Our main goal in PhoneX is to protect the privacy of our users. In this article we would like to alert users of PhoneX on security risks arising from the use of older phones with outdated operating system.
Devices with Android are largely affected by the aforementioned problem. The reason is the large variety of devices and manufacturers on this platform - security updates for operating system come to the end devices with considerable delay (manufacturers need to adapt these changes to their system), or in some cases not at all. Typically, the support provided by a manufacurer lasts for two years (or a warranty period) since the phone release. Thus often a lot of devices in circulation are still vulnerable (such as Android 4.2 and lower still comprises more than 25% of the market - to date 01/02 2016).
The outdated operating system exposes users to a great risk. Security flaws found for affected versions are publicly disclosed and may be exploited by an attacker. This problem surprisingly affects a large fraction of the Android devices.
Cambridge University study states there are 87.7% of Android devices vulnerable to at least one of 11 known critical bugs on average.
The study also evaluates the security of the individual device manufacturers and operators. With the highest security score placed Nexus, thanks to regular security updates. Current safety score of Android devices can be found on the research project web site http://androidvulnerabilities.org/. We recommend you to check here for your phone model on known vulnerabilities and should you device be affected by any vulnerability consider upgrading it.
Apple devices suffer much less from the mentioned problem. Latest updates are available on most Apple devices on the market, namely from iPhone 4S to the newest devices iPhone 6S (iOS 9.2.1 at the time of writing this article). Apple protects their customers against new security threats even after the standard two years after the release on the market. Lately Apple stared putting increased emphasis on the security of their customers, which is underlined by practical changes in a security policy (e.g., data encryption turned on by default and other measures) and Apple CEO discussions with the US on security level of end-user devices.
Recently, a security firm Zerodium announced a reward for finding a critical vulnerability in iOS in the amount of $ 1,000,000. This high figure reflects the complexity of finding new vulnerabilities on iOS devices compared to Android, where the price of similar security flaws significantly smaller (estimated at $ 100,000).
Vulnerabilities "Price list" according to the Zerodium document.
For a better idea, we would like to present a couple of serious security flaws - and especially pointed out how easy it is to exploit these vulnerabilities.
This bug affects all devices with Android 4.2 and lower.
Example of exploitation: an attacker on the local network (connected to the same WiFi as a victim) can potentially execute arbitrary code on a victim's device without her knowledge, if the victim has an application installed that uses the components in which this vulnerability is present (a considerable part of the application). After the successful exploitation of the vulnerability, an attacker can fully control the application and abusing its permissions (e.g. to read text messages if the app has an access to messages). A tool to test this vulnerability is publicly available, for example, at this address.
Vulnerability code: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 a CVE-2015-3864
CVE-2015-6602 (Stagefright 2.0)
This vulnerability has been publicly disclosed at the BlackHat security conference in August 2015. On the severity scale CVE it received a score 10 (full score, the most critical error). The vulnerability affects a large range of Android devices from version 2.2 to version 5.1.1. In the time of disclosure it was over a billion devices.
The vulnerability can be exploited for example by receiving a specially crafted MMS or playing specially crafted music or video file (.mp3 or .mp4). An attacker can send a message to the victims at a distance and execute an arbitrary code on the phone without their knowledge (e.g., download data from your phone, gain a control over the microphone or camera). The device is older, the probability of a successful attack is greater (newer systems like Android 4.4+ have certain security countermeasures but they only reduce the chance that an attack will be successful). Demonstration of successful Stagefright exploitation can be found in the video:
You can test your device on the Stagefright vulnerability for free using the Android application Stagefright detector.
Mentioned flaws were given as an example and they are not one of a kind. There is a public database of published flaws (for Android here), often with greater or lesser severity.
PhoneX protects user data during transmission over the network as well as on the operating system itself. However, a big role plays OS security itself. It is of crucial imporance to have OS patched with latest security updates.
PhoneX has defense mechanisms implemented for this case - e.g., it stores user data (messages, files) in a separate encrypted storage. However, if the phone or its operating system is already infected, there is a threat of privacy violation and data theft. In such case no application can in principle help to avoid it. Generally, if an attacker penetrates into the system using a vulnerability and obtains root privileges, he can hide himself very well in the system by its modification (rootkit). With gained access he can eavesdrop a keyboard, capture the screen, microphone, camera and so on. In this case, no software protection measures can help.
We encourage all customers to consider the following steps: