Is security a fallacy?

How many times have you heard or read that the best course of action is to keep your computer up to date with security patches?  This is true for your computer's operating system, device drivers, BIOS and software applications, and for your smartphone as well.

Software is created by people, and not everyone is perfect.  Programs can have virtually any number of problems, but these can be grouped into a small number of generic categories.

  • Incorrect calculations
  • Inconsistent processing
  • Inadequate security

These types of errors can stay hidden for years, or they can crash the program the first time it is run.

Critical PGP and S/MIME bugs

Thus the common position is to update your particular device with the most recent security patches.

It’s a matter of Trust

The grand assumption is that any software bugs are not malicious and your software vendor has your best interests in mind.  Well, they probably want your money but that seems to be a fair trade for reliable software – right?

The whole situation gets a bit sticky when asking you for your money isn’t enough and it becomes necessary to cut corners and sell your information to top up the company coffers. The information gleaned from your purchases, browsing history, or viewing habits helps to build a profile, which is also a valuable commodity.

It is this hidden wealth potential that makes gathering information from one's customers all too enticing.  Thus it is not overly surprising to see smartphone apps requesting permissions well beyond what the application needs, in order to gather this important personal information.

This problem was reported years ago, but it has not gone away. It is reported in Germany by the Technical University of Braunschweig, and it does not seem to be limited to either Android or iOS.

I have personally seen this firsthand when a friend received an upgrade notice for this keyboard app.  The permissions went from nothing special to needing to access contact data – which is fairly suspicious for a keyboard app.

Tinfoil hat

It is really not possible for the average person to verify that every smartphone app or patch is safe.  Who really knows if the mountain of upgrades being installed on your phone is protecting you or watching what you are doing?  It comes down to a level of trust.

Seriously, just how bad could it really be?

I used Google to see what different apps are available and was completely blown away by what is possible.  Just put the following terms into your search engine.

“innovative features for remote spying on your phone”

The app that I looked at was able to do all of the following actions – well, for a monthly fee.

  • Real Time Location Tracking
  • View Location History of the Phone
  • View Sent / Received SMS / iMessage
  • View Deleted SMS/iMessage
  • Call Tracking
  • View Call History
  • View Call Deleted History
  • View Photos
  • View Videos
  • Listen to Voice Recording
  • WhatsApp Chats
  • Facebook Messages
  • Viber Messages
  • Skype Messages

This allows you to know where someone is and was, when the camera was used and for what, who was called, and with whom text messages were exchanged.

Did I mention that this is all possible remotely?  I have no inside knowledge, but this same level of spying used to also be possible; you just had to be a government and have some serious resources to do so. Now it is possible to install your own spy on someone’s device.  Not only that, they will make a concerted effort to ensure that little spy is with them at all times.

Patching your computers is still a really good idea, but you do still need to have trust in the security of those supporting your ecosystem.  Well, that and to remember another golden rule.

Anyone who has physical access to a device can take over that device!

Physical security is still king. These types of spy programs cannot be installed on your device unless someone has access to that device.  Use strong passwords and keep your hardware away from prying eyes.
