When you lose a smartphone, all sorts of personal and proprietary data may become available to the finder/thief. Recently, a friend had a smartphone that I’d given to him stolen, so some of my personal and proprietary data may have been on that device still. Below I’ll attempt to outline what we should have done. This is very much a work in progress, but my quick searches for smartphone loss best practices returned nothing current or useful to an average person.
There was lots of best practice information for corporate devices on the internet. Buy this add-on for policy management, password complexity mandates, whole device encryption. None of this will help a soccer mom or a small business traveler overseas. We’ll try to work through what normal people can do to protect their devices, their data and make a lost or stolen device nearly useless to a thief.
A smartphone today is more powerful than a desktop computer from 10 years ago. This means these are extremely well-connected and valuable devices for you, me and thieves.
Let’s get started. I can’t ensure that any of these features or techniques will be available on your device or in the operating system that you phone runs. I’m only familiar with GSM phones, not what Verizon or Sprint use. Apple devices are a complete mystery to me. Do your own research for your device’s capabilities.
Pre-Loss / Pre-Theft Things
Before you have a loss, and most people will, there are a few steps you can take to make your data and accounts more secure. Some are easy, others are difficult and others will not be possible on all devices. Some will be a big hassle to leave constantly enabled, so many people will disable them or never try them at all.
Backups aren’t just for recovery and device failures, but to ensure that data isn’t only stored on a small, portable device that may disappear in a taxi or over a meal. Once your device is lost, not having access to the data is just salt on the wound. Having that data available also provides you a list of all the contacts, passwords, files, proprietary and personal data that has been compromised.
Off-device backups are step 1 for any security solution. I know there are solutions claiming to back up the data. I’ve used a few but never found that they really backed up everything on the device. For my sanity, I want something like a system image (Ghost, PartImage, etc), not just a copy of files the backup tool thinks are important. I want everything.
Pin Lock Boot Access – Cell Phone Access
On the smartphones that I’ve seen, it is possible to force a PIN to be entered before the device will boot or any phone calls can be made (except 911). This can buy you time immediately after a loss or theft to change access codes and cancel the phone account with your provider. It is also a big hassle all the times you want to make a call. I’ve never used a PIN lock. I probably should.
Quick Password Locks
There is a setting in Android that controls how quickly the screen locks and requires a password or pattern to be entered to get back into a phone. 2 minutes is a common setting, but I found even that to be annoying. Still, I left it enabled.
Force Use of a Password Manager
On Android, there is a workable Password Manager that reads KeePass v1.x encrypted files. The interface is a little clunky, but it does work. I’ve been using it for about 4 months. The program locks access to the password DB after 30 seconds (configurable) and I found that acceptable on a portable device.
Encrypt the Device, if possible
There are 3 kinds of storage on these devices.
- Internal SD
- External SD
- External USB
Recently, I’ve seen where Android 3.x and later supports device encryption. I’ve heard, though never tried it, that iPhones will encrypt the on-device storage if your access PIN is over 6 characters. 4-character PINs do not encrypt storage.
GPS “Home” Setting
Never set your real “home” to be the home for the GPS. Use a large intersection nearby instead.
Contacts / Owner Setting
The Android phones that I’ve seen have a place to put “owner information”; use that for a phone number or email account. Hopefully, an honest person will find your device and contact you. I was not so lucky. A not-so-nice voicemail was left on the contact phone number for my device. That number is not easily traced to my name or my address. Using a work number is probably a good idea.
Stop Auto-Login and Auto-Connects and Auto-Check-ins
Being able to automatically connect to Google, Facebook, Twitter, IRC, Dropbox, SugarSync, etc … is really handy. It is also fantastic for anyone who gains access to your smartphone. They get access to more personal and possibly company data located on these services.
Disabling the auto connection is a hassle, but it will also provide a little protection for this off-device data.
My phone had a sugarsync connection, some of the data there was sensitive from a corporate standpoint. Fortunately, I only had read-only access to the data from others and never placed my stuff there. On the other hand, I had to let those other people know that there was a breach and the data we shared may have been made public. Not good.
Google really wants us to automatically connect and doesn’t really let us have control over that aspect of the Android platform. If the screen isn’t locked, then whoever holds the device gets access to your google gmail and may get access to your other google services too. Google has been pushing the use of SMS to access Google as another way to protect your accounts with them. What happens after the device that receives the SMS is stolen?
Install Tracking Software
Paid software like “Prey” is available for laptops and smartphones to help with recovery. The $9 cost is pretty small when compared to how it can help you recover your device. I’ve seen reviews for different software of this type. I’ve never used any of these.
The home page on my device was set to an internal web page on a server that only I know about. Any access that isn’t from me is from someone else by definition. An IP address is not a person, but it can get pretty close to an address with the help of police and reverse IP lookups. For a time, Google had an IP/address lookup feature. I haven’t heard about it in a while. There were privacy concerns, as I recall. For my lost device, there weren’t any logs of access to that webpage, so that means they didn’t blindly open the web browser while connected to a network.
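The private home page trick above only works if someone actually looks at the server log. As an added example (not from the original post), this script scans web server access log lines in the common “combined” format for requests to the beacon page that did not come from the owner’s usual networks; the beacon path, the owner networks and the log lines are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Path of the private "home page" the phone's browser opens (hypothetical name).
BEACON_PATH = "/phone-home/"
# Networks the owner normally browses from (home LAN, work NAT); constructed values.
OWNER_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("192.168.1.0/24")]

# Apache/nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def beacon_hits(lines):
    """Return (ip, timestamp, user_agent) for every request to the beacon path
    that did not come from an owner network.  Lines that do not parse, or whose
    client field is not an IP address, are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(BEACON_PATH):
            continue
        try:
            ip = ip_address(m.group("ip"))
        except ValueError:
            continue
        if any(ip in net for net in OWNER_NETWORKS):
            continue
        hits.append((str(ip), m.group("ts"), m.group("ua")))
    return hits

# Constructed sample log: one visit from home, one from an unknown address, one
# unrelated request and one junk line.
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Oct/2012:19:02:11 +0000] "GET /phone-home/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.3.6)"',
    '198.51.100.77 - - [12/Oct/2012:08:41:09 +0000] "GET /phone-home/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.3.6)"',
    '198.51.100.77 - - [12/Oct/2012:08:41:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Linux; U; Android 2.3.6)"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, ts, ua in beacon_hits(SAMPLE_LOG):
        print(f"ALERT {ts}: beacon page opened from {ip} ({ua})")
```

Run it from a cron job against the live log and mail yourself the output; the user agent string also tells you whether it was the phone’s browser or something else hitting the page.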
Some of these tools will enable GPS tracking too – which can lead you and/or the police directly to your lost device. It is probably a good idea to not do this alone and only in a very public place with security easily available.
Install Remote Photo Snapshot Software
Having the photo of the person using your lost device will go a long way to recovering the device. It may provide information on the location – a coffee shop, home interior, etc.
Install Remote Wipe Software
This is more for the corporate users, but I suspect remote wipe software is available for home users too.
Post-Loss / Post-Theft Things
Ok, so your smartphone is gone. Once you get over the loss, you need to take some actions – quickly.
File a Police Report
This opens the door for all sorts of help from different providers. Sure, it is a hassle, but if someone doesn’t contact you quickly about your “lost” phone, it is now stolen. In a different country, it can also be a priceless experience for your travel logs.
Contact Cell Company, Disable the SIM (or phone number)
Contact your cell provider and be very clear that the phone and/or SIM were lost or stolen. Be careful that they may try to disable all your devices (spouse and/or kids’ phones) too. Don’t let them. I heard of someone reporting a stolen phone, but they’d removed the SIM from the device prior to leaving their country, so only the device was gone. The cell phone number was not at risk in any way. The cell company disabled all his accounts immediately because the customer service rep didn’t understand that the SIM and device were 2 different things.
Contact Your Provider and Have Them Blacklist the Phone’s IMEI
The IMEI is a unique identifier for every GSM phone in the world. It is hardware-based. There is a central database, the Central Equipment Identity Register, that is shared by cell phone operators world-wide to make stealing cell phones useless. In theory, a stolen phone cannot be used anywhere in the world, though this is probably wishful thinking. Your cell service provider will need to make the entries into the DB. I
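Write the IMEI down before the loss (it is on the label under the battery or on the box, and most GSM phones display it when you dial *#06#). The last of the 15 digits is a Luhn check digit, so a mistyped number can be caught before you ask the provider to blacklist it and end up blocking the wrong handset. As an added example that is not part of the original post, this checks a recorded IMEI; the sample value is a commonly used example number, not a real device’s.

```python
def imei_check_digit(first14: str) -> int:
    """Luhn check digit for the first 14 digits of an IMEI.
    Every second digit from the left (the 2nd, 4th, ..., 14th) is doubled and
    reduced to a single digit if over 9; the check digit is whatever makes the
    sum of all digits a multiple of 10."""
    if len(first14) != 14 or not first14.isdigit():
        raise ValueError("expected exactly 14 digits")
    total = 0
    for pos, ch in enumerate(first14):
        d = int(ch)
        if pos % 2 == 1:           # 0-based index 1, 3, ... = 2nd, 4th, ... digit
            d *= 2
            if d > 9:
                d -= 9             # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10

def is_valid_imei(imei: str) -> bool:
    """True if imei is 15 digits whose last digit matches the Luhn check digit.
    Dashes and spaces as printed on a label (49-015420-323751-8) are ignored."""
    digits = imei.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not digits.isdigit():
        return False
    return int(digits[-1]) == imei_check_digit(digits[:14])

# Sample IMEI (a well-known example value, not a real device's).
SAMPLE_IMEI = "49-015420-323751-8"

if __name__ == "__main__":
    print(SAMPLE_IMEI, "valid" if is_valid_imei(SAMPLE_IMEI) else "INVALID")
    # A single mistyped digit fails the check, so it is caught before reporting.
    print("490154203237517", "valid" if is_valid_imei("490154203237517") else "INVALID")
```

The check catches any single wrong digit and most swapped neighbouring digits, which is exactly the kind of mistake made when reading a number off a label over the phone to a support rep.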
Change All Passwords
Make a list of all the passwords used by the device. All of them. Don’t completely trust encrypted data. If you have a recent backup, you can start with that list. As a starting point, change these passwords ASAP:
- Secondary and tertiary email accounts
- Amazon and other online stores
- Netflix, Hulu, ….
- banks, brokerages, retirement
- voice mail
- web site logins – forums, blogs, services
- Dropbox, SugarSync
- VoIP accounts
- remote access accounts – RDP, VNC, ssh
- VPN keys – let the admin running the VPN know
You will have others, perhaps many others.
Notify Everyone of the Breach
Whatever data you had on the device must be assumed to be in other people’s hands.
- Cached websites
- Cached emails
- sent emails
- SMS messages
- files, music, videos, photos
Hopefully, you encrypted all the storage on the device. After the fact is too late. Now you need to let everyone know that any private or proprietary data you had on the device is out there.
Your Device is Gone.
Get over it. Learn from the experience. Get on with your life, travel, work. I’ve seen a person behave almost neurotically over the loss of a smartphone.
I was in a foreign country with an Android smartphone given to me by a friend. It was set up with GPS and maps with POI and lots of planning data for the many different cities and places to be visited. There was no SIM in the device, since I didn’t want any undesired phone charges while traveling; it was pulled and sat in a hotel safe. WiFi access was it. All the data was stored on an external 16G Class 10 SDHC card. Nothing was encrypted and only a gmail account was connected to the device. No important email accounts were on it, no twitter, no facebook, no other social networking. Since I was overseas, I was on a little higher alert and tried to ensure no sensitive data was stored on the device. I don’t know how good my attempts were, just that I tried. My KeePass DB was on the device.
I copied all the internal data to the external SDHC card, the day before the device was stolen. I’d pulled the external SDHC card out and removed my gmail profile from it. Then I looked through the internal SD storage for data to be removed and manually deleted it. Since I was returning the phone to a friend, I wasn’t too worried about some of the data remaining on it; like the GPS favorites and maps for the countries we’d visit. I may have left my skype account on it with an automatic login enabled. I don’t recall, but there haven’t been any skype calls made with that account. Then I did a device wipe using the built-in tool. It was an unlocked phone and rooted Android OS. Formerly, it was on the AT&T network, but I’d been using it on T-mobile with a pay-as-you-go SIM the last few weeks. The cellular data was disabled.
I suspect the device was wiped of my data well enough to not be an issue; very little, if any, of my stuff was leaked, but it definitely has my contact information, along with 500+ other people from my friend’s contact import. Wiping a smartphone doesn’t really wipe everything.
After looking through all these steps, I’m pretty certain that whole device encryption would have been less of a hassle and would have protected my data better. I’m torn on whether to encrypt the external SDHC card(s) – that could be a major hassle when moving data in and out of the device using other equipment. I routinely pull the SDHC card out and put it into a PC for faster copies. The USB connection is 20x slower, at least. A little testing will be needed before a decision is made.
When on vacation, a smartphone should be a convenience and shouldn’t get in the way of enjoying your time away from home and work. Don’t forget to make some memories with your family and friends too.
I’m fairly certain something easy and important is missing. Let everyone know in the comments.