
Please, hack my smartphone: Five surefire tips

Alan Wlasuk, managing partner of 403 Web Security, lists the top five smartphone mistakes you can make.

When I was growing up, my father used to have a saying: "Beauty is only skin deep, but dumb goes clear to the bone." Feel free to draw your own conclusions.

As we collectively wander America with our ubiquitous smartphones glued to our lives, most of us don't realize how fragile the relationship really is with this device. Think about it -- you have your diary, wallet, phone, social support system, and best friend all wrapped up in one piece of hardware. One slip, and it's all toast.

Your diary is hidden under the mattress; your wallet is securely tucked in your jeans; and your best friend knows your girlfriend is way off limits. Yet your smartphone gets left on the counter at Starbucks and you continue to download apps written in a cyber crime-lab in the Ukraine. "Bone-deep dumb" is well within the reach of us all.

Smartphone security disasters come in many forms. Given my security background and, honestly, my circle of friends and relatives, I think I may have seen every smartphone judgment mistake known to mankind. For your entertainment, education, and help in avoiding a big "Hack me, please" sign on your back, I've listed my top five smartphone mistakes below:

1. Download apps from unverified sources. Whether you know it or not, every app on your smartphone is a potential security risk. A well-meaning app treats you fair, while a malicious app might be recording your keystrokes, accessing your contact list, and signing you up for expensive services you never wanted. Every app is a potential risk, but the ones you download from unauthorized sources are far riskier. Either play within the lines (authorized Apple, Google, and Microsoft app stores) or risk an unexpected friend sharing your smartphone with you. Yeah, I know, that new version of Happy Bugs that just went viral is so tempting, and your best friend did recommend it -- but stay away.

2. Jailbreak your smartphone. There seems to be some appeal to be the guy at lunch who holds up his smartphone and proudly says it's been jailbroken (modified to bypass the original security features). At the risk of offending my tech fiends, I always think of this as the geek version of, "Hey, y'all, watch this!" There's a reason they don't let lawn tractors into hotel lobbies, just as there's a reason to trust Apple, Google, and Microsoft to have built smartphone operating systems that protect us from security risks. Everyone who thinks they're smarter than the guys at Google, mount your lawn tractors for the 3:00 A.M. race.

3. Going smartphone commando -- no passcode. Think about the embarrassment of having a bunch of high school students sitting around the lunch table wandering through your smartphone! This would be so easy to arrange; just drop your smartphone by accident at the mall without a passcode set. Emails and photos would be hit first (are any of us safe?), then social apps, and finally any app that could be used for fun and profit. The guitar you just unexpectedly bought for a deserving, yet unknown 16-year-old through your eBay account might be the least of your problems. Explaining your new Facebook status (your upcoming marriage to the Russian cross-dresser) to Grandma might be a bit more of a problem. You will misplace your smartphone sometime in the future, so why make it easy for a teen to use it?

Fun fact: 62% of smartphone users do not use password protection on their smartphones (Javelin Strategy & Research)

4. Pride goes before a fall, or its smartphone equivalent. So, you're thinking you're one of the smart ones -- you've added a passcode and you never, ever download an app that doesn't have a pedigree. Given this feeling of safety, you're storing all kinds of private, secret, and embarrassing things on your smartphone. The good news is that the average bear will be thoroughly thwarted by a passcode-protected smartphone. The bad news is that the pasty-looking kid living in his mom's basement could break your code in about 30 minutes. Maybe keeping those pictures from Las Vegas is not the best idea.

Repeat after me: There are no secrets; there are no 100% secure smartphones.

5. Smartphone OS updates are never optional. We're not building rockets here, but when your crazy boyfriend moves out, it's time to change the locks. It's inexpensive, and your flat-panel TV will be there when you get home from work.

It's a cyber war out there; hackers figure out new ways to compromise smartphones, and then new OS versions are released to neutralize the vulnerabilities. When Apple, Google, or Microsoft send out a new OS update, it almost always means they have discovered and fixed a security problem. The more updates you skip, the more likely you are to get hacked during normal smartphone operations. Think of the hackers as your crazy ex and Apple (or Google or Microsoft) as handling the new locks. The bill you get for the fake calls to Bolivia (remember that seedy web site you visited?) will cost you more than a new TV.

A final tip from my dad: Never pay for a subway token with a $50 bill.

Alan Wlasuk is a managing partner of 403 Web Security, which is a full service, secure web application development company.

8 comments
screamino

1. I agree about unverified apps. But there have been security breaches even on authorized platforms, just as there have been on desktops and supposedly safe websites. The key is not that you should only download from the authorized locations, it's that you should know who makes the app and whether it's legit. There are plenty of apps with excess permissions and questionable code - I zap them before they get installed. Not to mention that the real problem is all the crapware loaded by the carriers as part of the preinstall, making the phone run more slowly and giving more places for a breach to occur (because most crapware is busy sending out your information constantly). All of the institutions that you trust so much have been guilty of spying on their customers and/or uploading data without notice, or installing bug reporters to use their customers as testing guinea pigs.

2. Jailbreaking/Rooting - since you said Smartphone, not iPhone, I'm going to include rooting because it's much more dynamic than jailbreaking, though I understand using them interchangeably by some people (they are not used that way in the android dev community). Probably the best thing you can do for security. Wipes out bloatware/crapware and trackers/senders that can be piggybacked by a trojan or malware, allows the user (now superuser) to install a REAL firewall, encrypt files and data, and install security software and utilities that aren't carried in the official app stores because they are for "evil rooted" devices. Blah blah blah. It only took the ICS update to finally have something resembling a BACKUP program without rooting. A freakin' backup program. And you think those guys are on the bleeding edge? No way.

