iphones, Androids, and history repeating

Remember when everyone was bashing Bill Gates because his operating system was insecure and a primary target for malicious software? While Microsoft has (tried to) improved on this, the IT world keeps on turning and the new target is your mobile phone. The Android and iPhone market is still growing. Can you live without your mobile phone today? Probably not. Mobile phones have become part of our identity.

 

They are with us all the time and record every step we take (see the iPhoneTracker application). Do you worry that your iPhone sends a unique token to every app company who wants to pin-point you and your activity? 15 years ago there was a rebellion and legal measures against Intel’s Pentium II/III unique serial number intended to do the same (see this CNN article). Also, think about how much confidential or sensitive stuff you already store on your phone (e.g. your mail, music, photos, credentials). In the future, you might even be able to pay with your phone - initial plans have already surfaced from all major Internet companies. This will make your mobile phone an even more valuable target for attackers - cyber attackers or just old-fashioned thieves!

We don’t want to “cry wolf” here, but you should be aware that the shiny world of iPhones and Androids has a dark side, too. Thus, beware! Some apps available from your favourite app store are malicious and try to steal your private data once installed or auto-dial expensive phone numbers. Unfortunately, the open model for Android apps employs neither quality control nor an approval process. Several Android apps, e.g. wallpaper apps or sound clips, have already been identified as being malicious. For the iPhone, things look a bit better since Apple tightly controls their app store. But the risk remains high for those who have “unlocked” their iPhone.

Finally, if you want to roam around incognito, switch off the geo-localization services on your mobile phone, and recall that a unique token might still identify you to your app company. Use common sense before installing a new app or sound clip. Check what permissions the application asks for. If you just want, for example, a compass and it asks for your address book and Internet connection, don't install the app. If in doubt, don't install. In order to protect your mobile phone against theft, lock it with a PIN code, back it up regularly, and familiarize yourself with ways to wipe your mobile phone remotely if it gets lost or stolen (1).

Of course, if you have questions, suggestions or comments, please contact Computer.Security@cern.ch or visit us at http://cern.ch/security.

(1) The CERN Mail Service provides a possibility to remotely wipe your phone's Inbox: Log into CERN webmail (http://cern.ch/owa), select "Options" and "See All Options" and click then on "phone". The "Wipe Device" option can then be used to clear all Exchange information.

by Computer Security Team