The ACLU has a point about smartphone security

The ACLU complained to the FTC that carriers aren’t patching vulnerable Android phones. They have a point.

Phones are profitable, and the carriers are trying to have it both ways.

They lock down the phones so that we can’t change them, then they subsidize the phone, but once the phone is paid off, they continue to charge the same monthly rate. But they won’t issue updates for the phones, and they won’t let end users apply patches either. So we all run around with vulnerable phones.

The ACLU wants carriers to start delivering updates, or allow users to terminate their contracts so they can switch to carriers who do. The problem with that is no carrier seems to deliver updates for anything but the very newest, highest-end phones, so I don’t know that the opt-out clause will do much. My old Samsung Galaxy S 4G phone might theoretically work on AT&T’s network, but I know AT&T isn’t going to give me updates for a two-year-old phone that was a T-Mobile exclusive. Switching to Sprint or Verizon isn’t an option–the phone won’t work on their networks.

I could take matters into my own hands and run the unofficial build of Cyanogenmod for my phone, but to do that, I have to unlock the phone, which violates the DMCA, which makes me a criminal.

So I don’t know that the ACLU’s suggested fix will do much to resolve the issue, but they are correct that cybersecurity is a bigger threat than terrorism, and I’m glad they raised the issue. Get enough smart people talking, and eventually a good solution will come about. Then, of course, there’s the matter of making that solution reality, but let’s not get too far ahead of ourselves.

In a job interview this week, someone asked me what the best, most secure phone was. I couldn’t really give a good answer to that. Apple doesn’t allow anyone to develop an antivirus or antimalware app for their phones, which is eventually going to be a problem. Their phones and tablets are so popular it’s only a matter of time before malware appears on them, and in the meantime they don’t need to be passing malware for other devices around. Android, on the other hand, does have good security apps available for it, some free of charge, but most Android phones don’t get any kind of updates. At least Apple phones do. I felt like a politician trying to answer that question, because I couldn’t give an answer that I could defend. At least I didn’t say, “Right now, I’m devoting a great deal of time and study to that problem. And I intend to issue a position paper on that. A position that is at once simple, yet complex, flexible, and above all else, fair to every American.” But I kind of wish I had–at least that answer would have been good for a laugh. And no worse than flipping a coin.

If you found this post informative or helpful, please share it!

7 thoughts on “The ACLU has a point about smartphone security

  • April 19, 2013 at 9:47 am

    “Apple doesn’t allow anyone to develop an antivirus or antimalware app for their phones, which is eventually going to be a problem.”

    Your lack of experience with Apple products has caused you to say something that’s simply not true.

    The only software that will run on a non-jailbroken Iphone are apps from the App Store that have been approved by Apple, and they vet all software submitted to their store rather thoroughly (unlike Google, which has a rather laxdasical approach to policing its Google Play store). Iphone apps are written in Apple’s proprietary development language and have to be digitally signed to run on the devices at all. Some instances of malware have shown up in the app store, IIRC, but the apps were taken down as soon as their true nature was discovered.

    Meanwhile, the web browser on Iphones and Ipads is locked down tight — there’s no plugins, no add-ons permitted, java and flash simply don’t work. So there is absolutely no way for idevices to be “passing malware for other devices around.”

    If you had taken any time at all to learn about IOS and Apple’s policies, you’d know that the reason Apple doesn’t allow an antivirus app for the platform is because it is not needed. IOS is the most secure and malware free computing platform out there precisely because it’s locked down so tight (which causes no end of bellyaching from open source advocates).

    • April 19, 2013 at 11:00 am

      In 2012, Symantec identified 387 known vulnerabilities in Apple’s mobile OS, and one known successful piece of malware. While impressive, that proves that Apple’s walled garden isn’t impenetrable, and there’s every reason to believe more malware will appear as time goes on and the platform gains popularity. It’s happened with every other platform in history. One is a small number, but one is not zero.

      A Google search on “ios malware” turns up some interesting reading that contradicts Apple’s marketing claims. For example, there’s a profile-related exploit discovered last month that’s easy to avoid, but if you believe malware is impossible and you aren’t looking for it, and there’s no software looking for it for you, then you’re a perfect target. Is this malicious profile really malware? You can argue over semantics, but in the end a compromised system is a compromised system, and vendor-sanctioned poor security awareness coupled with no software protection is a dangerous combination.

      • April 19, 2013 at 1:10 pm

        If we’re going to be skeptical of marketing claims, then I wouldn’t listen much to Symantec, since they are primarily interested in bolstering their lucrative protection racket selling anti-malware products.

        If you look past the headline, Apple patched those IOS vulnerabilities on average within 12 days, and even Symantec, which obviously wants to be able to sell their PC-based protection racket to businesses using Iphones, admitted that IOS is more secure than Android, that both are far more secure than PCs, and that most of the vulnerabilities in IOS were quite minor.

