
How Secure Is Your Phone’s Software?

July 24, 2018

The software that runs your phone is called an Operating System. There are many ways an OS can protect you and your data, such as sandboxing, encryption, and how it handles or enables malicious software. Let’s take a look at how your phone’s software is (or isn’t) taking care of you, and how you can take measures to protect yourself.

The Beginning

How effective your phone is at protecting you today really comes down to the intent of the software makers at the beginning of their development process. In this regard, the differences between Android and iOS are deep.

Android

Android was originally conceived as sort of a desktop operating system in your pocket, like a Windows PC in a 3.5″ screen. That gave it a technical edge over iOS in its early days because it allowed users to do many things that iOS wouldn’t, like access the phone’s internal filesystem or run apps in the background. That seemed great to more advanced users, until our collective veil of naivety over data security was lifted. Google has since realized that these unlimited capabilities could sometimes do more harm than good, and has been trying to rein them in, adding layers of security on top of this ingrained openness, with varying levels of success.

iOS

The operating system formerly known as iPhone OS started life in a much different way. The iPhone was originally an evolution of the iPod, a decidedly appliance-like piece of electronics. Although the iPod and the iPhone are, in essence, computers, Apple doesn’t want you to think of them the way you think of your PC. Famously, Steve Jobs didn’t want to have third-party apps on it in order to avoid degrading the user experience. Because of this, and also because the first modern smartphones had very weak computing capabilities, iPhone apps were severely restricted in what they could do at first. This “control freak” approach has paid off in the long run, because it has allowed Apple to eventually build a capable platform in a very secure and user-oriented way.

Sandboxing

Data encapsulation, or sandboxing, means that the apps you install are only aware of their own files and are not allowed to even know about the existence of anything else on your device, unless you manually grant them access to it.

Android

Apps installed on modern Android devices are isolated in terms of permissions from the rest of the system, so by default, they are safe. But because Android was pretty much a wild west in its early days, apps can still potentially access almost anything if you give them permission. And here is where it gets tricky. Apps built for Android 6 (released in 2015) and later can ask for the permissions they need at the moment that they need them and not earlier, which means that you can install and use them without handing over the keys to your house right away. But apps targeting older versions of Android can only ask for all the permissions they may or may not eventually need at the moment of installation, even if the app is being downloaded on a newer version of Android.

This incentivizes developers to ask for as many permissions as possible in case they might use them in the future. Because the list of permissions can get very long and needs to be dismissed in order to install an app, most users don’t pay attention to it, which allows developers to ask for more than they need and potentially use the blanket access in unexpected or malicious ways. You might not realize that something like “Photos/Media/Files” (which allows an app to see all files on the phone’s storage) or “SMS” (which allows an app to send, receive, read, and edit your texts) could be on that list. This was famously exploited by Facebook to get your SMS and call logs.

As of this writing, 38.6% of Android’s over 2 billion active devices are running a version released before 2015 and will most likely never receive an update. You can be sure that the biggest app developers will want to keep targeting those 760 million devices, that the huge list of install-time permissions is not going away anytime soon, and that it will keep getting exploited by companies and developers across the shadiness spectrum.
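Whether an app gets its permissions all at once at install time or has to ask on first use is decided by the `targetSdkVersion` declared in its manifest (API level 23 is Android 6.0). The following is an added example, not code from the original article; it assumes the manifest has already been decoded to text XML, the two sample manifests are constructed, and `audit_manifest` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PERMISSION_API = 23  # Android 6.0, first release with ask-on-use permissions

# Permissions behind the groups the article names (SMS, call logs, storage).
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def audit_manifest(xml_text):
    """Report whether an app's sensitive permissions are granted at install time."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    # Android falls back to minSdkVersion, then to 1, when targetSdkVersion is absent.
    target = int(attrs.get(ANDROID + "targetSdkVersion",
                           attrs.get(ANDROID + "minSdkVersion", "1")))
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    return {
        "target_sdk": target,
        "install_time_grant": target < RUNTIME_PERMISSION_API,
        "sensitive": sorted(requested & SENSITIVE),
    }

# Constructed sample manifests (not taken from any real app).
LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.legacy">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

MODERN = LEGACY.replace('targetSdkVersion="22"', 'targetSdkVersion="26"')

if __name__ == "__main__":
    for name, xml_text in (("legacy", LEGACY), ("modern", MODERN)):
        r = audit_manifest(xml_text)
        mode = "all at install" if r["install_time_grant"] else "asked on first use"
        print(f"{name}: targetSdk={r['target_sdk']} ({mode}) -> {r['sensitive']}")
```

Both samples request the same permissions; only the declared target decides whether the user is asked at the moment of access.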

iOS

Apps on iPhones and iPads get sandboxed in a slightly different way technically, but the results are similar: apps are, by default, completely isolated from the rest of the system. The iOS permission model is a bit different though: since the beginning, permissions on iOS have only been granted at the moment of access, so there is no possible way for an app to secretly get into your contacts without you seeing an alert asking for access, and once you’ve granted it, it’s easily revocable in the Settings app. And because iOS has kept apps in check since the beginning, permissions to liberally read and write the phone’s storage system, or to read and write your texts and call logs, are unavailable to developers.

The system is not perfect, though. If you need an app to access your photos, it will get full access to your photo library. This improved a bit in iOS 11, where a new permission tier was created for apps that only need write-access to your photos, but the potential for an app that might already have permission (like, say, Facebook) to secretly upload your entire camera roll to their server is still there.

Data Encryption

Encryption means that your data is scrambled unless you unlock your device. If your OS encrypts your files, someone who gets physical access to your phone but doesn’t have your passcode won’t be able to access them. But if your phone doesn’t have good encryption, or if it’s disabled by default, it would be fairly trivial for them to bypass your phone’s security and see your stuff.

Android

Google implemented a secure method of full-disk encryption in Android 5.0, but didn’t require manufacturers to enable it by default until Android 6.0. In 2017, only 25% of Android 6 devices were encrypted, and about 80% of Android 7 devices had the feature enabled. It’s safe to assume that over half of Android’s 2 billion active devices are unencrypted, and that’s only counting devices sold outside of China, where Android phones don’t include any Google services. (Android install base data comes from devices that access Google’s Play Store.) Some Chinese Android devices sold outside of China cannot be securely encrypted, and the situation could be even more widespread within China.

Even if your Android is encrypted, the SD card inside it most likely isn’t, because SD card encryption is almost always turned off by default. SD cards usually store all kinds of content, such as photos and music, and sometimes include backups of your address book, texts, or anything that you might have moved to it in order to free up internal space. Even though some say the convenience of an unencrypted SD card is worth the security risk, we disagree. Learn how to encrypt your Android system and SD card here.

iOS

iPhones have included hardware-backed encryption since the 3GS (released in 2009), and if you are using any sort of passcode or password to lock your device, its contents are encrypted by default. In addition, since iOS 9 (released in 2015), Apple has been encouraging and enforcing the use of HTTPS (an encrypted internet connection protocol) in apps through a developer feature called App Transport Security, which forces app creators to manually add exceptions if they absolutely need to use insecure connections in their apps.

In no uncertain terms, iOS is a strongly-encrypted platform.
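An App Transport Security exception is a key in the app’s Info.plist, so the exceptions a developer added by hand can be listed and reviewed. The following is an added example, not code from the original article or from Apple; the sample plists are constructed, and `audit_ats` is a hypothetical helper name.

```python
import plistlib

def audit_ats(plist_bytes):
    """List the ATS exceptions declared in an Info.plist as (scope, issue) pairs."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "ATS disabled for every domain"))
    for domain, rule in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rule.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = ", including subdomains" if rule.get("NSIncludesSubdomains") else ""
            findings.append((domain, "plain HTTP allowed" + scope))
        tls = rule.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):  # ATS otherwise requires TLS 1.2 or later
            findings.append((domain, "minimum TLS lowered to " + tls))
    return findings

# Constructed sample Info.plist files (not taken from any real app).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""
STRICT = plistlib.dumps({"CFBundleIdentifier": "com.example.strict"})
OPEN = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})

if __name__ == "__main__":
    for name, data in (("sample", SAMPLE), ("strict", STRICT), ("open", OPEN)):
        print(name, audit_ats(data) or "no exceptions declared")
```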

Malware

One might think of malware as viruses on a Windows PC, and while “viruses” are very much still around (particularly on Android), in the mobile world, malware can also refer to a seemingly innocuous app that’s abusing the permissions you’ve granted it.

Android

Almost all malware comes from a user unknowingly installing it. This is true on any platform, and is always a risk on Windows or macOS, but on phones, it’s only possible on Android. This platform allows installation of apps from any source, not just Google Play, and because Google Play barely vets the apps it advertises, a lot of malware is distributed through it as well. Malware can come packaged as a free version of a legitimate app, and some could even come pre-loaded with your phone. Backdoors that actively spy on you have been found embedded into millions of Android phones coming from China, and carriers and manufacturers have been bundling everything from more spyware to adware and other bloatware on new Androids since the beginning of the platform. And since it’s easy to install apps to an Android device via USB (aka ‘sideloading’), there have been cases where Windows viruses have infected connected Android phones. Oh, and some malware can even grant itself administration privileges, making it harder for you to remove it. That’s the state of Android malware: it truly is the new Windows.

iOS

For the overwhelming majority of users, iOS only enables apps to be installed through the App Store. For enterprise users, special permissions and setups enable them to distribute apps within their organizations for internal use, and developers can compile and run apps on their own devices. But for you and me, the only way for an app to get into your iPhone is through the App Store, which has a strict review process involving automated and manual testing, making it harder for malware to come through. It has happened though, when developers in China downloaded and used a modified version of Xcode (the software used to build iOS apps) from a Chinese server in order to save download time. Apple’s tight control over the process has allowed it to quickly respond to the breach, and there haven’t been any other reported cases after 2015.

What can and has happened is that apps abuse the permissions you’ve granted them. AccuWeather, for example, bundled “analytics” code from an external company that specializes in monetizing user location data, which is why you should always keep an eye on what you’ve enabled apps to access by going into the Settings app and choosing Privacy. Under Location Services, check whether the enabled apps actually need your location, and if they need it while you’re using them or always.

The Most Secure

The only operating system that has enough control over itself to ensure a reasonable degree of data security is iOS on the iPhone and iPad. Because it was originally conceived as an “open” platform, Android, with all its patched-on security measures, just isn’t up to it yet. But there is no perfect system, and at the end of the day, it is you who needs to keep a watchful eye on the way you use your devices.


This post is part of a series on phone security. Also check out: How Secure is Your Chat App? and How Secure Is Your Phone’s Lock?