Who Controls Your Smartphone? And How to Leverage Open Source to Prevent it from Spying on You

Simon HartleySomeone once said, “The first step to receiving an answer is being brave enough to ask a question.” There are many things about today’s world that warrant us asking that question.

Do you or the mobile vendor control your smartphones?

If you are a consumer, small or medium business (SMB) -- the answer is the vendor. It should come as no surprise since these groups typically don’t have the business needs or resources to customize beyond Commercial-off-the-Shelf (COTS) options. Factory mobile builds — from major mobile vendors — offer a strong User Experience (UX) and a good baseline for security.

What if you are a large enterprise or a government agency?

The answer is still the vendor. Are you surprised? Groups such as these have specific business needs and security postures. They routinely add significant customizations to the hardware, operating system (OS), and services around all IT devices — PC laptops, desktops, and servers — including smartphones.

Why are mobile devices less customizable than PCs?

There are two reasons for this: The bundling of Options and the monetization of Personal Data. Let’s dive deeper to understand both motivations.

Mobile vendors tightly bundle the hardware, the operating system (OS), update services, as well as many factory apps. This makes for a better UX but at the cost of higher prices, customer lock-in, limited choices, and limited customizability. They do allow light customization via device settings, and Application Programming Interface (API) requests to the OS.

These settings and APIs support enterprise mobile fleet management best practices such as automated mobile enrollment, vetted apps in app stores, Mobile Device Management (MDM) for management of the fleets, and Mobile Threat Defense (MTD) for Continuous Diagnostics and Monitoring (CDM) within the vendors’ walled gardens.

However, with device settings and API calls, the phrase “request to the OS” is key since the vendor chooses the extent to which settings are implemented. For example, does “airplane mode” mean all modems are off or that they are “selectively” off? Would key data like your device’s fingerprint or International Mobile Equipment Identity (IMEI), network fingerprint or International mobile Subscriber Identity (IMSI), GPS, sensor, and personal data “only” be shared to the vendor, or is their distribution much broader?  Such data can be used to identify, monitor, and target entire staffs by criminals, and other bad actors.

Vanderbilt University published a study detailing just how large the issue of data exhaust from smartphones is. Health fitness apps on soldiers’ smartphones were found to reveal the location of secret bases.  Journalists were able to track the President and military staff at the Pentagon.  More recently American troops were asked to leave personal BYOAD (Bring Your Own Authorized Device) at home over security concerns. The National Security Agency (NSA) just issued a warning over national security implications of smartphone tracking.

If there is no setting for what you want to do, then you are out of luck. It is much more profitable for mobile vendors to sell the same factory builds to everyone. Flagship devices cost $1,000 and are bootloader locked to prevent actual OS customization short of hacking by “rooting” or “jailbreaking: that bypass rather than adding to existing “defense in depth” security measures..

Customization requests are routinely refused by vendors. Sometimes they can be subtly re-framed as not a request for customization but instead a requirement for added “OS requests” via new settings or API calls. Such an architecture preserves vendor control allowing them to ask for large upfront orders for “Minimum Order Quantities” (MOQ) or inflated professional services fees for “Non-Recurring Engineering” (NRE) payments only to quickly have the subsequent custom-builds reach End of Life (EOL) since such builds are outside routine upgrade and update processes.

On the other hand, personal computers (PCs) have more open architectures that allow competition at all levels — from the hardware to the OS, maintenance services, and app ecosystems — which means consumers and organizations can highly customize devices and build best of breed solutions. They still leverage bundles, where that makes sense.

Mobile vendors discovered they could be paid once for products and services and a second time by monetizing personal information, location, and sensor data. This data can be monetized through their own use or by selling it to advertisers, data brokers, adversaries, and unintentionally making it available to malware Therefore, the mobile device serves two genies — the need to preserve their own proprietary product and services revenue stream and monetizing the data themselves or with business partners.

Nothing new under the sun

Neither bundling nor monetizing user data are novel ideas from information technology (IT) vendors.

Before PCs, bundling was standard practice for vendors like IBM, DEC, and Wang. Bundling was likely necessary at the beginning to kick-off each new “S-curve of innovation” from mainframes to minicomputers to dedicated workstations.

Technologies matured, and more components became commoditized; users demanded more choices, customizability, and affordability. A particular gripe was having to beg vendors for customizations to their walled gardens. Ultimately newer vendors embraced open standards that unlocked devices to allow customer control.

Early PCs and dial-up network connections were notorious for spyware and bloatware that tried to be paid once for the service and then a second time in data monetization. Consumers and businesses were quick to remove these from PCs but that is much more challenging with mobile devices where data exfiltration is at the OS layer.

How can the user regain control?

Not all vendors have locked devices and walled gardens. Google’s line of Pixel hardware, for example, is a mid-market solution whose bootloader allows locking and re-locking.

Pixels support two versions of Android. Google Mobile Services (GMS), where free services are tied to data monetization and a UX like Apple and Samsung devices. Secondly, Pixels can run Android Open-Source Project (AOSP) code that shares the same strengths as the GMS build, but the customer controls the code base and updates.

CIS Mobile

There are several companies that are selling AOSP operating system builds for Pixel and other unlockable/lockable mobile phones and tablets. I work for CIS Mobile which offers a made in the USA OS build for Google Pixel 4a or a tactical Sonim XP8.

CIS focuses on government organizations that are the target of cybercriminals. We deliver the OS, monthly updates, and allow devices and policies to be easily managed for fleets of tens to thousands of devices.  Customization of the OS is not an afterthought but the focus of the work that we do.

Key customizations include:

  • Preventing data exhaust (i.e. data loss) and sharing of GPS and general sensor data (cameras, microphones, and modems) around office buildings as well as staff working at remote locations/home offices, by removing bloatware and spyware from the devices.
  • Allowing staff to carry one rather than many mobile devices by using secure containers representing personal and various work profiles.
  • Supporting an "easy button" fleet management approach and lightweight desktop replacement.

Such a secure smartphone puts the government rather than the vendors in control of the device and its lifecycle. Users of these smartphones report excellent experiences on a mobile open device that sells for $300 to $400 rather than the now standard $1,000 or more for proprietary ones. The fact is that there is no valid technical reason why companies and consumers have to buy hardware, software, and services from one company.

AltOS maintains compatibility with the Android hardware, software, and services ecosystem. Some significant problems of the earlier secure smartphones have been the combination of:

  • Bad user experience
  • High prices
  • Difficulty in setup and ongoing maintenance
  • An inability to keep pace with innovation in new networks, hardware, OS updates, apps, mobile enterprise management tools, security tools, and cloud services.

AltOS isn’t designed to be a replacement for all the existing security features of the device and the existing ecosystem, rather a compliment to all of them.  Its Open Source model simply allows for customization and control as an alternative to existing proprietary bundles -- hence the name alternative OS, or altOS.

There are parallels between this model and the use of open source solutions data centers and the Cloud. With tight bundling, organizations historically had to accept bundles from mainframe, minicomputer, or workstation vendors at extremely high cost. Now thanks to Linux and cloud standards, there is competition and a myriad of options. It is more like drinking by the glass rather than by the barrel or having to buy the brewery to make a change.

About the author

Simon is leading the US introduction of the altOS mobile security platform with a startup company, CIS Mobile. He previously worked with Apple and Samsung in hardening their platforms to meet the needs of the US Government marketplace. He is an advisor and investor in a number of cybersecurity startups in the Washington, DC area. More...

Link references