For smartphone makers, security is a matter of economics

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Unlocking digital potential: Strategies for modernizing government services
Presented By Adobe
Download Now
Unlocking public sector potential
Presented By NTT DATA
Download Now
By Mike Fong
 

Connecting state and local government leaders

By Mike Fong

|

Only when average smartphone users start to value security as much as they do the new bells and whistles will manufacturers be forced to treat security like the life-or-death issue it currently is for many targets of Pegasus.

The Pegasus Project, a recent reporting effort to go behind the scenes of NSO Group’s infamous mobile spyware, has opened many peoples’ eyes to the potential for smartphones to be compromised and weaponized against their users. Reports have confirmed that individuals within government, from heads of state to diplomats, are particularly vulnerable to this threat given the value they represent to spies. In the wake of the Pegasus Project, much of the attention has turned to Apple, whose sterling security reputation is seemingly at odds with the ability of Pegasus operators to remotely and surreptitiously take total control of a targeted individual’s iPhone -- in many cases without any interaction required from the victim.

To understand why smartphone makers provide adequate security for the majority of users but struggle to contain the latest and greatest threats facing government users and other high-risk individuals at the hands of nation-state actors and cyber-arms dealers like NSO Group, it’s important to realize that smartphones are primarily commercial products. With any commercial device, manufacturers weigh security decisions against factors like usability, user preferences, implementation costs and reputational risk. In other words, security is viewed through an economic lens.  

This tension can be illustrated by considering how smartphones frustrate common security practices.

Limiting smartphone features

An axiom of software development is that more features mean more code, and more code means a greater likelihood of vulnerabilities. If security were the prime consideration, smartphone makers like Apple and Samsung would limit the number of features and focus more on system stability and security.

In the real world, proprietary new features and services not only attract new customers but increase customer lock-in within the vendor’s ecosystem. Apple’s iMessage service, for example, was originally designed to share text messages and photos, but over the years it has come to offer features like GIFs, emojis and third-party app integrations. Each of these extensions and interconnections increases the chances that skilled hackers will find and exploit a security gap. Yet, to many iPhone users, these features make iMessage an indispensable tool.

Slowing down the release schedule

Properly vetting code before it’s released is tedious and time-consuming, but critical for maintaining system security. In the push to release features to market as quickly as possible, this process tends to get shortchanged.

At Apple’s annual Worldwide Developers Conference, a litany of new capabilities are introduced to both maximize user interest and attract development efforts around these features. Such feature-heavy iOS releases create a harrowing schedule that leaves Apple developers with little time to vet new features for security flaws. Importantly, each new iOS release must be tested on each supported iPhone model (iOS 14 supports a whopping 19 models). It’s no surprise that Apple has come under fire in recent years for the multitude of bugs that accompany each major iOS release. So far this year, the company has already had to patch 13 zero-day vulnerabilities.

Developing a security-first architecture

If Android or iPhone were engineered for security above all else, the user experience would be drastically different. Since many of the exploit chains affecting smartphones result from the challenges of parsing complex data, smartphone makers could abandon this practice altogether. Imagine iMessage with just text -- no links, no images, no app integrations -- it’s clear why this option is a nonstarter.

Developing a security-first architecture also requires the use of specialized, isolated hardware, which is difficult and expensive to implement. And, given the space and power constraints of modern phones, focusing on hardware security may mean compromising on other areas such as camera size/quality and battery life, which happen to be two of the most important user considerations in purchasing a new smartphone.

Offering deep analysis to users

With an advanced threat like Pegasus, victims have no idea that they’ve been attacked. This situation is exacerbated by the fact that smartphones only offer limited security analysis tools to users. To effectively combat Pegasus, users would require greater visibility into their device’s filesystem, processes and system logs.

It’s understandable why, in addition to legitimate security reasons, Apple would want to limit such deep analysis. The company’s focus on the customer experience (“It just works”) is an incredibly valuable brand asset, and forcing users to deal with security notifications could be an unnerving and distracting experience that would go against this philosophy. Apple also doesn’t want any of the bad press or social media buzz that would result from users broadcasting that they suspect they’ve been hacked based on such analysis.

Increasing the size of the security team

Apple, for its part, has attracted some of the most skilled security talent on the planet and has increased its investment in its security team over the years. To match the offensive hacking skills of intelligence agencies and commercial surveillance providers, however, the company would need to effectively subsidize its own offensive hacking unit. Consider that NSO Group alone reported $243 million in revenue in 2020, and it becomes clear how much Apple would have to invest to credibly defend against Pegasus and other advanced mobile threats.

According Apple Security Engineering and Architecture head Ivan Krstić: “Attacks like [Pegasus] are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals.” This quote provides a good window into the cost-benefit analysis Apple uses to prioritize securing the iPhone against threats that the vast majority of users can expect to encounter versus threats faced by government users and other individuals targeted by nation-state threats.

Beefing up the bug bounty program

While Apple has made strides in recent years in both opening up its bug bounty program and increasing the bounties paid for each type of exploit, the company has nonetheless received criticism for being overly stingy with its payouts and for not publicly championing researchers who have brought exploits forward. Though Apple wants to downplay the severity of any bugs that are found lest they tarnish the company’s security reputation, doing so limits the motivation of those who may otherwise be inclined to find and report vulnerabilities.

Bug hunters may instead choose to sell to an exploit broker like Zerodium (who will then sell it to the highest bidder), a commercial hacking company like NSO Group (who will leverage it in its hacking tools) or even a government buyer. Because many of the end customers have virtually unlimited budgets for surveillance, a bug hunter can make more money by selling an exploit than reporting it to Apple. Apple must offer significantly more money or other perks to swing the balance back in its favor.

The economics of the smartphone market aren’t changing any time soon. At the same time, as smartphones grow increasingly important in our day-to-day lives, malicious actors will be even more motivated to look for and exploit security gaps. Only when average smartphone users start to value security as much as they do the new bells and whistles will manufacturers be forced to treat security like the life-or-death issue it currently is for many targets of Pegasus.

NEXT STORY: How hackers can use message mirroring apps to see all your SMS texts -- and bypass 2FA security

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.