Security challenges for smartphones

Discussion in 'Android OS' started by GoodPDAuser, May 17, 2015.

  1. GoodPDAuser

    GoodPDAuser Mobile Deity

    Messages:
    141
    Likes Received:
    23
    Trophy Points:
    23
I've been browsing the current wisdom on security best practices as well as the online info on what might be the most reasonable smartphone for the security conscious. It dawned on me that it really depends on the degree of one's paranoia. Here are the increasing levels of paranoia as I see them. If you're worried about losing the phone, or people shoulder surfing, you would use a passcode (indispensable in any case) and install apps for remote location and remote wipe. If you're worried about malware, install antimalware. If you're worried about apps stealing your personal info and/or inflicting you with ads, install permissions controllers and don't install apps indiscriminately. If you're an enterprise, you'd worry about policies for preventing loosey-goosey users from bringing malware within the firewall, or making corporate info available to others while off-site. The 2nd most paranoid level is where I sit: If you worry about storing your most personal identification/authentication info on your phone, you avoid the cloud, eschew the vendor OS by going open source, and only install apps when necessary. And finally, the maximum level, if you're worried about certain national establishments (domestic or otherwise) spying on you...well, I'm not sure what people at that level do, but I've read about things with which I am unfamiliar, e.g. securing the baseband, possibly the firmware.

    OK, so maybe my paranoia creeps a tiny bit into the maximum level, but only in the sense of being diligent against the possibility of spyware from nondomestic sources. It's such an opaque world that, unless one is willing to make this into a full time career, the available courses of action to users (not developers) to deal with this risk are limited. Speaking from an uninformed standpoint, perhaps a reasonable level of due diligence might be to select a phone made by a company from a country that one is comfortable with.

About the 2nd most paranoid level: I'm beginning to wonder whether it is even feasible trying to contend with perceived risk. I'm finding that it's actually harder to forgo the vendor OS than first thought -- and by vendor OS, I also mean specifically a carrier's variant of an open source OS like Android. The reason I lump that in with a vendor OS is because of the Carrier IQ issue from years back; although there may not have been ill intent, it shows that it is feasible for carriers to augment an open source OS with unwelcome "chaperone" code, and that it is in fact practiced.

    Here are the challenges that I've found in trying to pro-actively contend with the 2nd most paranoid level. First, the terrain of open source alternatives is a wild west. I chose CyanogenMod (CM) because it seemed to be the most popular and (I reasoned) would be most mature. The problem, at least so far as I've guessed it to be, is that there are so many phones out there that the port of the OS to the specific phone that one owns is a hit-or-miss proposition. In my case, the images of CM for the 1st generation Moto-G were all nightlies, with no milestone versions, i.e., no verification of proper functionality. The Moto-G has a few more variants, so either the 1st gen has too small a user base or is just too "1st gen" to attract the attention that would lead to a milestone version of CM.

The 2nd challenge is related to the 1st: The recovery software to install non-native apps also seems to be a wild west. I tried the 2 most popular, ClockworkMod and TeamWin. The first did not work and the 2nd worked sometimes. Again, there is no one on a paid staff porting this software to the multitude of phones out there, so one can only guess what forces lead to stable, robust releases for specific phones.

The 3rd challenge has to do with a lower level of paranoia, that of seemingly unreasonable permissions needed by apps. According to my tiering scheme, therefore, it doesn't fall under the 2nd most paranoid level, but it's related in that it has to do with protecting your personal info. The most front-line course of action is simply to avoid apps that require permissions that you're not comfortable with, or which you can't fathom the need for. This would rule out a vast sea of apps, including those that you want. Additionally, you can inquire with the vendor about the permissions required by an app that you especially covet and/or install an app permission controller. Along the lines of the latter, CM has Privacy Guard, which would seem to be a magic bullet. It is better than nothing, but far from a magic bullet. Phone operation can break if you indiscriminately refuse permissions (especially to apps native to the OS, even though the permissions may not make sense to you). Furthermore, there are many apps on the list which are unrecognizable. This begins to look like the personal firewall situation of more than a decade ago: It is impossible for users to intelligently create permission rules without some rather deep expertise in how things work under the hood. I see an analogy with app permission controllers.

    The final challenge in contending with the 2nd most paranoid level is where I am currently at an impasse. The OS developers don't just progress the evolution of the OS; at some point, they can decide that the OS will require a different bootloader. This means that you need to download the bootloader from a 3rd party site. It's one thing to put one's faith in open source sites for software that is open to the scrutiny of a large body of users. It's another to go to a less-known site to get a low level piece of software. For example, you wouldn't get a BIOS for your PC from an unknown source (or at least, I wouldn't). So you're faced with the decision of how long to go without an OS upgrade before tossing the phone.
     
  2. GoodPDAuser

    GoodPDAuser Mobile Deity

    Messages:
    141
    Likes Received:
    23
    Trophy Points:
    23
    Kinda hoping that a wizened gray beard would say:

"Young lad (even though I'm not that young), don't despair. It is not hopeless -- you are being overly concerned. Based on my vast and timeless experience, here are the things that matter if you target the 2nd most paranoid level, as you have tiered it up. You should select vendor ACME, phone model blah-dee-blah because ACME has every business imperative to not betray your trust. And such-and-such historical events demonstrate that their priorities are such that you can trust their OS. No need to mess around with the wild west of open source, which leaves you stranded unless you want to upgrade your bootloader from Booty Al's Free Bootlegged Bootloaders. Furthermore, since it's not a toy for you, the limited ACME apps marketplace should not be too much of a deficiency for you, as you have all the tools you need to browse documents rather than play games, watch movies, or socialize online."

    Just as a focus to help me pen the parody above, I had a particular vendor in mind (which is easy to guess at), but I just don't know whether all the good things above can be said about them.

    Of course, I'm being facetious about bootlegged bootloaders. I know that people donate their time to make them available. I just wanted to milk the parody. The fact is, despite such kindness of strangers, trusting unknown 3rd party sources is simply inconsistent with the model of due diligence for the security conscious.
     
  3. Hook

    Hook Have keyboard, will travel

    Messages:
    20,239
    Likes Received:
    13,564
    Trophy Points:
    288
    I don't know if, at age 62, I'm a graybeard (my face is bare), but I would probably advise that you really can't sustain the 2nd level of "paranoia" and use a smartphone (or, frankly, have a computer connected to the internet). This more or less agrees with a thought you wondered about out loud above. The best you can do is to take some simple and practical precautions, be careful and observant, and hope (which is not a method, as has been pointed out many times) that the more dire possibilities which can happen even with your precautions won't happen. What precautions you take will depend on your level of expertise. I'm pretty sure Internet Pilot's and Headcronie's precautions are far better than mine, but I haven't had anything dire happen (yet). My precautions amount to reasonable encryption of WiFi, going only with apps I think are reputable and reliable from equally reputable devs and putting most of my truly sensitive data in a password locker with strong encryption. I don't encrypt my device and in fact don't require a pin to unlock the device. Too annoying and hubris coming from never having lost a PDA or phone.

    The thing is, most of your critical information is on-line whether you want it or not. For example, it doesn't matter whether you sign up for on-line banking or not. The fact that you can means all your banking data is already on-line.

I wouldn't count on Windows Phone apps being more secure. Blackberry, maybe. ;) Don't actually know.

    Ultimately, if you can't make peace with the possibility of your more paranoid scenarios (which can happen), I think you need to contact Chris Short and see about a perfectly fine refurbished PDA and get a flip-phone. That's not criticism, just an observation. I prefer to save my worry for when something bad happens rather than anticipating all the bad somethings that can happen but might not. Again, JMHO.

    By the way, I don't know if you know about this:

    https://f-droid.org/

    F-droid is an open source app store that also tends to be more aggressive about calling out questionable permissions. I don't use it so this isn't an actual endorsement, just providing information.

    Cheers!
     
    jigwashere, scjjtt and RickAgresta like this.
  4. GoodPDAuser

    GoodPDAuser Mobile Deity

    Messages:
    141
    Likes Received:
    23
    Trophy Points:
    23
    Yes, you're a figurative gray beard.

    I appreciate your perspective, as disappointing the implications may be. While it would be a royal pain, I should give more serious consideration to having separate devices for PIM versus those activities requiring interaction with the network, e.g., calling, texting, browsing. Complete isolation of PIM info from a network, except syncing with Outlook (likely over cable rather than WiFi, cuz if there's WiFi capability, there's also www browsing capability). I'll have to consider the device options for these two separated functions.

I searched for security-related postings by Headcronie, and while there are a number of them, none are really about overarching security postures and approaches. It's a pretty holistic question, and I don't actually expect many people to tackle it, especially since most technical fora deal with specific issues.

The forum search engine errors out when I search for security postings from Internet Pilot. I assume it is because of the space in the user name. However, I also tried googling {security "Internet Pilot" site:www.forum.brighthand.com} without curly braces -- no joy.

    You mentioned securing communications links by encryption. I didn't mention this because I am assuming it by default. As for encrypting sensitive bits of info on the handset with a password manager...it's something I'm aware of but haven't looked into. Depending on time & priorities, I may do so. From a personal standpoint, it boils down to whether I find a compelling enough description of the vulnerabilities and the remedies offered by a password manager without actually being an expert in the operating system or security. Granted, most of that challenge stems from my ignorance of the subject areas, but I would say that the limitations I face afflict the majority of even the technically inclined user base. The only people who *wouldn't* have those limitations are those who work in the area, and of course, society can't just be composed of such experts.

I need to respond to your comment about one's information already being online. While there are risks associated with that, I would contend that the actual threat that people should try to take measures against is not from having their data in institutions that they allow to have such information. For example, I've known for decades that my bank has my personal info. I wish these organizations would be more protective of my info, but I willingly enter into a relationship with them (not much choice, really) and they are obligated to protect my privacy. Furthermore, they don't have my passwords for accounts other than those at the bank. On the other hand, I do *not* elect to make my info available to Google or Koodo Mobile -- and those are just the nonclandestine organizations. I do *not* wish to make sensitive info visible to apps (clandestine or otherwise) that may be running on the phone, nor to external organizations to which such info may be sent.

Of course that sounds paranoid, but I would argue that explicitly admitting that I don't know the likelihood of such threats makes my assessment realistic. I can only look back at actual events like the Carrier IQ issue and realize that it seems technically feasible and anything but implausible. Without having researched the heck out of it, I admit that there is only one such historical incident -- that we are aware of. Regardless of the technical feasibility and actual likelihood, however, my previous paragraph was more about differentiating between banks having our info versus organizations that merchandise in personal info, clandestinely or otherwise.

    Aha, so you cued in to Blackberry as the picture that I had in mind in writing my parody. It seems to be darling for *corporate* security; just not so sure that non-enterprise users can be comfortable about their PIM info. I tend to think that the competencies for the former overlap largely with those for the latter. The only reason I went with Android is because it wasn't clear that Blackberry's presence in the handset sector would persist (it still isn't clear). Furthermore, Android (CM) is open source, and it seemed to me that OS transparency was a "pro" for the security conscious.

    As for not worrying about loss of personal info until it actually happens, I would be comfortable with that approach if the potential consequences weren't so great.

About F-droid, I did in fact run into it when I tried to research how people dealt with this overarching security conundrum. (Frankly, not many people seem to care about it). I stopped pursuing F-droid when I found that QuMu PDF Viewer worked fine. It was highly regarded, and seemed to suit the functionality that I needed (its predecessor had become less favoured, and it was the one available on F-droid). CM's Privacy Guard provides some level of insurance that the app didn't do anything untoward.

If I had to do it again, I might go the F-droid route because of my negative experience with the Google Apps app. It's not just for browsing the app store; it takes over many aspects of your entire device. It took forever just to rein in the permissions so that I wasn't using Google Apps applications at every turn. Some googling reveals that this is Google's strategy for reining in control of Android. Just bury much of the functionality into a meta OS, which Google Apps is fast becoming, and make it a requirement for accessing Google Play. The user experience then becomes markedly different from the Android variants outside of Google's control. Perhaps at some point, their services will only be compatible with GApps, and the other Android variants will be out in the cold.

For those who don't want to be completely transparent to Google, F-droid takes on a whole new significance, but with caveats. You have to trust the browsing app, just like you would any other app, and you have to trust the F-droid vetting and see it as sufficient added value to make up for the limited selection. I may not want many elaborate apps, but I do want the most suitable one, which I found on Google Play. In any case, the F-droid store only deals with the app side of the challenges for the security conscious. It does not address the current deal breaker: Having to upgrade the bootloader from an unknown 3rd party source, just to upgrade CM.
     
  5. EdmundDantes

    EdmundDantes Mobile Deity

    Messages:
    2,706
    Likes Received:
    3,134
    Trophy Points:
    288
Hook is probably right. Even Tier 2 is hard to sustain in some respects, as you note. For me, permissions are the biggest concern and, as you note, there is no full solution to that. I wish Google would hurry up with re-releasing that permissions panel they briefly released.
     
  6. GoodPDAuser

    GoodPDAuser Mobile Deity

    Messages:
    141
    Likes Received:
    23
    Trophy Points:
    23
    Yes, the situation looks bleak.

    From my browsings some time ago, there are doubts as to whether Google has much incentive to clamp down on permissions. It would certainly dampen the active apps marketplace, as it seems that many apps developers are motivated by the possibility of income both from paid apps and from serving ads to those who don't want to pay. I don't know where trafficking in personal info fits into that -- perhaps the small print permits them to gather such info and then share it with other parties for the purposes of augmenting their service to you (the service of providing info on products that you might be interested in).

Also, I'm sure that Google is interested in any info that they can defensibly obtain via the operation of the Android system and GApps, so they wouldn't want to offer the user too much *comprehensible* visibility and control into how data is shared under the hood. In that sense, it's to their advantage for the greater visibility to be incomprehensible, which happens naturally anyway -- it is part of the problem with Privacy Guard (and the personal firewalls of decades past). Just as a general observation, it seems to me that making enough of the inner workings of any OS comprehensible and offering sensible options of control to normal users is a very nontrivial challenge. Look at the decades that it has taken Windows to get where it is now.

I'll just finish off this response with the reminder that app permissions are one side of the problem. The wild west nature of the truly open source alternatives is another, along with their installation requirements.
     
    Last edited: May 18, 2015
  7. DTM

    DTM ---

    Messages:
    1,515
    Likes Received:
    208
    Trophy Points:
    238
    Yes. I learned that one a few years back when my father-in-law died and I had to help my mother-in-law get her finances in order. FIL had had numerous stocks and mutual funds, all in individual accounts. I wasn't supposed to have access to them; only my MIL was on the accounts. And they didn't have Internet service (or a PC, for that matter), so there were no web accounts set up. I just went online and set them all up. Made inquiries, located assets, made trades, changed addresses. No problem, even though technically I was nobody to each institution. Now, I was limited in some things. If I sold an asset, it had to be paid by check to my MIL and sent to her last confirmed address. But who knows what I could have done with even a minimal knowledge of hacking accounts? Lesson learned: Even if you never intend to use web access, set it up anyway. That way you can get immediate e-mail notification of any activity.

    Another suggestion: I have two e-mail accounts I normally use--work and personal--and have those set up on my phone for easy access. But I have a third one that I use only for financial institutions, access only through the web portal, and manually enter the password every time. That way, if someone steals my phone, thereby gaining access to my e-mail, then goes to my bank's website and clicks "Forgot Username", the temporary reset code goes to a different e-mail account that they have no access to.

    By the way, I'm not a graybeard, but I am a graymustache. Does that count?
     
  8. GoodPDAuser

    GoodPDAuser Mobile Deity

    Messages:
    141
    Likes Received:
    23
    Trophy Points:
    23
    Only if it's twirl-able.

    About the bank sending you a temporary reset code...I would hope it's not as simple as that. I would hope that there is additional info needed to authenticate. Though I've never tried.
     
  9. GoodPDAuser

    GoodPDAuser Mobile Deity

    Messages:
    141
    Likes Received:
    23
    Trophy Points:
    23
Given that this is the state of truly open source Android, and the movement of Google away from a truly open source system, I think it's time to plan a migration to Blackberry. It's a crapshoot either way as to whether they are more trustworthy, but I have only impressions to go on at this point. The only sunk cost at this point is the Moto G, the cadillac app AkrutoSync, and most importantly, tons and tons of time.
     
  10. GoodPDAuser

    GoodPDAuser Mobile Deity

    Messages:
    141
    Likes Received:
    23
    Trophy Points:
    23
After reading about the Stagefright threat to Android, I temporarily broke out of my laziness spell and browsed around a bit for the prospects of Blackberry remaining in the handset arena. I discussed this at length with a colleague who works in the cellular SW industry, albeit on the base station side rather than the handset side. He pointed out a weakness in my plan. Even if Blackberry stays in the game, it will (like other handset vendors) wean resources from supporting an old handset after very few years, so that upgrades to avoid vulnerabilities will be limited or nonexistent. It is not in a handset vendor's interest to make it attractive to stick with an old phone, nor is it viable for them as a business. For all practical purposes, it will be as if it had gone out of business, and that would be no different regardless of which model from which vendor I choose. And that in turn is no different from my inability to upgrade CyanogenMod 12 today, due to the requirement to download a bootloader upgrade from an unknown site, which would blow away any due diligence that one might try to uphold. Even if that were not the case, Motorola's handset market has been sold to extra-continental interests, and I have no idea how that impacts the trustworthiness of new bootloaders.

Not surprisingly, the only 2 realistic ways ahead from that conversation are (1) to have one phone for connectivity and another for calendar/contacts/notes (goodbye texting), or (2) use a single phone, but put the truly sensitive stuff like passwords & personal ID numbers into a password locker. All stuff that has been discussed before on this site. Next step: Research how reliable password lockers are when one cannot take for granted that the host OS or peer apps are secure.
     
    scjjtt likes this.