Every operating system and mobile platform is vulnerable to attack

I initially wrote this in a conversation on the OzTech email list where the original question asked whether Android is more susceptible to viruses or hacking (than other platforms). The whole issue of security and privacy has been in the spotlight lately as well though due to certain settings which not everyone is happy about in Windows 10 (https://fix10.isleaked.com/ ) – and if you haven’t been following along, Windows 10 has otherwise received quite a positive reception and there are lots of things to like about it – if you are interested in it, you may also like to check out my book on Windows 10 which is available now and already helping people make it much easier for them to use: http://www.22point.com.au/publications.html

So back to the issue of security, I thought I would take a step back from concentrating on any specific operating system and examine some of the ways that users of any operating system and mobile platform are potentially vulnerable.

Danger sign

Danger sign

In direct response to the question about Android question I would say that the short answer is, you should be fine as long as you only download apps from Google Play.

The longer answer is that Android is the most “open” mobile platform, which means that users and developers have more control over what you can do with it and how you can customise it than other mobile platforms (ie, iOS and Windows Mobile) – for instance, on Android you can install a custom home screen (a launcher) which completely changes the look from the standard “grid” of 1cm icons, to something like say Big Launcher where you can have one giant icon or a 2×2 grid etc, or you can change the app you send text messages with.

The flipside of that is that is that if you do give a malicious app access to your system, it may be able to hook into more information, but then a specially crafted iOS attack aimed at an obscure vulnerability might as well. The most common way vulnerabilities are exploited is by malicious apps which are distributed through shady websites, so if you stick to the official ones you are much less at risk.

Probably a bigger threat these days is phishing attacks – those emails you get that look like they are from your bank saying there has been suspicious activity and asking you to log in and update your details – yet they come from a Gmail account and direct you to a site which appears similar to your bank but the address will be http://www.somethingshady.com.ru or something. That or a service you use being hacked (Ashley Madison being the latest one) – either way that’s not specific to any particular type of device.

All in all, whatever you use and whatever you do, it pays to be vigilant and careful and try to stay up to date with security patches etc (in good news, many of the major Android manufacturers have announced they will start rolling out security patches monthly now).

To the issue of security in general on any modern system, these days I think it would be naive to say that any platform is completely secure and impenetrable. Microsoft have found security holes in Windows which have been there for nearly 20 years (http://www.theverge.com/2014/11/12/7202801/microsoft-patches-critical-19-year-old-windows-bug) , last year the “heartbleed” bug was found in the Open SSL protocols which many banking and shopping websites use (http://heartbleed.com/ ), just recently we had the Android Stagefright MMS vulnerability (http://www.androidcentral.com/stagefright ) and about the same time one on Mac was publicised as well http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vulnerable-to-permanent-backdooring/ and finally, GHOST, a security vulnerability affecting many older and some current distributions of Linux was uncovered earlier this year (http://www.zdnet.com/article/critical-linux-security-hole-found/ ) – Did I miss any major platforms? If I did, type “platform security vulnerability” into Google (replace “platform” with the name) and I’m sure you’ll find something!

Can running security software help? Sure, with some of these things, but importantly not until AFTER they have been identified by security researchers, which may not be before the bad guys find them.

In general, the more complex a platform is, the more likely there will be undiscovered vulnerabilities, but any modern OS is very complex.

In general, the more popular a platform is, the more the bad guys will look for vulnerabilities (part of the reason Mac owners have traditionally been smug about security over Windows IS because they are that bit more secure, but partly, it’s just because Windows has traditionally held over 90% of the desktop computer market – as a bad guy looking to exploit vulnerabilities, are you first going to try and find one in the system used by less than 10% of users, or in the one used by 90% of users?

On the flipside, popularity can also act protection of a sort in that IF a vulnerability starts to be exploited, there will be more people monitoring things and looking out for that on the more popular and active platform so it may be picked up quicker and there are likely to be more resources available to address it (either officially from the platform manufacturer, or by third party security companies or developers) than it would be on a smaller platform,

The other danger with security apps, is not to assume they will keep you safe. Firstly you need to know how to use whichever security app you use, that means having it setup to protect what you think it’s protecting, and secondly being able to understand and correctly respond to any messages it (or your operating system) gives you.

So what should you do? In general:

Being aware of what access is available to your device is critically important:
– knowing what apps have access to which permissions,
– which websites are automatically signed in,
– using a password or code to restrict physical access.
– Know what data your operating system collects and what it does with it (eg, each of the major voice assistants – Siri on iOS, Google Now on Android and Cortana on Windows transmits each query or instruction to their parent company over the internet, ostensibly to provide you with a more accurate and contextual response).

Being vigilant to new requests for information or access:
– Knowing how to identify genuine correspondence (eg from your financial institutions).
– Not activating links in emails, but typing them manually into your browser (or using favourites).
– Not opening attachments, MMS messages or visiting unknown websites from unsolicited correspondence.

Educate yourself around known vulnerabilities:
– EG disable MMS auto preview if you have an Android device which has not been patched for Stagefright
– Be aware of current and recent hacks, vulnerabilities and the recommended actions to take.

Take reasonable precautions yourself:
– Don’t downloading apps from unknown webistes
– Use a regular account rather than administrator account on your computer
– Make regular backups of your data
– If you use security software, then take the time to learn how it works but don’t let it make you complacent.

