Limiting the potential abuse of smartphone sensors

With the increasing attention being paid to the internet of things security concerns  by legislators at both the state and federal levels, it’s worth considering the implications of the connected sensors that we carry with us everywhere we go -- those in our smartphones. Whether an agency has government-issued devices, official bring-your-own-device policies or a shadow BYOD system resulting from onerous smartphone restrictions, it’s vital IT managers understand the potential hazards associated with these most personal of sensors.

Smartphones are jam-packed with a variety of sensors that provide real-time data collection about everything from a device’s movement to its environment. Consider the collection of sensors in the iPhone Xs, for example.

• Face ID (facial recognition): Scans the user’s face as part of the authentication process.
• Barometer: Measures the device’s altitude based on ambient pressure.
• Motion sensors (gyroscope, accelerometer and digital compass): Measure the device’s motion, including rotation, acceleration and direction.
• Proximity sensor: Measures the distance of an object (like a user’s ear during a phone call) from the touchscreen.
• Ambient light sensor: Measures the light level in the device’s environment for adjusting screen brightness.
• Two cameras: Enable photo/video capture and streaming video.
• Four microphones: Enable phone calls, Siri usage, audio memos and more.
• GPS: Calculates the device’s location.
• NFC: Enables Apple Pay (contactless payment) and more.
• 3D Touch (pressure-sensitive display): Enables different options based on varying degrees of touchscreen force.

To combat the abuse of smartphone sensors, both iOS and Android have implemented permission models. In theory, it’s up to the user to explicitly approve access to certain sensors by an app or mobile website. In practice, however, permissions often obfuscate -- maliciously or unintentionally -- the requested access. Other issues related to permissions include:

• Some forms of malware Trojanize legitimate apps and websites, prompting the user to accept seemingly innocuous permission requests, while root-level malware bypasses the permission model entirely.
• In trying to reduce friction for users, explanations for permission requests are often minimal and may not fully capture the scope of the sensor activity requested.
• There’s little to stop a developer from requesting more permissions than are actually needed for the app to function properly.
• It’s not always clear to the user which permissions are required and which can be denied without breaking functionality.
• Most users have been conditioned to accept all permissions, regardless of consequences.
• Permissions requested may not be a direct mapping to the actual methods exposed by the operating system, resulting in excessive access.
• The use of certain sensors -- like motion, lighting and proximity -- may not require any permissions at all.

The potential for abuse of smartphone sensors is enormous, whether for surveillance capitalism (data collection and user tracking for the purposes of targeted advertising) or just outright surveillance. We’ve already seen hackers remotely hijack smartphone cameras and microphones as a surveillance technique. We’ve seen location data captured by apps beyond users’ reasonable expectations. And we’ve seen websites use a device’s motion sensors as a means of browser fingerprinting. It’s entirely possible that apps in the wild may be abusing microphone permissions to capture snippets of conversations. In the future, we may see novel techniques like keylogging via the device’s gyroscope and microphone, tracking movements through the device’s motion sensors and mapping environments with the device’s ambient light sensor.

The Department of Defense has long recognized the problems associated with compromised smartphone sensors, which is why it has banned personal mobile devices from secure spaces. But for government agencies not regularly dealing with classified information, outright bans ignore the productivity gains associated with having a 24/7 mobile companion. In addition to the usual practices for defending against mobile threats  -- such as purchasing only vetted mobile devices and software --  here are three recommendations for managing smartphone sensors without resorting to a ban:

1. Use mobile device management or enterprise mobility management tools to safeguard smartphone sensors. Depending on an agency's needs, IT managers may restrict camera/microphone access for certain roles or within geofenced areas, enforce policies regarding sensor usage and restrict sensor-based permissions assigned to any given app.
2. Educate users on the surveillance risks associated with the latest spyware. Employees should be aware that conversations made in the vicinity of an off-the-shelf smartphone can be intercepted by threat actors and leveraged against the user or the organization.
3. Adopt anti-surveillance technologies -- like those that provide real-time audio masking or block radio frequency signals -- to prevent the capture of actionable information.

It’s no secret that government employees are a top target for threat actors or that smartphones are especially attractive vector because of the huge amount of information their sensors capture. But through proactive defense, user education and policy enforcement, smartphones can continue to be vital tools for conducting government business.