Wednesday, January 26, 2011

Root of Trust in Smartphones

by Courtney Cavness

Just last week, I finally got my first smartphone. I’d been one of those who pooh-poohed the idea of needing to be online at all times. “I just need a phone to make a call, a camera to take a picture, a computer to compute,” said I.

But all that changed in mid-December when I won an iPad in a raffle. I hardly knew how to work it, and so spent a few days playing with it to understand all the capabilities and features of my new toy. I was amazed at how light and fast it was. I could read on this thing! Download books instantly! Install games for my kids to play while they waited in the doctor’s office! If wifi was handy, I could check email and browse online. Sure, I could do all those things on my laptop…but that machine now seemed so cumbersome, so heavy, so slow. Heck, it had a top I had to open, for goodness sakes! Who’s got that kind of time?

And so, without realizing it, I was mentally readying myself to discard my trusty, old, beat-up, $19 phone on a pay-as-you-go plan and obtain mobile nirvana in the form of a shiny new smartphone.

From my personal market research (full disclosure: this simply consisted of some internet searches and asking friends about their smartphones), I learned which one was known as the best “phone” for a smartphone, which had “dying” vs. the newest technology, which was most secure (one online article comparing smartphones mentioned that one was so secure, it was what the president of the United States uses). But, what they all had in common was apps.

Apps: a term that was bandied about so ubiquitously that I could only diffidently nod as everyone spoke with loyalty of the apps available on their brand. I assumed I could worry about that later.

I boiled down my search to a few potential candidates, went into my chosen carrier’s store and told the salesperson what features were important to me in a smartphone. Turns out, everything I needed was available in all of them. All the choices started to look so much alike that I asked the salesman which phone he recommended. Without hesitation, he led me to one that he openly acknowledged was the “least secure” of them all. He described himself as a "techie" and said it was his personal favorite because it was based on open source. Ergo, he said, the maker expected its users to play with the internal controls of the phone - to “hack” it.

That didn’t sound like a good idea to me. So, I did more online searching and indeed found forum discussions devoted to “rooting” a smartphone to give yourself admin access to change read-only files and customize it. Other discussions were dedicated to the various ways to tether smartphones to other devices and share the wifi connection among them.

It was clear I had a lot to learn. And the best way was to jump in, buy a smartphone, and play with it. Now, a week later, I too can toss about smartphone terms like an expert. But, one thing has niggled away at my enjoyment of my smartphone. The apps.

Where did these apps come from? Who verified there was no malicious code in the widget I just installed that helpfully displays an analog clock on my main screen? Could I install a virus scanner on my phone? I looked for, and found, a security app. But how do I know the vendor of that security app is reputable and has protected their code? I can see reviews from happy users, but who is vouching for the security of any of this? Where is the root of trust?

There are two types of apps: those you pay for, and those that are free. Since the cost of apps is typically low ($1 - $6 range), I tend to go with the apps that cost money. I am taking a gamble with each app I download, and it is my thought that if the author of the app is charging money, hopefully they are worried about their integrity and reputation, knowing that if those are damaged, others won't be willing to pay a fee for their services in the future.

That’s my thought, anyway. But, it's no real form of protection.

One thing I learned about two of the frontrunners in the smartphone arena is their different approaches to development. One has an “open” policy, meaning the apps can be decompiled and their source code reviewed – assuming that you can read code. (And, even if not, you might gain some reassurance that there are others who can and do, and would warn the community if there was a problem.) The other runs a tight ship, and has a fiercely-controlled environment where, one would hope, the available apps are somehow vetted.

To get the most from my smartphone, I accepted a certain trade-off wherein I decided to assume a limited risk to my personal security. I won’t do my banking with my phone, nor will I store business-related information on it, but my smartphone is now chock full of my personal information. It’s got a link to an online calendar of personal dates, uploaded photographs, social networking sites, a history of my text and voice messages, and the ability to track my location. Everything is ostensibly there for my convenience, but it's worrisome in its totalitarianism.

Which smartphone is the best? I would say that is purely a personal preference, and brand loyalty abounds. Which smartphone is the most secure? That’s the question you should be asking. And the answer is not definitive. Not until it becomes a standard practice for smartphones and their associated apps to undergo some type of known security evaluation by an independent third party.
