Sunday, August 1, 2010

Smartphones - a threat to privacy?


I've noticed several articles over the past week pointing out how smartphones store a great deal of information about their users - information that might be used against them under certain circumstances.

First, the Sydney Morning Herald reports:

Australian security experts, consumer advocates and privacy campaigners have sounded the alarm over the hundreds of thousands of free smartphone applications that spy on their users.

Lookout, a smartphone security firm based in San Francisco, scanned nearly 300,000 free applications for Apple's iPhone and phones built around Google's Android software. It found that many of them secretly pull sensitive data off users' phones and ship them off to third parties without notification.

That's a major concern that has been bubbling up in privacy and security circles.

The data can include full details about users' contacts, their pictures, text messages and internet and search histories. The third parties can include advertisers and companies that analyse data on users.

The information is used by companies to target ads and learn more about their users. The danger, though, is that the data can become vulnerable to hacking and used in identity theft if the third party isn't careful about securing the information.

Lookout found that nearly a quarter of the iPhone apps and almost half the Android apps contained software code that contained those capabilities.

The code had been written by the third parties and inserted into the applications by the developers, usually for a specific purpose, such as allowing the applications to run ads. But the code winds up forcing the application to collect more data on users than even the developers may realise, Lookout executives said.

"We found that, not only users, but developers as well, don't know what's happening in their apps, even in their own apps, which is fascinating," said John Hering, chief executive of Lookout.

Part of the problem is that smartphones don't alert users to all the different types of data the applications running on them are collecting. iPhones only alert users when applications want to use their locations.

And, while Android phones offer robust warnings when applications are first installed, many people breeze through the warnings for the gratification of using the apps quickly.

Australian online users' lobby group Electronic Frontiers Australia spokesman Colin Jacobs said the issue of applications spying on their users "was something that everybody needs to be aware of".

Jacobs said that many did not think of their phone as a computer.

"Mobiles contain as much personal information as people’s everyday computers do," he said.

. . .

Intelligent Business Research Services analyst Joe Sweeney said that many users had installed firewalls on their PCs, but weren't doing so on their mobiles.

In many cases this is because they can't. Apple, for example, doesn't offer a firewall product on its iPhone.

"If the numbers in this report are correct, then obviously this is an issue," Sweeney said.

"We may need to see firewall-type software on phones."


There's more at the link.

Intrigued by this report, I looked for more. The Detroit Free Press reports that Apple's iPhone is known for retaining a great deal of information about its users.

There's a burgeoning field of forensic study that deals with iPhones specifically because of their popularity, the demographics of those who own them and what the phone's technology records during its use. Law-enforcement experts said iPhone technology records a wealth of information that can be tapped more easily than BlackBerry and Android devices to help police learn where you've been, what you were doing there and whether you've got something to hide.

"Very, very few people have any idea how to actually remove data from their phone," said Sam Brothers, a cell phone forensic researcher with U.S. Customs and Border Protection who teaches law-enforcement agents how to retrieve information from iPhones in criminal cases.

"It may look like everything's gone," he said, "but for anybody who's got a clue, retrieving that information is easy."

. . .

An estimated 1.7 million people rushed to buy the latest iPhone version released last month. Before that, Apple had sold more than 50 million iPhones, according to company figures.

. . .

Just as users can take and store a picture of their iPhone's screen, the phone itself automatically shoots and stores hundreds of such images as people close out one application to use another.

"Those screen snapshots can contain images of e-mails or proof of activities that might be inculpatory, or exculpatory," Minor said.

. . .

"Most people enable the location services because they want the benefits of the applications," Minor said. "What they don't know is that it's recording your GPS coordinates."

Bill Cataldo, an assistant Macomb County prosecutor who heads the office's homicide unit, said iPhones are treated more like small computers than mobile phones.

"People are keeping a tremendous amount of information on there," he said.

Cataldo said he has found phone call histories and text messages most useful in homicide cases. But Zdziarski, who has helped federal and state law-enforcement agencies gather evidence, said those elements are just scratching the surface when it comes to the information police and prosecutors soon will start pulling from iPhones.

. . .

Adam Gershowitz, who teaches criminal procedure at the University of Houston Law Center, said that the new technology brings with it concerns about privacy -- especially when it comes to whether investigators have the right to search someone's iPhone after an arrest.

So far, the courts have treated mobile phones like a within-reach container that police can search the same way they can check items in a glove box or cigarette pack, Gershowitz said, though the Ohio Supreme Court in 2009 ruled to bar warrantless searches of cell phone data. That case is being appealed to the U.S. Supreme Court.


Again, there's more at the link.

Jonathan Zdziarski, mentioned in the Detroit Free Press report, offers courses to police departments on how to extract information from iPhones. One of his courses is called 'Advanced iPhone Forensics L-1: Recovering Evidence, Personal Data, and Corporate Assets'. In it, he covers areas such as:

  • What kind of evidence is stored on an iPhone, and what can be recovered through desktop trace
  • Raw disk recovery of a v1.x, v2.x, and v3.x iPhone user disk partition, preserving and recovering the entire raw user disk. Recovery over USB cable or Wi-Fi.
  • Making commercial tools, such as Encase, recognize an iPhone disk image
  • Bypassing passcode protection and device encryption to gain access to the device’s user interface for compatibility with third-party triage tools, or for time-sensitive cases where preservation of life is priority.
  • Interrupting the iPhone 3G’s “secure wipe” process
  • Recovering deleted voicemail, images, email, and other personal data using data carving techniques
  • Recovering geotagged metadata from camera photos (GPS coordinates taken at the time the photo was taken)
  • Electronic discovery of Google map lookups, WiFi connect records, keyboard typing cache, and other sensitive data stored on the live file system
  • Extracting contact information and other data from the iPhone’s database
  • Collecting desktop trace and establishing trusted relationships to owners’ desktops
  • Different recovery strategies based on case needs.


More details of the course are at the link.
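Two of the items above, data carving (recovering deleted images from the raw user partition) and reading GPS coordinates back out of a photo's metadata, are concrete enough to show in working code. What follows is an added Python example written for this page, not material from the course or from either article quoted: it builds a constructed "disk image" holding two synthetic JPEGs (one with an Exif GPS sub-IFD, one without), carves them back out by SOI/EOI signature, and decodes the latitude and longitude from the degree/minute/second rationals. The Exif builder, the file layout, the function names `build_exif_with_gps`, `build_jpeg`, `carve_jpegs`, `extract_gps` and `recover_geotags`, and the fixture coordinates (40.7128, -74.0060) are all this example's own assumptions.

```python
import struct

TAG_GPS_IFD = 0x8825                  # IFD0 tag that points at the GPS sub-IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5

def build_exif_with_gps(lat, lon):
    """Constructed fixture: minimal little-endian TIFF, IFD0 -> GPS IFD with lat/lon as D/M/S."""
    def dms(deg):
        d = int(abs(deg))
        m_f = (abs(deg) - d) * 60
        m = int(m_f)
        s = round((m_f - m) * 60 * 100)                  # seconds stored as s/100
        return struct.pack("<IIIIII", d, 1, m, 1, s, 100)
    lat_ref = b"N\0\0\0" if lat >= 0 else b"S\0\0\0"
    lon_ref = b"E\0\0\0" if lon >= 0 else b"W\0\0\0"
    ifd0_off = 8                                         # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4                      # IFD0: count, one entry, next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4                  # GPS IFD: count, four entries, link
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", 1, TYPE_ASCII, 2) + lat_ref           # GPSLatitudeRef, value inline
    gps += struct.pack("<HHII", 2, TYPE_RATIONAL, 3, data_off)        # GPSLatitude, offset to rationals
    gps += struct.pack("<HHI", 3, TYPE_ASCII, 2) + lon_ref           # GPSLongitudeRef
    gps += struct.pack("<HHII", 4, TYPE_RATIONAL, 3, data_off + 24)   # GPSLongitude
    gps += struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, ifd0_off) + ifd0 + gps + dms(lat) + dms(lon)

def build_jpeg(exif=None):
    """SOI, optional APP1/Exif, a placeholder SOS segment, EOI. Constructed; not a decodable picture."""
    out = b"\xff\xd8"
    if exif is not None:
        payload = b"Exif\0\0" + exif
        out += b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    out += b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x10" * 32
    return out + b"\xff\xd9"

def carve_jpegs(image):
    """Header/footer carving of every FFD8FF..FFD9 span. Naive on purpose: fragmented files and
    an embedded thumbnail's own EOI marker will truncate the carve."""
    found, start = [], image.find(b"\xff\xd8\xff")
    while start >= 0:
        end = image.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        found.append(image[start:end + 2])
        start = image.find(b"\xff\xd8\xff", end + 2)
    return found

def _read_ifd(tiff, off, end):
    n = struct.unpack(end + "H", tiff[off:off + 2])[0]
    entries = {}                                         # tag -> (type, count, raw 4-byte value/offset)
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries

def _degrees(tiff, raw, cnt, end, ref):
    off = struct.unpack(end + "I", raw)[0]               # RATIONALs never fit inline; raw is an offset
    vals = [n / d if d else 0.0 for n, d in
            (struct.unpack(end + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(cnt))]
    deg = vals[0] + vals[1] / 60 + vals[2] / 3600
    return -deg if ref in (b"S", b"W") else deg

def extract_gps(jpeg):
    """Walk JPEG segments to APP1/Exif and return (lat, lon) in decimal degrees, else None."""
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):                       # scan data or EOI: no Exif ahead
            return None
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _parse_tiff_gps(jpeg[pos + 10:pos + 2 + seglen])
        pos += 2 + seglen
    return None

def _parse_tiff_gps(tiff):
    end = "<" if tiff[:2] == b"II" else ">"              # byte order mark: "II" Intel, "MM" Motorola
    ifd0 = _read_ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(end + "I", ifd0[TAG_GPS_IFD][2])[0], end)
    if not all(t in gps for t in (1, 2, 3, 4)):          # LatRef, Lat, LonRef, Lon
        return None
    lat = _degrees(tiff, gps[2][2], gps[2][1], end, gps[1][2][:1])
    lon = _degrees(tiff, gps[4][2], gps[4][1], end, gps[3][2][:1])
    return lat, lon

# Constructed "raw partition": slack, one geotagged photo, more slack, one untagged photo, slack.
DISK_IMAGE = (b"\x00" * 512 + b"unallocated space " * 20
              + build_jpeg(build_exif_with_gps(40.7128, -74.0060))
              + b"\x00" * 300 + build_jpeg() + b"\x00" * 128)

def recover_geotags(image):
    """Carve every JPEG and return its GPS fix (or None) in the order found on disk."""
    return [extract_gps(j) for j in carve_jpegs(image)]
```

Calling `recover_geotags(DISK_IMAGE)` returns one `(lat, lon)` pair for the geotagged file and `None` for the other, with no filesystem involved at all: the coordinates come straight out of the raw bytes, which is why a photo the user "deleted" still gives up its location as long as its APP1 segment survives on the partition. The carver is deliberately simple. Real camera Exif usually embeds a thumbnail with its own FFD9 marker, and files on flash are often fragmented, so a production tool validates the carved structure rather than trusting the first footer it sees.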

I'm sure there are those who'll argue that if you're a law-abiding citizen, you've no need to be concerned about such courses, or about police interest in your smartphone. On the other hand, I'm sure that law enforcement authorities aren't the only people who find the wealth of information on your smartphone intriguing. Since criminals can hack a smartphone as easily as anyone else, I think I'll be avoiding them and sticking to my plain-jane cellphone for the foreseeable future!

Peter

1 comment:

Tim D said...

On the other end of the stick, the UAE suspends BlackBerry service, just because the government couldn't monitor them.

-Tim D