. As mentioned above, all you can do is to review the type of data that might be compromised, and try to be pro-active in remediating the potential effects of that compromise.

...if anybody actually ends up using this, post a comment or drop me a note. I'd be curious to know how many people bother. ;-)

Thanks to Auston Holt (@c3llardoor) for feedback!