Chapter 38. Troubleshooting Mobile Operating Systems

This chapter covers the following A+ 220-1002 exam objectives:

3.4 – Given a scenario, troubleshoot mobile OS and application issues.

3.5 – Given a scenario, troubleshoot mobile OS and application security issues.

Okay, here’s the last chapter on troubleshooting. The number of mobile devices in the workplace has been growing steadily for a long time now, and with more devices come more problems that will need your attention. There is a bit of overlap between this chapter and Chapter 3, “Smartphones, Tablets, and Other Mobile Devices, Part 1,” and Chapter 4, “Smartphones, Tablets, and Other Mobile Devices, Part 2.” That’s because the hardware and the software of a mobile device are so closely linked; a problem that occurs could be due to software, hardware, or both! So, you might want to refer back to those chapters to get a little refresher on mobile device hardware and communications. Let’s get troubleshooting!


Note

For this chapter we will cover the two objectives together, because they are so heavily intertwined.



ExamAlert

Objective 3.4 focuses on the following common symptoms: dim display, intermittent wireless, no wireless connectivity, no Bluetooth connectivity, cannot broadcast to external monitor, touchscreen non-responsive, apps not loading, slow performance, unable to decrypt e-mail, extremely short battery life, overheating, frozen system, no sound from speakers, inaccurate touch screen response, system lockout, and app log errors.



ExamAlert

Objective 3.5 concentrates on the following common symptoms: signal drop/weak signal, power drain, slow data speeds, unintended Wi-Fi connection, unintended Bluetooth pairing, leaked personal files/data, data transmission over limit, unauthorized account access, unauthorized location tracking, unauthorized camera/microphone activation, high resource utilization.


Wi-Fi Troubleshooting

When troubleshooting mobile device wireless connections, always make sure of the following basic wireless troubleshooting techniques:

• The device is within range.

• The correct SSID was entered (if manually connecting).

• The device supports the encryption protocol of the wireless network.

• The device is not in airplane mode.

• The user didn’t inadvertently connect to an unintended Wi-Fi network. It happens more often than you might think, given the number of open Wi-Fi networks available today.

• Tethering and mobile hotspots are not conflicting with the wireless connection.

• The cellular connection is not conflicting with the wireless connection.

If you still have trouble, here are a few more methods that can help to connect or reconnect to a wireless network:

• Power cycle the mobile device.

• Power cycle Wi-Fi.

• Remove or “forget” the particular wireless network and then attempt to connect to it again.

• Consider using a Wi-Fi analyzer app to locate the wireless network in question. Sometimes these analysis apps can give you more information that can help to solve the connectivity problem. They’re also a great security tool to check your own WAP. Just be careful because some can use up a good deal of system resources and possibly cause the battery to run hot.

• Access the advanced settings and check whether there is a Wi-Fi sleep policy, whether Wi-Fi scanning has been turned off, whether there is a proxy configuration, or whether a static IP is used. Also, Wi-Fi Direct and WPS might need to be configured properly, or disabled. Any of these could possibly cause a conflict. You might also try renewing the lease of an IP address, if the device is obtaining one from a DHCP server (which it most likely will be). Some devices also have an option for Best Wi-Fi Performance, which uses more power but might help when connecting to distant WAPs. Another possibility is that the mobile device needs to have an encryption certificate installed, which is usually done from here as well. The advanced settings will vary from device to device; an example is shown in Figure 38.1. Note the IP address and MAC address at the bottom of the figure; if you ever need to know either of those addresses, this is a good place to go.


Figure 38.1 Advanced wireless settings

One of these methods usually works when troubleshooting a wireless connection, but if all else fails, a hard reset can bring the device back to factory settings. (Always back up all data and settings before performing a hard reset.) And if the mobile device still can’t connect to any of several known good wireless networks, consider accessing the Developer options and the super advanced wireless settings (more on Developer options later), or take the device to an authorized service center.

You might also encounter issues where the device can connect to Wi-Fi but has a slow connection. In that case, check the signal strength, as well as the distance to the nearest AP, whether or not the device is connecting to the correct AP (in the case there is more than one option), and if there are any obstructions.


ExamAlert

Know your Wi-Fi troubleshooting techniques!


Bluetooth Troubleshooting

If you have trouble pairing a Bluetooth device and connecting or reconnecting to Bluetooth devices or personal area networks (PANs), try some of the following methods:

• Make sure the phone or other mobile device is Bluetooth-capable.

• Verify whether Bluetooth is enabled on the mobile device. Also, if applicable, verify whether it is enabled on the target device (for example, an automobile sound system).

• Verify whether your devices are fully charged, especially Bluetooth headsets.

• Check whether you are within range. For example, Class 2 Bluetooth devices have a range of 10 meters.

• Restart the mobile device and attempt to reconnect.

• Check for conflicting Wi-Fi frequencies. Consider changing the channel used by the Wi-Fi network (if it is on 2.4 GHz).

• Use a known good Bluetooth device with the mobile device to make sure that the mobile device’s Bluetooth is functional.

• Remove or “forget” the particular Bluetooth device, turn off Bluetooth in general, restart the mobile device, and then attempt to reconnect.

• Check that the user didn’t make an unintended Bluetooth connection. If a Bluetooth device doesn’t have a passcode or other security methods implemented, it can easily be connected to another mobile device, and vice-versa.


ExamAlert

Know your Bluetooth troubleshooting techniques!


Troubleshooting E-mail Connections

If you have trouble connecting an e-mail account, try some of the following methods:

• Make sure the mobile device has Internet access. If connecting through the cellular network, make sure there is a decent reception.

• Verify that the username, password, and server names are typed correctly. Remember that the username is often the e-mail address itself.

• Check the port numbers. See Chapter 5, “Ports, Protocols, and Network Devices,” for a list of ports. Be aware, however, that network administrators might decide to use non-default port numbers!

• Remember that secure e-mail ports are preferred most of the time. Double-check whether security is required in the form of Secure Sockets Layer (SSL) or Transport Layer Security (TLS). For non-standard port numbers and security configurations, check with your network administrator.
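The port and security checks in the list above can be turned into a small settings linter. This is an added example, not part of the original chapter; the function names, status labels, and the sample profile are assumptions, and the default ports are the ones this chapter's quiz answers list.

```python
# Default ports as given in this chapter (see the Cram Quiz answers).
SECURE_PORTS = {"pop3": {995}, "imap": {993}, "smtp": {587, 465}}
CLEARTEXT_PORTS = {"pop3": {110}, "imap": {143}, "smtp": {25}}


def owner_of(port):
    """Return the protocol whose default ports include this port, or None."""
    for table in (SECURE_PORTS, CLEARTEXT_PORTS):
        for proto, ports in table.items():
            if port in ports:
                return proto
    return None


def check_setting(protocol, port, security):
    """Classify one server entry from a mobile e-mail client.

    security is "none", "ssl" or "tls". Returns (status, detail), where
    status is "ok", "insecure", "mismatch", "ask-admin" or "error".
    """
    proto, sec = protocol.lower(), security.lower()
    if proto not in SECURE_PORTS:
        return ("error", f"unknown protocol {protocol!r}")
    if sec not in ("none", "ssl", "tls"):
        return ("error", f"unknown security setting {security!r}")

    # A port that is another protocol's default usually means a typo.
    owner = owner_of(port)
    if owner is not None and owner != proto:
        return ("mismatch",
                f"port {port} is a default {owner.upper()} port, "
                f"not {proto.upper()}")
    if sec == "none":
        return ("insecure", "no SSL/TLS selected; the session is unencrypted")
    if port in CLEARTEXT_PORTS[proto]:
        return ("mismatch",
                f"port {port} is the insecure {proto.upper()} default, "
                f"but {sec.upper()} is selected")
    if port in SECURE_PORTS[proto]:
        return ("ok", f"{proto.upper()} with {sec.upper()} on port {port}")
    # Administrators may use non-default ports, so do not call this wrong.
    return ("ask-admin",
            f"port {port} is non-default; confirm with the network administrator")


def check_profile(profile):
    """Check every server in a profile; return only the entries needing attention."""
    findings = []
    for role, (protocol, port, security) in profile.items():
        status, detail = check_setting(protocol, port, security)
        if status != "ok":
            findings.append((role, status, detail))
    return findings


# Constructed sample profile, as a user might have typed it into the client.
SAMPLE_PROFILE = {
    "incoming": ("imap", 110, "ssl"),   # POP3's port entered for IMAP
    "outgoing": ("smtp", 587, "tls"),
}

if __name__ == "__main__":
    for role, status, detail in check_profile(SAMPLE_PROFILE):
        print(f"{role}: {status}: {detail}")
```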


ExamAlert

When troubleshooting e-mail connections on mobile devices, double-check all settings such as username, password, server name, and port number.


You might also encounter issues where a user cannot decrypt e-mail communications. Encryption issues can happen on several levels, including at the server, during the e-mail session, in the individual e-mails themselves, and in attachments. Today, e-mail sessions are based on SSL or TLS. The user’s e-mail account needs to log in to a secure server making use of the correct protocol and port. We discuss that more in Chapter 5; however, if individual e-mails (or attachments) cannot be decrypted, then it is probably a certificate issue. If the problem only affects one user, then the certificate should be checked at the mobile device; a new one will potentially have to be imported. In Figure 38.1 you saw an option in Android for installing certificates from storage. It can also be done from Encryption & credentials as shown in Figure 38.2.


Figure 38.2 Encryption & credentials screen in Android

From this screen you can clear and install certificates, and check trusted credentials. So, you could check if a certificate has expired or has been revoked and import the new one as needed. Note that attachments might use a separate certificate from the main e-mail certificate. With some MDM solutions, certificates can be exported directly to the mobile device; just make sure to use an encrypted session between the MDM and the device to prevent the certificate from being compromised!


ExamAlert

If individual e-mails (or attachments) cannot be decrypted, then it is probably a certificate issue.


Troubleshooting and Stopping Applications

Applications that are opened on a mobile device will continue to run in the background unless they are specifically turned off within the app or within the OS, or the device is restarted.

To turn off apps (or services) that are running on a typical Android-based system, go to App info, or the Application Manager (or similar name). That displays all the currently running applications and services, though the services portion might be within a different tab of that screen. As with PCs, mobile device apps use RAM. The more RAM that is used by the mobile device, the worse it will perform; it will slow it down and eat up battery power. So, to close an app, you would simply locate it on the list, tap it, and on the next screen tap Force stop. Figure 38.3 (left) shows an example of an app info screen with the Force stop option. You can also stop services or processes in this manner. If you are not absolutely sure what the service is, do not initiate a Stop because it can possibly cause system instability. In the past, due to that instability, force stops were reserved only for services; they are now an option on many devices for applications as well. Just remember that force stops can cause the OS to behave erratically. You can also clear the storage data and cache by tapping Storage. This is shown in Figure 38.3 (right). By clearing the data and cache, you can fix a lot of issues with applications.


Figure 38.3 The Force Stop option in Android

To force quit an app on iOS-based devices there are a couple of options depending on the version of the device.

1. On an iPhone X or later or an iPad with iOS 12, from the Home screen, swipe up from the bottom of the screen and pause slightly in the middle of the screen. On an iPhone 8 or earlier, double-click the Home button to show your most recently used apps.

2. Swipe right or left to find the app that you want to close.

3. Swipe up on the app's preview to close the app.


Note

For older devices, you may have to press and hold the Sleep/Wake button for a few seconds until a red slider appears. Then press and hold the home button until the app quits.



ExamAlert

Understand how to stop apps on Android and Apple devices.


There are third-party apps that can close down all of the apps in one shot if you need to save time. However, these can cause erratic behavior as well. Finally, if an application is causing the device to lock up and you can’t stop the app normally or through a force stop, then a soft reset or a hard reset will be necessary.

Initiating Resets

Sometimes, mobile devices are the victims of a frozen screen; tapping on the screen and pressing any buttons has no effect. To fix this problem, consider a soft reset. A soft reset is done by simply powering off the mobile device and powering it back on. (You might have to hold the power button for longer than usual.) This resets the drivers and the OS. Soft resets are similar to shutting down a PC and powering it back up. Some technicians will also call this a power cycle. The soft reset can help when certain applications are not functioning properly or when network connectivity is failing. If a smartphone is still locked up after it is restarted, try pulling the battery (if applicable), replacing it, and restarting the phone again, or attempt a hard reset.

iOS-based devices can do a variety of more advanced software resets beyond a simple power cycle, such as Reset All Settings, Erase All Content and Settings, Reset Network Settings, and so on. These are available by tapping Settings > General > Reset.

A hard reset should be initiated only when things have gone terribly wrong; for example, when hardware or software has been compromised or has failed and a soft reset does not fix the problem. You want to make sure that all data is backed up before performing a hard reset because some hard resets will reset the mobile device back to the original factory condition.


Warning

All data will be wiped when a hard reset is initiated!


Hard resets vary from one device to the next. They can be initiated from within the OS (for example, within the Backup and Reset settings screen). Or they can be initiated by pressing a special combination of buttons, possibly while restarting the device. For example, you might press and hold the Power button, Volume Up button, and Home button until you access Recovery Mode. Or you might have to press the Volume Down button and press and release the Power button at the same time to access reset options such as Clear Storage and Recovery.


Note

On some devices, pressing and holding the Volume Down button and the Power buttons simultaneously will bring up Safe Mode. This turns off user-installed apps and can be very helpful when troubleshooting.


At the recovery location, follow the prompts to initiate a hard reset. Again, all data should be backed up prior to starting a reset—I can’t say it enough! At this point, the device will be reset and you will have to restore data and settings from backup.


ExamAlert

Know how to perform soft and hard resets on Android devices.


Unlike many other mobile devices, hard resets on iOS-based devices do not delete data. They instead stop all apps and reset the OS and drivers. This can be accomplished with the following steps:

1. Make sure that the device has at least 20 percent battery life remaining. (This process could take some time, and you don’t want the battery to discharge completely in the middle of it.)

2. Press the On/Off or Sleep/Wake button and the Home button simultaneously for 10 seconds or until the Apple logo appears. (Ignore the red slider.)

3. When the logo appears, the hard reset has been initiated. It may take several minutes to complete.

To fully reset an iOS-based device such as an iPad to factory condition, you need to go to Settings > General > Reset > Erase all Content and Settings. Another way to do this is to connect the iOS device to a computer via USB and open iTunes on the computer. Then select the iPad option, click Summary, and then click Restore. Regardless of the method you choose, initiate a hard reset to complete the procedure.


Note

For more information on how to restart your iPhone X (or later) and your iPhone 8 (or earlier) and iPad visit: https://support.apple.com/en-us/HT201559

For more information on how to restore your iPhone or iPad to factory settings visit: https://support.apple.com/en-us/HT201252



ExamAlert

Remember how to reset settings and erase all content on iOS devices.


As you have seen with Android and Apple, the types of resets vary from one device to the next, so be sure to go to the manufacturer’s website to find out exactly what the various resets do for your mobile device and how you can perform them—and one more time, back up your data!

Additional Mobile Device Troubleshooting

Let’s discuss a little more about troubleshooting mobile devices, namely display issues, application issues, overheating, and radio connectivity issues. We previously discussed some touchscreen and battery issues in Chapter 20, “Troubleshooting Video Issues and Mobile Devices,” so we won’t repeat those things here.

Mobile Device Application and OS Troubleshooting

The operating system and the loaded applications can give users some heartache, too—especially given how some people truly love their smartphones and tablets.

We talked about keeping the device updated; in general, this is true, especially for antimalware applications. But sometimes, an update is not a good idea. For example, the latest version of a mobile OS might not work well on your device (even if the experts say it will). The older the device, the slower the CPU; and the newer the OS version, the more CPU resources it requires. Ultimately, the new version of an OS will not function as well. The same goes for the latest versions of apps, though not to such an extent. In the case that a device is updated and it starts to work sluggishly, a downgrade may be necessary. This means going back to the original factory image for the phone and usually requires a USB connection to a desktop computer, with USB debugging enabled. In order to enable USB debugging, some devices require you to “become a developer,” which can be done, for example, by tapping the build number (in About) seven times or some other similar technique. Once you are in developer mode, you can enable USB debugging from Settings. Other devices allow you to select USB debugging when you first plug in the device via USB. You’ll need to have a full battery before initiating a downgrade. Check your device documentation for more information, or go to the manufacturer’s website to find out how to enable USB debugging for your specific device.

Applications can also cause a mobile device OS to perform slowly or freeze the system altogether. If this happens, first restart the device. If that does not work, consider force-stopping the application in question, uninstalling unnecessary apps, and possibly resetting the device. If you have previously enabled Developer Mode, you can access that and see a list of all running services, and modify them from there.

Apps might also fail to load or might load very slowly. That could be because there are too many apps open, or perhaps the web browser has too many tabs open. It could also be a sign that there is no space left on the device. Remove and/or relocate apps to see if it fixes the problem. On most Android devices, you can also clear the cache memory for the system and for individual apps. To clear the system cache, reboot the device into recovery mode (usually with a simultaneous button combination, such as Power, Volume Up, and Home), and then select “wipe cache partition” or similar name. Just be very careful not to select the factory reset option! It is often very close in proximity on the menu. Individual app cache (and app data) can be cleared on the same screen where force stops are performed.

External Monitor Issues

Earlier in the book we said you can connect anything to anything else; you just need the right adapter. That holds true with mobile devices as well. However, some adapters are made better than others. For example, it is sometimes wise to use an adapter made by Apple for connecting, say, an iPad’s Lightning port to an HDMI input. Seek out quality adapters for connecting from USB-C equipped Android devices to HDMI, or to the USB port of an automobile. (I use these all the time, so I can tell you from experience that there is a lot of junk out there.) Make sure there is a solid connection and that you are using the correct adapter. Generally, this just works out of the box, even if screen sharing or screen mirroring is turned off, because it relies on a cabled connection, not a wireless connection. The troubleshooting side of it is usually at the TV, monitor, or projector where the image is to be mirrored. Always remember to check the input option being used; it is usually part of the on-screen display (OSD). But in rare cases, there might be a setting deep in the options of Android that can disable physical screen mirroring. Be ready to search.

On the software side of things, we want to make sure that the screen mirroring is enabled. Different Android devices will have this setting in different places. One example is to go to Network > Screen Sharing (it could also be in General, Display, or elsewhere depending on the device). Verify that screen sharing is enabled. On the other end, make sure the device that is being shared to is accepting the connection. There could be a passcode required if you are connecting to some kind of casting device (Amazon Fire TV, Google Chromecast, Apple TV, and so on). Don’t forget to check the volume on the mobile device as well. iOS devices use the Screen Mirroring option, which by default only connects to Apple TV devices, but there are third-party software offerings that can allow iOS devices to mirror to computer systems. Screen Mirroring can easily be found by double-tapping the Home button, or swiping up from the bottom of the display.


Note

If a physical cable is connecting the iOS device to an external display, then the Screen Mirroring name changes to Dock Connector. If you were to press Stop mirroring, then you might need to restart the iOS device in order to enable the mirror again.


Troubleshooting Mobile Device Security Issues

What it all boils down to is unauthorized access, loss of authorized access, and compromised or lost data—that’s what we need to protect against. In other words, we want to keep the bad guys out, and the employees in, all while preserving the data.

We can implement a variety of security measures, but we have to be careful not to over-secure. Too many hurdles for users can cause an unacceptable number of system lockouts. That means a loss of productivity for the users, and increased tech support calls to have the accounts and/or devices unlocked. Over time, this costs the organization money and slows down projects.

That’s why the “three strikes and you’re out” rule is a good middle ground. It gives enough attempts for a user who makes some typos during the login process, but it provides a lockout for an attacker who tries to guess a user’s password. This rule can be set up as a policy within an MDM, affecting all mobile devices within the group. With a typical standalone mobile device, the lockout might last for 15 minutes, and subsequent lockouts can be longer. However, when configuring this within an MDM, the lockout should be more severe, most likely locking the account until an administrator confirms the user’s identity and perhaps runs a quick interview. Even that might not be enough, however. Just because an account was locked out today doesn’t necessarily mean it wasn’t compromised previously. The simple fact that the lockout occurred should be a red flag. Many organizations will then launch an investigation at some level or at least a basic analysis of the account. Logs should be checked for anomalous activity, resource usage should be looked into, and the admin should double-check for any unauthorized usage of the device, apps, or the data.

Speaking of logs, always try to view log files to ascertain if any security issues have occurred within the mobile device’s OS or the applications. Some applications have their own logs that you can view. Many MDMs have log files that you definitely should review periodically. Finally, you can go deep into an individual mobile device programmatically. For example, with Android, use the Android SDK (system developer kit) and make use of the Android Debug Bridge (ADB) from a PC or other system—with USB-debugging enabled on the mobile device. What we are looking for are errors and anomalous activity that might indicate a security breach.
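One way to triage a log pulled over ADB (for instance with `adb logcat -d -v threadtime`) for errors and activity worth a closer look. This is an added example, not part of the original chapter; the sample lines are constructed, and the watch terms and function names are assumptions based on the symptoms this chapter lists.

```python
import re
from collections import Counter

# logcat "threadtime" layout: date time PID TID priority tag: message
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<prio>[VDIWEF])\s+"
    r"(?P<tag>.+?)\s*: (?P<msg>.*)$"
)

# Assumed watch list, drawn from the security symptoms named in this chapter.
WATCH_TERMS = ("camera", "microphone", "location", "permission denial")

# Constructed sample, not captured from a real device.
SAMPLE_LOG = """\
--------- beginning of main
03-14 09:21:05.101  1820  1820 I ExampleMail: sync started
03-14 09:21:07.412  1820  1833 E ExampleMail: TLS handshake failed: certificate expired
03-14 09:21:07.415  1820  1833 E ExampleMail: sync aborted
03-14 09:22:10.008  2977  2977 W ExampleFlashlight: camera opened while screen off
03-14 09:22:10.950   912   940 W ActivityManager: Permission Denial: ExampleFlashlight requested location
03-14 09:22:11.300  2977  2990 D ExampleFlashlight: upload queued
03-14 09:23:00.000  3100  3100 F ExampleGame: native crash
"""


def parse_line(line):
    """Return the fields of one threadtime line as a dict, or None if it does not parse."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def triage(log_text):
    """Count error/fatal lines per tag and collect warning-or-worse lines
    that mention a watch term. Unparseable lines (such as logcat's
    '--------- beginning of ...' buffer headers) are counted, not dropped silently.
    """
    errors = Counter()
    watch_hits = []
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["prio"] in "EF":          # Error or Fatal
            errors[rec["tag"]] += 1
        if rec["prio"] in "WEF":         # Warning or worse
            text = rec["msg"].lower()
            terms = [t for t in WATCH_TERMS if t in text]
            if terms:
                watch_hits.append((rec["time"], rec["tag"], terms))
    return {
        "errors_by_tag": dict(errors),
        "watch_hits": watch_hits,
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for tag, count in sorted(report["errors_by_tag"].items()):
        print(f"{count} error(s) from {tag}")
    for time, tag, terms in report["watch_hits"]:
        print(f"{time} {tag}: mentions {', '.join(terms)}")
    print(f"{report['skipped']} line(s) skipped")
```

A hit is only a lead for the analysis described above; which tags and messages a given device emits varies by vendor and OS version.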


ExamAlert

Always try to view log files to ascertain if any security issues have occurred within the mobile device’s OS or the applications.


It’s those apps that can be a real target. Remember how we mentioned that every program installed to a computer increases the attack surface? That is one reason why so many mobile devices get hacked: there are so many apps out there, each of which poses a security risk to some extent. Remember to limit the number of apps that a person has access to. An attacker might attempt to gain information from an employee of a company by initiating unauthorized location tracking. This can be done with an app or through a backdoor of the OS, or with malware, often a Trojan. If you suspect this, then Location services should be disabled until the problem is resolved.

Attackers will also attempt to take control of the camera/webcam and microphone of a mobile device to spy on a user. One way to tell if this is happening is by listening for shutter noises occurring even when the user is not taking pictures. The temporary solution is to disable (or unplug) the camera/webcam or cover it with masking tape, and force stop any unknown applications. Another basic preventative action is to have the webcam indicate when it is in use, either with a light, tone, or message. Along those lines, you can also check application permissions. For instance, the Camera app will allow certain programs to make use of the camera. If there are any on the list that are not expected, are not desirable, or are potentially malicious, then disable them. For example, in Android a typical navigational path would be: General > Apps & Notifications > App permissions. From there you will see the Camera app; tap it to find out which applications are using it and disable them as necessary.

As a security person, what you are looking for is high resource utilization on the mobile device, or a power drain. These can indicate that a Trojan has been installed that has taken control of the webcam or is working in a remote desktop manner. Another indicator is high data usage. When the data transmission for a device goes over the limit set by the cellular provider—or over a wireless transmission quota that your organization has set—it could be that the mobile device has been compromised and is working as a bot. Not to mention the fact that the user will lose productivity.

If you suspect that there is unauthorized usage, then the mobile device should be taken offline, isolated, scanned, and otherwise analyzed. In many cases, the device will have to be wiped (as per company policy) and re-imaged. If the device is used in a BYOD environment, re-imaging the company partition might be enough, but with some organizations the device might be banned until the personal side is also re-imaged.

Primarily, we want to try to prevent all of these things from happening. Remember how we mentioned “an ounce of prevention is worth a pound of cure”? That means updated anti-malware, firewalls, strong passwords, disallowing public and open Wi-Fi hotspot connections, using DLP to prevent leaked data, and in general, locking the device down at the MDM workstation. That’s some of what we can do to protect the integrity of the data and keep it confidential, while maintaining productivity of authorized users.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

1. An application won’t close on an Android smartphone. You’ve tried to force-stop it, to no avail. What should you do?

A. Hard reset the device.

B. Stop the service in Running Services.

C. Soft reset the device.

D. Take the device to an authorized service center.

2. Which of the following are valid Wi-Fi troubleshooting methods? (Select the two best answers.)

A. Power cycle the device.

B. Restart Bluetooth.

C. Use a static IP.

D. Make sure the device is within range.

E. Rename the SSID.

3. You are troubleshooting a mobile device’s e-mail connection. Your company requires the latest in security when it comes to e-mail sessions. The e-mail client is a separate app that is not browser-based. How should the mobile device’s e-mail client program be configured? (Select the two best answers.)

A. SSL on port 25

B. TLS on port 443

C. POP3 with TLS using port 995

D. SMTP using port 995

E. IMAP using SSL on port 110

F. SMTP using TLS on port 587

4. You suspect that a mobile device has been compromised and is now part of a botnet. What are some of the indicators that this has happened? (Select the two best answers.)

A. High resource usage

B. Notification of camera/webcam usage

C. Apps were force stopped

D. Power drain

E. Log files are unavailable

F. The user’s account was locked out

Cram Quiz Answers

1. C. If you’ve already tried to stop the application within Running Services, attempt a soft reset. Pull the battery if the application is frozen. Hard resets on Android devices should be used only as a last resort because they will return the device to factory condition—wiping all the data. The question indicated that the application won’t close, not that a service won’t stop, though you could try finding an underlying service that might be the culprit. But try resetting the device before doing this or taking it to an authorized service center.

2. A and D. Valid Wi-Fi troubleshooting methods include power cycling the device and making sure that the mobile device is within range of the wireless access point. Bluetooth could possibly cause a conflict with Wi-Fi. If you suspect this, Bluetooth should simply be turned off. Static IP addresses are one thing you can check for when troubleshooting. Normally, the mobile device should obtain an IP address dynamically from a DHCP server. Renaming the SSID of the access point could cause problems for all clients trying to connect. However, you should make sure that the correct SSID was typed (if the connection were made manually).

3. C and F. A common configuration is to use POP3 for receiving mail utilizing TLS on port 995, and SMTP for sending mail utilizing TLS on port 587. You might also use SSL and possibly port 465 for SMTP. SSL is not designed to run on port 25 by default. TLS can run on port 443, but that is primarily used for HTTPS or any other browser-based systems (in the question, the e-mail client was not browser-based). SMTP uses port 25 (insecure) or 587 or 465. IMAP uses port 143 (insecure) or 993 by default. Take a look at your mobile device and see what protocols and ports are used by your e-mail application.

4. A and D. If a mobile device has been compromised and added to a botnet, the user might never know, other than the potential for high resource usage, a power drain on the battery, and less commonly, high data usage. As a security admin, you should check all of these things as well as any available logs. (If the logs are not available then that could indicate other foul play.) Take the device off the network, isolate it, then run a scan of the device; you are on the hunt for Trojans especially. A notification of camera/webcam usage either means that it is being used properly by the user, or an attacker is attempting to spy on the user, but it doesn’t mean that the mobile device has joined a botnet; it is possible, but unrelated. If apps were force stopped, it could have been by the user, or by a rogue app, or by an attacker who has taken control of the mobile device, but this is also a separate problem. If the user account was locked out, it could simply be that the user forgot the password and had too many failed attempts. Or, it could be that a hacker was attempting to guess the password, either directly, or through other covert means. Again, separate problem. In all of these cases, the image should be preserved for later analysis, and the device should most likely be re-imaged to be sure that any bad apps, malware, and so on, have been removed.

And that does it for the security section of this book. Well done. But remember, always have security on your mind! As technicians, it should be a primary consideration for any of the technology that we work with.