Vulnerabilities in Mobile Devices
The New Mobile Reality
There are now more mobile devices than people on the planet and most people get most of their information through a mobile device.
We text, talk and share on the go, often without thinking about the consequences.
Your mobile devices contain a lot of information about you. Learn how to be careful so your information doesn't end up in the hands of a cyber criminal.
— Get Cyber Safe
Learn about the inherent risks that go along with the freedoms these devices provide so you can make better decisions about the software you use.
Detox Your Phone
Do your apps share unnecessary data? Five ways to reset your relationship with your phone from Mozilla.
Update Your Device
One of the most important security measures you can take is to ensure your software and devices are updated regularly.
How Security Aware Are You?
Canadians are accessing everything online via their smart devices more often than their computers and that trend is only increasing. With that change comes a need to learn to protect yourself and your data.
See the full infographic to learn more.
Today's mobile devices, by their very nature, are not in a fixed location. Data is often stored in the “cloud” and is available to other applications and services you've permitted to have access to it.
While most apps aren't malicious and need these permissions to work properly, it's worth reviewing them at times to make sure an app isn't taking information it doesn't need.
And in the case of apps like Facebook, the absurd number of permissions requested might make you want to uninstall it completely.
Microsoft Windows used to be a mostly closed system that contained your programs and data on your own computer.
Essentially a Mobile System
To enable access across devices, much of your data is no longer stored locally by default. By storing it on OneDrive, it becomes available to all your devices. Unfortunately, that includes anyone on the Internet who can guess your password.
After the uncertainty that surrounded the Windows 10 launch, we now have more clarity on what information Microsoft collects as well as easier access to privacy settings. Major Windows updates have sometimes reset privacy defaults, so that is something you'll need to check for after each one.
Security on Mobile Devices
Mobile devices are much better “out of the box” than they were a few years ago.
That doesn't translate into secure experiences once they are put into everyday use.
We've reached a point where mobile ecosystems and platforms are relatively secure at an OS and hardware level; the biggest risk comes from what we do with those devices and what we install on them, what email messages we read, and what links we click.
SIM Card Fraud
SIM swapping is a nasty business that can destroy lives and provide access to your bank accounts, social media and online files, all while denying you access to your social media, email and other accounts.
After rolling out of bed, I picked up my Apple iPhone XS and saw a text message that read, "T-Mobile alert: The SIM card for xxx-xxx-xxxx has been changed. If this change is not authorized, call 611." Well, seeing as how T-Mobile took away my cell service, I could not call 611 for help so that was a worthless message.
— Matthew Miller
Besides the financial and data risks, the hacker can destroy any credibility you've built up over the years. It also compromises multi-factor authentication for most of your accounts, including online banking.
SIM swapping, sometimes called SIM hijacking, occurs when a bad actor convinces a telecom carrier to transfer a mobile phone number to a SIM card they control.
Once a fraudster associates a victim's phone number with a new SIM card, they can use the number to access bank accounts or other sensitive information associated with it.
With as little as the last four digits of your credit card, your birth date, phone number and current address (all probably revealed in some data breach or in your social media posts), someone else can convince your cell provider that your phone was lost or stolen and allow your cellular account to be transferred to a new phone by authorizing a new SIM card.
- Mozilla explains: SIM swapping.
- Why this teen walked away from millions of TikTok followers.
- SIM swap horror story: I've lost decades of data and Google won't lift a finger.
End SIM Card Fraud in Canada
It is time for the CRTC to regulate cell phone company accountability.
- The SIM card swap scam: What it is and what you can do to minimize risk.
- Regulators and telecoms are refusing to release data about SIM swapping in Canada.
- Unauthorized mobile telephone number transfers and SIM swapping in Canada.
- Canadian teen arrested for SIM-swap attack that looted $36 million.
Apps Abusing Access to Your Data
You need to be careful about how much information you provide to apps rather than simply clicking the “Accept” button.
Let's look at a real-world example.
In 2017 Appthority discovered a vulnerability in 685 enterprise apps affecting nearly 700 iOS and Android devices (44% Android, 56% iOS) which had provided access to private data since 2011.
The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they've developed with the exposed credentials.
Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware.
An Eavesdropper attack is possible simply because developers failed to follow Twilio's documented guidelines for secure use of credentials and tokens, allowing these apps to leak audio and message-based communications.
This vulnerability could only be fixed by the developer. These developers probably lacked the knowledge or motivation to fix the issue.
The cause of the Eavesdropper issue is careless developers. We've seen many cases in the past where developers leave API and server credentials inside an app's source code, instead of storing them in a secure, remote database.
— Bleeping Computer
Removing the apps from your device became the only logical option.
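As an added example (not Appthority's, Twilio's or this page's own code), the scanner below flags source lines that embed credentials the way the Eavesdropper apps did, which is the kind of check a developer or app reviewer can run before shipping. The SID pattern, the variable-name heuristic and the Java snippet are this example's own assumptions, and the sample source is constructed.

```python
import re
from typing import List, Tuple

# Assumption: Twilio-style SIDs are a two-letter prefix (AC = account,
# SK = API key) followed by 32 hex digits.
SID_RE = re.compile(r'\b(AC|SK)[0-9a-fA-F]{32}\b')

# Heuristic: a string literal of 16+ characters assigned to a variable
# whose name suggests a secret.
SECRET_ASSIGN_RE = re.compile(
    r'(?i)\b(auth[_-]?token|api[_-]?key|secret|password)\w*'
    r'\s*=\s*["\']([^"\']{16,})["\']'
)

# Constructed sample of the mistake described above: account credentials
# compiled into the app, alongside the safer backend-issued token pattern.
CONSTRUCTED_SOURCE = """\
// TwilioClient.java (constructed sample, not a real app)
public class TwilioClient {
    private static final String ACCOUNT_SID = "ACdeadbeefdeadbeefdeadbeefdeadbeef";
    private static final String AUTH_TOKEN  = "0123456789abcdef0123456789abcdef";
    private static final String API_BASE    = "https://api.twilio.com/2010-04-01/";
    // Hardened form: the app only ever holds a short-lived token issued by a
    // server the developer controls, so the account secret never ships in the binary.
    String accessToken = fetchTokenFromBackend();
}
"""


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for every suspect credential found."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SID_RE.finditer(line):
            findings.append((lineno, "sid", m.group(0)))
        for m in SECRET_ASSIGN_RE.finditer(line):
            findings.append((lineno, "secret-assignment", m.group(2)))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_credentials(CONSTRUCTED_SOURCE):
        # Mask the value so the report itself does not leak the secret.
        print(f"line {lineno}: {kind} {value[:4]}...{value[-4:]}")
```

Running the block prints two findings (the account SID on line 3 and the auth token on line 4); the backend-issued token on the last line of the sample is correctly not flagged.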
Data Collection Significant
The vast numbers of apps on the app stores and the number of downloads can make a seemingly minor oversight affect millions of users.
That assumes that all this was accidental. Not so.
The collection of personal data has become a multi-billion dollar industry that will require legislation to fix.
- How secure is your business data on your employees' personal smartphones?
- 8 mobile security threats you should take seriously in 2020.
While Google regularly updates the Android OS, manufacturers are free to withhold those upgrades from their devices, leaving you exposed to known weaknesses and creating an artificial need to replace your hardware regularly.
Android devices are ubiquitous, and the Android platform isn't locked down the way iOS is. Even if you stay away from third-party app stores and refrain from jailbreaking your device, you can still get hit with Trojans, ransomware, and other kinds of Android malware. Smart users protect their devices with an Android antivirus.
It was recently revealed that a spyware program was installed on more than 700 million Android smartphones and was collecting information and sending it to China.
But that isn't the only Android threat. Gooligan breached the security of over one million Google accounts, one of the largest Google breaches yet. Check your Google account activity and choose better security settings.
- The Risk of Accessibility Permissions in Android Devices.
- Here's how you can use Android but ditch Google.
- How to safely delete your Google or Gmail account for good.
Apple iOS is significantly more secure than Android.
Unlike Android users, who are largely at the mercy of their carriers for OS updates, Apple pushes out new versions of iOS to anyone with a compatible phone all at once. That's why 89 percent of iOS users are on iOS 10 as of Sept. 6, while only about 16 percent of Android users are sampling Nougat as of Sept. 11.
iOS isn't free from issues.
iOS apps may be vulnerable to silent man-in-the-middle attacks (where a nefarious third party can intercept the communication and steal data).
As for iPhones and other iOS devices, Apple's built-in security makes life tough both for malware coders and antivirus writers. Many cross-platform suites simply skip iOS; those that don't typically offer a seriously stripped-down experience. Given the platform's intrinsic security, it rarely makes sense to expend one of your licenses installing protection on an iPhone.
As iOS moves away from 32-bit software, users are warned that older apps may slow down their devices. In many cases, these apps are no longer maintained and probably should be deleted.
Mobile phishing attacks are on the rise and iOS is the biggest target. 63% of mobile phishing attacks target iOS devices. The number one source of those attacks is gaming apps. People are getting wise to email phishing, so hackers are becoming much sneakier. Mobile phishing that hides inside apps is harder to catch, making it a huge security risk.
— TechRepublic
- Apple fixes another three iOS zero-days exploited in the wild.
- Malicious iOS app popup windows could be stealing your Apple ID.
- Five iOS 14 and iPadOS 14 security and privacy features.
- Dozens of iOS apps vulnerable to data theft, despite ATS mandate.
Privacy on Mobile Devices
Tech companies are on a buying spree, which can compromise your privacy.
Combined Services Share User Data
When a company or service is purchased by a new parent company the privacy policies change to suit the new owner. Often it is the user base that is the reason for the purchase more than the technology.
Did Microsoft acquire LinkedIn to access the wealth of user data as much as adding a social media platform to their holdings? What about Facebook's purchase of Instagram and WhatsApp?
Generate Unique Identities
When you log into a service using your Facebook identity, you provide that service with details about your Facebook friends, likes, dislikes and much more.
Logging in with your Google or any other identity, you provide similar access to that service.
While convenient, you provide much more than if you log in using a unique ID.
It is better to segregate this information by using a unique user name and password for each service you use.
It also creates a massive vulnerability to your accounts if the Facebook or Google account becomes compromised.
Remove Combined Access
I recommend that you change your logins for any services that you've used Google, Facebook or other accounts for access. LastPass can track these for you and generate new passwords on the fly.
Be Selective in Permitting Access
When an app requests access to your contacts, photos, etc., you need to determine whether that access is necessary for the app to provide the functions you're requesting.
For example, consider why the app needs access to your contacts or camera and how that data is going to be used.
Developers often say that they collect information to create enhanced functionality in their app or to deliver a better user experience.
Think about it like this — why in the world does your calorie tracker need to access your contacts? And really, why does your flashlight app need to know your location?
— Check Point blog
Review App Permissions
If an app requests unnecessary permissions, you're probably better off finding another app that doesn't abuse your privacy.
- Clean up your phone's apps and review their permissions.
Mobile Location Analytics Invades Privacy
By tracking cell phones, Mobile Location Analytics (MLA) technologies allow facilities to learn about traffic patterns within their venues including how long people stand in line.
This information is more valuable than a “free” app: Your Facebook profile is estimated to be worth $50 per month in advertising revenue.
While this information could benefit the user, it also invades their privacy.
- Learn more at MLA Opt Out.
More About Privacy in the Mobile World
- Uniquely you: The identifiers on our phones that are used to track us.
- The many identifiers in our pockets: A primer on mobile privacy and security.
- Three tips for phone privacy.
- What your apps know about you.
Spam & Deception
Dealing with Spam
Spam and deceptive advertising are rampant in mobile computing.
From the ads running in the free apps we download to the misleading links on our Facebook feed, we are being bombarded with misinformation.
With the exploding use of small devices like cell phones and tablets (both in addition to and in replacement of computers), advertisers have been determined to penetrate that new market.
CASL prohibits anyone from installing software—including updates—on your electronic devices without your consent.
It also applies to updates and upgrades installed by somebody else, even if you installed the original software.
— Canada's Anti-Spam Legislation
Secure your devices has information from the Government of Canada on how you can protect your devices and information from being compromised.
Edward Snowden revealed that the US government was capturing and storing information from our Internet, phone and other electronic interactions using a number of programs designed to avoid congressional oversight.
The Five Eyes coalition, China and other nations were also involved in spying on the world's citizens.
Facebook is known for allowing deceptive advertising links on its newsfeed. Not only does it obfuscate these links so the user cannot determine where they lead without clicking, but it also states that it is unable to monitor these deceptive practices.
Interestingly enough, Facebook guaranteed the Chinese government that they will be able to control content unapproved for their population in order to keep Facebook from being blocked in China, yet have failed to control fake news in other markets.
Facebook allows a large mass of its users the freedom to spread fake news (which it won't regulate), while simultaneously working to prevent another group from sharing actual news.
We're No Safer
Police and spy agencies now gather massive amounts of our private information.
When questioned, these officials often use terrorism or child pornography to excuse this behaviour. Now the police want even more powers.
We allowed our governments to introduce legislation that traded our privacy for “protection” against terrorists, yet we are no safer.
The Act does not require individualized suspicion as a basis for information sharing amongst government agencies. There is no impediment in the Act to having entire databases shared with CSIS or the RCMP. The standard for ‘sharing’ is very, very low.
— BC Civil Liberties Association
[W]e have seen too many cases of inappropriate and sometimes illegal conduct by state officials that have impacted on the rights of ordinary citizens not suspected of criminal or terrorist activities.
— Privacy Commissioner Therrien
The successes have been few (and mostly could have been accomplished without the loss of our privacy).
It is far more likely that a common thief is caught up in this web than the mass terrorists the legislation is supposed to deter.
Agencies looked at the data they had when 9/11 occurred and realized that if they had more information they might have stopped the attack. Sounds good, right?
Unfortunately, the reality is different.
Too Much Data
The problem wasn't the amount of information so much as the ability to quickly sift through it and make sense of what it meant.
Were it working as advertised, the Boston Marathon bombing would have been stopped. The government had been warned about the perpetrators, but that information was lost in the mass of collected data.
Think of the problem of finding a single red coin in a pile one foot high across your entire city.
Would it be easier to find in a pile spread across your entire province (or state)? How about across the nation or around the world?
Even if your search parameters were precise, you'd be highly unlikely to discover the marked coin.
What's the Solution?
We need to tell our governments and corporations to quit collecting our private information and to restore a sense of privacy.
Unfortunately, too often security is seen as a cost center, and privacy is seen as the revenue generator for the company that develops the app.
Therefore, apps are often not secure -- and privacy is nonexistent -- to minimize cost and maximize revenue. The only way to combat these breaches is to actually pay full price for the apps consumers are using and to reject advertising-supported apps.
— Roger Entner
Corporations won't do this on their own. Our “metadata” is simply worth too much to them.
They've Abused Our Ignorance
They've abused our ignorance about the value of this information to allow it to be traded for very little in return.
They may allow us to be otherwise compensated (American legislators have discussed this possibility), but it is highly unlikely they'd set the value high enough to reflect reality.
Government Regulation Necessary
We need governments to regulate how easily our private data is accessed by police, spy agencies and corporations in the same manner they've regulated the sorts of questions that are allowed on an employment application or a rental agreement.
Take Back Our Privacy
We need to take back our privacy.
I don't want to live in a world where everything I say, everything I do, everyone I talk to, every expression of creativity and love or friendship is recorded.
— Edward Snowden