A new analysis of SMS clients on the Android OS determined that native text clients are less secure than third-party solutions, according to We Live Security.
The report, written by Michael Aguilar, a business security specialist at ESET, studied various SMS (text) clients used on the Android platform to determine security characteristics. Ultimately, he found that third-party offerings proved better at security and privacy owing to the fact that some solutions, he found, employ "three very hardened cryptographic protocols into their applications to ensure that communications are secure."
With an examination of base settings and privacy policies of default Android SMS clients, Aguilar determined that functionality is prioritized over security. He couldn't find keywords like “encryption” and “security” in any of the listings. Worse, the privacy policy demands to know a user's location. Not only that, the policy lets you know that – in its partnership with ad programs – that the SMS client will obtain personal information, such as your geolocation, the websites you visit and other personally identifiable data. These default settings are embedded deep in the advanced application settings, an area to which few users bother to navigate.
Another characteristic of the default SMS client Aguilar finds problematic is the back-end database where messages are cached. If the user has Bluetooth enabled, attackers can enter the device's file system fairly easily and dig into the databases for the SMS clients housed, he believed, in a Sqlite database. Once inside there, messages are obtainable along with metadata that reveals times, dates and other information an interloper could use to see with who the device owner is communicating.
So, Aguilar said, there are benefits to upgrading to an app that offers privacy and security aspects. When installing one such tool, WhatsApp, he was impressed immediately that even the install offered enhanced security as it required the user's mobile phone number to link to the app. He also was pleased that messages were not stored on the servers of the app developer and that end-to-end encryption was used. And, not only that, an alert can signal that data is being transmitted in an encrypted state.
One minor drawback, he admitted, was that a second party must also have WhatsApp installed. A more pressing concern, though, was the 2016 purchase of WhatsApp by Facebook. The social media platform, he said, is collecting personal info to enhance ad popups. Rather than allow that, he opted out to another SMS app, Signal, which, similar to WhatsApp, does not garner charges with a device's data plan for SMS and MMS (text and data) message usage, only data. Plus, it does not require others to have the client to receive a message.
Aguilar concluded his study understanding that many users are not concerned with security, they just want functionality. But, for those more concerned with security, those who would rather not see their data on the open internet, the choice is clear, he said.
"An attacker could possibly get sensitive information about a target that would allow them to utilize their identity, know whom you are contacting, possibly spoof your identity to take advantage of contacts you know, and possibly steal media from your phone if local access was gained," Aguilar told SC Media on Friday. "The threat is very real as data transmission interception is getting easier to conduct."
And the threat is likely to only grow due to the shrinking of form factors, Aguilar said, particularly the Raspberry Pi and other small-form PCs. "Attacks targeting all data transmission from a cell phone will be upcoming in the future," he told SC. Currently, police and government use Stingray devices, he said. "However, projects are being created to convert innocuous items, like printers and street lamps, into items that can steal data from a phone."
