Mobile Insecurity

Published on Monday, 07 October 2019 09:00

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


OVERVIEW

Mobile mania hit Singapore again in September 2019 with the launch of some freshly dropped Apples, in the form of the iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max. Owning the latest hardware is, of course, only half the story: what each of these handheld supercomputers offers is the ability to load all kinds of apps, providing entertainment, connectivity with family and friends, and productivity tools for work. However, we are often unaware of the risks inherent in such devices and apps. These can arise from something as simple as tapping "Yes" when asked whether an app may access your device's phonebook or hardware. The previous issue of CyberSense focused on the problem of mobile malware; building on this, we now look at some security risks that mobile phones and apps themselves present.

REPORTS

SOFTWARE FRAGMENTATION

Over half of all Android devices (more than one billion units) are running an OS version that is more than two years out of date, and the problem will likely worsen with time, given that the uptake of new Android operating system (OS) versions appears to be slowing. This persistence of older OS versions on active mobile devices, known as 'fragmentation', is particularly serious for Android-based smartphones.

Part of the problem can be attributed to smartphone manufacturers adding their own customised builds (skins, features, preloaded apps, etc.) on top of Google's base Android OS, which lengthens the upgrade cycle for these smartphones. In a recent blog post, Sony summarised what is involved when manufacturers develop their own firmware upgrades: a lengthy, multi-stage process that includes adapting the new OS to the hardware, integrating it with the manufacturer's own apps and functions, and several rounds of tests and certifications. To make matters worse, manufacturers have also been known to cease support for "older" products altogether, as Samsung recently announced for its Galaxy S6, a phone less than three years old.

Mobile devices running outdated versions are prime targets for malware and other mobile exploits, since publicly known vulnerabilities remain unpatched on them, putting their users at risk. Fragmentation, however, is much less of an issue for Apple devices, given the company's total control over its hardware and software ecosystem. According to Forbes, more than 65% of Apple devices are currently running the latest OS version; at the same time, devices as old as the iPad Air and iPhone 5S (launched five years ago, in 2013) are still receiving software updates. For its part, Google launched Project Treble in 2017, which separates the Android framework from the vendor-specific hardware code so that manufacturers can deliver OS updates with less rework, but only time will tell whether this solves the fragmentation conundrum.
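A fleet-level check for the fragmentation problem described above, added here as an illustration and not part of the bulletin: it reads the `ro.build.version.*` properties that `adb shell getprop` prints on an Android device and flags devices whose security patch level is older than a chosen threshold, or missing altogether. The device names, the getprop excerpts, the reference date and the 90-day threshold are constructed assumptions.

```python
"""Flag Android devices whose security patch level has gone stale.

Added example (not from the CyberSense bulletin). Feed it the text of
`adb shell getprop` captured from each device; only the ro.build.version.*
properties are used, everything else in the dump is ignored.
"""
import re
from datetime import date, datetime

# Constructed sample of `adb shell getprop` output for three devices (assumption:
# real dumps list hundreds of other properties, which the parser skips).
SAMPLE_GETPROP = {
    "device-a": (
        "[ro.build.version.release]: [9]\n"
        "[ro.build.version.sdk]: [28]\n"
        "[ro.build.version.security_patch]: [2018-10-05]\n"
    ),
    "device-b": (
        "[ro.build.version.release]: [6.0.1]\n"
        "[ro.build.version.sdk]: [23]\n"
        "[ro.build.version.security_patch]: [2017-03-01]\n"
    ),
    "device-c": (  # no patch-level property at all: must be reported, not passed
        "[ro.build.version.release]: [7.0]\n"
        "[ro.build.version.sdk]: [24]\n"
    ),
}

# Reference "today" chosen to match the bulletin's timeframe (assumption).
REFERENCE_DATE = date(2018, 10, 31)

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse `[key]: [value]` lines into a dict; lines of any other shape are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def assess_device(text, today, max_age_days=90):
    """Return (release, patch_level, age_days, verdict) for one getprop dump.

    verdict is "current", "stale" or "unknown". A missing or malformed
    security_patch value is reported as "unknown" so it cannot slip through
    as if the device were up to date.
    """
    props = parse_getprop(text)
    release = props.get("ro.build.version.release", "?")
    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        return release, None, None, "unknown"
    try:
        patch_date = datetime.strptime(patch, "%Y-%m-%d").date()
    except ValueError:
        return release, patch, None, "unknown"
    age = (today - patch_date).days
    verdict = "stale" if age > max_age_days else "current"
    return release, patch, age, verdict


def audit_fleet(dumps, today, max_age_days=90):
    """Assess every device dump; returns {device_name: assess_device(...) tuple}."""
    return {name: assess_device(text, today, max_age_days) for name, text in dumps.items()}


if __name__ == "__main__":
    for name, result in audit_fleet(SAMPLE_GETPROP, REFERENCE_DATE).items():
        print(name, result)
```

In practice the dumps come from `adb shell getprop` per device (or from an MDM inventory export); the point of the "unknown" verdict is that a device which does not report a patch level should be investigated rather than counted as compliant.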


USER NEGLIGENCE

A number of messages usually pop up when we launch a newly downloaded app for the first time. These typically present the app's terms of use and request various kinds of permissions: for example, access to the phone's contacts, camera and media files. Most users tend to grant these permissions freely; case in point, many willingly granted full access to their Google account in order to play Pokemon Go!

By doing so, however, users could unknowingly allow the app to access, in addition to private data, hardware functions on the smartphone such as the camera and microphone. It was revealed in Jan 2018 that a large number of gaming apps downloadable from Google's Play Store (and a smaller number from Apple's App Store) were using the phone's microphone to pick up ambient sound around users, with the resulting data sold to advertisers. Such apps have become sophisticated enough to keep gathering data even when they are not actively in use. This development prompted US lawmakers to query both Apple and Google in July 2018 on the susceptibility of their devices to such activities; Apple replied that users are always asked to approve microphone access for third-party apps, and that the company also requires developers to disclose when they are accessing the microphone. Google did not reply, but it was noted that its latest OS ('Android Pie') blocks apps from using the microphone or camera while they are in the background, a protection that applies only, of course, to users who have updated to this version.

Ultimately, it all boils down to vigilance; a good starting point is to ask whether an app really needs a specific permission to operate. For example, does a compass app need access to the device's media files? Similarly, is there any reason why a cooking game should require access to one's phonebook? If the request seems far-fetched, it is better not to grant the permission, or to give the app a miss altogether. On current Android and iOS versions, permissions can also be reviewed and revoked after installation from the device's Settings, so an earlier "Yes" is not final.
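A way to make the permission check above systematic, added here as an example rather than something from the bulletin: it parses the `install permissions:` and `runtime permissions:` sections of `adb shell dumpsys package <pkg>` output and lists granted dangerous permissions that fall outside the permission groups an app's purpose justifies. The package names, the dump excerpts and the per-app expectation profiles are constructed assumptions; the dangerous-permission grouping follows Android's own permission groups.

```python
"""Flag granted Android permissions that an app's purpose does not justify.

Added example (not from the CyberSense bulletin). Input is the text of
`adb shell dumpsys package <pkg>`; the excerpts below are constructed.
"""
import re

# Android "dangerous" (runtime) permissions, mapped to their permission group.
DANGEROUS_GROUPS = {
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_CALL_LOG": "CALL_LOG",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CALENDAR": "CALENDAR",
    "android.permission.BODY_SENSORS": "SENSORS",
}

# Permission groups each (hypothetical) app plausibly needs: a compass may use
# location for true-north correction; a cooking game needs none of these.
APP_PROFILES = {
    "com.example.compass": {"LOCATION"},
    "com.example.cookinggame": set(),
}

# Constructed excerpts of `adb shell dumpsys package <pkg>` output (assumption).
SAMPLE_DUMPSYS = {
    "com.example.compass": """\
  Package [com.example.compass] (a1b2c3d):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
""",
    "com.example.cookinggame": """\
  Package [com.example.cookinggame] (d4e5f6a):
    userId=10124
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
}

GRANT_RE = re.compile(r"^([\w.]+): granted=(true|false)")
GRANT_SECTIONS = ("install permissions:", "runtime permissions:")


def parse_grants(dumpsys_text):
    """Return {permission: granted?} from the grant-bearing sections of a dump.

    The `requested permissions:` list is deliberately ignored: being requested
    is not the same as being granted. Lines from other sections never match
    GRANT_RE and are skipped.
    """
    grants = {}
    section = None
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if line.endswith("permissions:"):
            section = line
            continue
        m = GRANT_RE.match(line)
        if m and section in GRANT_SECTIONS:
            grants[m.group(1)] = m.group(2) == "true"
    return grants


def unexpected_grants(grants, expected_groups):
    """Granted dangerous permissions whose group lies outside expected_groups."""
    return sorted(
        perm for perm, granted in grants.items()
        if granted and perm in DANGEROUS_GROUPS
        and DANGEROUS_GROUPS[perm] not in expected_groups
    )


def audit(dumps=SAMPLE_DUMPSYS, profiles=APP_PROFILES):
    """Map each package to the grants worth revoking or questioning."""
    return {
        pkg: unexpected_grants(parse_grants(text), profiles.get(pkg, set()))
        for pkg, text in dumps.items()
    }


if __name__ == "__main__":
    for pkg, flagged in audit().items():
        print(pkg, "->", flagged or "nothing unexpected")
```

A package with no profile is treated as needing no dangerous permissions at all, so every such grant is surfaced for review; denied permissions (`granted=false`) are not flagged, since the user has already made the right call there.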


COMPANY OWNERSHIP

The John S. McCain National Defense Authorization Act passed by the US Congress in August 2018 bans government agencies and employees from using phones and hardware made by certain Chinese manufacturers, the latest in a series of moves by the US against Chinese companies. In 2012, the US government first banned Huawei from selling telecommunications equipment in the country over national security concerns; this was expanded into an overall ban on Huawei and ZTE bidding for government contracts two years later. It was also rumoured that the US government pressured the American telco AT&T to pull out of a deal in January 2018 that would have seen Huawei smartphones sold in AT&T outlets. Given that no public evidence of espionage by either firm has been produced, many have speculated that the US government's mistrust stems from the suspicion that both firms are linked to the Chinese government. There are also suggestions that the enhanced measures against the Chinese companies (especially since the inception of the Trump Administration) are related to the ongoing trade dispute between the US and China.

For its part, China has banned Apple products from official procurement since 2014, citing security concerns, despite Apple's well-known refusal to cooperate with the US government in extracting data from its products. It should be noted that Germany and the UK have, on occasion, also barred Apple devices from official government functions.

Generally, while there is no substantial evidence of systematic abuse of user data by phone manufacturers, isolated incidents have occurred, including an embarrassing episode for Xiaomi in 2014 when the security firm F-Secure found that its smartphones were sending users' address books to a remote server in China without their knowledge.


QUICK BYTES

Google can ‘control’ your Android phone remotely

On 13 Sept 2018, Android phones running Google's latest OS (Android Pie) suddenly had their battery-saver function turned on, to their users' bewilderment. Google later apologised, explaining that its engineers had pushed the setting by accident as part of an internal experiment. The incident caused considerable alarm as it confirmed what observers had long suspected: that Google can change settings on smartphones running its OS, even without users' permission. It raises the question of the extent to which one's phone can be accessed or controlled remotely by its manufacturer or OS developer.


SOURCES INCLUDE: The Verge, TechCrunch, Ars Technica, The New York Times, ZDNET, and CNET