There are four basic levels that combine to make smartphones what they are:
- Application Layer;
- Operating System (O.S) Layer;
- Hardware Layer;
- Infrastructure Layer
Each layer is dependent on those below it for operation. The Operating System is dependent on the top Application Layer (which is the user interface) for primary security. Increasingly, manufacturers and third party vendors apply customizing to this top layer to keep current with competitors’ models or to attract new customers. The customer of course usually adds after-purchase apps and it is often these that first expose any resident flaws in the O.S that provide the targets of choice for serious hackers. Some of these inherent flaws are similar to those of computers; buffer overflows, insecure sensitive data storage, improper cryptographic algorithms, hard-coded passwords and applications with back-doors. It can take manufacturers very little time to develop a patch for an operating system flaw – but much time to supply a customer, due to necessary collaboration with third parties (vendors), and because of wireless carrier restrictions. Also, it may be that with the increasingly rapid launches of new models, the manufacturer cannot – or has no vested interest – in supplying these patches efficiently. With all the people involved between the manufacturer and end-user (vendors, app authors, &c), and the any user modification carried out, it is very easy for anyone to refuse responsibility for any subsequent data-loss/theft.
The deal when buying a new smartphone can also be obscured by third party vendors who may introduce their own customizations – the question of who is responsible for a resulting flaw/vulnerability for example. And when buying a product, any modifications made can void a manufacturer’s warranty (like when buying a new car). With hundreds of different apps, no smartphone is identical. A user is likely to think that if an app is designed to run on a particular operating system, then it is safe. There doesn’t seem to be the awareness that a mobile device is comparable to a home computer and that it can possess similar (and even more extreme) vulnerabilities. The extent of vulnerability as a result of system/app flaws was highlighted in August 2015 at the U.S Black Hat conference, showing that it was possible to introduce an infection via a text message without the victim even opening the text. All that is required to send this malware code is the user’s phone number.
It is rather laughable how much personal information some people store on these devices, and that there are now even debates on whether to incorporate such features as fingerprint recognition for online banking transactions and other day-to-day security-sensitive activities. If the data on a smartphone is open to theft, what more could a hacker ask for than a person’s electronic fingerprint. With the advancements in 3D printing, the consequences of a hack could not just be an empty bank account – the victim could end up with a very serious criminal record…
Coding flaws in the Application Layer and appended apps add another layer of weakness. As these apps are seldom thoroughly tested or approved by the manufacturer, they can have the effect of destabilizing the operating system, making the device even more vulnerable – or carry the risk that they may even have intentional flaws built-in. Exploitation of user interface flaws can range in risk from elevated operating system privilege to exfiltration of personal/sensitive data.
A study carried out by Cambridge University in 2015 found that out of 20 000 smartphones, 87% of these had a high risk of being exploited through security flaws that could enable malicious attacks through apps and messages, and the research suggests that the number of vulnerable devices was rising.
“Unfortunately something has gone wrong with the provision of security updates in the Android market. Many smartphones are sold on 12–24 month contracts, and yet our data shows few Android devices receive many security updates. The difficulty is that the market for Android security today is like the market for lemons. There is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not.”
Another consequence of flawed smartphone can be personal data loss to third parties supposedly for marketing purposes. This works more or less like adware, or malvertising cookies that track certain user parameters and information. The Baidu Android browser was detected to automatically report the phone’s IMEI number, current GPS location and details of any wireless networks within range, back to its server on user start-up. There was a concern that this was just a fraction of the information being sent, that it was very easy to intercept, data was only partially encrypted – and that this encryption was very weak.