Vulnerabilities in Mobile Devices
Helping You Make Better Decisions
It is hard to remember a time we didn't all have these devices. We text, talk and share on the go, often without thinking about the consequences.
Traditionally, software was installed onto a computer and the data was stored there as well. References to a “mobile device” meant a laptop.
When this site was first launched, the Internet was a relatively-new concept for the majority of people. Few businesses and even fewer individuals had a website. Facebook and Twitter didn't exist.
The New Mobile Reality
This page is designed to educate you about the inherent risks that go along with the freedoms these devices provide and to help you to make better decisions about the software you use.
Today's mobile devices, by their very nature, are not in a fixed location. Data is often stored in the “cloud” and is available to other applications and services you've permitted to have access to it. When you log into a service using your Facebook identity, you provide that service with details about your Facebook friends, likes, dislikes and much more.
While most apps aren't malicious and need these permissions to work properly, it's worth reviewing them at times to make sure an app isn't taking information it doesn't need. And in the case of apps like Facebook, the absurd amount of permissions might make you want to uninstall it completely. — MakeUseOf
Windows 10 a Privacy Nightmare
Microsoft Windows was mostly a closed system that contained your programs and data on your own computer.
Windows 10, Microsoft's newest operating system, focuses on the needs of mobile devices and is itself a cloud-based Software as a Service (SaaS). Data sharing means that much of your data is no longer stored locally and is available to anyone on the Internet that can guess your password.
Major updates have often resetting privacy defaults, thereby making Windows 10 a privacy nightmare. The Creators Update brought more clarity on what information Microsoft collects as well as providing easier access to privacy settings, but it is still less than perfect.
While Google regularly updates the Android OS, manufacturers are free to deny the upgrades on their devices, leaving you vulnerable to known weaknesses to create an artificial need to upgrade your hardware regularly.
Unlike Android users, who are largely at the mercy of their carriers for OS updates, Apple pushes out new versions of iOS to anyone with a compatible phone all at once. That's why 89 percent of iOS users are on iOS 10 as of Sept. 6 , while only about 16 percent of Android users are sampling Nougat as of Sept. 11. — PCMagazine
iOS apps may be vulnerable to silent man-in-the-middle attacks (where a nefarious third party can intercept the communication and steal data).
As iOS moves away from 32-bit software, users are warned that older apps may slow down their devices. In many cases, these apps are no longer maintained and probably should be deleted.
Mobile phishing attacks are on the rise and iOS is the biggest target. 63% of mobile phishing attacks target iOS devices. The number one source of those attacks is gaming apps. People are getting wise to email phishing, so hackers are becoming much sneakier. Mobile phishing that hides inside apps is harder to catch, making it a huge security risk.— TechRepublic
- Malicious iOS app popup windows could be stealing your Apple ID.
- Secure your iPhone and iPad: change these iOS 11 privacy and security settings now.
- Dozens of iOS apps vulnerable to data theft, despite ATS mandate.
It was recently revealed that spyware program was installed on more than 700 million Android smartphones and was collecting information and sending it to China.
But that isn't the only Android threat. Gooligan, breached the security of over one million Google accounts, one of the largest Google breaches yet. Check your Google account activity and choose better security
- Here's how you can use Android but ditch Google .
- How to safely delete your Google or Gmail account for good.
Evesdropper is a vulnerability affecting both nearly 700 iOS and Android devices (44% Android, 56% iOS) that provides global access to confidential information. This vulnerability can only be fixed by the developer.
The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they've developed with the exposed credentials.
Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware. An Eavesdropper attack is possible simply because developers have failed to follow Twilio's documented guidelines for secure use of credentials and tokens and allowed theses apps to leak audio and message-based communications. — Appthority
- Appthority's Mobile Threat Center lists advisories and news related to mobile security.
Privacy on Mobile Devices
Combined Services Share User Data
Microsoft, Apple and others are on a buying spree. The information from that purchased service is being accessed by the new parent company and privacy policies change to suit the new owner.
Often it is the user base that is the reason for the purchase even more than the technology. For example, Microsoft probably acquired LinkedIn to access the wealth of user data as much as providing a social media platform.
Apps Abusing Access to Your Data
You need to be careful about how much information you provide to apps rather than simply clicking the “Accept” button.
Don't Use Facebook to Log into Services
When you see the option to use your Facebook account to log into a service rather than creating a unique ID it provides access to your Facebook profile to that third-party (including your list of friends, likes and much more than they'd get if you login using a unique ID).
While convenient, it is better to segregate this information by using a unique user name and password for each service you use. LastPass can track these for you and generate new passwords on the fly.
Be Selective in Permitting Access
When an app requests access to your contacts, photos, etc. you need to determine if that access is necessary for the app to provide the functions you're requesting and how that data is going to be used. In most cases it is used to generate advertising profiles to sell you to their advertisers.
You're probably better off finding another app that doesn't want to abuse your privacy.
Don't Give Apps Unnecessary Access
This information is worth billions yet many folks have been unaware of how valuable the price they've paid for their “free” apps. This has made it much harder to take back control of our privacy.
Apps collect information about their users. Developers often say that they collect information to create enhanced functionality in their app or to deliver a better user experience. But more often than not, its not easily understood why certain apps need all the information they collect.
Think about it like this — why in the world does your calorie tracker need to access your contacts? And really, why does your flashlight app need to know your location?Recently the FTC called out flashlight apps on both iOS and Android platforms for collecting unnecessary information — both were guilty of being built to track location and access calendars, contacts and unique identifying factors. The settings also allowed them to share all that information with third party ad networks. Yikes — All that, just for a flashlight! — ZoneAlarm Blog
Mobile Location Analytics
By tracking cell phones, Mobile Location Analytics (MLA) technologies allow facilities to learn about traffic patterns within their venues including how long people stand in line.
While this information could benefit the user, it also invades their privacy.
Learn more at MLA Opt Out.
More About Privacy in the Mobile World
- Three tips for phone privacy.
- Your privacy at risk — Restoring your privacy.
- Uniquely you: the identifiers on our phones that are used to track us.
- The many identifiers in our pockets: a primer on mobile privacy and security.
- What your apps know about you.
- Battle of the secure messaging apps: how Signal beats WhatsApp.
- The art of social media scams and how to avoid them.
Spam & Deception
Dealing with Spam
Spam and deceptive advertising are rampant in mobile computing.
From the ads running in the free apps we download to the misleading links on our Facebook feed, we are being bombarded with misinformation.
With the exploding use of small devices like cell phones and tablets (both in addition to and in replacement of computers), advertisers have been determined to penetrate that new market.
CASL prohibits anyone from installing software—including updates—on your electronic devices without your consent.It also applies to updates and upgrades installed by somebody else, even if you installed the original software. — Canada's Anti-Spam Legislation
Edward Snowden revealed that the US government was capturing and storing information from our Internet, phone and other electronic interactions using a number of programs designed to avoid congressional oversight.
The Five Eyes coalition, China and other nations were also involved in spying on the world's citizens.
Facebook is known for allowing deceptive advertising links on their newsfeed. Not only do they obfuscate these links so the user cannot determine where they'll take them without clicking on the link, but state that they are unable to monitor these deceptive practices.
Facebook allows a wide mass of its users the freedom to spread fake news (which they won't regulate), while simultaneously working to prevent another group from sharing actual news. — Mashable
Interestingly enough, Facebook guaranteed the Chinese government that they will be able to control content unapproved for their population in order to keep Facebook from being blocked in China.
We're No Safer
Police and spy agencies now gather massive amounts of our private information.
When questioned, these officials often use terrorism or child pornography to excuse this behaviour. Now the police want even more powers.
We allowed our governments to introduce legislation that traded our privacy for “protection” against terrorists, yet we are no safer.
The Act does not require individualized suspicion as a basis for information sharing amongst government agencies. There is no impediment in the Act to having entire databases shared with CSIS or the RCMP. The standard for ‘sharing’ is very, very low. — BC Civil Liberties Association
[W]e have seen too many cases of inappropriate and sometimes illegal conduct by state officials that have impacted on the rights of ordinary citizens not suspected of criminal or terrorist activities. — Privacy Commissioner Therrien
The successes have been few (and mostly could have been accomplished without the loss of our privacy).
It is far more likely that a common thief is caught up in this web than the mass terrorists the legislation is supposed to deter.
Agencies looked at the data they had when 911 occurred and realized that if they had more information they may have stopped the attack. Sounds good, right?
Unfortunately, the reality is different.
The problem wasn't the amount of information so much as the ability to quickly sift through it and make sense of what it meant. Were it working as advertised, the Boston Marathon bombing would have been stopped. The government had been warned about the perpetrators, but that information was lost in the mass of collected data.
Too Much Data
Think of the problem of finding a single red Loonie (or silver dollar) in a pile one foot high across your entire city.
Would it be easier to find in a pile spread across your entire province (or state) make it easier to find? How about across the nation or around the world?
You could ensure that the marked coin was within your search parameters, but are far less likely to locate it.
What's the Solution?
We need to tell our governments and corporations to quit collecting our private information and to restore a sense of privacy.
I don't want to live in a world where everything I say, everything I do, everyone I talk to, every expression of creativity and love or friendship is recorded. — Edward Snowden
Corporations won't do this on their own. Our “metadata” is simply worth too much to them.
They've Used Our Own Ignorance
They've used our own ignorance of the value of this information to allow it to be traded for very little in return.
Government Regulation Necessary
We need governments to regulate how easily our private data is accessed by police, spy agencies and corporations in the same manner they've regulated the sorts of questions that are allowed on an employment application or rental agreement.
Take Back Our Privacy
We need to take back our privacy.