Data Privacy Day: Day 2

Post » Sun May 13, 2012 5:25 am

Today is NOT Data Privacy Day. Data Privacy Day is Jan 28th, this Saturday. However, this year I am breaking up the Data Privacy Day thread into multiple much more manageable chunks. This is Day 2 and will cover a key aspect for the modern world: Smartphones.

Sections:
Day 1: http://www.gamesas.com/topic/1337235-data-privacy-day-day-1/
Day 2: http://www.gamesas.com/topic/1337699-data-privacy-day-day-2/
Day 3: http://www.gamesas.com/topic/1338134-data-privacy-day-day-3/
Day 4: http://www.gamesas.com/topic/1338605-data-privacy-day-day-4/
Day 5: http://www.gamesas.com/topic/1339018-data-privacy-day-day-5/
Day 6: Set up OpenVPN on Windows and Final Remarks

The goal, as always, is to make you more informed about your data and your privacy. I hope you find some of this information useful and put it into action. Security and privacy are constantly evolving items, and what cuts it today may not in the future, but this should be a good springboard to boost your security and privacy for Data Privacy Day and the years to come. As always, the level of security you need will differ from others, so you need to figure out what level is good for your needs. Some things, though, are universally applicable to all, such as a good Password system. Another thing to remember is that even if you follow the best of security practices, it may not be enough to stay safe if a company who has poor security practices gets hacked (and after this summer, I think we are all familiar with that).

Special thanks to MorrowindFan for his help with verifying some of the Windows Phone 7 information

Smartphones


Do note, that while this section is specifically about smartphones, since most popular tablets on the market are based off of smartphones currently on the market, a good chunk of this can be applied to tablets too.

I'd argue that phones and data privacy and security don't even belong in the same playing field. Phones leak information like a sieve, and smartphones are even worse at it. This year saw many scandals related to various smartphones. There was the http://www.wired.com/gadgetlab/2011/04/iphone-tracks/, which led to general coverage of http://gizmodo.com/5794891/do-apple-google-and-microsoft-know-your-every-step-a-handy-chart, and then it turned out that http://www.winrumors.com/windows-phone-proven-to-record-location-data-without-authorisation/ (Even though Microsoft went on record during the original iPhone scandal saying WP7 didn't do nearly that much), and then we found out about http://www.engadget.com/2011/12/01/carrier-iq-what-it-is-what-it-isnt-and-what-you-need-to/ (except Verizon phones), http://www.pcworld.com/businesscenter/article/239607/diginotar_certificates_are_pulled_but_not_on_smartphones.html and a good many smartphones still have these certs active, http://www.esecurityplanet.com/browser-security/diginotar-when-trust-goes-e-everything-goes.html. This year was also a big year for malware on smartphones. http://www.schneier.com/blog/archives/2011/11/android_malware.html got lots of coverage (though it's not as bad as the coverage made it out to be), and even the http://www.engadget.com/2011/11/07/charlie-millers-latest-ios-hack-gets-into-the-app-store-gets-h/. Of course why bother with malware when you can just completely http://news.cnet.com/8301-27080_3-10299378-245.html? Throw in some http://www.youtube.com/watch?v=TzR7R6fBr00, maybe http://www.youtube.com/watch?v=lsIriAdbttc, and why not even some http://seclists.org/fulldisclosure/2011/Aug/76 just for kicks.

Ok... I think you get the picture, the sad thing is that the above is not even close to covering all of what has happened in the last year or so when it comes to smartphone (and phones in general) insecurity. Smartphones may be wonderful tools, but they definitely aren't secure. There are some things you can do about this, but the best is probably just turning the phone off when you don't need it :P. Really though, there's no way many of you can imagine going back to your life without a smartphone, so at least do your best to bolt down what you can, which is mostly physical security.

Locking your phone


Android: Android 2.2 enabled PIN and password locking, prior to that you could only do a swipe pattern*. http://www.tech-recipes.com/rx/5901/android-2-2-froyo-use-pattern-pin-or-password-for-screen-unlock-security/
*Note: If using a swipe pattern, make sure to have at least one part of the pattern trace over itself. If you do not, someone can tell your pattern by looking at your smudge marks.

For Apps there are two tools: Android Protector and Tasker:

http://www.android-password.com/ - free up to 10 locked apps, $0.99 for unlimited locks.

http://tasker.dinglisch.net/ - $5-7 (out of market version is cheaper and recommended for file encryption). http://tasker.wikidot.com/applock

Why lock an app? Let's say you are letting a friend borrow your phone, but don't want them "accidentally" reading your emails or posting something from your Facebook account. Now you can lend them your phone without watching over their every move like a hawk.

iOS: with iOS4, full password support came to the iPhone. http://www.macobserver.com/tmo/article/ios_4_setting_secure_passcodes/ -- iPhones not using iOS4 or later: http://www.youtube.com/watch?v=8SW9mL-f5Ww

Unfortunately I can't find any tools in the market to lock apps. For jailbroken iPhones it looks like there are two (I couldn't test them since none of my family members would let me jailbreak their iPhones), both available on Cydia: mAdvLock (also has file encryption, but costs $15) and Lockdown (has a free version, pro version is $2 and works on iOS4).

Windows Phone 7: Blech, http://www.microsoft.com/windowsphone/en-us/howto/wp7/basics/lock-screens-faq.aspx (at least it allows PINs longer than 4 numbers, which I highly recommend). Thankfully the lockout period is always in effect (though it could do with some beefing up IMO). Hopefully the next major update will allow longer passwords or at least pattern lock. I mean, Microsoft created that great picture password for Windows 8, can't they port it over?

Password Management on your Smart Phone


USE ONE! KeePass-compatible, LastPass Premium, or something else, just use one! I already listed them all out in the password section, so just pick one out. Here, I'll make it easy for you: https://market.android.com/details?id=com.android.keepass&hl=en for Android, http://7pass.wordpress.com/ for Windows Phone 7, and either http://itunes.apple.com/app/id451661808 (free) or http://itunes.apple.com/us/app/mykeepass/id353354895?mt=8 ($0.99) on iOS. For LastPass users, $12/yr isn't much and then you can use their https://lastpass.com/misc_download.php?fromwebsite=1. I can't begin to tell you how many times I've seen someone open their smartphone's unsecured notes to find a password. Stop it! Please. Your phone is insecure enough as it is without you storing your passwords in plaintext.

Remote Locating/locking/wiping


Your smartphone contains all sorts of juicy information on you. You need to be able to remotely wipe it if you ever lose it.

Android:

http://www.f-secure.com/en/web/home_us/protection/anti-theft-for-mobile/overview - Free for all. Remote Locate, Lock, and Wipe

https://www.mylookout.com/ - Free or Premium version for $30/yr. Not only does it offer remote finding through the website, but also has an antivirus program (the usefulness of an Antivirus program on Android is highly debatable right now, but the location/wipe feature is undeniably good). The Premium features include the ability to lock your phone until you find it or wipe it clean, as well as even more goodies.

https://market.android.com/details?id=com.symantec.mobilesecurity - Free for basic protection (arguably useful antivirus, definitely useful remote lock), $30/yr for remote locate and wipe features (among others)

https://www.wavesecure.com/products/android.aspx - $19.90/yr. You can track your phone, lock it, and back up/wipe the data.

http://wheresmydroid.com/ - Free for basic features (basic locate, basic remote control, basic lock), $4 for full features (remote wipe)

iOS:

http://www.apple.com/icloud/features/find-my.html -- Free for all thanks to iCloud. You can even have it http://support.apple.com/kb/HT4175.

Windows Phone 7:

Built-in feature through connected Windows live accounts using http://devices.live.com/ -- http://windowsphone.windows7kami.com/remotely-managing-your-lost-windows-phone/

Encrypting Files on your Phone


As already mentioned, your device leaks data like a sieve. Using encryption can help secure your device some (either full-disk encryption or folder encryption)

http://www.engadget.com/2011/02/02/android-3-0-honeycomb-can-encrypt-all-your-data-needs-a-full/

For file encryption, you can use http://tasker.dinglisch.net/. The Android Market version used to not have encryption, but I don't know if this changed or not. To be safe just buy the version on the website and manually install the apk. http://tasker.dinglisch.net/userguide/en/encryption.html.

iOS: The phones have default built-in hardware encryption, but to make it useful you need to http://support.apple.com/kb/HT4175. No further options exist on stock devices, however for file-level encryption, mAdvLock can be used.

Windows Phone 7: I cannot find any information on current Windows Phone 7 supporting on-device encryption (though Microsoft does say it is planned), nor can I find any apps for file-level encryption.

Android Specific: Rooting and ROMs (and a bit on jailbreaking for iOS)


To root or not to root is very much so the question. There are pros and cons to both. Rooting itself isn't much of a desired thing, though if you are careful with your superuser privileges, it's certainly not a bad thing, just make sure that you secure your new vulnerabilities you may have gained, such as an ssh server. This also applies to when you install new ROMs: http://wiki.cyanogenmod.com/wiki/Howto:_Connect_to_Device_with_SSH! Same for iOS users: If you jailbreak your device, you now have SSH access that has a default and well-known username and password, http://www.redmondpie.com/how-to-secure-your-jailbroken-iphone-from-ssh-hack-9140084/. There have been scattered incidents of jailbroken and rooted phones being hacked due to unchanged SSH credentials.

On to ROMs specifically, I suggest everyone using Android looks into them, especially after your 1 or 2-year warranty is up. The reason? Security patches. Many phones get abandoned and never receive critical Android security patches. By running your own ROM you no longer have to wait for slow companies to patch your devices, but rather generally speedy groups of people who want to ship the latest Android in their ROM.

Smartphones: The remaining stuff


Be careful what you install. Here is a list of some of the worst offenders of apps that invade your privacy: http://blogs.wsj.com/wtk-mobile/. On Android, always pay attention to what permissions an app asks for on install and make sure it makes sense.

Disable Bluetooth when not using it.

Watch your picture uploads, especially if paranoid. By default the metadata in the picture will include geolocation information that you may not want out there. It's relatively simple to disable by just changing http://icanstalku.com/how.php#disable.
Dominic Vaughan
 
Posts: 3531
Joined: Mon May 14, 2007 1:47 pm
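
Added example (not part of the original post): a way to check whether a JPEG still carries the geolocation metadata mentioned above before you upload it. It walks the JPEG headers to the EXIF block and lists the tag ids in the GPS directory; the function names and the sample image bytes are constructed for this illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # EXIF tag in IFD0 that points at the GPS directory

def ifd_entries(tiff, offset, bo):
    """Yield (tag, type, count, raw 4-byte value field) for one TIFF directory."""
    if offset + 2 > len(tiff):
        return
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    for i in range(n):
        pos = offset + 2 + 12 * i
        if pos + 12 > len(tiff):        # truncated directory: stop, don't raise
            return
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, pos)
        yield tag, typ, count, tiff[pos + 8:pos + 12]

def gps_tags(jpeg):
    """Return the sorted GPS tag ids in a JPEG's EXIF block ([] if none)."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):      # image data / end of image: headers are over
            break
        (seg_len,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seg_len]
        pos += 2 + seg_len
        if marker != 0xE1 or not body.startswith(b"Exif\x00\x00") or len(body) < 14:
            continue
        # "II" = little-endian TIFF; anything else is read as big-endian ("MM")
        tiff, bo = body[6:], "<" if body[6:8] == b"II" else ">"
        (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
        for tag, _typ, _count, value in ifd_entries(tiff, ifd0, bo):
            if tag == GPS_IFD_POINTER:
                (gps_ifd,) = struct.unpack_from(bo + "I", value)
                return sorted(t for t, *_ in ifd_entries(tiff, gps_ifd, bo))
        return []
    return []

def sample_jpeg(with_gps):
    """Constructed sample: JPEG headers only, EXIF with or without a GPS directory."""
    tiff = b"II*\x00" + struct.pack("<I", 8)
    if with_gps:
        tiff += struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)  # IFD0
        tiff += struct.pack("<H", 2)                                     # GPS IFD at 26
        tiff += struct.pack("<HHI4s", 1, 2, 2, b"N\x00")                 # GPSLatitudeRef
        tiff += struct.pack("<HHI4s", 3, 2, 2, b"E\x00") + struct.pack("<I", 0)
    else:
        tiff += struct.pack("<HI", 0, 0)                                 # empty IFD0
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

An empty list means no GPS directory was found in the EXIF block; any non-empty result means the picture is still geotagged.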

Post » Sun May 13, 2012 1:54 pm

It's disgusting some of the permissions certain apps want on install... but I install them anyways. :D

Now I'm off to go encrypt my tablet.
James Shaw
 
Posts: 3399
Joined: Sun Jul 08, 2007 11:23 pm

Post » Sun May 13, 2012 7:07 am

It's disgusting some of the permissions certain apps want on install... but I install them anyways. :biggrin:

Now I'm off to go encrypt my tablet.
CyanogenMod (introduced in CM 7.1 RC) and a few other ROMs have the ability to disable specific permissions for apps: http://www.youtube.com/watch?feature=player_embedded&v=71UL9LIicTU

I didn't include this in the guide because it's quite advanced. You have to do debugging and be prepared for apps to break, become completely unresponsive, and all sorts of other glitches. You have to really do your research on whether an app needs a certain permission or not (and even then, some apps will not function with unneeded permissions disabled). Once CyanogenMod gets updated to Ice Cream Sandwich, it may be something that interests you for your tablet.

There used to be another app called Permissions Denied... technically it still exists, however the developer went evil and made the free version pretty much non-functional, display tons of ads, and reports of spyware are going around about it. They then released a paid version ($5) to do what the free version used to do. However, after what the developer did with the free version (through an app update without any warning, might I add), there was no way I was going to trust that developer and risk installing their "Pro" version on a phone to see if it actually works (the app also required root privileges to work and didn't work on all phones).

Google I think really could do better on this front by explaining the permissions requested better, as the descriptions for what the app requests are quite vague, and sometimes when an app requests something, when it seems like it has no need to, there actually is a reason. Being more explicit about why an app requires some permission would really help out the problem, I think (developers then wouldn't be able to make bogus demands for permissions, as everyone would know it doesn't really need those permissions and not install the app).

EDIT:

Your post has made me re-look into this and I have found two solutions:

1. http://forum.xda-developers.com/showthread.php?p=19570091 -- Doesn't require root to run (but does to install, the difference being the app itself doesn't need superuser privileges), but is quite an involved setup process and only very specific ROMs are supported.

2. https://market.android.com/details?id=com.lbe.security.lite -- Requires root and is basically an improved version of what Permissions Denied was before the developer went evil. Unfortunately, it's very heavy on the CPU (and therefore battery) and the latest version apparently has issues remembering blocked privileges past a reboot.

I would suggest these in the following order:

1. PDroid (it seems to be the best and most stable)

2. CyanogenMod (I trust them)

3. LBE Privacy Guard (it doesn't seem quite as good as CyanogenMod in terms of actual blocking, and is on par with it in terms of stability, but it also drains the battery really fast due to high CPU usage)
Kit Marsden
 
Posts: 3467
Joined: Thu Jul 19, 2007 2:19 pm

Post » Sun May 13, 2012 1:32 am

As it happens, I got my first smartphone today. So this should definitely come in handy. Thanks DEFRON!
Kill Bill
 
Posts: 3355
Joined: Wed Aug 30, 2006 2:22 am

Post » Sun May 13, 2012 3:41 am

Pfft. String telephones have no such problems. Sure range is limited but if you have privacy you must have sacrifice.
Sabrina Steige
 
Posts: 3396
Joined: Mon Aug 20, 2007 9:51 pm

Post » Sun May 13, 2012 5:46 am

Glad I could be of assistance. :goodjob:
how solid
 
Posts: 3434
Joined: Mon Apr 23, 2007 5:27 am

