Insights For Success

Strategy, Innovation, Leadership and Security

Will your Android phone allow someone to hack you?

GeneralEdward KiledjianComment
Image by Jared Tarbell used under creative commons license

Image by Jared Tarbell used under creative commons license

When a new undisclosed (0 day) vulnerability is used to hack a target's device, the media jumps all over it and create a small panic. Government intelligence and organized crime are always looking for new creative ways to break into target devices and are willing to pay top dollar for new unknown hacks. Vulnerability brokers (companies that are willing to sell 0-day vulnerabilities) are paying to dollar for these rare and very in demand weaknesses. Zerodium is now paying $1.5M for a good complete IOS attack.

Although these are troubling, the truth is the majority of attacks (and malware/virus') still exploit time tested and patchable vulnerabilities. This is why keeping your computer, smartphone and tablet operating system/apps updated is so important.  This is one of the reasons Microsoft switched to an automatic forced update model with Windows 10.

Apple's products are opaque and I do not believe in security through obscurity. I wish they allowed for more scrutiny of their mobile products but when something is discovered, they release updates very quickly and make it immediately available to all supported devices worldwide regardless of the carrier it was acquired through. 

This is one of the chief complaints against Android. Most Android devices are never updated once they ship and the ones that do receive updated typically get them slowly and infrequently. Check out the Android Platform distribution statistics:  

Only 0.3% of Android devices support the latest version (Android 7.0 Nougat) 1.5 months after release. On the IOS side, 60% of devices had updated to IOS 10 a month after release.

Only 0.3% of Android devices support the latest version (Android 7.0 Nougat) 1.5 months after release. On the IOS side, 60% of devices had updated to IOS 10 a month after release.

Even top tier manufacturers like Samsung (Note 7 issue notwithstanding) only update their most recent flagship products and that is if your carrier decides to allow it. 

Right now, as I write this, I have an Apple iPhone 6s Plus and and Google Nexus 6P sitting next to me. I  love android and find many of the features in the most recent Nougat release better than comparable Apple features. Don't call me an Apple fanboy or Google hater. The moral of the story is you shouldn't buy any Android phone where the manufacturer has not committed to delivering (quickly) the OS updates and the monthly security releases

As it currently stands, the only android products I can recommend are those sold directly by Google (Nexus or Pixel).

Buy an unlocked Nexus or Pixel product directly from Google to make sure you receive all of the updates quickly. 

Questions

Q A question I will likely receive is what about [insert brand / model here]?

A I expect emails asking me about the OnePlus 3, ZTE Axon 7, HTC 10, LG V20, Motorola Moto Z, etc. None of these manufacturers have committed to providing the OS and security updates quickly. The answer therefore is no. I love the price / quality proposition of the ZTE Axon 7 and the OnePlus 3 but without a commitment to updates, its a no go for me.

Q. Aren't iPhones more secure?

A iPhone's are slightly more secure because of the way the operating system is designed and applications are sandboxed. This doesn't mean it is unbreakable and the attempted hack of Saudi human rights activist Mansoor proves it( Read this article by CitizenLab

Both platforms can be used safely if you ensure you don't break their built in security (rooting on Android and Jailbreaking on iPhone) and you ensure you only download "real" apps from the official app stores. 

A. What else can I do?

Q In addition to using the "right" device, it is important to think about your privacy and security. Use the right apps for the right job.

  • Use encrypted communications apps like Signal. Signal's encryption has been reviewed by leading cryptographers and has been given a big thumbs up.
  • When browsing the web, use Tor to protect your identity (easier on Android) with a browser like OrFox. You can even configure Facebook and Twitter (on Android) to use Tor via OrBot.
  • Every picture taken with a smartphone contains "hidden" information called Exif information. This is information like the type of camera used, the settings used to take the picture, etc. It also contains the GPS coordinates of where the picture was taken. If you send this to someone, they can extract this information and use it to pinpoint the location the picture was taken. Send it to a social media site and they will start building a travel pattern of you. Make sure you remove EXIF information, using an app, before posting. There are tones of apps, just search the app store.
  • Uninstall apps you no longer use. Remember that apps are sometimes sold and the new buyer may push out an update that adds unwanted features "like tracking or recording". If you no longer use an app, get rid of it.