The ongoing battle between Apple and the FBI highlights fragile smartphone security mechanisms. The fact that the FBI is resorting to such extreme measures suggests that iPhones are reasonably secure, but the suggestion that Apple could load a new operating system to bypass security features is cause for serious concern.
It could be worse. Amazon quietly removed encryption features from Fire tablets. Users with encryption enabled lost that functionality when upgrading to Fire OS 5. A public relations “Fire” storm ensued; Amazon subsequently promised to restore encryption in a future release. Consumers have a right to be furious that Amazon removed it in the first place.
These two examples illustrate one alarming problem with the current generation of mobile devices: Security functionality can change quickly after a device has been purchased.
Backup security is another issue facing smartphone users. Services such as iCloud provide a simple and effective way to protect data. In a worst-case scenario, it is reassuring for users to be able to purchase a new device and restore all their data. However, iCloud lacks a critical security control as backups are not encrypted. Even though data on a user’s device is protected by strong encryption, the backup can be accessed with a court order or by compromising the user’s iCloud password.
Applications create another area of significant risk. The recent report from The Citizen Lab at the University of Toronto’s Munk School of Global Affairs found that “the Android version of Baidu Browser transmits personally identifiable data, including a user’s GPS coordinates, search terms, and URLs visited, without encryption, and transmits the user’s IMEI and a list of nearby wireless networks with easily decryptable encryption.”
To make matters worse, “the data leakage is the result of a shared Baidu software development kit (SDK), which affects hundreds of additional applications developed by both Baidu and third parties in the Google Play Store and thousands of applications in one popular Chinese app store.” Information is stored on Baidu servers in China and is reportedly available to the Chinese government.
While perhaps the most aggressive, Baidu is certainly not the only search and advertising company that collects information about users. For example, Google retains extensive search and browsing information. According to Google’s Transparency Report, they received 35,365 requests from governments in the first half of 2015.
The first step to improving mobile device security and privacy is acknowledging there is a problem. The next step is to create a standard and easy-to-understand way for product vendors to communicate security features before consumers purchase, install, or upgrade software.
Other models exist to inform consumers. The EnerGuide program allows consumers to compare the energy performance of different household appliances. Cars have safety ratings. Packaged food products must include standard nutrition information.
Security may be more complex than counting carbohydrates and fat, or testing the amount of electricity a product uses, but simple questions can reveal a lot of important information. Is all data encrypted at rest? What information is sent to the vendor? Is authentication required to access the device? Are backups encrypted? Can the vendor bypass security features? Is it possible to upgrade the operating system on a locked device without destroying encrypted data?
Consumers have a right to know how their information is being used and protected. Requiring vendors to disclose this information in a standard format would increase consumer confidence and enabled better informed decisions.
Have a security question you’d like answered in a future column? Email email@example.com
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…