Mobile devices: How secure are they?

Do you know what your smartphone is doing right now? Your favourite app may be sending email addresses from your contact list to spammers. It may be tracking your location and sending this information without your knowledge. Unfortunately, it is nearly impossible for users to know what their phone is really doing, and that is a significant problem.

According to the 2010 Statistics Canada report, 80 per cent of Canadians 16 and older use the Internet for personal use, and one-third of those accessed the Internet through mobile devices. Smartphone sales continue to increase as more people want the convenience of having the Internet continuously at their fingertips. Most smartphone users install apps on their phones to increase functionality, but this added convenience comes at an increased risk.

Applications from app markets undergo little verification to ensure that they behave only as advertised. Those available in third-party markets or other sources have even less assurance of being safe. Malicious apps may be disguised as popular applications, and it is very difficult for users to differentiate between the legitimate version and the malware. Cues such as comments and ratings from other users can help, but even those can be subverted. Crowdsourcing websites typically pay users pennies to complete small tasks, and those tasks can include posting positive ratings on particular apps. In this way, a malicious app can quickly gather hundreds of positive reviews at negligible cost.

When installing apps, users are faced with the choice of allowing or denying access to certain resources on the phone. While the interface is intended to inform users and allow them to make an educated choice, the choice really becomes “do you want to install this app or not?” since typically the only choice is to allow all requested permissions or refuse installation in its entirety. The descriptions of the permissions are too technical for most users, and even if they are understood, there is no way of knowing what the app will do with a particular permission once granted. For example, an app may legitimately request access to your location in order to display nearby restaurants, but there is nothing stopping the app from also tracking and transmitting your location for other, malicious, purposes.

It is not only apps that are cause for concern. Photos taken with a smartphone may automatically contain metadata that embeds the exact location where the photos were taken. Consider the potential consequences: tweeting or posting that family photo online could lead a predator right to your doorstep.

Recent reports reveal details of text-messaging programs that surreptitiously send text messages to pre-defined premium-rate numbers, surprising phone owners when their monthly bill arrives. In another breach, a developer recently found evidence of software called CarrierIQ hidden on many phone models. It is capable of tracking all user interaction on the phone, including all keystrokes, phone location, websites visited, and app usage, then reporting this information to the phone carrier. Its stated purpose is to allow carriers to optimize services, but its capabilities allow for far more invasive tracking. Carriers are now scrambling to explain their use of the software and some are vowing to stop using it. In response, enterprising attackers quickly released a new version of the premium-rate text-messaging malware, this time masquerading as an application intended to detect and remove CarrierIQ from your phone.

It is clear that security and privacy too often take a back seat to practicality and functionality, despite the fact that they are important concerns for consumers. So what are users to do? Consumers should not settle for this state of affairs and should demand better from phone manufacturers, from service providers, and from developers. These are complex problems to solve, but we can only make progress by making them a priority. In the meantime, beware of your phone’s extra-curricular activities.

Assistant Prof. Sonia Chiasson is the Canada Research Chair in Human Oriented Computer Security, School of Computer Science, at Carleton University.


