Smart phones are popular. An estimated 55 percent of consumers buy them, up from 34 percent in 2010. For the latest three months ending May 2011, the share of the smart phone market is dominated by Google/Android (38.1%), Apple/iOS (26.6%), RIM (24.7%), Microsoft (5.8%), and others (4.8%). Companies are racing to replace consumers' credit cards and cash with mobile wallets (a/k/a mobile payments) on smart phones.
My wife bought me a smart phone in December as a Christmas present. My Windows Phone is very convenient. The camera, handling of multiple e-mail accounts, ESPN ScoreCenter, Twitter, Ars Technica, and BBC News apps are my favorites. However, I have a love-hate relationship with my smart phone.
The interface is inconsistent across apps. Different apps use different buttons and controls. Some apps automatically collect updates using my data plan, and others let me control the refresh/update. The voice-activated Bing search on my phone is great, but I don't have yet Google/Bing searches integrated with McAfee SiteAdvisor on my smart phone as I do on my laptop.
While browsing various websites with my smart phone, I often see a warning message that my phone uses an obsolete web browser. While browsing Marketplace Hub for new apps to download and install on my smart phone, I have noticed that some apps have privacy policies and many don't. Not good.
When I start to think about poor smart phone data security, apps lacking privacy policies is one example. Apps that lack privacy policies make no promise or commitment to consumers about how that app (and its developer) will protect, use, sell, and/or share consumers' data collected by that app. Nor does the app make any promises about what data it will, or won't, collect and transmit back to the app developer.
After discussing this with friends, my phone experience doesn't seem much different from other brands: Apple/iOS, and Google/Android.
All of this leads me to wonder how secure smart phones really are. So, I've started to compile a list of smart phone data security statistics. According to Infosec:
"Existing mobile operating systems are under attack... Current research is primarily geared towards securing mobile payments, but there is a lack of coordination between mobile payment developers, device manufacturers, and mobile operating system platform developers. Hackers are taking advantage of the loophole created by this lack of coordination."
The New York Times reported on another measure of smart phone (in)security:
"Phishing is also a growing problem on all smartphone platforms... Mobile users are three times more likely to fall for these scams than PC users, according to statistics on phishing recently gathered by one security company, Trusteer. The company believes that is because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot. It cautions people not to click on Web links in messages."
In prior blog posts, I have reported about class-action lawsuits against OpenFeint and Apple which included allegations of unauthorized tracking and data collection by apps of consumers' sensitive personal information. That is another measure of smart phone data security (or lack thereof).
Since there are reportedly 200,000+ apps in Apple's App Store, 70,000+ in Android's Market, and 25,000+ apps for Windows phones, I spent some time reading app-related studies.
In October 2010, researchers at Intel Labs, Penn State, and Duke University released results of their study of Google/Android apps. The researchers randomly selected 30 apps from the 358 most popular free apps in Android market, and developed a method called TaintDroid to track what private information was shared. The researchers found:
"In a study of 30 popular applications, TaintDroid revealed that 15 send users' geographic location to remote advertisement servers. The study also found that seven of the 30 applications send a unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers."
The researchers also studied notification of consumers, because privacy violations can occur when data is used in unexpected or unauthorized ways. The researchers also found:
"... the install-time permission checks do not indicate to the user how these services and data will be used. There is no way to determine simply from the set of permissions how data will be used, and in some cases misused. Users can also be notified of an application's behavior via a license agreement that is displayed on first use. With one exception, we found the user license agreements in the studied applications, if present at all, do not provide any additional information on how data is used."
In June 2010, SMobile Systems (now Juniper Neworks) released the results of its study about Google/Android apps (PDF):
"... one in every five applications request permissions to access private or sensitive information that an attacker could use for malicious purposes. One out of every twenty applications has the ability to place a call to any number without interaction or authority from the user. More frighteningly, 29 applications were found to request the exact same permissions as applications that are known to be spyware and have been categorized and detected as such by SMobile’s solution. A full eight applications explicitly request a specific permission that would allow the device to brick itself, or render it absolutely unusable. 383 applications were found to have the ability to read or use the authentication credentials from another service or application. Finally, 3% of all of the Market submissions that have been analyzed could allow an application to send unknown premium SMS messages without the user's interaction or authorization."
SMobile concluded (bold emphasis added):
"... the fact remains that there is no means available for a user to know for sure that the app they just downloaded is doing only what the user sees it doing. One must look at the permissions it has requested to determine what the application's true capabilities might be."
These permissions are the actions an app could perform: make a phone call, send an SMS/text, send an e-mail, transmit data, save/edit/delete a file in the smart phone's memory, modify a phone setting, access a smart phone feature (e.g., camera), and so forth.
Another measure of data security has been document by the News Of The World and News Corporation phone-hacking scandal. The Boston Globe explained well the vulnerability from "caller ID spoofing" combined with the lack of voice-mail password access by most mobile carriers:
"... caller ID spoofing, which can make a call appear to be coming from any phone number. Hackers can use it to access someone else’s voice mail messages by fooling the system into thinking the call is coming from the owner’s cellphone... Three of the four major US cellphone carriers - AT&T, T- Mobile, and Sprint - do not require customers who call voice mail on their own phones to use a password to listen to messages, making them vulnerable to malicious spoofers. That is a serious shortcoming..."
Smart phones don't seem nearly as secure as I though before compiling the above list of statistics. There seems to be several ways to assess smart phone data security:
- Consistency of privacy policies across the manufacturers, service providers, and app developers
- Presence of privacy policies across apps
- Compliance rates by app developers with an app store's security policies and guidelines
- Whether app privacy policies disclose both data collected and how that data will be used
- Whether apps perform actions (e.g., transmit e-mail, SMS/text, or data) without first notifying users and gaining authorization. Some of these actions can produce charges on consumers' monthly mobile bills
- Whether apps collect and transmit data to third parties (e.g., advertisers, manufacturers, affiliates)
- Whether apps that mimick known spyware's features and behaviors are indeed acting as spyware
- Malware installed secretly on consumers' smart phones by phishing attacks via websites, email, text/SMS
- Whether the telecommunications carrier provides a secure access to voice-mail with a password, and builds this into the app on the smart phone
Besides this list of discrete data security measurements, there is an overarching consideration. Today's mobile devices (e.g., smart phone and tablets) are pre-programmed and designed by manufacturers to be always tethered to some telecommunications service, unlike traditional desktop and laptop computers which can be configurred to operate with any of several telecommunications networks chosen by the user. The Observer concluded:
"... we are on the slippery slope towards a much more controlled, less open, internet. If these trends continue, then it won't be all that long before a significant proportion of the world's internet users will access the network, not via freely programmable PCs connected via landline networks, but through tethered, non-programmable information appliances (smartphones) hooked up to tightly controlled and regulated mobile networks... The danger, in other words, is that we move from an internet designed for people to a networked tailored only to the needs of corporations."
It seems to me no accident that mobile the device manufacturers use the term "jail-break" to describe consumers' desire to use mobile devices on the telecommunications network of their choice (and not the manufacturer's choice). My view: the Internet was designed to be flexible for users to explore and to innovate. Otherwise, why bother?
What's your opinion about smart phone data security? What studies have you read?