Ever heard of the “Master Key,” or know how your “weblogin Token” can be stolen? Both are serious issues that demand the question: “Is your Android device secure?” As an attorney, it’s likely that you use your phone or tablet to conduct business, including storing or discussing confidential client information. If any of the devices you use operate on the Android OS, you had better have the security of that information in mind, and know how to minimize your risks. In this three-part article, I hope to help you do just that.
Finally, the story of the HTC One S and how you can protect yourself and your clients…
(In Part 1, I will discuss the “Master Key” vulnerability, in Part 2, I will discuss the recently revealed security problem with Google’s “weblogin Token,” and in Part 3, I will talk about how Google’s piecemeal update system makes these vulnerabilities particularly worrisome, and what attorneys can do to protect themselves and their clients’ confidential information.)
The final section of this article deals primarily with how attorneys can protect themselves and their clients from attacks through these particular vulnerabilities. Some of you may be saying to yourselves: “As long as I pay close attention to what I put on my Android device, I should be just fine.” To those of you who say that, I give you this:
The HTC One S
Recently, phone manufacturer HTC announced that they would no longer provide any updates for the HTC One S, a smartphone that operates on Google’s Android OS. The announcement serves as the perfect example of how Android’s manufacturer-based update system creates a security risk: users of any Android OS-based device are dependent on their device’s manufacturer for updates to the firmware, but device manufacturers are free to release those updates when (and if) they choose.
Here’s the kicker: the HTC One S is ONLY ONE YEAR OLD! Since most phone plans now require a two-year contract, most One S users must now stick with their current OS (it’s capable of running version 4.2) unless they’re able and willing to install third-party firmware such as CyanogenMOD.
So How Do I Keep Secure?
Since most of you that have been reading up to this point are not in a position to just go out and purchase a non-Android OS device in order to avoid these security issues, the biggest question is how can you limit your exposure. Fortunately, there are ways.
First, you should ALWAYS update your device as soon as a new version of the Android OS is available. Each new update contains fixes to any problems or vulnerabilities that have been found in the previous versions. In the unlucky event that your phone’s manufacturer has discontinued support for your device (such as with the HTC One S), you should invest in third-party firmware, but only after extensive research to make sure the software comes from a reputable source and is without its own security issues.
Next, make sure only to purchase new Apps for your Android device through the Google Play center, rather than from third-party sources. Even though this is not necessarily fool-proof, it’s better than nothing. Whenever a new program allows access to accounts added onto the device, decline allowing access. When dealing with devices owned by employees, make sure they know not to access ANY Google accounts from their business phones, or vice-versa, to prevent any malicious programs from linking from a downloaded app to other Google programs.
Most importantly, never allow a program to have access to your “weblogin” or “ID.” If prompted to allow permission, always say no.
For additional steps users of Android devices can take to minimize their risks, click here, but be prepared for a somewhat strange discussion about comparing use of an Android phone to being in prison.