Smartphone hacking is easier than you may think

A healthy dose of skepticism and some technical know-how are your best defence

Graphic by Aldo Rios.

Smartphones evolved from cell phones by acquiring the capabilities of personal computers. For those who own one, the surrounding world now has to compete with limitless games, social media, and the entirety of the Internet. Beyond these recreational features, smartphones also provide a way to access private accounts for banking, course registrations and grades, and professional e-mail. According to a report from the Canadian Radio-television and Telecommunications Commission, 66 per cent of Canadians aged 18 and older owned smartphones in 2014.

Although smartphones can be helpful personal assistants, their loyalty is not guaranteed. Smartphones, like any computer, obey the commands of whoever gives them instructions. Put simply, hackers can tell smartphones to betray their owners. Fortunately, there are some simple ways for smartphone users to minimize this risk.

While a passcode can seem tedious at times, it remains the most prominent security tool any smartphone owner can use. As people entrust their smartphones with more private information, losing a phone becomes more costly. If the owner of a lost phone has installed “find and wipe” software, which allows users to remotely locate and erase data from a lost device, the loss can be at worst inconvenient and expensive.

For smartphones without the “find and wipe” program, a strong passcode (that is, not 1234) is the final wall of defence between personal data and whoever stumbles upon a lost phone. A four-digit code is easy for the owner to remember, but unlocking a passcode-protected phone requires far more technical know-how.

Researchers at Symantec, a cybersecurity firm, studied how the absence of a passcode endangers the information on smartphones. Across major Canadian cities, Symantec left 60 unlocked phones in public spaces and monitored what information strangers accessed after finding them. The results show that both personal and professional information was vulnerable. In the case of personal information, the finders tried to access online banking on 35 per cent of the phones. On 52 per cent of the phones, they opened a passwords app.

These results are disappointing and should be cause for concern for anyone with sensitive data on their smartphone: much of the snooping by the phone finders went well beyond innocent curiosity.

The report also addressed how the loss of an individual’s phone can be damaging to an entire organization. On 63 per cent of the phones in the Symantec study, the finders who chose to look through the phones accessed confidential information about the owner’s employer. For instance, finders attempted to open professional files called “HR Salaries” on 42 per cent of the phones and “HR Cases” on 32 per cent of them. Even the good Samaritans who tried returning the phone (just over half of the cases) peeked at more than was necessary to identify the owner. Had these lost phones belonged to real people, remotely erasing the personal data or simply having a passcode could have prevented these invasions.

Even when a smartphone is in the possession of its owner, there are still ways to access the private information stored there. From a distance, hackers can manipulate the owner into giving them access. This strategy is called social engineering. Hackers who employ this tactic craft texts or e-mails to disguise malicious code as seemingly innocent links or attachments. In other cases, hackers will use e-mail or text messages to trick their victims into disclosing confidential information.

For example, the Canada Revenue Agency (CRA) has warned that some Canadians have been receiving fraudulent texts and e-mails from people claiming to be CRA representatives. These messages try to persuade recipients either with the promise of a tax refund or by misleading them into believing that they have unpaid, overdue taxes. If convinced, victims of these scams end up handing over sensitive personal information, including social insurance numbers, banking details, and passport numbers. Avoiding these scams depends on always verifying the source of an electronic message and resisting the impulse to provide private information.

Hackers apply similar psychological strategies in convincing smartphone users to download malicious apps. In contrast to previous examples where hackers could only access information on smartphones, downloading the wrong app can allow hackers to change how a phone functions. The easiest way to reduce this risk is to download apps only from official online stores, such as Apple’s App Store. The App Store requires all app developers to undergo a rigorous screening process before their software becomes available to the public.

Despite the advantage of using official stores, some smartphone users still accept the risks of downloading apps from less regulated sources. Some eager fans of Pokémon GO became familiar with these risks when they found a way to play the popular game before it was released in their country. In the code of an unofficial (but internationally available) version of Pokémon GO, cybersecurity researchers at Proofpoint discovered malicious software that allowed its developer to remotely control the smartphone of anyone who installed it. After taking control of a victim’s smartphone, hackers could anonymously commit identity theft by stealing personal data or sending messages from the owner’s number. As with text and e-mail scams, skepticism is the best defence against this kind of attack: before downloading any app, smartphone users should carefully evaluate its source.

One challenge in cybersecurity is that the threats are often not visible and can be cloaked by sources that seem safe and official. To protect ourselves, we are all going to have to get a lot more jaded and cautious.