Russ Harvey Consulting - Computer and Internet Services

Mobile Security

Privacy | Spam & Deception | We're No Safer
Tighten Security | Virtual Assistants | Charging Issues?

Vulnerabilities in mobile devices.

Vulnerabilities in Mobile Devices

The New Mobile Reality

There are now more mobile devices than people on the planet and most people get most of their information through a mobile device. — CSO

We text, talk and share on the go, often without thinking about the consequences.

Your mobile devices contain a lot of information about you. Learn how to be careful so your information doesn't end up in the hands of a cyber criminal. — Get Cyber Safe

Learn about the inherent risks that go along with the freedoms these devices provide so you can make better decisions about the software you use.

Detox Your Phone

Do your apps share unnecessary data? Five ways to reset your relationship with your phone from Mozilla.

Update Your Device

One of the most important security measures you can take is to ensure your software and devices are updated regularly.

“Update your software!?” infographic -- click to learn more.
See the full infographic.

How Security Aware Are You?

Canadians are accessing everything online via their smart devices more often than their computers and that trend is only increasing. With that change comes a need to learn to protect yourself and your data.

“How Cyber Safe are You in the Digital Age?” infographic -- click to learn more.
See the full infographic to learn more.

Today's mobile devices, by their very nature, are not in a fixed location. Data is often stored in the “cloud” and is available to other applications and services you've permitted to have access to it.

While most apps aren't malicious and need these permissions to work properly, it's worth reviewing them at times to make sure an app isn't taking information it doesn't need.

 

And in the case of apps like Facebook, the absurd amount of permissions might make you want to uninstall it completely. — MakeUseOf

Windows 10

Microsoft Windows used to be a mostly closed system that contained your programs and data on your own computer.

Essentially a Mobile System

Windows 10 focused on the needs of mobile devices and is itself a cloud-based Software as a Service (SaaS).

One Drive

To enable access across devices, much of your data is no longer stored locally by default. By storing it on OneDrive, it becomes available to all your devices. Unfortunately, that includes anyone on the Internet that can guess your password.

Privacy

Following the guessing game when Windows 10 was launched, we now have more clarity on what information Microsoft collects as well as easier access to privacy settings. Major Windows updates have sometimes reset privacy defaults, something that you'll need to check for.

Return to top

Security on Mobile Devices

Mobile devices are much better “out of the box” than they were a few years ago.

That doesn't translate into secure experiences once they are put into everyday use.

We've reached a point where mobile ecosystems and platforms are relatively secure at an OS and hardware level; the biggest risk comes from what we do with those devices and what we install on them, what email messages we read, and what links we click. — TechRepublic

End SIM Card Fraud

End SIM card fraud in Canada.

SIM swapping, sometimes called SIM hijacking, occurs when a bad actor convinces a telecom carrier to transfer a mobile phone number to a SIM card they control.

 

Once a fraudster associates a victim's phone number with a new SIM card, they can use the number to access bank accounts or other sensitive information associated with it. — VICE

It is time for the CRTC to regulate cell phone company accountability.

Tell your Minister Bains to protect our phones from fraud!

Apps Abusing Access to Your Data

You need to be careful about how much information you provide to apps rather than simply clicking the “Accept” button.

Let's look at a real-world example.

Eavesdropper Vulnerability

In 2017 Appthority discovered a vulnerability in 685 enterprise apps affecting nearly 700 iOS and Android devices (44% Android, 56% iOS) which had provided access to private data since 2011.

The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they've developed with the exposed credentials.

 

Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware.

 

An Eavesdropper attack is possible simply because developers have failed to follow Twilio's documented guidelines for secure use of credentials and tokens and allowed theses apps to leak audio and message-based communications. — Appthority

Careless Developers

This vulnerability could only be fixed by the developer. These developers probably lacked the knowledge or motivation to fix the issue.

The cause of the Eavesdropper issue is careless developers. We've seen many cases in the past where developers leave API and server credentials inside an app's source code, instead of storing them in a secure, remote database. — Bleeping Computer

Removing the apps from your device became the only logical option.

Data Collection Significant

The vast numbers of apps on the app stores and the number of downloads can make a seemingly minor oversight affect millions of users.

