Russ Harvey Consulting - Computer and Internet Services

Mobile Security

Vulnerabilities in Mobile Devices

Privacy | Spam & Deception | We're No Safer | Tighten Security

Helping You Make Better Decisions

It is hard to remember a time we didn't all have these devices. We text, talk and share on the go, often without thinking about the consequences.

Traditionally, software was installed onto a computer and the data was stored there as well. References to a “mobile device” meant a laptop.

When this site was first launched, the Internet was a relatively-new concept for the majority of people. Few businesses and even fewer individuals had a website. Facebook and Twitter didn't exist.

The New Mobile Reality

There are now more mobile devices than people on the planet and most people get most of their information through a mobile device. Because humankind's mobile prowess is only likely to increase, IT security professionals need to take mobile devices, mobile threats, and mobile security seriously. — CSO

You need to educate yourself about the inherent risks that go along with the freedoms these devices provide so that you can make better decisions about the software you use.

“How Cyber Safe Are You in the Digital Age?” infographic.

Today's mobile devices, by their very nature, are not in a fixed location. Data is often stored in the “cloud” and is available to other applications and services you've permitted to have access to it. When you log into a service using your Facebook identity, you provide that service with details about your Facebook friends, likes, dislikes and much more.

While most apps aren't malicious and need these permissions to work properly, it's worth reviewing them at times to make sure an app isn't taking information it doesn't need. And in the case of apps like Facebook, the absurd amount of permissions might make you want to uninstall it completely. — MakeUseOf

Windows 10 Essentially a Mobile System

Microsoft Windows used to be a mostly closed system that contained your programs and data on your own computer.

Windows 10, Microsoft's newest operating system, focuses on the needs of mobile devices and is itself a cloud-based Software as a Service (SaaS). Data sharing means that much of your data is no longer stored locally and is available to anyone on the Internet that can guess your password.

Major updates have often reset privacy defaults, making Windows 10 a privacy nightmare. The Creators Update brought more clarity about what information Microsoft collects and provided easier access to privacy settings, but it is still less than perfect.

While Google regularly updates the Android OS, manufacturers are free to withhold those upgrades from their devices, leaving you exposed to known weaknesses and creating an artificial need to replace your hardware regularly.

Unlike Android users, who are largely at the mercy of their carriers for OS updates, Apple pushes out new versions of iOS to anyone with a compatible phone all at once. That's why 89 percent of iOS users are on iOS 10 as of Sept. 6 [2017], while only about 16 percent of Android users are sampling Nougat as of Sept. 11. — PCMagazine

iOS Vulnerabilities

iOS apps may be vulnerable to silent man-in-the-middle attacks (where a nefarious third party can intercept the communication and steal data).

As iOS moves away from 32-bit software, users are warned that older apps may slow down their devices. In many cases, these apps are no longer maintained and probably should be deleted.

Mobile phishing attacks are on the rise and iOS is the biggest target. 63% of mobile phishing attacks target iOS devices. The number one source of those attacks is gaming apps. People are getting wise to email phishing, so hackers are becoming much sneakier. Mobile phishing that hides inside apps is harder to catch, making it a huge security risk. — TechRepublic

Android Vulnerabilities

It was recently revealed that a spyware program was installed on more than 700 million Android smartphones, collecting information and sending it to China.

But that isn't the only Android threat. Gooligan breached the security of over one million Google accounts, one of the largest Google breaches yet. Check your Google account activity and choose better security.

Common Vulnerabilities

Eavesdropper is a vulnerability affecting nearly 700 iOS and Android devices (44% Android, 56% iOS) that provides global access to confidential information. This vulnerability can only be fixed by the developer.

The vulnerability is called Eavesdropper because the developers have effectively given global access to the text/SMS messages, call metadata, and voice recordings from every app they've developed with the exposed credentials.
Importantly, Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware. An Eavesdropper attack is possible simply because developers have failed to follow Twilio's documented guidelines for secure use of credentials and tokens and allowed these apps to leak audio and message-based communications. — Appthority
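As an added example (not from this page, Appthority or Twilio), here is the kind of pre-release check a development team can run over its own app's resources or decompiled output to catch exactly this mistake before shipping. The Account SID, API Key SID and secret formats are taken from Twilio's public documentation; the strings.xml sample is constructed.

```python
import re
from dataclasses import dataclass

# Twilio identifier formats (from Twilio's public documentation, not from this page):
# Account SID is "AC" + 32 hex chars, API Key SID is "SK" + 32 hex chars,
# and an auth token or API key secret is a bare 32-char hex string.
ACCOUNT_SID = re.compile(r"\bAC[0-9a-f]{32}\b")
API_KEY_SID = re.compile(r"\bSK[0-9a-f]{32}\b")
BARE_SECRET = re.compile(r"\b[0-9a-f]{32}\b")

# Constructed sample of an app's resource file: a SID and token a developer
# pasted in so the client could call Twilio directly (the Eavesdropper pattern).
SAMPLE_STRINGS_XML = """<resources>
  <string name="twilio_sid">AC0123456789abcdef0123456789abcdef</string>
  <string name="twilio_token">fedcba9876543210fedcba9876543210</string>
  <string name="build_sha">3b2c7a1f9e8d6c5b4a3f2e1d0c9b8a7f6e5d4c3b</string>
</resources>"""

@dataclass
class Finding:
    line: int
    kind: str
    redacted: str  # never record the full value; the scanner must not become a second leak

def redact(value):
    return value[:4] + "..." + value[-4:]

def scan_app_text(text):
    """Flag Twilio credentials in client-side text (decompiled code, strings.xml,
    Info.plist). Bare 32-hex strings are reported only when a SID is also present,
    which keeps checksums and hashes from flooding the report with false positives."""
    findings, secrets = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        for pat, kind in ((ACCOUNT_SID, "account_sid"), (API_KEY_SID, "api_key_sid")):
            for m in pat.finditer(line):
                findings.append(Finding(n, kind, redact(m.group())))
        rest = ACCOUNT_SID.sub("", API_KEY_SID.sub("", line))  # don't re-match SID bodies
        for m in BARE_SECRET.finditer(rest):
            secrets.append(Finding(n, "secret", redact(m.group())))
    return findings + secrets if findings else []

def verdict(findings):
    kinds = {f.kind for f in findings}
    if "secret" in kinds:
        return "critical: SID plus secret shipped in the app, full account access"
    if kinds:
        return "warning: Twilio identifiers embedded in the app"
    return "ok: no Twilio credentials found"

if __name__ == "__main__":
    found = scan_app_text(SAMPLE_STRINGS_XML)
    for f in found:
        print(f"line {f.line}: {f.kind} {f.redacted}")
    print(verdict(found))
```

The fix the verdict points at is architectural: the client should never hold the account credentials at all, but request short-lived, scoped tokens from your own server.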

Privacy on Mobile Devices

Combined Services Share User Data

Microsoft, Apple and others are on a buying spree. The information held by the purchased service is then accessed by the new parent company, and privacy policies change to suit the new owner.

Often the user base is the reason for the purchase even more than the technology. For example, Microsoft probably acquired LinkedIn as much to access the wealth of user data as to provide a social media platform.

Apps Abusing Access to Your Data

You need to be careful about how much information you provide to apps rather than simply clicking the “Accept” button.

Don't Use Facebook to Log into Services

When you use your Facebook account to log into a service rather than creating a unique ID, that third party gains access to your Facebook profile (including your list of friends, likes and much more than they'd get if you logged in using a unique ID).

While convenient, it is better to segregate this information by using a unique user name and password for each service you use. LastPass can track these for you and generate new passwords on the fly.

Be Selective in Permitting Access

When an app requests access to your contacts, photos, etc., you need to determine whether that access is necessary for the app to provide the functions you're requesting and how that data is going to be used. In most cases it is used to generate advertising profiles that sell you to their advertisers.

You're probably better off finding another app that doesn't want to abuse your privacy.

Don't Give Apps Unnecessary Access

This information is worth billions, yet many folks have been unaware of how high a price they've paid for their “free” apps. This has made it much harder to take back control of our privacy.

Apps collect information about their users. Developers often say that they collect information to create enhanced functionality in their app or to deliver a better user experience. But more often than not, it's not easily understood why certain apps need all the information they collect.

Think about it like this — why in the world does your calorie tracker need to access your contacts? And really, why does your flashlight app need to know your location?

Recently the FTC called out flashlight apps on both iOS and Android platforms for collecting unnecessary information — both were guilty of being built to track location and access calendars, contacts and unique identifying factors. The settings also allowed them to share all that information with third party ad networks. Yikes — All that, just for a flashlight! — ZoneAlarm Blog

Mobile Location Analytics

By tracking cell phones, Mobile Location Analytics (MLA) technologies allow facilities to learn about traffic patterns within their venues including how long people stand in line.

While this information could benefit the user, it also invades their privacy.

Learn more at MLA Opt Out.

More About Privacy in the Mobile World


Spam & Deception

Dealing with Spam

Spam and deceptive advertising are rampant in mobile computing.

From the ads running in the free apps we download to the misleading links on our Facebook feed, we are being bombarded with misinformation.

With the exploding use of small devices like cell phones and tablets (both in addition to and in replacement of computers), advertisers have been determined to penetrate that new market.

CASL prohibits anyone from installing software—including updates—on your electronic devices without your consent.

It also applies to updates and upgrades installed by somebody else, even if you installed the original software. — Canada's Anti-Spam Legislation

The Government of Canada's Protect your devices page has information on how you can be safer.

Deceptive Software

Edward Snowden revealed that the US government was capturing and storing information from our Internet, phone and other electronic interactions using a number of programs designed to avoid congressional oversight.

The Five Eyes coalition, China and other nations were also involved in spying on the world's citizens.

Deceptive Services

Facebook is known for allowing deceptive advertising links on its newsfeed. Not only does it obfuscate these links so the user cannot determine where they lead without clicking on them, but it also states that it is unable to monitor these deceptive practices.

Facebook allows a wide mass of its users the freedom to spread fake news (which they won't regulate), while simultaneously working to prevent another group from sharing actual news. — Mashable

Interestingly enough, Facebook guaranteed the Chinese government that it would be able to control content not approved for its population, in order to keep Facebook from being blocked in China.


We're No Safer

Police and spy agencies now gather massive amounts of our private information.

When questioned, these officials often use terrorism or child pornography to excuse this behaviour. Now the police want even more powers.

We allowed our governments to introduce legislation that traded our privacy for “protection” against terrorists, yet we are no safer.

The Act does not require individualized suspicion as a basis for information sharing amongst government agencies. There is no impediment in the Act to having entire databases shared with CSIS or the RCMP. The standard for ‘sharing’ is very, very low. — BC Civil Liberties Association

[W]e have seen too many cases of inappropriate and sometimes illegal conduct by state officials that have impacted on the rights of ordinary citizens not suspected of criminal or terrorist activities. — Privacy Commissioner Therrien

Few Successes

The successes have been few (and mostly could have been accomplished without the loss of our privacy).

It is far more likely that a common thief is caught up in this web than the mass terrorists the legislation is supposed to deter.

The Assumption

Agencies looked at the data they had when 9/11 occurred and realized that if they had had more information they might have stopped the attack. Sounds good, right?

Unfortunately, the reality is different.

The problem wasn't the amount of information so much as the ability to quickly sift through it and make sense of what it meant. Were it working as advertised, the Boston Marathon bombing would have been stopped. The government had been warned about the perpetrators, but that information was lost in the mass of collected data.

Too Much Data

Think of the problem of finding a single marked Loonie (or silver dollar) in a pile of coins one foot high spread across your entire city.

Would spreading that pile across your entire province (or state) make it easier to find? How about across the nation or around the world?

You could be sure that the marked coin was within your search area, but you'd be far less likely to locate it.

What's the Solution?

We need to tell our governments and corporations to quit collecting our private information and to restore a sense of privacy.

I don't want to live in a world where everything I say, everything I do, everyone I talk to, every expression of creativity and love or friendship is recorded. — Edward Snowden

Corporations won't do this on their own. Our “metadata” is simply worth too much to them.

They've Used Our Own Ignorance

They've used our own ignorance of the value of this information to allow it to be traded for very little in return.

Government Regulation Necessary

We need governments to regulate how easily our private data is accessed by police, spy agencies and corporations in the same manner they've regulated the sorts of questions that are allowed on an employment application or rental agreement.

Take Back Our Privacy

We need to take back our privacy.


Tighten Security

2016 saw continued growth in mobile and a corresponding increase in security issues.

We need to tighten security on our devices and pay more attention to what we're giving away.

More Than a Phone

More than a phone, mobile devices contain our most private thoughts and the sort of personal information we once kept locked in our diaries and private records.

This data is invaluable in profiling us for advertising and marketing. Laws have not kept up with technology and our privacy is being eroded.

Can you imagine Google or Microsoft allowing you to have unfettered access to their personnel files or planning documents? Why do you think hacking is penalized so severely?

Tighten Your Settings

Take some time to clean up your device as well as tighten security and privacy settings:


Related Resources

Related resources on this site:

or check the resources index.

Updated: October 29, 2019