Many people may have been scared by the "super mobile phone virus" that suddenly appeared a few days ago. Some were scared because they feared their phones had been inexplicably infected with it. A smaller number were startled for a different reason: the "super mobile phone virus" is actually a "super simple mobile phone virus" with very low technical content, and it can be avoided completely with a little attention. It is reported that the creator of this locust malware (virus) is a student who is just learning Android development. He wrote the malware only as practice and did not expect it to spread widely and have an impact.

Installing this malware requires the user to click a link to download it, grant it permission to read contacts and send text messages, and confirm the installation, so mobile phone users with a little security awareness can avoid it. This shows that the problem is not that mobile phone viruses are powerful, but that, compared with computer security, most users have no clear awareness of mobile phone security issues. Looking back at past news reports, we find that the outbreak of the "super mobile phone virus" is just a small ripple in the mobile phone security problem, and the outlook for mobile phone security does not seem very optimistic.

Android's openness and security

For mobile phone systems, security and openness seem to be an irreconcilable paradox. Because the file downloaded after clicking the link has the suffix apk, the "super mobile virus" that broke out this time can only spread among Android phones. The mobile Internet security report released by the Internet security company F-Secure pointed out that the Android platform faces relatively large security problems. In 2012, 79% of malware targeted Android, which was 12.3% higher than in 2011.
In contrast, malware on the iOS platform accounted for only 0.7% of the total. Two years have now passed, and with Android's share rising, the security problems of the Android platform have not improved. Public Intelligence published a joint statement from the U.S. Department of Homeland Security and the Department of Justice in 2013, with data similar to F-Secure's, showing that 79% of malware (Trojans) came from Android in 2012, while iOS accounted for only 0.7%. Symbian accounted for 19% of Trojans, and BlackBerry and Windows Mobile accounted for the same proportion of mobile Trojans, 0.3% each.

It is not that Android itself pays no attention to the security of the system. In 2012, Android 4.1 was the first version to fully support ASLR. ASLR (address space layout randomization) is a protection technique against buffer overflows. By randomizing the layout of linear areas such as the stack and shared library mappings, it makes it harder for attackers to predict target addresses and to locate their attack code, thereby hindering overflow attacks. This can greatly increase the difficulty of exploiting memory vulnerabilities.

Looking back, there have been many news reports about security problems on Android phones. Google Play is generally considered safer than lesser-known software markets, but even this official store may contain malware. Going back to 2012, according to a report by Ars Technica, researchers found that more malware had entered Google Play. What is interesting is that this malware could stay in the official market for a long time and go undetected even with a large number of downloads.
For example, a Trojan called Android.Dropdialer, which ran up high fees by forcing users' phones to call certain specific numbers, was discovered only weeks after entering Google Play; and malicious programs packaged as "Super Mario Bros" and "GTA 3 Moscow City" reached 100,000 downloads.

Google seems powerless to deal with Android's serious security problems. When asked about Android malware by the French Android site FrAndroid, Google Vice President and Android Department Director Sundar Pichai replied: "We don't guarantee that Android is used for security purposes, it's mainly used to provide more freedom. When people talk about 90% of Android Trojans, they have to recognize the fact that it is the most popular operating system in the world. If I were a company producing malware, I think I would also target Android."

For security reasons, Chrome has closed the door on plug-ins from outside sources, so that they can only be installed from the store, and it has been accused of becoming closed. Security and openness are indeed difficult to reconcile here. Moreover, security is not just the responsibility of the system. Users and third-party security companies cannot stay out of it.

Is iOS definitely safe?

As mentioned above, in 2012 malware on iOS accounted for only 0.7% of the total, a good result given the market share of iOS at that time. But this means that iOS is only relatively safe, not absolutely safe. In fact, there are many news reports about iOS security vulnerabilities. Also in 2012, according to Forbes, the Kaspersky anti-virus researcher Maslennikov found an application called "Find and Call" in the App Store. On the surface it looked no different from other calling applications, but investigation found that "Find and Call" also collected users' private information without authorization and uploaded it to a remote server.
Finally, the server would send a text message to everyone in the user's contact list, with a download link for the application. This principle sounds exactly the same as that of the "super phone virus". It is worth mentioning that this was the first malware found in the App Store, which is known for its strict review. This malware incident on the iOS platform, together with the repeated virus problems on Mac OS X, challenged the security mechanism that Apple has vigorously promoted, and Apple's "virus-free" reputation has gradually become a thing of the past.

