Why we can’t trust smartphones anymore

Mike Elgan | Nov. 27, 2017
A new class of security problem is caused by smartphone makers that create vulnerabilities deliberately without telling customers.

Your smartphone may contain secret “features” that leave you vulnerable.

I’m not talking about accidental design flaws that hackers might exploit. Security issues have always existed. They represent a cat-and-mouse game between malicious actors, who try to break smartphone security, and the smartphone industry, which tries to identify and fix the accidental vulnerabilities that make phones susceptible to hackers. Nothing new about that.

What I’m talking about is a new phenomenon — a trend we’ve learned about only in the past few weeks.

I’m talking about design decisions made by smartphone companies that cause phones to do things invisibly, behind the scenes and behind your back, that make phones potentially less secure.

Google, Apple and OnePlus have recently been caught sneaking intentional vulnerabilities into phones in ways no user would ever suspect. Phones running software installed by those three companies do potentially insecure things even when users take actions to prevent those very things from happening.

Smartphone industry motives are partly well-intentioned. The purpose of these decisions is to improve performance or ease of use. But the decision to do these things without clearly informing users betrays a new type of customer disrespect.

Here’s what we’ve learned in the past few weeks.

The Google Android Cell ID brouhaha

Quartz reported this week that for the past 11 months, Android has been sending user location data back to Google, even if location services are off, no apps have been used and the phone is without a SIM card. The location data is based on proximity to cell towers, something called “Cell ID.”

A Google spokesperson told me that in January, Google “began looking into using Cell ID codes as an additional signal to improve the speed and performance of message delivery.”

Google never used or even stored this data, and the data had no connection to location services, targeted advertising or other functions. The company basically turned it on with the intention of exploring performance tweaks later.

Google plans to remotely terminate this location function over the next month for all users as a result of the controversy. The termination does not require a software patch or download.

The company hasn’t announced the fate of the feature. It’s possible that the company could use it in the future to speed up messaging, either universally or as a user option.

To experiment with Cell ID as a way to speed up messaging was the right thing for Google to do.

To implement Cell ID on all Android phones without telling users that location data was being transmitted even with all location services off was the wrong thing to do.

The Apple iOS 11 Control Center wireless discombobulation

 
