By Stephen Bryen
There is growing enthusiasm and interest in encryption for smartphones and tablets in order to protect privacy. But encryption is only half the story, and probably not the most important half. What really matters is platform security.
A smartphone is a powerful computer and communications tool harnessed to a number of radios that link to the outside world. Those radio links can be compromised fairly easily. People worry about how they can keep their phone calls secure and private and are looking at alternatives such as secure phone APPS.
A secure phone APP encrypts the connection between one phone and another. In some cases the encryption works in a phone to phone scheme; in others the encryption and connections are managed by a server. Either scheme can deliver some security for phone calls. In elaborate set ups with servers, they can try and protect emails and text messages. While encryption folks promise a lot, there are two main pitfalls to using encryption that are not so well understood.
The first pitfall is that a determined adversary, such as a competitor or enemy or government agency, can bypass your encryption without too much effort. That is to say, any of these intruders can install spyware on your phone. Spyware can record your conversation or transmit it no matter if you are using encryption or not. That’s because your microphone and cameras are accessible to programs that might be secretly running on your phone being put there by the intruder. In these circumstances you may think that you are protected, but you are not and your risk is even greater since you are unlikely to be cautious and circumspect in what you say on your phone.
The second pitfall is that the platform’s vulnerability will be there with encryption installed, meaning that offline conversations can be “overheard” by an intruder without you knowing it. This kind of malware is generally sophisticated and difficult to detect, making matters worse. Think about it: you are in a meeting in your office and every word is being recorded secretly and will be sent over the internet to an intruder without you knowing it. This can give a spy or competitor a tremendous amount of sensitive information. He can use it for commercial advantage, or to bribe you or your colleagues, or sell it to other parties.
Encryption does not help against either Pitfall #1 or Pitfall #2.
Some people think the best thing to do is to turn off one’s phone when serious conversations take place. To be sure, there are few people who actually do this, because they are always waiting for some phone call or text message to arrive. They “need” the information fix that the smartphone promises to give them on a minute by minute basis.
Even worse, turning off a phone does not really mean that it is safe. There are good quality spyware tools that can turn your phone back on without you knowing it. The screen won’t illuminate, but the phone’s microphones will be on and the phone can record and stream out information. One tip off that the phone might be so infected is that it seems oddly warm, even hot when you pick it up.
Are there solutions that can protect a phone’s platform and avoid the two pitfalls?
I will be talking about that in my next column.