That assumes that all this was accidental. Not so.

The collection of personal data has become a multi-billion dollar industry that will require legislation to fix.

Android

While Google regularly updates the Android OS, manufacturers are free to deny the upgrades on their devices, leaving you vulnerable to known weaknesses to create an artificial need to upgrade your hardware regularly.

Android devices are ubiquitous, and the Android platform isn't locked down the way iOS is. Even if you stay away from third-party app stores and refrain from jailbreaking your device, you can still get hit with Trojans, ransomware, and other kinds of Android malware. Smart users protect their devices with an Android antivirus. — PCMag

Android Vulnerabilities

It was recently revealed that a spyware program was installed on more than 700 million Android smartphones and was collecting information and sending it to China.

But that isn't the only Android threat. Gooligan, breached the security of over one million Google accounts, one of the largest Google breaches yet. Check your Google account activity and choose better security

iOS

Apple iOS is significantly more secure than Android.

Unlike Android users, who are largely at the mercy of their carriers for OS updates, Apple pushes out new versions of iOS to anyone with a compatible phone all at once. That's why 89 percent of iOS users are on iOS 10 as of Sept. 6 [2017], while only about 16 percent of Android users are sampling Nougat as of Sept. 11. — PCMagazine

iOS isn't free from issues.

iOS Vulnerabilities

iOS apps may be vulnerable to silent man-in-the-middle attacks (where a nefarious third party can intercept the communication and steal data).

As for iPhones and other iOS devices, Apple's built-in security makes life tough both for malware coders and antivirus writers. Many cross-platform suites simply skip iOS; those that don't typically offer a seriously stripped-down experience. Given the platform's intrinsic security, it rarely makes sense to expend one of your licenses installing protection on an iPhone. — PCMag

As iOS moves away from 32-bit software, users are warned that older apps may slow down their devices. In many cases, these apps are no longer maintained and probably should be deleted.

Mobile phishing attacks are on the rise and iOS is the biggest target. 63% of mobile phishing attacks target iOS devices. The number one source of those attacks is gaming apps. People are getting wise to email phishing, so hackers are becoming much sneakier. Mobile phishing that hides inside apps is harder to catch, making it a huge security risk.— TechRepublic

Return to top

Privacy on Mobile Devices

Tech companies are on a buying spree, which can compromise your privacy.

Combined Services Share User Data

When a company or service is purchased by a new parent company the privacy policies change to suit the new owner. Often it is the user base that is the reason for the purchase more than the technology.

Did Microsoft acquire LinkedIn to access the wealth of user data as much as adding a social media platform to their holdings? What about Facebook's purchase of Instagram and WhatsApp?

Generate Unique Identities

When you log into a service using your Facebook identity, you provide that service with details about your Facebook friends, likes, dislikes and much more.

Logging in with your Google or any other identity, you provide similar access to that service.

While convenient, you provide much more than if you login using a unique ID.

it is better to segregate this information by using a unique user name and password for each service you use.

It also creates a massive vulnerability to your accounts if the Facebook or Google account becomes compromised.

Remove Combined Access

I recommend that you change your logins for any services that you've used Google, Facebook or other accounts for access. LastPass can track these for you and generate new passwords on the fly.

Be Selective in Permitting Access

When an app requests access to your contacts, photos, etc. you need to determine if that access is necessary for the app to provide the functions you're requesting.

For example, consider why the app needs access to your contacts or camera and how that data is going to be used.

Developers often say that they collect information to create enhanced functionality in their app or to deliver a better user experience.

 

Think about it like this — why in the world does your calorie tracker need to access your contacts? And really, why does your flashlight app need to know your location? — ZoneAlarm Blog

Review App Permissions

If an app requests unnecessary permissions, you're probably better off finding another app that doesn't abuse your privacy.

Mobile Location Analytics Invades Privacy

By tracking cell phones, Mobile Location Analytics (MLA) technologies allow facilities to learn about traffic patterns within their venues including how long people stand in line.

This information is more valuable than a “free” app: Your Facebook profile is estimated to be worth $50 per month in advertising revenue.

While this information could benefit the user, it also invades their privacy.

More About Privacy in the Mobile World

Return to top

Spam & Deception

Dealing with Spam

Spam and deceptive advertising are rampant in mobile computing.

From the ads running in the free apps we download to the misleading links on our Facebook feed, we are being bombarded with misinformation.

With the exploding use of small devices like cell phones and tablets (both in addition to and in replacement of computers), advertisers have been determined to penetrate that new market.

CASL prohibits anyone from installing software—including updates—on your electronic devices without your consent.

 

It also applies to updates and upgrades installed by somebody else, even if you installed the original software. — Canada's Anti-Spam Legislation

Secure your devices has information from the Government of Canada on how you can be protect your devices and information from being compromised.

Deceptive Software

Edward Snowden revealed that the US government was capturing and storing information from our Internet, phone and other electronic interactions using a number of programs designed to avoid congressional oversight.

The Five Eyes coalition, China and other nations were also involved in spying on the world's citizens.

Deceptive Services

Facebook is known for allowing deceptive advertising links on their newsfeed. Not only do they obfuscate these links so the user cannot determine where they'll take them without clicking on the link, but state that they are unable to monitor these deceptive practices.

Interestingly enough, Facebook guaranteed the Chinese government that they will be able to control content unapproved for their population in order to keep Facebook from being blocked in China, yet have failed to control fake news in other markets.

Facebook allows a wide mass of its users the freedom to spread fake news (which they won't regulate), while simultaneously working to prevent another group from sharing actual news. — Mashable

Return to top

We're No Safer

Police and spy agencies now gather massive amounts of our private information.

When questioned, these officials often use terrorism or child pornography to excuse this behaviour. Now the police want even more powers.

We allowed our governments to introduce legislation that traded our privacy for “protection” against terrorists, yet we are no safer.

The Act does not require individualized suspicion as a basis for information sharing amongst government agencies. There is no impediment in the Act to having entire databases shared with CSIS or the RCMP. The standard for ‘sharing’ is very, very low. — BC Civil Liberties Association
[W]e have seen too many cases of inappropriate and sometimes illegal conduct by state officials that have impacted on the rights of ordinary citizens not suspected of criminal or terrorist activities. — Privacy Commissioner Therrien

Few Successes

The successes have been few (and mostly could have been accomplished without the loss of our privacy).

It is far more likely that a common thief is caught up in this web than the mass terrorists the legislation is supposed to deter.

The Assumption

Agencies looked at the data they had when 911 occurred and realized that if they had more information they may have stopped the attack. Sounds good, right?

Unfortunately, the reality is different.

Too Much Data

The problem wasn't the amount of information so much as the ability to quickly sift through it and make sense of what it meant.

Were it working as advertised, the Boston Marathon bombing would have been stopped. The government had been warned about the perpetrators, but that information was lost in the mass of collected data.

An Illustration

Think of the problem of finding a single red coin in a pile one foot high across your entire city.

Would it be easier to find in a pile spread across your entire province (or state)? How about across the nation or around the world?

Even if your search parameters were precise, you'd be highly unlikely to discover the marked coin.

What's the Solution?

We need to tell our governments and corporations to quit collecting our private information and to restore a sense of privacy.

Unfortunately, too often security is seen as a cost center, and privacy is seen as the revenue generator for the company that develops the app.

 

Therefore, apps are often not secure -- and privacy is nonexistent -- to minimize cost and maximize revenue. The only way to combat these breaches is to actually pay full price for the apps consumers are using and to reject advertising-supported apps. — Roger Entner

Corporations won't do this on their own. Our “metadata” is simply worth too much to them.

They've Abused Our Ignorance

They've abused our ignorance about the value of this information to allow it to be traded for very little in return.

They may allow us to be otherwise compensated (American legislators have discussed this possibility) but is highly unlikely they'd set the value high enough to reflect reality.

Government Regulation Necessary

We need governments to regulate how easily our private data is accessed by police, spy agencies and corporations in the same manner they've regulated the sorts of questions that are allowed on an employment application or a rental agreement.

Take Back Our Privacy

We need to take back our privacy.