Doing all these things you are much less likely to fall victim to malware / ransomware / viruses / phishing scams etc, but it’s still possible, so finally:
– Be aware of how to regain control of any critical accounts
– Don’t reuse passwords, DO use complex passwords and have a secure system for recording them.
– Know how to remotely wipe any systems which you may physically lose control over (eg any mobile devices).
– Keep backups of all your important data! Did I mention that twice? Good, you should keep at least two backups, ideally at separate locations!

Finally, while it’s important to take precautions and be vigilant, it’s also important to not let it overwhelm you. In fact particularly if you take most of the advice above (which is fairly standard advice you can find repeated in many places on the net) then you are MUCH less likely to run into any trouble, so have even less reason to overly worry.

Did I miss any important security tips or advice? Let us know in the comments!


Android housekeeping pt 1: Staying safe using Android


I wanted to step away from pure accessibility for a moment to cover a very important we all need to be aware of – security.  The key to staying safe on Android (or indeed any platform), is primarily about having the knowledge and common sense to take reasonable precautions.  In this first of a three part series I’m going to introduce some of the key aspects to mobile safety Android users should be aware of and some tips to hopefully keep you one step ahead of the bad guys.

Anti-virus / Anti-malware.

Anti-virus was the buzzword for PCs – for Android, it’s not so much viruses but malware – for instance apps which try to steal your banking information or text premium SMS numbers without your knowledge (Technically a virus tries to replicate itself into other programs, which isn’t generally possible on Android – see: https://www.lookout.com/resources/know-your-mobile/android-virus )

Are anti-malware apps worthwhile?  There are arguments on both sides of the fence.  Personally I err on the side of caution and use one, however it’s important not to be complacent and rely solely on it to protect you.  I’m currently using the paid version of AVG which does come with additional features of warning about intrusive adware, tracking a lost phone and a task killer.

More info: http://www.extremetech.com/computing/104827-android-antivirus-apps-are-useless-heres-what-to-do-instead

Downloading apps.

One of the biggest ways malware infects devices is through malicious apps – often apps which may appear legitimate but from a strange website rather than the official Play store, and asking for unusual permissions (like the ability to make phone calls).  The first recommendation here is to stick to official channels for downloading apps.  Personally I only download things from the Google Play store.  There is a setting under security called “Unknown sources” to allow installation of apps from sources other than the play store.  I highly recommend leaving this option unchecked.


Probably the single most important point around Android security, is app permissions.  When you download an app you are presented with the permissions it wants and you can either accept them all and download the app, or not download the app.  It is vital to at least browse this list before hitting accept as this is often the biggest clue to an app which may not be what it seems.  The three things you really want to check are:

–          Does the description explain why the app needs the permissions it does?  A dialer replacement like Big Dialer needs to be able to directly call phone numbers, but if you are downloading a card game, this permission would be unexpected to say the least.

–          Do I trust the developer?  This can be hard to answer, but look for things like how old the app is (a malicious app uploaded in 2011 would almost certainly have been detected and removed by now, but one uploaded yesterday may have slipped through), how many times it’s been downloaded and what else the developer has been involved in.

–          What are the potential consequences of these permissions?  A voice-memo app legitimately needs the ability to record audio, however paired with internet access, a malicious app could record your phone calls and upload them to the internet.  A malicious app trying to remain undetected might do both.

There are a number of apps which will scan your phone and look at what permissions all your apps want and can highlight potential concerns.  I’m currently using App Permission Watcher by Eric Strusse – (https://play.google.com/store/apps/details?id=de.struse.apewatch ) which not only lists which permissions apps have, but also lists suspicious apps and has a list of all permissions and what they are.  There are a number of similar apps (which often don’t require any permissions at all).

Life Hacker has a good article on app permissions: http://lifehacker.com/5991099/why-does-this-android-app-need-so-many-permissions which links to lots of other great reading material on the subject.  Android Pit has a page with some of the most requested and potentially dangerous permissions at: http://www.androidpit.com/app-permissions-explained

Locking your device.

While the biggest and most widespread threats come from having your data or money stolen remotely, it’s important not to forget the physical safety of your device.  Think of all the things you can access on your phone and the information that someone would have access to if they stole or found your device.  Even if you don’t buy things or access internet banking from your phone, you still have your email, your social media accounts, maybe GPS apps with your home address or even just your browsing history.

The first step to ensuring your device’s safety, is a screen lock password.  Yes it’s annoying, but if you use your device regularly like me, then entering it soon becomes habit and much less of a chore, and suddenly your device is protected from at least casual snooping by others – just don’t use 0000 or 1234 ok?

Apps and features which will track or even wipe your phone if you lose it are great, but if you are going to use one, then make sure you do know how to use it BEFORE you lose your phone.  Test out the device location or remote ringing features and make sure they work how you think they will work.

Finally be aware of which apps and websites you use on your phone, and particularly which ones auto log in (eg your email, facebook, eBay or any shopping sites and any other web sites you let the browser remember your password for) – if someone does get access to your phone and can unlock it, they will instantly have access to all that information, not to mention any photos you have taken, notes or information kept only on the phone.  If you ever do lose your phone, it may be wise to reset the passwords for any of those services (and from many of them, such as facebook, you will also need to revoke access to your phone)


The best ways to protect yourself and your device are:

–          Consider using an anti-malware app but remember they are not infallible.

–          Only download apps from the Google Play store.

–          Always double check the permissions before installing an app – do you know why the app needs them?  Do you trust the developer?  And do you know what those permissions do?

–          Always lock your device.

–          Be aware of what services can be accessed automatically from the phone and therefore what steps you will need to take if you ever do lose your phone

Next post I will cover keeping your phone running smoothly, and as well as detecting invasive or system draining apps and features.