Defending Your Cellphone Against Malware 157
Hugh Pickens writes "Kate Murphy writes that as cellphones have gotten smarter, they have become less like phones and more like computers, and that with more than a million phones worldwide already hacked, technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. Cellphones are often loaded with even more personal information than PCs, so an undefended or carelessly operated phone can result in a breathtaking invasion of individual privacy as well as the potential for data corruption and outright theft. But there are a few common sense ways to protect yourself: Avoid free, unofficial versions of popular apps that often have malware hidden in the code, avoid using Wi-Fi in a Starbucks or airport which leaves you open to hackers, and be wary of apps that want permission to make phone calls, connect to the Internet or reveal your identity and location."
Pickens continues: "One common ruse is a man-in-the middle attack when a target receives a text message that claims to be from his or her cell service provider asking for permission to 'reprovision' or otherwise reconfigure the phone's settings due to a network outage or other problem. Don't click 'O.K.' Call your carrier to see if the message is bogus. For the more paranoid, there are supersecure smartphones like the Sectéra Edge by General Dynamics, commissioned by the Defense Department for use by soldiers and spies which may soon be available to the public in the near future. 'It's like any arms race,' says mobile security consultant Michael Pearce. 'No one wins, but you have to go ahead and fight anyway.'"
Android only of course (Score:3, Insightful)
And of course the main platform prone to issues is android. Flame al you want but the endless reports of various significance all show it's true that android is more prone to malware than iOS and windows phone
Not realistic (Score:4, Insightful)
So, in other words, all apps that actually make use of the fact that it's a mobile device able to determine its position in real space to enhance the user's real-world experience...
Sounds to me like the OS makers need to address this, and give user-level ways of doing things that don't compromise the whole system if something nefarious happens, and then also give the manufacturer of the OS the ability to alert users when the manufacturer learns of malicious applications so that they can be removed.
Re:Android only of course (Score:4, Insightful)
Re:Step 1 (Score:4, Insightful)
What spyware is installed on an iPhone out of the box, pray tell?
Dumbphone user here... (Score:5, Insightful)
And the more I read about this, the better off I think I am.
Seriously, this summary sounds like there is really no way around this BS except by using a dumbphone and never connecting anything to the Internet.
>free app clones of pay ones are a problem
No, closed source "free" apps are the problem.
--
BMO
Simple really (Score:5, Insightful)
Don't download every dumb shit dancing santa talking cat bullshit app your mom's co-workers recommend
option B is to not use a smartphone and get over your facebook/twitter addiction
Re:Or... (Score:4, Insightful)
So we are once again stuck onthe myth perpetuated by the Apple marketing machine that iOS is secure.
Lets disregard that it's been hacked repeatedly and easily, and lets also forget the tens of thousands of people who've had there iTunes accounts hacked and been charged for apps they have never downloaded (I know of 3 personally, none of whom ever got their money back)
But yes, the 50 (out of 400,000) malware infected apps are scary.
Re:Android only of course (Score:4, Insightful)
It's a problem with being able to run software of the user's choice. Wall it up and the problem goes away. Users are stupid therefore you make decisions for them and it becomes more secure because the primary attack vector (the user) gets cut off.
I'm not advocating a Great Wall of China but it should be a bit harder to find malware than picking some random app from the platforms officially sponsored market place.
Re:Not realistic (Score:4, Insightful)
I don't know what Android has been up to since about 2.2, but one thing that has always irked me is that it displayed a list of "This application wants to do: X,Y,Z - Allow or Deny?"
What I'd much prefer is if you could allow or deny individually, i.e. Internet access but not contacts or phone. However I can kind of see why they wouldn't want to do that - it could cock up the advertising funded ones.
Re:And the truth will be modded -1, flamebait. (Score:2, Insightful)
Any system which allows users to run 3rd party software of their choosing is going to be vulnerable to the stupidity of its users. You can't fix stupid users without putting them in a jail cell.
As long as the user is the primary attack vector it's hard to make a blanket statement about a platform's security. Back when Windows would get infected simply by bing turned on and connected to a network without the user doing a damned thing, it was easy to make a blanket statement about how secure Windows was. And even though the trolls told us that there was nothing Microsoft could do because they were the most popular OS, Microsoft did finally do something and the platform did finally become more secure. Once again things have shifted to target the user rather than sending malformed packets and overflowing buffers. It's hard to call a modern Microsoft OS insecure because the attack vector is more commonly stupid user now.
If we can call MS's slow bloated crap secure because it's all or at least mostly on the user, then we can call Android secure too. Sure neither one is as secure as the walled garden but like I said, it's jail or freedom to fuck yourself.
Re:Or buy an iPhone (Score:5, Insightful)
It's not realistic to think that everyone would compile applications if they could, or be able to do a source audit to see they are truly safe.
No, it's not that *I* necessarily need to see the code (while I appreciate the freedom that I could), but I know other people *can* and *do*
That's the advantage.
Nefarious code does not live long in open sauce. Basically because not everyone is Ken Thompson to quote Tom Christiansen.
Tom Christiansen has a pretty good rant about why the source-code world is superior. I have saved this as a text file since I read it the first time here, because it is that good.
http://news.slashdot.org/comments.pl?sid=2540&cid=1522840 [slashdot.org]
--
BMO
Re:I defend ANDROID smartphones w/ HOSTS files (Score:5, Insightful)
Yes, it's THAT simple
Only on Slashdot could you say that with some vague sense of truth to it.
Amazon (Score:4, Insightful)
Re:Or... (Score:3, Insightful)
So we are once again stuck onthe myth perpetuated by the Apple marketing machine that iOS is secure.
Oh boy, "Apple marketing machine" eh? Queue "imperial march."
Lets disregard that it's been hacked repeatedly and easily
Hardly easily. The first jailbreak admittedly was easy, but take a look at the iOS hackers blogs: jail breaking these things is now crazy hard. Jailbraking now takes multiple exploits and a phone which is physically connected to your system. The latest exploits took months to develop, all the while people are told not to upgrade because the upgrades invariably patch the holes.
Anyway jail breaking is a red herring, what counts is exploits used in the wild. And to the best of my knowledge that's still a big fat 0 for iOS, which is why these articles invariably talk about Android.
and lets also forget the tens of thousands of people who've had there iTunes accounts hacked and been charged for apps they have never downloaded (I know of 3 personally, none of whom ever got their money back)
But yes, the 50 (out of 400,000) malware infected apps are scary.
iTunes is not iOS. They are completely separate products. The security of one has no bearing on the security of the other.
Re:Or... (Score:4, Insightful)
There's always a first time, but I think there's a good chance the security impact of these vulnerabilities will remain theoretical. Despite JailbreakMe 2.0 being open sourced after an updated version of iOS was released, which would have made it relatively easy to modify the code into an attack, I didn't hear about any such modification except a proof of concept that showed up much later.
Re:Easy fix (Score:5, Insightful)
I miss my blackberry everytime i write an email, but i would miss my android more as a useful device.