Cyber intrusions or 'just a volunteer data breach'?
Image Credit to Wandera.com


The scope of this article is mobile data protection, not merely data privacy, although the two are sides of the same coin. Do your best to take control of how your mobile device is used.

A user with little privacy awareness typically has a phone with the apps shown in the picture, which is pretty much the norm: everything from weather apps to Google Maps, all the apps that would like a big share of your privacy.

It also means that if you have a work phone, all these apps would like permission to access your contacts, calendar, etc.



What is abnormal app activity, and how do you define that?

  1. Unwillingly sharing data
  2. Too much access to the content on the mobile device




'Security of processing'

Most people give their data to Samsung, Google, Apple and all the commercial apps every day by using privacy-intruding apps, for example: Gmail, Yahoo Mail, Messenger, Google Maps, Facebook, Instagram, Twitter, LinkedIn, WhatsApp, YouTube and the iCloud apps.

To have a certain level of data protection on a mobile device, there are many default settings we have to take control of even before we take the device or an app into use. Check the app permissions, and do not grant a permission unless it is necessary.


Protection and risk mitigation on the mobile phone

We can do our best to make sure data protection is maximised, for example:

  • Limit access to the camera, microphone, GPS and contacts
  • Be aware of threats like phishing emails, and malicious links and files sent via any message, whether by email or messaging apps

Other important basic self-defence measures are:

  • A chosen antivirus/anti-malware app
  • The best browser (with privacy settings and add-ons)
  • A password manager


All of this should be basic procedure for all of us, whether the mobile phone is for work or private use. An organised phone where privacy and data protection are prioritised looks approximately like the one in the picture.


Control, permissions and device care

  1. Update your phone and all necessary apps every week
  2. Organise your files and photos (delete photos/videos in the Recycle Bin)
  3. Move files to an external hard disk for security
  4. Delete unnecessary stuff
  5. Limit apps to the most important ones (disable the rest if you cannot delete them), and before you download an app, check which permissions it asks for
  6. Beware of Bixby (Voice, Vision, Home) on Samsung, and of ad tracking, analytics, Siri etc. on iPhone
  7. Google settings on the Android phone (check all Account Services: Apps connected, Contact Sync, Google Fit, Google Play Instant, Google Pay, Location)
  8. Delete or deactivate apps you are not using
  9. Limit permissions in general: check all the app permissions, opening them one by one on a regular basis, and review each one of them

If you don't know where to start, start in Settings - Apps and go through all of them, but make sure to deal with:

  1. Google permissions
  2. App permissions


  • Find app permissions in the upper right corner on Samsung

Remember to deny access for the Bixby apps (Android) and Siri (iOS) if you want some privacy!


  • Take control of which apps have permission to use storage
  • Control which apps have access to the microphone
  • Control which apps have access to the camera
  • Control which apps have access to your exact location

Okay, you get the picture... so spend a few hours once in a while doing this, as the settings might suddenly change when apps are updated. Find professional guidelines in the links below.

Now you have done most things right to protect yourself, and you trust that the anti-malware app is helping you with the necessary web protection.

Are you safe now?

Example of abnormal activity

Default settings that grant ACCESS to all kinds of activities provide neither privacy nor information security.

With every update we need to check all standard settings and system apps to be on the safe side.

The latest example is this Android update, where new permissions have been granted without my consent or knowledge.

Samsung Bixby Voice cannot be denied or stopped!


Facebook Services? Although I have denied access to the Facebook app, new system apps have been installed, see image.
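As an added example (not code from the original article), here is a small Python helper for the check described above, that system apps and their permissions must be reviewed after every update: it diffs a package list saved before an update against the current one and picks out the sensitive permissions a new package holds. It only reads the output of `adb shell pm list packages` and `adb shell dumpsys package`; the package names and dumpsys text embedded below are constructed sample data, and the live `audit_device` call assumes adb on PATH and a phone with USB debugging enabled.

```python
"""Find system apps that appeared after an update and list the sensitive
permissions they hold, from plain `pm list packages` / `dumpsys package` output.
All sample data below is constructed for the demo."""
import re
import subprocess

# Permissions the article tells you to review: camera, microphone, location,
# contacts, calendar, storage. These are real Android permission names.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE",
}

def parse_package_list(text):
    """Parse `pm list packages` output ('package:com.foo') into a set of names."""
    return {line.split(":", 1)[1].strip() for line in text.splitlines()
            if line.startswith("package:")}

def new_packages(baseline_text, current_text):
    """Packages present now but absent from the baseline taken before the update."""
    return sorted(parse_package_list(current_text) - parse_package_list(baseline_text))

# `dumpsys package <pkg>` lists each permission as '<name>: granted=true|false'.
_GRANT = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true", re.M)

def granted_sensitive(dumpsys_text):
    """Sensitive permissions reported as granted=true for one package."""
    return sorted(set(_GRANT.findall(dumpsys_text)) & SENSITIVE)

def adb(*args):
    """Run an adb command and return its stdout (needs adb and an attached phone)."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=True).stdout

def audit_device(baseline_text):
    """Live check: compare the phone's system packages (-s) against a saved
    baseline and report the sensitive permissions each new package holds."""
    current = adb("shell", "pm", "list", "packages", "-s")
    return {pkg: granted_sensitive(adb("shell", "dumpsys", "package", pkg))
            for pkg in new_packages(baseline_text, current)}

def disable_for_user(pkg):
    """Disable a system app for the primary user when it cannot be uninstalled
    (the 'disable the rest if you cannot delete them' advice, done over adb)."""
    return adb("shell", "pm", "disable-user", "--user", "0", pkg)

# Constructed sample: a baseline from before an update and the list afterwards.
BASELINE = "package:com.android.settings\npackage:com.samsung.android.bixby.agent\n"
CURRENT = BASELINE + "package:com.example.wallpaperpush\npackage:com.example.adsvc\n"
DUMPSYS_SAMPLE = """Package [com.example.wallpaperpush]:
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    print("new packages:", new_packages(BASELINE, CURRENT))
    print("granted sensitive:", granted_sensitive(DUMPSYS_SAMPLE))
    try:
        print(audit_device(BASELINE))  # live run against an attached phone
    except (FileNotFoundError, subprocess.CalledProcessError) as err:
        print("adb not available:", err)
```

Save the output of `adb shell pm list packages -s` before accepting an update, then run the audit afterwards and review every package it reports before deciding what to disable.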


Wallpaper services?

I was contacted by a colleague one evening. The message came on the app Wire.com, where we do most of our communication in writing. There was panic... My colleague is aware of the most common data protection measures and goes through her phone settings on a regular basis; it's called data hygiene and device care.

HELP! I was going through my phone, checking the Settings, and found this on my Samsung7:

This F...... Chinese marketing and personalization company somehow got 59 system apps installed on my mobile in the last update... I just deactivated all of them, but I cannot DELETE them?

- Have you seen / heard anything similar?
- I was on their website https://www.ipengtai.com/html/en_m/about.html. It's crazy what they do about personal data...
- I don't know how it got on my mobile phone, do you think I got hacked?
- Should I call the Center for Cyber Security?...

- I define this pattern as a data breach on a mobile device.


I will spare you most details of the next 2 hours of this conversation back and forth.

I suggested that she downloaded Norton mobile security or Bitdefender to scan the device. Did so, with NO result. All OK?

I then suggested she downloaded the app Lookout Mobile Security as I had a premium code she could use. Did so, scanning in total 424 apps with NO result. All OK?

We discussed whether this was downloaded through the home Wi-Fi...

And in the end we simply couldn't find any other solution to get rid of these 59 system apps. The only option we could find was a reset. It was the 25th of December, so there were not many chances to get help. She could also just have shut it off completely.

Choices

  • Hard restart/reboot – this shuts your phone off and starts it back up (power off, power on)
  • Hard reset – also called factory data reset, this deletes everything on your phone

A factory data reset deletes everything on your phone. You won't be able to recover anything unless you back up your data in advance!

Make sure you ONLY do this if you are 100% sure you want to delete everything and have your important files, photos and information backed up to other storage.

Cyber intrusions or 'just a volunteer data breach'?

You might ask whether it is harmful; the thing is, we don't know. But we do believe that these 59 system apps came from a download via - can you guess it?

Yes, Wallpaper and themes...

Even if you read the Terms and Conditions, there is not a word about this company.

No alt text provided for this image

Be careful what you download from the Samsung Galaxy Store, and especially be careful what your kids download.


Made for Samsung by


You can instead use your own private images as wallpaper, as I do.


Read these articles to raise your awareness of mobile apps

Tips, tools and awareness: How to avoid becoming a cybercriminal's Christmas gift? https://www.dhirubhai.net/pulse/how-avoid-becoming-cybercriminals-christmas-gift-pia-tesdorf/

...

iOS app permissions - are your apps asking too much? https://www.wandera.com/ios-app-permissions/

Apple's Empty Grandstanding About Privacy. The company enables the surveillance that supposedly offends its values. January 31, 2019. Ian Bogost https://www.theatlantic.com/technology/archive/2019/01/apples-hypocritical-defense-data-privacy/581680/

Security Configuration Guide - Apple iOS 12 Devices https://www.cyber.gov.au/publications/security-configuration-guide-apple-ios-12-devices

Apple’s security and privacy is good, but could be even better, The company should double down on its privacy stand https://www.macworld.com/article/3513379/apples-security-and-privacy-is-good-but-could-be-even-better.html

...

Security Configuration Guide - Samsung Galaxy S9 and S9+ Devices https://www.cyber.gov.au/publications/security-configuration-guide-samsung-galaxy-s9-and-s9-devices

NIST National Institute of Standards and Technology Vetting the Security of Mobile Applications (2019) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-163r1.pdf

GDPR Principles. Article 5 Principles relating to processing of personal data. 1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Article 6 Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Article 25 Data protection by design and by default 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 32 Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Source: General Data Protection Regulation, April 2016 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN


#GDPR #Article5 #Article6 #Article25 #Article32 #Dataprotection #InfoSec

Pia T.

Senior advisor in dataprotection / infosec / cybersec / privacy enhancing technologies

5 years

Have you updated your Samsung phone? Then you may also have experienced getting new messages regarding CALLER ID & SPAM. A new app has been installed and would like to be used. It is a US app and I will not use it. > Apps > System apps > Hiya > Force stop > Disable. Always read the privacy policy and Terms of Service first!

Pia T.

5 years

Samsung S9 update, 17 Feb: check System apps for new apps with permissions, for example: APPS > Show system apps > FACEBOOK SERVICES?? Strange, as my FB app is disabled. FACE EXPRESSIONS?? FACE SERVICE??

Pia T.

5 years

Just updated Android on Samsung S9. Features: 1. Privacy permission manager; 2. Digital wellbeing and parental control; 3. BIXBY VOICE by Samsung activated itself again, disable! See photo.

Pia T.

5 years

Apropos the topic of my article: "These phones carry the "Google Play Protect" branding, but research shows that 91% of pre-installed apps do not appear in Google Play – Google's app store. These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model. This means permissions can be defined by the app - including access to the microphone, camera and location - without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions. We are concerned that this leaves users vulnerable to the exploitative business practices of cheap smartphone manufacturers around the world. The changes we believe are needed most urgently are as follows: Individuals should be able to permanently uninstall the apps on their phones. This should include any related background services that continue to run even if the apps are disabled. Pre-installed apps should adhere to the same scrutiny as Play Store apps, especially in relation to custom permissions. Pre-installed apps should have some update mechanism, preferably through Google Play and without a user account." https://privacyinternational.org/advocacy/3320/open-letter-google

Pia T.

5 years

Thanks Søren M., yes, there isn't much Protection or Privacy by Design there...