I don't want to live in a world where everything I say, everything I do, everyone I talk to, every expression of creativity and love or friendship is recorded. — Edward Snowden

 

Tighten Security

Mobile use continues to grow and with it an increase in security issues.

We need to tighten security on our devices and pay more attention to what we're giving away.

More Than a Phone

We forget that we're carrying a very powerful computer in our pocket.

More than a phone, mobile devices reveal our most private thoughts.

They contain the sort of personal information we once kept locked in our diaries and filing cabinets.

Laws Are Antiquated

Unfortunately, laws have not kept up with technology and our privacy is being eroded.

Laws that permit border searches of our devices are based upon conditions in a pre-computer era. The law assumes that any physical documents in your possession can be examined. It doesn't cover electronic documents like we carry around today.

It is as though crossing the border gave customs officers the right to go to your home or office and examine your private files.

A Double Standard

This data is invaluable in profiling us for advertising and marketing.

Can you imagine Google or Microsoft allowing you to have unfettered access to their personnel files or planning documents?

Why do you think hacking is penalized so severely? Corporations have lobbied for the right to collect our data while protecting their own.

Clean Up Your Settings

Take some time to clean up your device as well as tighten security and privacy settings:

Return to top

Virtual Assistants

We're now interacting directly with our computers using virtual assistants built into our devices (Siri, Cortana, Google Assistant). Internet-connected devices like Amazon Alexa and Google Home are have become the virtual assistants in our homes and offices.

Marketing Potential

While these can be tremendous help, there is much more involved.

There is a war for your loyalty.

In the future these virtual assistants are going to have a larger role in what music we listen to, what movies or TV programs we watch and what products we buy.

They're Listening

We are providing more information to these devices every time we use them.

By their very nature, they need to know a lot about us to be effective (one of the reasons that Siri or Cortana want to get to know you when you get started with them).

You can't have Google call Beth if they don't know who that is and how to best contact her. When we refer to Beth as our sister, then the assistant knows her relationship to us.

Danger, Will Robinson

Not all is as rosy as it appears. Using these virtual assistants is providing a lot of personal information to companies with a less-than-perfect track record for privacy.

Human Monitoring

We have less control over what is collected than you might think.

Voice data is being monitored all the time but the assistant is supposed to wait for the “hey Google” prompt. That may not limit what is recorded and can reveal a lot of private information.

Apple contractors regularly hear confidential medical information, drug deals, and recordings of couples having sex, as part of their job providing quality control, or "grading", the company's Siri voice assistant, the Guardian has learned. — The Guardian

Children's Access

Children are quick imitators and young children have been found to be conversing with these virtual assistants like they are a friend.

Your Devices Are Watching You

Samsung and Vizio televisions have recorded conversations and other devices can collect very personal information about us as well.

This issues is only going to get worse as the Internet of Things becomes pervasive and a thousand small devices like baby monitors, smart toys, security devices, etc. begin monitoring our activities

Protecting Your Privacy

You need to do several things to protect yourself. Start by choosing devices based upon their privacy track record. Next, change the default passwords and privacy settings on devices like Alexa and Google Home.

Return to top

Charging Issues?

Some mobile devices will not start unless there is sufficient charge, but run when plugged in and charging.

Verify Your Cable

The cable could be damaged. Try another matching cable.

Android

Most Android devices use USB-mini cables, but check first.

Apple

Apple devices sometimes won't charge with third-party cables or adapters. Use only genuine Apple accessories.

  • Older devices use Lightning to USB cables.
  • Newer ones use USB-C to Lightning cables.
  • A MagSafe Charger may be an option.

Verify that the USB block is the right ones for your device.

Power Blocks

Power blocks plug directly in the wall and convert AC power to DC.

Using the wrong power block can damage your device.

  • Block input is AC and should indicate that it is 110–240 VAC.
  • Block output is DC and should indicate the power in volts and amps (e.g. 0.5V 2.5–2.6A).

Ensure that the output plug matches the power receptor on your device (inside-positive or inside-negative).

Your device or its manual should indicate its power requirements.

Related Resources

Related resources on this site:

or check the resources index.


If these pages helped you,
buy me a coffee!


 

Return to top
RussHarvey.bc.ca/resources/mobilesecurity.html
Updated: April 3, 2021