Smartphone spying: How can users protect themselves?
by Catalin Cosoi - Chief Security Strategist, Bitdefender - Wednesday, 29 January 2014.
Smartphone users need to realise that their mobile phone is less of a phone and more of a mobile computer, in which applications can collect data from other applications installed on the same device. Some, such as browsers, can also access browsing history information from other machines belonging to the same user.

Smartphone apps are able to access information that is specific to other applications due to the way applications integrate with each other within the mobile operating system – for instance, a game could access and use the information stored in the address book or could read profile data taken from social connectors such as Facebook, LinkedIn, Twitter and Google+.

In addition to this, carriers (namely, mobile phone companies) also install their own software on the phones, both at the operating system level with personalized interfaces and at the baseband level – essentially, the part that puts the “phone” in “smartphone”.

The baseband has higher levels of access to the smartphone hardware than even the user-visible operating system itself, so any leak or compromise at this level cannot even be detected by security apps running on the smartphone. On an even lower and therefore more privileged level, there are SIM card operating systems, which deal with phone network operations such as registering with a base station and delivering baseband software updates over the air.

Depending on what permissions are granted upon installation, an application might process the accessed information and send it to the developer or a third party. Most of the time, these pieces of information are collected by independent third parties such as ad networks that use the information for pushing targeted advertisements, and, in exchange, pay the developer a specific amount per user.

As these pieces of information are exfiltrated from the “victim’s” device, another third party could just duplicate them as they travel across the carrier’s mobile network and store them for further processing. In this case, the ad network only serves as a vector.

Applications that require permissions related to social networks or access to the device’s sensors (for example the camera, accelerometer, microphone or GPS) are highly likely to collect and report these inputs. We advise users not to install any such applications unless they feel comfortable with this information landing in a third party’s hands.
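
As an added illustration (not part of the original article), the check below reads an app's decoded AndroidManifest.xml and reports which of the data sources named above it requests, and whether it also holds the network permission needed to send them off the device. The function name `review_manifest` and both sample manifests are hypothetical and constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permission names mapped to the data sources the article lists.
# Accelerometer reads need no manifest permission, so they cannot be flagged here.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.GET_ACCOUNTS": "device accounts (social connectors)",
}
NETWORK = "android.permission.INTERNET"

def review_manifest(manifest_xml):
    """Return the sensitive sources an app requests and whether it can send data out."""
    root = ET.fromstring(manifest_xml)
    requested = {
        node.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for node in root.iter(tag)
    }
    sources = sorted(SENSITIVE[p] for p in requested if p in SENSITIVE)
    can_send = NETWORK in requested
    # "review" marks the combination the article warns about: collect and report.
    return {"package": root.get("package"), "sources": sources,
            "can_send": can_send, "review": bool(sources) and can_send}

# Constructed sample manifests (hypothetical packages), not taken from real apps.
SAMPLE_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_TORCH = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for xml_text in (SAMPLE_GAME, SAMPLE_TORCH):
        result = review_manifest(xml_text)
        verdict = "review before installing" if result["review"] else "no reporting path declared"
        print(result["package"], result["sources"], verdict)
```

A manifest check only covers what the app declares to the user-visible operating system; it says nothing about carrier software or the baseband level described earlier.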