3. Only an idiot doesn't have a password. As for the pasty kid, what the hell is he doing in your house to begin with? And I'm pretty sure he can break a 4-digit password, but I'm pretty sure he can't break military level 64-bit encryption. The real risk is black hat hackers in the cloud who use the stock OS vulnerabilities to break the security protocols.

4. Duh. As if people are scanning all their important documents and loading them on their smartphones. Not.

5. Hmmm....you mean the first release that everyone (almost) downloads right away and installs for those security fixes? The one with all the bugs that will be patched over in a month or two after the carriers and phone manufacturers have figured out the additional vulnerabilities by having their customers use them? Yeah, that sounds great. No thanks, I think I'll wait until the sheeple have tested it, then I'll flash over my previous leaked version of the ROM that was carefully deodexed, zipaligned and debugged by an experienced developer, with the newer version of the stock operating system, once again deodexed, zipaligned and debugged.

It appears that you have no idea what is happening in the real world, since you just spewed out a bunch of general guidelines that followed the decision tree rules of (1) Carriers and phone manufacturers good; (2) Third party developers bad; (3) Anything that's official is good; (4) Anything that's not official is bad; (5) Adults are stupid and should not be allowed to make decisions about the phone they own, but should be told by egomaniacal, deluded people (Verizon: We run the internet!) what they can and cannot do. You can put glasspacks, a Detroit locker and a Hurst shifter in your car, but don't be making changes to that phone, the entire technological universe will come crashing down upon us. Oh, and btw, can we spy on you for our marketing department? And they wonder why people hate them so much.

Trilln451

I'm on Virgin, & the only way to get an upgraded OS is to buy a newer phone. I understand that, since they don't hold customers to yearly contracts, they need a different way to maximize profit, but that's not exactly a way to endear one to the customers. I've been mulling over hacking my Triumph because, with the release of Jelly Bean, I'm 3 upgrades behind now. Plus there are glitches in my current OS that will NEVER be fixed, so it starts to look better all the time. I just wish rooting was not such an increased risk in security.

creed

You say the kid next door could bypass the pass-code you set up. The FBI might need to hire the pasty kid....read the link below: the state parole agent assigned to monitor Dears seized the pimp's Samsung Exhibit II Android phone on Jan. 17, but Dears refused to unlock the phone's screen or provide the agent with his login credentials. (His refusal violates the conditions of his parole, which state that he "Shall not use any method to hide or prevent unauthorized users from viewing specific data or files" on his phone.) On Feb. 14, agents at the FBI Regional Computer Forensics Lab in Orange County were unable to get past Dears' "pattern lock," Soghoian explained; without Dears' Gmail username and password, their efforts to crack his phone came to a standstill. http://www.securitynewsdaily.com/1623-fbi-warrant-pimp-android.html

TheLip95032

"Jailbreak your smartphone. There seems to be some appeal to be the guy at lunch who holds up his smartphone and proudly says it's been jailbroken (modified to bypass the original security features). At the risk of offending my tech fiends, I always think of this as the geek version of, 'Hey, y'all, watch this!' There's a reason they don't let lawn tractors into hotel lobbies, just as there's a reason to trust Apple, Google, and Microsoft to have built smartphone operating systems that protect us from security risks. Everyone who thinks they're smarter than the guys at Google, mount your lawn tractors for the 3:00 A.M. race." You really don't get it; those of us that jailbreak our iPhones do it to add things, not circumvent what's there. Apps like "Firewall IP" add an extra level of security that is not provided by Apple. It is very similar to "Little Snitch" for OSX (Little Snitch is the app that detected that Apple had OSX sending data to Apple without telling customers). Many of the "new" features that show up for the iPhone are things that are in the jailbroken world long before they show up in iOS. Good example is "MobileNotifier"; Apple thought this was such a great App they hired the developer that wrote it to improve their notification system http://www.appleinsider.com/articles/11/0/03/apple_hires_iphone_jailbreak_notification_developer_for_ios_team_at_corporate_hq.html Most of the jailbreak Apps have to do with modifying the look of the icons, etc. that allows people to express their individuality, something Apple holds in contempt as apparently do you. This is FUD nothing more.

HypnoToad72

3 - your point 4 above quickly explains point 3 and vice-versa...

2 - that's a given, but people feel more secure jailbreaking theirs because the OS or phone vendor never bothered to add in stuff like a proper firewall... oops...

5 - then let's hope the OS manufacturers and hardware vendors both keep up to date. So far, many phone vendors (Verizon, AT&T, etc) tend to be a tad slower with OS updates...

4 - doesn't this point contradict point 3, making one wonder why one would then protect the phone at all? Yeah, some kid might get through it - unless the security is so badly designed (such as face recognition or security bypass features that have not been fully tested...)...

1 - that's a given :)

PLeRuse

Screamino, that was very well written and informative. Thank you for the information, as well as the entertaining rant. I may be a little late reading it, but I'm still giving you props.

weserphillip

If they updated them, we wouldn't need to "jail break" them. You are lucky to get an update every 6 months. Anything that old is a greater security risk than the software we download. Plus they don't support their devices beyond 2 years at all in most cases. My Droid X is 2 years old and it could at least go another year or 2. Anyway, a reputable Cyanogen ROM is obviously better for security than stock phones; stock just never gets updated.