        Finally, the higher number of IOS vulnerabilities found is almost entirely due to the jailbreaking community — since on Android there’s no need to jailbreak in order to sideload apps from non-official sources. Gee, I guess that would mean that unless the device was jailbroken, you’d have a lot harder time installing malware on an Apple device than on a Google device.

        Face it, the paradigm of having to exercise constant vigilance against malware and viruses that we’re all used to on PCs is one that doesn’t apply on mobile devices with a properly curated app ecosystem. The fact that Google hasn’t bothered to weed the malware from their store is shameful, but fortunately Apple is not so lax.

        • April 19, 2013 at 2:12 pm

          And like I said, hard does not mean impossible. And, back in July, malware did show up in the App store. Apple removed it, but I would take the words “properly curated” to mean malware never shows up.

          You’ve clearly decided who you want to believe, and that’s your right, but I’d rather listen to credentialed security researchers, regardless of the company they happen to work for. I didn’t have to dig all that much deeper to find people outside of Symantec discussing vulnerabilities and exploits. I even found an article in Forbes suggesting that the value of Apple exploits is so high that you’ll start seeing fewer jailbreaks for Apple products, because it’s more lucrative to sell those exploits. Who buys exploits? Governments creating malware for espionage, and criminal gangs creating malware for profit.

          And I’m not sure I understand your hostility. I didn’t say Android was better. I said both approaches have problems, and that I didn’t state which one was better, and I felt like a politician because I couldn’t. You accused me of ignorance, so I did some digging to make sure, and then I found out I was wrong: I saw that it’s not a matter of Apple devices being exploited some day. I found that it’s already happened.

          I didn’t tell anyone to sell their Apple gear and replace it. But if anything, your argument is convincing me the race is even closer than I first thought. And since we’re talking machines built by humans running software made by humans, regardless of whose logo is on the back, I’d rather err on the side of knowing what’s going on, because when it comes to security, I want to know what’s going on.

          You made a different choice, and I’m not trying to talk you out of it.

          • April 19, 2013 at 4:14 pm

            I’m sorry about the (unintended) hostility. Let me try again.

            IOS represents a fundamentally different philosophy towards security than any desktop operating system.

            The traditional attitude of software developers, including operating system developers, was that security was the user’s problem. You see that in everything from the fine print in every EULA out there (where the warranty is simply a disclaiming of any warranty whatsoever) to the huge aftermarket for antivirus products, to the huge industry of security professionals whose job is to keep the company they work for safe from malware by staying on top of an endless treadmill of patches, antivirus updates, configuration changes to enhance security, and so on.

            Apple has adopted a completely different model for IOS, in which security becomes Apple’s problem. That’s why they put so much effort into locking down the device (the time for a jailbreak to be found for each new version of IOS been increasing), that’s why they vet all the software in the App Store so thoroughly. Ultimately, that’s why the number of vulnerabilities reported for IOS is 10 times the number reported for Android — because there’s no community of jailbreakers endlessly poking at Android to find its weak points, because Google has not locked it down.

            Your complaint about Apple not allowing antivirus scanners for IOS shows that you don’t grok this fundamental shift from “security is the user’s problem” to “security is the OS developer’s problem.” Malware scanning software is, as I said, a protection racket — “pay us or something bad might happen to your computer.” It’s part of the problem, not part of the solution. Microsoft’s solution with Windows was Security Essentials — taking the thuggish demand for money out of the equation, but the threat of something bad happening is still there. Apple’s solution with IOS is to engineer things so that the danger of something bad happening is minimized to the point where you don’t need to worry about it — by locking down the system, by curating the app store and not allowing adware, malware, and spyware.

            I don’t think your comment about malware still sometimes getting onto the app store is apropos — previously unknown malware gets onto fully updated systems secured with MSE or Norton AV sometimes too. The difference is that every new example of PC malware in the wild necessitates the user getting a new set of AV definition files, and the AV software must forever after keep on the lookout for yet another species of malware. Whereas every new example of App Store malware discovered gets eliminated forever once Apple realizes what it is and takes it down.

            As a side note, I would say those 200 or so vulnerabilities found in IOS are a sign of strength, not weakness — because those are vulnerabilities that have been found by the good guys and fixed. I’d be much more worried about the mere 18 vulnerabilities found in Android — a sure sign that nobody in white hats has been looking for them.

  • April 19, 2013 at 12:29 pm

    Some day, somebody with deep pockets is going to take on the DMCA and fight it all the way up to the Supreme Court, and (hopefully) knock some sense into it. And the unlocking of post-initial-contract cell phones would be a great place to start.

Comments are closed.

%d bloggers like this: