Apps on a smartphone can open up a world of information, all available at your fingertips. This mobile technology doesn't come without a paradox - how open is your personal information to the world?
“How is life with your new iPhone? Has it changed?” one of my more tech-savvy coworkers asked. At first, going from a pink Motorola phone with a broken battery to an iPhone 4 was like moving from a cardboard box to Beverly Hills. I can download emails anywhere, translate instantly just by speaking into the phone, collect apps from Angry Birds to the Paris metro schedule – and most of all, my inability to navigate my way out of a paper bag is no longer a problem. My iPhone is my personal MapQuest, telling me exactly where I am and where I need to go (without the annoyance that most friends have in their tone of voice when they tell me how to get to their apartment for the billionth time). My new augmented life is good.
At some point, my ibubble had to break. In a recent conversation with a web developer who is currently trying to get his share of the app gold rush, I realized how open my data was to the outside world. The developer (who prefers to remain anonymous for security reasons) explained that many apps use social media to allow users to sign in more effectively. Some apps record a phone’s serial number before a person signs in, and once the user signs into a social network the app scrapes the data. According to the developer, the user agrees to these terms before accessing the app: they are in the terms and conditions, which are technically available but long to read, and most people do not reflect on the implications.
Digital data collection and privacy issues are certainly not new, although there is a new spin on security in our mobile world. Mobile devices are becoming an augmented extension of ourselves in society, and most of us never leave home without our smartphone (and some even have the device under their pillow while they sleep). This makes the question even more critical: How secure are smartphones, which have completely permeated our personal lives?
I might have thought twice about giving up my Motorola if I knew I could tap into essentially any European phone conversation with my obsolete device. As demonstrated recently at the Chaos Communication Camp (CCC) in Berlin, Karsten Nohl was able to hack into mobile networks in several European countries. Apparently, he was able to do this with a seven-year-old phone and a few free open source applications. Nohl blames GPRS and EDGE networks, claiming in his presentation at the CCC:
The cryptographic protection of GPRS/EDGE is out-dated and vulnerable to several attacks:
- Lack of mutual authentication allows for ‘fake base stations’ to harvest data.
- Lack of encryption (some countries) allows for passive intercept with EUR10 phone and [additional] software…
- Weak encryption (remaining countries) enables cryptanalysis.
In short, the security of mobile operators using GPRS/EDGE is very weak, allowing the possibility for hackers to break into your mobile’s photos, text messages, and conversations – all for the low price of $14 or 10 euros. Nohl claims that “GPRS networks provide the communication backbone for society,” with the network being used for mobile phones throughout Europe and the United States. According to ComputerWorld, anytime your iPhone reads “E” instead of 3G, it is using a GPRS network.
So are hackers going to break into my email while I’m at the supermarket? Can they track me while I’m navigating myself on the Maps application? Why aren’t my mobile operators easing my paranoia and upgrading their encryption technology so I can sleep better with my iPhone under my pillow? As Nohl explained to the New York Times:
“One reason operators keep giving me for switching off encryption is, operators want to be able to monitor traffic, to detect and suppress Skype, or to filter viruses, in a decentralized fashion. With encryption switched on, the operator cannot ‘look into’ the traffic anymore while in transit to the central GPRS system.”
Another theory was provided by the developer I spoke with: the higher the level of data encryption, the more energy it requires to encode and decode information within the network. In turn, this requires more servers, which requires more money (not to mention how this affects your phone’s battery performance). Even if mobile operators decide to increase their security, this process will not occur overnight. So much for trying to sleep well with my iPhone.
Yet Nohl seems to affirm that these reasons are explanations and not excuses, claiming “not securing mobile data would be negligent.” Increasingly, people are turning to mobile networks as their means of communication. According to a recent Pew Research study, 35% of all American adults have a smartphone. Additionally, 25% of smartphone users prefer to access the Internet on their phone rather than a fixed line, with a third of this population lacking a high-speed broadband connection altogether. Add to the mix that apps are increasingly receiving more personal data from users via social networks, leading to a larger potential for sensitive data to be hacked.
While any network can be hacked, some are obviously more resilient than others. Nohl asserts that Internet-grade encryption is more secure, and it would be wise for mobile applications to follow those trends. He recommends operators use SSL, which could easily protect all relevant forms of data – including currently exposed messaging apps and mobile websites.
In another take on mobile security, the app developer mentioned that while most fixed computer connections usually have antivirus and antispyware programs, these technologies currently don’t exist (or are not well known) for smartphones – unless you include all the “antivirus” games on the App Store…