Why your iPhone or Android Phone isn't as secure as you think

The internet is a different place than it was 10 years ago, or even 5 years ago. Social media and sharing have become an even bigger part of our lives. This rise in social sharing has also paved the way for mobile devices such as cellphones, tablets, and even IoT (Internet of Things) devices.

Apps and IoT devices give us much easier access to information and services than computers in many cases. This is highlighted by devices such as the Amazon Alexa that will allow you to order products by simply telling it what to order. While these are incredible feats and advances in technology, they come with some risks.

In the early days of computing, Microsoft came out with the Windows operating system. Back then Windows was the easiest OS to use and thus quickly became the most popular OS. However, security was never the focus of the early Microsoft Windows OS. It took the widespread and very impactful damage of worms such as Sasser, Blaster, and Code Red for Microsoft to finally begin taking security seriously with Windows XP Service Pack 2. Ever since those changes, Microsoft has been baking more and more security into its OS. Windows is significantly more secure now than it was even 5 years ago.

This is where we get to mobile devices. Our cellphones, tablets, and IoT devices were designed with ease of use in mind, not security, much like early versions of Microsoft Windows. I'd say right now our mobile devices and smartphones are about as secure as Windows 98/2000. It will probably take something big happening, like a Code Red type of event on mobile devices, before they learn what Microsoft learned the hard way in the late 90s and early 2000s.

To put modern Windows security into perspective versus mobile device and tablet security, consider the following.

A standard Windows 10 install, for example, just off the top of my head, includes:
  • Modern anti-virus/anti-spyware with cloud technology via MAPS.
  • Windows Firewall that closes ports and blocks unsolicited incoming network connections.
  • SmartScreen URL and file reputation services that check web site URLs, downloaded files, and network connections made by programs and apps against a real-time updated list and a machine learning based cloud system to stop threats in real time.
  • Virtualization-based security that sandboxes programs and even drivers inside a secure virtual machine hypervisor via Hyper-V to prevent exploits from compromising your system.
  • Secure Boot that uses a code signing certificate to verify boot files and loaders haven't been tampered with.
  • Exploit mitigation technologies like Data Execution Prevention, Address Space Layout Randomization, High Entropy ASLR, Structured Exception Handling Overwrite Protection, and Control Flow Guard to monitor code as it runs and ensure it behaves and doesn't try to write to memory locations occupied by other data, among various other things.
  • Advanced behavior-based protection to identify unknown threats and malware.

Most of your mobile devices have hardly any of these features. This puts things into perspective. Our mobile devices are mostly being toted around without a firewall. Would we run our computers without a firewall? Of course not, so why do we do the same with our phones? Firewalls do more than just block open ports; 3rd party firewalls often include network signatures and IDS (Intrusion Detection Systems) that stop attacks at the network level before the OS or device is compromised. Our mobile device operating systems are not immune to exploits and bugs. See the recent FaceTime bug for example.

Now one could argue that mobile devices operate in a walled garden, as only code signed by Google or Apple via approved devs can be run on a non-jailbroken Apple or Android device, and you would be correct.

However, we have proof that both Apple and Google have had malicious apps uploaded into their app stores and downloaded by thousands of people who are using devices that have no real viable anti-virus or security software on them... the damage has already been done. The fact that mobile device users are actually encouraged not to bother putting any kind of security software on their phones just further compounds this issue.

iPhone users, for example, are found to be twice as susceptible to phishing attacks as their Android counterparts. This is due to the fact that Android does have more options for types of security software, and is a little bit easier and more open for security companies. This is why most Android versions of security programs from the likes of Symantec, McAfee, Trend Micro, etc. tend to have more features and functionality than they do on Apple devices. There is still a long way to go, though, on both fronts.

I mean even our President is getting his iPhone listened in on.  That's crazy.

The security on mobile devices is not up to where it needs to be, and more work needs to be done on this front.

The standard virus that plagued early Windows is not as much of a threat on mobile devices as it was on early Windows; however, phishing, spear phishing, malicious links, and malicious emails that masquerade as legitimate services are very much a real issue on mobile devices. It's very difficult for the average user to know the difference, and the lack of options from the major security companies due to the design decisions of the mobile app markets makes this a real problem moving forward.

Until these security changes come to fruition, the best things you can do are:

1. Always verify the legitimacy of links you follow and files you open on your device.
2. Use a service like VirusTotal to scan files and URLs you are unsure of that you receive via emails or social media. (Android users can get the VirusTotal App here)
3. Be very careful of apps you install on your device and do research via Google on that "new popular app" before you install it on your device.
4. Install an ad blocker on your device such as uBlock or Adblock Plus from your app store, as it will block malicious ads that try to trick you into phishing schemes.
5. Never share any personal information via email or social media. If you get an email from your bank, don't reply, call them. Family member asking for money? Call them. Coworker sending you files you were not expecting? Don't open it, talk to them first.

Stay safe out there!

Image courtesy of:
Santeri Viinamäki [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]