At last year's Usenix security conference, scientists from the Georgia Institute of Technology demonstrated their research result: a piece of code that behaved like an amoeba. When the code was tested by the App Store it was harmless, but once it was installed on an iOS device it would transform from a little sheep into a jackal. More importantly, in this way they did successfully publish a malicious application on the App Store. Of course, because it was an experiment, the scientists did not use the vulnerability to do evil. But it proved that the App Store review mechanism at the time could still be exploited.

Even if applications on iOS are relatively safe thanks to the walled garden model, vulnerabilities at the iOS system level are discovered often. At the beginning of last year, before iOS 7 was released, a security vulnerability in iOS 6 affected all users who had not enabled the two-step security mechanism. Using this vulnerability, someone needed only the email address and the owner's date of birth: they logged into Apple's iForgot website, pasted a modified URL when answering the security questions, and could then reset the Apple ID and iCloud passwords at will. Apple later closed the iForgot website and acknowledged the existence of the vulnerability.
Shortly after iOS 7 was released, a netizen discovered a new iOS 7 security vulnerability: with the screen locked by a passcode, tap "Emergency Call", enter any number, and then quickly tap the "Call" button repeatedly until the Apple logo appears on the phone, and the call will be dialed successfully. In fact, many versions of iOS have had different lock screen vulnerabilities.

The arrival of Touch ID is considered to have struck a delicate balance between security and convenience. For hackers, however, cracking Touch ID fingerprint recognition is no problem. Starbug, a well-known German hacker, made a set of fingerprints himself and successfully fooled the Touch ID system. Starbug said that cracking Touch ID was "not challenging at all" and that he even felt "very disappointed": "It took me only 30 hours to crack Touch ID. It took me about half an hour to prepare and more time to find the technical specifications of the sensor. I was very disappointed because I thought it would take 1-2 weeks to crack it. It was not challenging at all."

This cracking process reveals a cruel reality: fingerprints left anywhere can be used to bypass Touch ID. Starbug pointed out that Touch ID only increases convenience rather than security. Apple's white paper, however, pointed out that Touch ID is absolutely safe. But this is a different kind of security. It refers to the security of personal information and privacy: each A7 chip has a unique security module, and neither Apple nor the A7 processor can read the data in this module. Moreover, each authentication is carried out with "end-to-end" encryption, which means that your fingerprint information will not be uploaded. After the fingerprint data has been processed and analyzed, the iPhone 5s automatically deletes the data and does not sync it to iCloud or iTunes. Apple further explained the purpose of the fingerprint image.
The fingerprint image will only be saved in the internal storage until it becomes a decoding key. If the user does not unlock or restart the phone for more than 48 hours, or the decoding fails more than 5 times, the iPhone's protection system will be activated. In addition, when an unfamiliar user touches Touch ID, the probability of them unlocking the phone is only about one in 50,000.

Sometimes it's not the system's fault.

Everything mentioned above is at the system level. Beyond the system level, mobile phone security vulnerabilities may also exist elsewhere.

A new study by the computer security researchers Karsten Nohl and Jakob Lell found a serious security vulnerability in USB devices. Malware called BadUSB can invade personal computers through USB devices such as mice, keyboards and USB flash drives and tamper with the hard drive software. Karsten Nohl and Jakob Lell have researched USB device security for a long time. This time they did not, as usual, write malware to place in the storage of a USB device and test its security; instead, they focused on the firmware that controls the transfer function in USB devices. They found that by writing a certain program, hackers can easily hide malicious code in the firmware, where antivirus software cannot find it at all. Besides storage devices such as USB flash drives, USB keyboards, mice, and even smartphones connected by USB cable can have this problem.

Matt Blaze, a professor of computer science at the University of Pennsylvania, believes that this research reveals a major security risk. He also speculated that the US NSA may have known about this problem long ago and used this method to collect a lot of data and information.

Behind the doors of public toilets we often find illegal advertisements such as "copying SIM cards to eavesdrop", which may not be a scam but a real illegal service.
The New York Times reported that Karsten Nohl, founder of the German firm Security Research Labs, revealed after testing about 1,000 SIM cards in North America and Europe that hackers can use a security vulnerability to send false messages to mobile phone users, causing 25% of DES SIM cards to reply automatically and expose their 56-bit security keys. After obtaining the security key, hackers can send viruses to the SIM card via SMS, which allows them to impersonate the owner of the phone, intercept SMS messages, and even make purchases through the mobile payment system. The whole process takes only 2 minutes and requires only a PC.

As early as 2011, Ralf-Philipp Weinmann from the University of Luxembourg discovered a vulnerability in the firmware of the Qualcomm and Infineon Technologies chips that most wireless devices use to process radio signals. He used this vulnerability to crack the baseband chip, which sends and receives the signals of the wireless communication network. Hacking the baseband chip was an unprecedented way to invade mobile phones. Since mobile phone signals must be carried through base stations, Weinmann would first set up a fake base station to trick other phones into connecting to it, and then send malicious code to the target. The malicious code written by Weinmann can only run on the firmware of the radio processor.

Not long ago, Mathew Solnik, a mobile researcher at the cybersecurity company Accuvant, said he could hack into a smartphone from 30 feet away without anyone noticing, including listening to its calls, browsing contacts and even reading text messages. Solnik said they had roughly figured out a way to use a vulnerability in a smartphone's radio to pretend to be a wireless operator, using a virtual signal tower the size of a laptop computer that costs less than $1,000 to upload malicious code to a phone within 30 feet.
USB interface, SIM card, baseband chip: different data transmission channels are often accompanied by different security risks.

BlackBerry's final glory

Although BlackBerry is declining and its market share is shrinking, the security of its phones is still recognized by many people. Previously, the German Ministry of the Interior purchased 3,000 BlackBerry devices encrypted with technology from the German company Secusmart and distributed them to members of the department. Tobias Plate, a spokesman for the Ministry of the Interior, said that using these BlackBerry devices reduces the risk of users being eavesdropped on by hackers, so the German government will order more BlackBerry phones for officials to use. The German Ministry of the Interior then announced that BlackBerry was the only phone that met its security standards, and that the German government would go on to order more than 20,000 BlackBerry phones running BB10.

In the enterprise market, BlackBerry phones are barely kept afloat by their security. When BlackBerry began to decline, Dan Croft, CEO of Mission Critical Wireless, which helps enterprises deploy mobile phones, said: "It's too early to write the eulogies for RIM, they clearly have a lot of significant issues, but there are still millions of BlackBerrys running smoothly. We're not seeing RIM being driven out of the enterprise market. We're just seeing an increase in non-BlackBerry devices." Croft believes that although iOS and Android devices have enhanced security features, BlackBerry's security features are more robust and easier to configure. It takes more planning to configure a proper security system for consumer devices such as iPhone and Android.

This example is still not outdated. Samsung has always wanted to expand its presence in the enterprise and government markets, and has developed the Knox security solution for this purpose.
However, these phones, which compete with BlackBerry for US government customers and ship with the Knox security solution, have been found to have a major security vulnerability. This vulnerability allows hackers to track the email, personal data and other private information of mobile phone users. Its exposure has put Samsung at a disadvantage in this competition.

Earlier this year, the Pentagon launched its latest management system, and 98% of the new devices activated on it were BlackBerry phones. The new management system is expected to activate 80,000 BlackBerry phones and 1,800 iOS and Android devices. It is expected to cost $160 million and is meant to ensure that 300,000 security personnel do not leak military secrets when using mobile devices.

