Smartphone: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 9: Line 9:
*Phones can be lost or stolen.
*Phones can be lost or stolen.
*Phone numbers can be reused or stolen.
*Phone numbers can be reused or stolen.
* [https://www.pewresearch.org/internet/2019/11/15/how-americans-think-about-privacy-and-the-vulnerability-of-their-personal-data/pi_2019-11-14_privacy_1-04/  Majorities of Americans think their personal information is less secure today than in the past]
* While an [https://www.pewresearch.org/internet/2019/11/15/how-americans-think-about-privacy-and-the-vulnerability-of-their-personal-data/#seven-in-ten-americans-say-they-feel-as-if-their-data-is-less-secure-today-than-it-was-five-years-ago increasing number of users feel as if their dta is less secure today that it was five years ago,] they are unwilling to spend much personal effort to protect their data.
* While an [https://www.pewresearch.org/internet/2019/11/15/how-americans-think-about-privacy-and-the-vulnerability-of-their-personal-data/#seven-in-ten-americans-say-they-feel-as-if-their-data-is-less-secure-today-than-it-was-five-years-ago increasing number of users feel as if their dta is less secure today that it was five years ago,] they are unwilling to spend much personal effort to protect their data.


==Solutions==
==Solutions==
===Proposal for Assurance===
===Proposal for Assurance===
Following the pattern created by NIST SP 800-63-3 it is proposed to create levels of assurance for Smartphones and software running on those phones with a [[Software Statement]].
Following the pattern created by NIST SP 800-63-3 it is proposed to create levels of assurance for Smartphones and software running on those phones with a [https://tcwiki.azurewebsites.net/index.php?title=Software_Statement Software Statement].
# Simplest level the app makes an assurance of its own identity, provenance and policies as well as the security configuration of the device it is running on.
# Simplest level the app makes an assurance of its own identity, provenance and policies as well as the security configuration of the device it is running on.
#  The assertion includes a description of the authentication requirements placed on the user and can accommodate, as installed on the smartphone, at least AAL2 level of assurance to to the relying party. The app will not run phones without support for key protection.
#  The assertion includes a description of the authentication requirements placed on the user and can accommodate, as installed on the smartphone, at least AAL2 level of assurance to to the relying party. The app will not run phones without support for key protection.
# The assertion is signed by an accredited testing body as meeting the highest level of assurance by a recognized accrediting body.
# The assertion is signed by an accredited testing body as meeting the highest level of assurance by a recognized accrediting body.
===Security===
===Security===
* All modern smartphone have the ability to limit access by the use of some authentication factor any any purpose except emergency access for calling or emergency contact information. The user has the option to direct some notices to the lock screen if they wish. Apple and some Android phones come with the lock screen enabled by default, but all allow it to be disabled.
* All modern smartphone have the ability to limit access by the use of some authentication factor any any purpose except emergency access for calling or emergency contact information. The user has the option to direct some notices to the lock screen if they wish. Apple and some Android phones come with the lock screen enabled by default, but all allow it to be disabled.

Latest revision as of 19:24, 4 May 2020

Full Title or Meme

A Smartphone is a mobile device that can download Apps for contacting Web Sites as well as traditional mobile services like calling and messaging.

Context

The computing power of a Smart Phone today is beyond that of any computer of 25 years ago. The connectivity of a Smart Phone is beyond that of any computer of 25 years ago. Now anyone of modest means can carry one with them nearly anywhere they want to go. Clearly society will feel the impact of this leap of technology. And its impact for personal Identity can only be guessed at.

Problems

Solutions

Proposal for Assurance

Following the pattern created by NIST SP 800-63-3 it is proposed to create levels of assurance for Smartphones and software running on those phones with a Software Statement.

  1. Simplest level the app makes an assurance of its own identity, provenance and policies as well as the security configuration of the device it is running on.
  2. The assertion includes a description of the authentication requirements placed on the user and can accommodate, as installed on the smartphone, at least AAL2 level of assurance to to the relying party. The app will not run phones without support for key protection.
  3. The assertion is signed by an accredited testing body as meeting the highest level of assurance by a recognized accrediting body.

Security

  • All modern smartphone have the ability to limit access by the use of some authentication factor any any purpose except emergency access for calling or emergency contact information. The user has the option to direct some notices to the lock screen if they wish. Apple and some Android phones come with the lock screen enabled by default, but all allow it to be disabled.
  • On 2017-03-15 28% of smartphone users have no lock screen on their phones. 26% had a PIN code and 23% used a thumbprint scanner.
  • On 2020-04-24 Half of of Americans have decide not to use a product or service because of privacy concerns.

Recommendations

  1. Ensure that users understand the need for privacy and make it little extra effort to enable it.
  2. Ensure transparency of the use of data is maintained.
  3. Give users some functionality with little privacy, but make significant data available only if the user has enabled smart phone access.

References