Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

The Problem of Android

By

(c) Depositphotos / @abidal

I’m an Apple guy, and have a love-hate relationship with their recent product strategy, and the tight control they keep over the ecosystem.  The downside is that we’re stuck with some bad decisions (like building apps that expect to be online all the time), but the upside is that everyone gets access to updates at the same time – Apple has the most up-to-date user base of any major computing platform.  Android, not so much.

Android took the opposite approach – open code base, licensed to manufacturers to customize, and then further customized by carriers.  The advantage to that is lower cost and wider adoption, but it comes at a significant price for security.  When Google releases a new version of Android, only their own devices immediately receive the patch.  Everyone else has to wait for 1) the manufacturer to test, certify, and release the patch, and then 2) the carrier to do the same.   That assumes of course, that both actually bother to do the work to make updates available.  The net is that the vast majority of Android devices are running known-insecure versions of the OS.

I’m seeing a broad movement among businesses to tighten controls over mobile OS versions, and to apply the same policies to both corporate owned and BYOD devices:  If you’re not N or N-1, you can’t use your device.  That means that those old iPhone 4’s get retired too, by the way.

So what to do?  Well, some would say ‘jailbreak’ and install your own code.  There may be something to that, but you run into serious risks there too.  Most jailbreaking tools are from the shady side of the internet, so you never really know what you get.  Most companies block jailbroken devices from business use (all really should).  It’s also technically beyond most users, so let’s leave that off the table.

The next option is to only purchase devices that get updates directly from Google.  That limits choices significantly, but as a side benefit, you don’t get the pre-installed spyware that comes with many of the dirt cheap android phones – that’s how those companies subsidize the phone.  Buyer beware.    This is a hard choice for businesses because it largely erases one of the advantages of Android over iOS (cost), but it’s one I’m seeing a number of organizations do.  For individuals who buy Android devices, it’s the one I’d recommend.

Next is to buy cheap devices, and simply dispose of them when the OS expires.  That’s all well and good, but it’s expensive, time consuming, and you have a window of vulnerability during the transition.  Of course, banning Android completely is an option too, and I do see some of that happening.

But the most common approach I see these days is some form of risk limiting via containerization, or other restrictions on what the devices are allowed to do.  Containers can be bypassed (e.g. compromise the underlying device with a keylogger), but do provide reasonable protection for moderate risk content.  Organizations should leverage their data classification projects to determine what information is suitable for mobile device access, and potentially change that based on how current the OS is.

I know this challenge is top of mind for Google’s Android team, and they’re starting to look at separating the Carrier bloatware layer from the underlying OS as well as other measures to speed up manufacturer release.  I hope they succeed – we need an alternative to keep Apple on their toes.  In parallel, consumers shouldn’t buy devices without clear statements of patch release timelines from vendors and carriers.  Until all that happens, and we have a better option, Android users beware.

The Cell Phone Wiping Conundrum

By

(C) www.depositphotos.com / @ baloon111

A colleague of mine recently lost their cell phone while in airplane mode.  They triggered the remote wipe function, figuring that it if was turned on, it would trigger and erase the device.  They use a password manager, so figured all their data was safe.  But they didn’t call the cell phone carrier and disable the SIM, because that would prevent the wipe from working.

A month later, a cell phone bill for several hundred dollars shows up – the person that had found the phone, didn’t try to resell it or steal the data, they simply extracted the SIM card and put it into another phone, then made a bunch of overseas calls.  We saw that years ago with stolen calling card numbers and conference call passcodes, so it’s just a modern version of an old scam.

But she had a good point – the smart phone manufacturers are highlighting the ‘wipe’ function as a key security feature, but if the device is offline, it doesn’t work.  Even the cell carrier’s own sites will tell you to send the wiping commands, without an acknowledgement that reporting the device lost or stolen will disable data connectivity.  Don’t get me wrong, it’s still work sending the command (especially if it wasn’t in airplane mode), but you can’t rely on remote wipe.

Not a good tradeoff, but there’s some things we can do to help.  Let’s start with some before the device is lost.

  • Make sure you have the device set to wipe on 10 failed attempts, and lock out any biometrics after only a few (iPhone does the latter automatically)
  • Only use robust biometrics – post on that coming soon. Tons of snake oil out there – avoid iris and photo at the moment.  Bonus points for fingerprint readers if you don’t use index or thumb prints.
  • Only use airplane mode when required – otherwise leave cellular service on*
  • Be cautious about what you enable on the lock screen
  • Limit how much email you leave on your server. IMAP or exchange via a real email client allows you to move all your mail to a trusted local data store (drag from INBOX to On My Mac folders for example).  This will replicate and remove email from your device, so if someone does gain access to it, there’s limited email history available to them.  Good reason to avoid cloud-only email services by the way.
  • Put a sticker on the back of the phone with contact info, in case the device is found by an honest person and returned.
  • Back up the device regularly. I prefer local to the cloud because of the restore times (more on consumer cloud and it’s risks another time).
  • Have a quick response plan ready to go in case it’s lost with steps below

And when it is lost:

  • Call the device – if you’re lucky, an honest soul will answer and you can get it back. Also try ‘find my device’ to see if it’s locatable.  If not, move on to the next steps:
  • Immediately send wipe command / put in lost mode
  • Immediately change your email passwords. If the device is somehow unlocked, email is how other password resets are validated.
  • Notify the cell phone carrier the device has been lost.  This prevents the phone from being used for SMS or voice multi-factor authentication.
  • Buy a new phone.

The ecosystem is training people to not disable the SIM card, and the cell phone carriers aren’t doing any form of device authentication when SIM cards are moved.  I understand the convenience factor there, but at least it should trigger a higher level of fraud detection.  New device, no notification from the customer, well, if you see a bunch of calls to Europe happening, maybe the carrier should do some level of validation that it’s legit traffic?  Fraud detection algorithms like that are relatively straightforward to put in place.

Right now we’re given a choice between preventing calling fraud and providing a window for wiping the device.  Tough situation.

 

* Note:  This is why ‘find my mac’ type of functionality is essentially useless – it has to connect to a known, trusted network before activating.