The continued trust BlackBerry enjoys in the German and US government markets does not mean that it can rest easy in the government and enterprise markets. According to the Guardian, the BlackBerry BB 10 system was rejected by the British government last year because it failed to pass the security certification of the British Communications Electronics Security Group (CESG), the British national information security technology authority. The rejection means that the British government believes the BlackBerry BB 10 system is not safe. In BlackBerry BB 10, in addition to BlackBerry's traditional network services, there is BlackBerry Balance, an application designed mainly for enterprises and governments that isolates personal data from work data so that the two never intersect, thereby ensuring security. However, the British government does not think it meets security standards. Earlier, the U.S. Immigration and Customs Enforcement Agency, which has as many as 17,000 employees, abandoned BlackBerry and turned to iPhone.
We may have to spend more time and money on mobile phone security

With the increasing popularity of smartphones, mobile payments have begun to spread gradually. This method, which is more convenient than swiping a card at a POS terminal or paying on the Web, undoubtedly has broader room to grow. Current mobile payment methods include the PayPal digital wallet, Google Wallet, Square and others, and they are expanding rapidly with the help of smartphones. For example, Square's transaction volume reached 10 billion US dollars in 2012, and it has been gradually deployed in more than 7,000 Starbucks stores. This year its transaction volume will reach a higher level.

However, security is still the biggest concern for users. Consumers do not always pursue convenience alone. Since mobile payment is closely tied to personal smart mobile devices, and mobile devices are easy to lose, security issues cannot be underestimated. Users may be deterred from mobile payment by security concerns.

Sometimes, more complicated procedures that increase security are more likely to win users' acceptance. Auriemma Consulting Group, a research organization from the UK, conducted a survey and found that, contrary to the emphasis smart devices place on user experience, more complicated procedures are more likely to be accepted by users. Convenience and security often cannot be achieved at the same time. For the sake of their money, users are willing to endure more cumbersome procedures.

On the Web, online payment has become more popular, with online banking, credit cards and Alipay favored by users. In the way they operate, security certificate files, multiple password entries and verification codes are used in every transaction. Mobile devices, however, have a stronger demand for convenience, and simplifying the process is the general trend, so how to balance this with security while keeping users' acceptance has become a difficult problem.
Blackphone is a smartphone designed to keep hackers out. It is the result of a collaboration between a software team and a hardware team. The software team is Silent Circle, a well-known encryption company. Its co-founder is Phil Zimmermann, who invented PGP email encryption and was inducted into the Internet Society's "Internet Hall of Fame". Silent Circle is a young security team founded in 2012, but its lineup should not be underestimated. In addition to Zimmermann, the famous computer security expert Jon Callas is also one of the founders. Other members of the team are senior engineers or former special forces communications experts.

Before the release of Blackphone, Silent Circle was already well known in the security industry, having launched encryption services for phone calls, text messages and emails: Silent Phone, Silent Text and Silent Mail. Blackphone naturally draws on the team's experience in this area. In addition to encrypting these three types of communication, the phone also anonymizes the user's online whereabouts through an always-on, 24-hour virtual private network (VPN). It is said that even the NSA cannot hack into this phone.

With PrivatOS, a deeply customized Android system, and with Silent Circle's encrypted instant messaging application, SpiderOak's encrypted data storage, Disconnect's anti-tracking service and Kismet's anti-WiFi sniffing built in, Blackphone looks really safe. At the same time, its price is relatively high at $629.

Blackphone is not the only phone that provides dedicated security services. The Vertu Signature Touch, a luxury mobile phone, has built-in Kaspersky anti-virus software and anti-eavesdropping functions to ensure that calls and text messages are not stolen. Of course, the price of this phone starts at $11,350.

New technologies will also take time to arrive.
EyeLock, a security company from New York, is also trying to replace traditional passwords with more advanced biometric credentials, and its weapon is iris scanning. Myris is the device it has brought out, which can scan 240 key points on the user's iris and then generate a 2048-bit digital signature. To use it, the user only needs to pick up Myris and scan an eye to complete the account login. According to data provided by EyeLock, the probability of Myris authentication failure is only 1 in 2.25 trillion, far exceeding voice recognition and Touch ID fingerprint scanning. Its accuracy is second only to DNA verification.

EyeLock CMO Anthony Antolino confidently said that Myris is expected to completely replace traditional passwords in the future. However, Myris is an external device about the size of a mouse and can only be used with a computer. The future of iris recognition should be integration into devices such as mobile phones and computers.

As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity.