The Threat in your Pant (Pocket)

Apple’s latest and greatest iPhone will be announced later today. Google and Samsung will launch their newest Nexus phone next week. These are wonderful, powerful devices. They extend our capabilities as human beings, allowing us to remember more, know more, stay in touch more, capture more … oh, and make phone calls as well.

So, should you be worried?

Well, yes.

Just yesterday, Android Police — a popular website that tracks the Android ecosystem — discovered a serious security hole in HTC’s phones. Basically, as a result of a recent software update, any app that accesses the internet can also gain access to a bunch of user data that it shouldn’t:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

The Guardian’s years-long investigation into how the Rupert Murdoch-owned News of the World (NoW) used people’s cellphones as a news-gathering tool may well be an indicator of things to come. NoW intercepted messages, hacked into the voice mail accounts of various people, and happily listened in to, and read, private conversations.

Closer to home, the Radia tapes have set back (if not ruined) the careers of several high-profile journalists, lobbyists, politicians and power brokers.

But both of these are examples of interceptions of network data — they are more taps than hacks.

A hack is when you start to take over a system, when you compromise it in a manner that allows you access to a wealth of information. And a hack (or crack, for the more politically correct readers here) almost always takes advantage of a vulnerability in the software that runs a system. A vulnerability like the one that the guys at Android Police just found.

Incidentally, this isn’t the first time a security hole has been found in a mobile operating system.

The thing is, these devices that are being passed off as phones aren’t phones at all. A phone used to be a mix of a speaker, a microphone, a dialer, and an antenna or wire to connect to a network. That’s it.

Today’s handheld devices are computers, and very powerful ones at that. They have a processor, an operating system, and an ecosystem of apps being created by third-party developers. They also have inbuilt payment systems allowing us to purchase software and services online. Newer devices also have a Near Field Communication (NFC) chip that device manufacturers hope will allow their phones to become debit/credit cards.

For most of us, the phone has become incredibly important — an extension of ourselves, a veritable hand that we can feel lost without. Not surprisingly, these devices know far too much about us — the names and contact details of family and friends, our emails, our usernames and passwords for a number of online services, our credit card details, where we’ve been, what we’re saying … the list goes on. And that’s just the data on the phone.

These phones allow us to become James Bond if we want to — taking photographs, scanning documents, downloading files from the office network … just think of every cheesy espionage scene and you will realize that you can do the things in those scenes, using your phone.

So where does that leave you, the paranoid phone user? May I recommend an old phone that doesn’t have Bluetooth, or a camera, or anything else? And if you can do without mobility, then get yourself a landline, and a wired phone, and little encryption terminals on both ends 🙂 Or you could just use Google Chat over a secure HTTP connection. I can’t remember the last time anyone tapped into a Google Chat/Skype video conversation.

Disclosure: I own an iPhone 4, and advise Sony Ericsson on Social/Digital strategy.

So what do you think?