Security of mobile devices

2016-02-09 10:03:03

Our main goal in PhoneX is to protect the privacy of our users. In this article we would like to alert users of PhoneX on security risks arising from the use of older phones with outdated operating system.

Android devices

Devices with Android are largely affected by the aforementioned problem. The reason is the large variety of devices and manufacturers on this platform - security updates for operating system come to the end devices with considerable delay (manufacturers need to adapt these changes to their system), or in some cases not at all. Typically, the support provided by a manufacurer lasts for two years (or a warranty period) since the phone release. Thus often a lot of devices in circulation are still vulnerable (such as Android 4.2 and lower still comprises more than 25% of the market - to date 01/02 2016).

The outdated operating system exposes users to a great risk. Security flaws found for affected versions are publicly disclosed and may be exploited by an attacker. This problem surprisingly affects a large fraction of the Android devices.

Cambridge University study states there are 87.7% of Android devices vulnerable to at least one of 11 known critical bugs on average.

The study also evaluates the security of the individual device manufacturers and operators. With the highest security score placed Nexus, thanks to regular security updates. Current safety score of Android devices can be found on the research project web site http://androidvulnerabilities.org/. We recommend you to check here for your phone model on known vulnerabilities and should you device be affected by any vulnerability consider upgrading it.

iOS devices

Apple devices suffer much less from the mentioned problem. Latest updates are available on most Apple devices on the market, namely from iPhone 4S to the newest devices iPhone 6S (iOS 9.2.1 at the time of writing this article). Apple protects their customers against new security threats even after the standard two years after the release on the market. Lately Apple stared putting increased emphasis on the security of their customers, which is underlined by practical changes in a security policy (e.g., data encryption turned on by default and other measures) and Apple CEO discussions with the US on security level of end-user devices.

Recently, a security firm Zerodium announced a reward for finding a critical vulnerability in iOS in the amount of $ 1,000,000. This high figure reflects the complexity of finding new vulnerabilities on iOS devices compared to Android, where the price of similar security flaws significantly smaller (estimated at $ 100,000).

Vulnerabilities "Price list" according to the Zerodium document.

Vulnerabilities examples

For a better idea, we would like to present a couple of serious security flaws - and especially pointed out how easy it is to exploit these vulnerabilities.

Vulnerability CVE-2012-6636

This bug affects all devices with Android 4.2 and lower.
Example of exploitation: an attacker on the local network (connected to the same WiFi as a victim) can potentially execute arbitrary code on a victim's device without her knowledge, if the victim has an application installed that uses the components in which this vulnerability is present (a considerable part of the application). After the successful exploitation of the vulnerability, an attacker can fully control the application and abusing its permissions (e.g. to read text messages if the app has an access to messages). A tool to test this vulnerability is publicly available, for example, at this address.

"Stagefright" vulnerability

Vulnerability code: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 a CVE-2015-3864
CVE-2015-6602 (Stagefright 2.0)

This vulnerability has been publicly disclosed at the BlackHat security conference in August 2015. On the severity scale CVE it received a score 10 (full score, the most critical error). The vulnerability affects a large range of Android devices from version 2.2 to version 5.1.1. In the time of disclosure it was over a billion devices.

The vulnerability can be exploited for example by receiving a specially crafted MMS or playing specially crafted music or video file (.mp3 or .mp4). An attacker can send a message to the victims at a distance and execute an arbitrary code on the phone without their knowledge (e.g., download data from your phone, gain a control over the microphone or camera). The device is older, the probability of a successful attack is greater (newer systems like Android 4.4+ have certain security countermeasures but they only reduce the chance that an attack will be successful). Demonstration of successful Stagefright exploitation can be found in the video:

 

You can test your device on the Stagefright vulnerability for free using the Android application Stagefright detector.

Other vulnerabilities

Mentioned flaws were given as an example and they are not one of a kind. There is a public database of published flaws (for Android here), often with greater or lesser severity.

Using PhoneX on insecure system

PhoneX protects user data during transmission over the network as well as on the operating system itself. However, a big role plays OS security itself. It is of crucial imporance to have OS patched with latest security updates.

PhoneX has defense mechanisms implemented for this case - e.g., it stores user data (messages, files) in a separate encrypted storage. However, if the phone or its operating system is already infected, there is a threat of privacy violation and data theft. In such case no application can in principle help to avoid it. Generally, if an attacker penetrates into the system  using a vulnerability and obtains root privileges, he can hide himself very well in the system by its modification (rootkit). With gained access he can eavesdrop a keyboard, capture the screen, microphone, camera and so on. In this case, no software protection measures can help.

Recommendations

We encourage all customers to consider the following steps:

  • In the case of Android devices do not use a device with OS version lower than Android 4.4. There are some security vulnerabilities exploitable also on versions 4.4 or 5.0, making it ideal to use the latest version Android version which is currently Android 6.0 Marshmallow.
  • If the system update is available, install it immediately.
  • When choosing a mobile phone we suggest to prefer manufacturers rolling out security updates quickly and on regular (e.g., monthly) basis. We recommend mainly Nexus - e.g., Nexus 5, Nexus or Nexus 5x 6P, which are using original Android system and are the first to receive all updates. We are happy to help our customers with choosing the right phone, just contact us at info@phone-x.net.
  • As an alternative to Android can recommend the iPhone, where PhoneX run without problems. Securing the platform is at a very high level.
  • Under no circumstances use rooted / jailbroken devices. The level of protection of these devices is downgraded and potentially harmful applications or websites may cause severe damage or leakage of data. You could significantly simplify attackers work. Additionally, you are never confident that the new firmware from an unknown hacker that you manually upload to the device does not have a backdoor or a botnet client embedded inside (as is typically the case of PC gaming titles cracks).
  • Android 5.0 and higher support the encryption of all data on the phone. For an effective defense against attackers use a strong password, PIN or unlock pattern. We recommend using a strong password. The pattern is better than no protection, however note that this is a very simple mechanism with a small number of combinations. Moreover, the pattern easily observable by people in your vicinity, or from greasy imprints on the surface of the display.
  • Turn off application installation from unknown sources in Android device Settings if you have it enabled. By default, this option is turned off.