Mobile Applications

Rant: The Trojan in Your Pocket

My first mobile phone was a Dancall DC1 in the mid-1990s. Deeply unimpressed with its performance, I wrote a sarcastic letter to Orange telling them I planned to throw it in the nearest river. They wrote an equally sarcastic letter back, which earned them my grudging respect but didn't change the fact that their black plastic brick was almost useless as a communications tool. As for Dancall, it was eventually sold to Bosch by its owner, the UK personal computer pioneer Amstrad, owned by Sir Alan Sugar, who is now more famous for the reality TV show The Apprentice.

Fast-forward a couple of decades and many people now own smartphones with more processing power than the laptop on which I'm typing this article. They aren't really phones any more: data takes precedence over voice these days. What we have now is an always-on, permanently-connected, globally-distributed network of powerful, portable computers. Or, to slip into the vernacular, a hacker's dream.

Even more so when you consider what people use their smartphones for. All their personal information goes into those tiny, glowing slabs. Credit card details, banking passwords, business emails, dodgy home photography, private messages to your partner, even more private messages to the person you hope your partner doesn't find out about… the list goes on. The smartphone is more than a device: it's an adjunct to the brain, a personal assistant and confidante rolled into one, a gateway to the myriad cultural and intellectual riches of the world and pictures of kittens.

So it's not surprising that newspaper 'studies' frequently crop up claiming that many people would give up sex, sleep, food, water and probably oxygen before they'd willingly part with their smartphones. That's OK though, because phones are password-protected. And the really swanky ones even have fingerprint recognition and the ability to wipe all data from afar if your phone is mislaid or stolen. Nobody could get in, could they?

But what if they're already in?

A recent report (PDF) by security company RSA found that some available smartphone apps were actually malware in disguise or had malware embedded inside them. With techniques ranging from SMS sniffing (to steal one-time banking passwords) to social engineering and phishing, these apps have been developed by skilled software developers, not script-kiddies. Ordinary users would have had no idea what lay beneath when they downloaded and installed them. Like vampires, you invite them into your domain with the best of intentions and then they bite you.

But it's worse than that. The report notes that some smartphones had malware installed in them even before they reached the store. So your new, shiny, shrink-wrapped smartphone might already be infected, ready to spy on you and steal your passwords, financial information and that embarrassing photo of you on the beach in Corfu.

Due to the less tightly-controlled supply chain, Android devices appear to be more at risk than iOS machines, a fact that may further raise Apple aficionados' already worryingly high levels of self-satisfaction. But no machine can be guaranteed secure, because no software can be guaranteed secure, as we found out recently with OpenSSL.

I'm agnostic here, since I own the bare minimum dumbphone capable of connecting to today's networks: a 10-year-old Nokia. With no data plan. That's not because I have no friends and nobody to connect to — honest — but because I have enough distractions in my life. If I don't write, I don't eat, so I can't afford to spend my time hunched over a smaller screen.

But many people need smartphones for their lifestyles and/or careers, and they're the ones at risk. Given the stats on smartphone ownership, if you're reading this you're probably vulnerable. What to do?

First, understand the dangers. Read the RSA PDF in full and do some background reading too. Learn what your smartphone is capable of doing. Get it checked for malware. Remove any apps you don't need. Yes, even that one. And especially that one.

Be extremely cautious about using your phone for anything money-related, whether it's banking, trading, shopping or storing credit card details. Don't give low-level access rights to any app without being very sure about what it is, where it came from and how it will use those rights.

In short, treat your phone like a powerful networked computer over which you have only partial control, because that's exactly what it is, even if it hasn't yet been infected. And while you may feel attached to it and deeply fond of it, there's a chance it has already fallen for someone new and its true allegiance now lies elsewhere. The same applies to tablets, which are similarly vulnerable.

And so it goes on. The battle between the tech security industry and malware makers is often likened to an arms race, but a better analogy can be found in the human body. This is bacterium versus antibiotic, virus versus vaccine. Like many infections, malware increasingly co-opts its host's resources to use against it. The more connected and mobile we become, the greater the risks.

If all this sounds far too terrifying to contemplate, you could just stop using your phone for anything personal, private or financial. Although I suppose that might negate the purpose of owning a smartphone in the first place. In which case, can I interest you in a slightly damp but exceptionally secure Dancall DC1?


Freelance technology journalist Alex Cruickshank grew up in England and emigrated to New Zealand several years ago, where he runs his own writing business.



Alex Cruickshank

Alex Cruickshank has been writing about technology and business since 1994. He has lived in various far-flung places around the world and is now based in Berlin.  
