Smartphone Security Concerns December 7, 2013

Posted by louloizides in Security.
I recently entered into a common iPhone vs. Android debate with a friend of mine. He had broken his Android phone’s screen but was able to get into his phone and back up his data by using SSH (SSH provides remote access to a shell; on a rooted phone that shell can run as root, the phone’s administrator account). This is possible because Android, unlike iOS, makes it comparatively easy for a user to obtain root access and install an SSH server (the server is not part of Android itself; it comes from a third-party app).

My opinion was that enabling SSH on any device can be risky and shouldn’t be allowed on a phone. Brute-force SSH attacks are common against any internet-connected device, and if a vulnerability in an OS is found, SSH will likely be the pathway that allows an attacker to enter, steal data and/or use the device for malicious purposes.
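If SSH is enabled on a rooted phone anyway, a handful of sshd_config keywords decide whether a brute-force attempt can succeed at all. The script below is an added example, not code from the original post: it audits a constructed sshd_config text for password logins, root logins and listening on every interface, and shows a hardened counterpart (key-only authentication, no root login, bound to loopback so the daemon is reachable only through a local tunnel such as adb forward). Both config samples are constructed for illustration, and ssh_setting, ssh_audit and ssh_audit_count are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenSSH sshd_config for the
# settings that decide how exposed an SSH daemon on a rooted phone is.
# Assumes standard sshd_config syntax (one "Keyword value" per line, '#' comments);
# both config texts below are constructed samples.

WEAK_CONFIG='
# sshd_config as a typical rooted-phone SSH app might ship it (constructed sample)
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
'

HARDENED_CONFIG='
# sshd_config hardened for occasional use over a local tunnel (constructed sample)
Port 22
ListenAddress 127.0.0.1
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
'

# ssh_setting CONFIG KEYWORD: print the effective value of KEYWORD.
# sshd honours the first occurrence of a keyword, so the first match wins here too.
ssh_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }                                             # skip comments
        !found && tolower($1) == tolower(key) { val = $2; found = 1 }   # first match wins
        END { if (found) print val }'
}

# ssh_audit CONFIG: print one FINDING line per risky setting.
# An absent keyword counts as risky: the historic defaults (PasswordAuthentication yes,
# PermitRootLogin yes, listen on all addresses) are the exposed ones.
ssh_audit() {
    cfg="$1"
    if [ "$(ssh_setting "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "FINDING: password logins enabled; brute-force guessing can succeed against a weak password"
    fi
    if [ "$(ssh_setting "$cfg" PermitRootLogin)" != "no" ]; then
        echo "FINDING: root login permitted; a guessed or stolen credential gives full control of the phone"
    fi
    case "$(ssh_setting "$cfg" ListenAddress)" in
        127.0.0.1|::1) ;;   # reachable only through a local tunnel, e.g. adb forward
        *) echo "FINDING: sshd listens on all interfaces; exposed on every network the phone joins" ;;
    esac
}

# ssh_audit_count CONFIG: number of findings (0 means the config passed the audit)
ssh_audit_count() {
    ssh_audit "$1" | grep -c '^FINDING' || true
}

echo "== weak config: $(ssh_audit_count "$WEAK_CONFIG") findings =="
ssh_audit "$WEAK_CONFIG"
echo "== hardened config: $(ssh_audit_count "$HARDENED_CONFIG") findings =="
ssh_audit "$HARDENED_CONFIG"
```

The audit is deliberately conservative: any PermitRootLogin value other than "no" is flagged, and a missing keyword is treated as the exposed default rather than assumed safe. On a phone, binding to 127.0.0.1 and reaching the daemon through adb forward (or an SSH tunnel over USB) removes the network exposure entirely, which addresses the brute-force concern without giving up the backup use case.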

Being an avid iOS user and developer, I felt that most smartphone users don’t understand the security risks of the devices they’re carrying. Making it easy for a person to gain root access to their phone also means that vulnerabilities have been exposed that would allow an attacker to do the same. His pro-Android argument was that if it’s your phone, you should be able to do what you want with it.

While I respect the pro-Android argument, I believe smartphones represent a greater security concern than PCs and should be more locked down for two reasons. First, a smartphone is a phone. If you brick your phone (make it inoperable due to a bug or software error) you lose your method of communication. This can be very bad when traveling or during an emergency. It has actually happened to me while traveling when I had a jailbroken iPhone with some malicious software installed.

The other is that while smartphones are computers, most users don’t treat them as such. Google Play and Apple’s App Store have created the illusion that every app they carry is trustworthy. Store review, however, only examines the app as submitted; nothing stops an app that passed review from downloading or generating malicious code once it is running on the phone. Android offers some protection here because its apps run as bytecode on a virtual machine inside a per-app sandbox, whereas iOS apps are native code. But that same runtime is shared across all Android devices, so a single exploit against it (and exploits against Java runtimes seem to appear frequently nowadays) can be used to attack any of them.

Even riskier, Android lets a user install apps from sources other than Google Play once the “Unknown sources” setting is enabled. Such apps are still signed, but only with the developer’s own key, which proves nothing about who wrote them; they are never reviewed by the store and can contain virtually any kind of malicious code. Yet users routinely enable the setting and are completely oblivious to the risks. Smartphone apps today are a little bit like PC programs a couple of decades ago: the app ecosystems are relatively new and there is a false sense of security around the potential risks. This will likely change as more and more people start to find exploits for malicious purposes.
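What users who enable unknown sources rarely check is which of their installed apps actually arrived that way. The script below is an added example, not code from the original post. On a device it would read `adb shell pm list packages -i` (Android records the installer package for each app; com.android.vending is Google Play’s own package name) and `adb shell pm list packages -s` (the preloaded system apps, which have no installer recorded), and print every app that neither came from Google Play nor shipped with the phone. The two command outputs embedded here are constructed samples so the script runs offline, and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: list the apps on an Android phone that
# were installed from outside Google Play (sideloaded or from a third-party market).
# Assumes the Android 4.x output formats:
#   pm list packages -i  ->  package:<name>  installer=<installer package or null>
#   pm list packages -s  ->  package:<name>   (preloaded system apps)
# On a real device feed it the output of:
#   adb shell pm list packages -i   and   adb shell pm list packages -s

# Constructed sample of `pm list packages -i`
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.android.settings  installer=null
package:com.example.banking  installer=com.android.vending
package:com.example.cracked.game  installer=com.example.thirdpartymarket'

# Constructed sample of `pm list packages -s`
SAMPLE_SYSTEM_PKGS='package:com.android.settings'

PLAY_STORE=com.android.vending   # Google Play's own package name

# sideloaded_packages PM_OUTPUT SYSTEM_LIST: print "<package>\t<installer>" for every
# app that neither came from Google Play nor is a preloaded system app.
sideloaded_packages() {
    {
        printf '%s\n' "$2" | sed 's/^/SYS /'   # tag system packages so awk can tell them apart
        printf '%s\n' "$1"
    } | awk -v play="$PLAY_STORE" '
        $1 == "SYS" { n = $2; sub(/^package:/, "", n); system_pkg[n] = 1; next }
        /^package:/ {
            name = $1; sub(/^package:/, "", name)
            inst = $2; sub(/^installer=/, "", inst)
            if (inst == play) next          # installed by Google Play
            if (name in system_pkg) next    # preloaded; installer=null is expected there
            print name "\t" inst            # sideloaded (null) or third-party market
        }'
}

# sideloaded_count PM_OUTPUT SYSTEM_LIST: how many such apps there are
sideloaded_count() {
    sideloaded_packages "$1" "$2" | grep -c '' || true
}

echo "== apps not installed from Google Play: $(sideloaded_count "$SAMPLE_PM_OUTPUT" "$SAMPLE_SYSTEM_PKGS") =="
sideloaded_packages "$SAMPLE_PM_OUTPUT" "$SAMPLE_SYSTEM_PKGS"
```

Excluding the system package list matters: preloaded apps also report installer=null, so without that step the check would flag half the phone. An app with a recorded installer that is not Google Play (a third-party market in the sample) is reported alongside the plain sideloads, since it was equally never subject to the store’s review.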
