How *not* to secure your mobile phone.

The following events are based on actual facts and actual events. Names have been changed to protect the oblivious.

I would like to start off by stating that I take no pity on the individual this story is about. I refer to them as oblivious because to do what they did simply can’t be categorized in any other way.

Let’s back up a week. I’ve been in need of another Android device to do some tinkering with, have a backup for my daily driver, and to have something that my son can play with and not fear total destruction (again of the daily driver). After checking with friends and co-workers if they had any spares – they didn’t – I resorted to Ebay. Long story short, I found an LG Optimus S – a rather sturdy little phone for its age for $7 plus $4 shipping. The description said that it did not boot. Being the hacker that I am, I generally don’t let simple statements like that deter me.

A few days later I had the phone in my mailbox. It even included the battery, which I wasn’t expecting. I attempt to boot it up, and as described – it doesn’t boot. I plug it in to ensure it has a charge. It won’t charge. I pull out the voltmeter and quickly determine the battery is junk. Fast-forward two more days after a visit to Amazon (Prime). A new battery is awaiting me in my mailbox. Plug it in, viola, Android magic!

Immediately after boot up I notice the first notification is a voice mail. Seems the user never did reset the device. Being nosey, I check the notification. Something about John borrowing the truck for an extra day. I hope Sam¹ didn’t miss that voice mail. I check the contacts, and once again, it is full of names and addresses of people I’ve never heard of. Popping into the app drawer, I notice that not only does all the user data remain, but so do the apps. At this point I’m ready to simply go ahead and do a hard reset as I have zero interest in any of the previous owner’s old apps or information. But then this catches my eye:

That’s right, the Chase Banking app. Immediately, my heart sinks. I already start to dread what I presume I’m going to find. I open the app, click the login button, and literally face-palm. Username jxxxxx, Password ********. The user’s login details were saved in the application. I’m now one click away from being in someone else’s bank account. At this point I’m feeling extremely paranoid, and my white-hat mindset kicks in. I pull the battery, put it back in, and proceed to hold the home key, volume down key, and power it into the recovery screen. A couple more volume clicks later, and the device is completely formatted and returned to its factory settings. The old data is wiped.

As I mentioned, I was already fairly certain as to what I was going to find before ever even entering into that Chase app. Why? Most people do not understand the consequences of their actions, especially when it comes to security. Nor do they even consider it when dealing with the majority of technical things they do on a day-to-day basis.

So for those of you wondering, let’s review some of the steps that Sam¹ should have taken.

1. Upon boot up, the device went straight to the launcher. No pin, password, or swipe gesture was required. You should always protect your devices with some sort of locking feature. This is especially true if you have sensitive data stored on your device. If you use your device to access your company email or remotely connect to your company network, this should definitely be part of the company policy. It’s easy to configure within Exchange as well.
2. The user stored sensitive credentials within apps. Storing your password for something like your gaming account is one thing. Even allowing Android to automatically log into your email is a little risky, but saving the username AND password to your banking application? That’s just asking for trouble. NEVER store credentials in any application that you wouldn’t want someone else having access to! End of story.
3. The user sold a device (knowingly) without performing a reset or wiping the data. This policy holds true for more than just cell phones. But let’s face it; we are all even more connected to our phones today than ever before. I’d go as far as to say some even use them more than their actual computers (for personal tasks). If/when you sell electronic devices, you should always perform a format, or wipe of all stored data, whether this is a factory reset of a phone, a format and reinstall of a laptop OS, or even a full DoD multiple pass wipe. Always destroy your data before releasing your devices to the public.
4. The fact that Sam¹ even had his banking app on his phone can be viewed as a flaw – but I’ll let that one slide. I personally choose not to keep anything on my devices that can associate me to what my banking information may be. I go even as far as to ensure that any emails I get from my banks are sent to an email address that isn’t associated with my default Android account. Paranoid, perhaps. Secure, you bet!

I will take a slight bit of leniency on Sam¹ based solely on the fact that he thought the device was toast. But this is even more reason why you should take the steps necessary to ensure the device is wiped clean before getting rid of it. And for the average Joe (Sam) it’s not always obvious how to do these tasks. I had to look it up myself for this specific device (Android tends to vary the button combination per device). But in this case because the phone wouldn’t boot with the dead battery, Sam wouldn’t have even been able to perform the reset without some other form of digital magic.

Moral of the story: Wipe your devices, lock your devices, and don’t store credentials to sensitive information!

¹ Sam is a made up name, unless his name really was Sam, in which case it is purely coincidental.