
Smartphone Security: You'll Never Guess Who Just Messaged You - jordansmithnz
http://jordansmith.io/address-book-contact-security/
======
mirimir
I really don't get the security model for smartphones. It seems horribly
brittle. I mean, the fundamental protection is using apps from trusted
sources, basically Google or Apple. Anything not trusted can't install, unless
you've rooted the phone. And so old-school Windows-style malware is blocked.

However, when trusted apps are installed, they often demand all sorts of
privileged access. And if they're malicious, there's no way to protect against
them. Except that they get reported to Google/Apple and become unavailable.
But that doesn't help people who already got pwned.

What am I missing?

~~~
raise_throw
A variant of the 'single non-root user' problem on Unix systems.

A non-root user (hopefully) can't root the system or rm -rf /root.

But everything interesting is stored in that user's home folder with implicit
RW permissions anyway.

On Android apps just request everything. I imagine (without explicit
knowledge) that an app given permissions could rewrite, erase, or pull down
over the network contacts / photos / etc in the background.

~~~
duxup
I remember learning Unix on my school's big Unix system. Lots of talk about
how important root was. I understood it from a system standpoint sure.

Yet I was confused, because as a user all I cared about was my stuff that was
... right there in a non root account.

As you say all the stuff I was concerned about was right there, but nobody
talked about how important that was.

~~~
mikeryan
On a large multi user system there’s a big difference between “your stuff” and
“everyone’s stuff”; on a single user system like a phone, not so much.

~~~
dredmorbius
The point is that your trust envelope extends to the authors of software,
which are frequently _not_ acting in the best interests of the user, and have
their own goals and incentives (including competing goals with other software
authors).

On my Linux systems, particularly under Debian, there's _some_ assurance
provided through the Debian Project, its guiding documents (social contract,
constitution, policy), and debian developers. _The project explicitly serves
the users._ This doesn't prevent bugs and occasional malice, but tends to
tremendously reduce incentives for it.

Smartphones ... are a mess, and Android rather particularly so. I've suggested
entirely rethinking how app development is performed, particularly for basic
utilities, closer to the Debian model. I have little hope of this occurring.

------
spydum
I feel like this is a really common problem for both mobile AND OAuth
authorization frameworks. The scopes and permissions are not quite fine-grained
enough - it's generally a read and WRITE for all of what they ask for,
instead of being read (most common use case).

~~~
niftich
I can imagine how this evolved -- somewhere at Apple HQ, a whiteboarding
session about classes of information and capabilities that the OS will
gatekeep, which got us to Contacts, Photos, Camera, Microphone, Location.
Presumably apps would be extensively curated, keeping out the scummiest of the
lot, and apps were envisioned as asking for permissions directly relevant to
their utility so having separate read/write permissions would be overkill.

When Android cloned the same model, they got much more granular with
permissions [1][2], but then completely undermined it by making it occur only
once at app install. As someone put it [3], they're not permissions because
you can't turn them off -- they're warnings about what the app does. Then they
further mucked this up, by eventually grouping them together into broad
categories within which apps could automagically gain all other permissions
without your approval [4].

Then, the following year, in 2015, they finally introduced iOS-style
runtime-granted permissions, if your device was lucky enough to be up-to-date
and your apps were gracious enough to target the new API level; otherwise you
missed out on this change.

In fairness, by this point, hoover-style request-everything permission
requests were extremely common among mainstream apps like Facebook, Messenger,
Snapchat... so reining in on contact-harvesting flashlight apps was a bit of
a lost cause.

[1] [https://developer.android.com/reference/android/Manifest.per...](https://developer.android.com/reference/android/Manifest.permission.html#READ_CONTACTS)
[2] [https://developer.android.com/reference/android/Manifest.per...](https://developer.android.com/reference/android/Manifest.permission.html#WRITE_CONTACTS)
[3] [https://news.ycombinator.com/item?id=7959925](https://news.ycombinator.com/item?id=7959925)
[4] [https://news.ycombinator.com/item?id=7959660](https://news.ycombinator.com/item?id=7959660)

------
chis
This is scary. I always assumed that the "access contacts" permission was
read-only, but I guess it's not.

Just another thing to be paranoid about in modern life.

------
seba_dos1
Maemo maintains separate histories and conversation windows for separate phone
numbers/IM accounts and highlights the currently used one when you check the
contact details. I should be immune :P

~~~
lsh
Bring back Maemo/Meego/Tizen/Mer/Sailfish!

I wish I had more time and patience for smart phone development and that the
heroic efforts of those unlocking these devices, writing OS drivers for
proprietary (and adversarial) hardware and making alternative operating
systems possible were more widely acknowledged. It just feels hopeless out of
the box.

------
jackson1way
I just checked on iPhone (Settings-Privacy-Contacts): Threema, Google Voice,
Hangouts, WhatsApp, Telegram. Google Voice and Hangouts have my contacts
anyway since I'm on gmail. There are a few other apps where I denied contacts
access, like Uber, Skype, Twitter. There isn't really much more here.

So for me that's a non-story.

While I agree that access to contacts should be read-only, and write access
should be a special permission, for me it appears to be not a problem. While I
have a few other apps installed, most didn't ask for contacts permission (i.e.
all games), and from those that did ask, I denied in some cases where it
didn't make much sense (why should twitter access my contacts? to find my
friends on twitter? I don't need that.)

I actually like the way iOS handles the permissions. The privacy overview in
the settings is very easy to understand and maintain. Permissions are only
asked once when access to them is actually required in that moment (like when
you tap on "take photo" in some app). Permission is not asked for while the
app is launching (aside from push notifications and location).

So on iOS usually what happens is this:

- I install some app, let's say WhatsApp
- I launch it, it asks for push notifications and contacts permission
- I use the app
- if I don't share my location, I'll never get asked for the permission to GPS
- if I use "send photo" - it will ask for access to photos, but not to the camera
- sometimes, months or years after usage, it will ask me for a permission, i.e. microphone, because I have never used that feature before and only now want to use it
- etc.

------
throw2016
Android is extremely broken and is designed to leak information like a sieve.
Not surprising given the incentives of Google.

Don't expect goodwill or good behavior when the fundamental incentives are
surveillance and hoovering user data. The multi billion dollar ad economy is
based on this.

A system designed with user privacy would be designed to lock down hard on
contacts, sms, location, and other personally identifying information access.
But the android permission system for instance is so involved it's not
surprising lay people are not able to understand the implications, read
between the lines of actual motivations and take proper actions.

Facebook does not need your location, contact or sms information. Neither does
Google. Yet Google insists on creepily telling you your location on every
Google search. This itself is sinister and attempts to normalize stalking
behavior.

Uber and others don't strictly need location access, you can type it in, and
if required it should be used for the convenience it offers - you are paying
for the service - without the possibility of Uber and others collecting
historical location and ride information to build invasive files on their
users.

~~~
netsharc
Location is useful if you're searching for things like restaurants though.

But Google is stupid, yesterday I read this commentary about a movie about a
plane hijacking in the 70's that landed the plane in Entebbe, Uganda:

[https://www.theguardian.com/commentisfree/2018/apr/07/entebb...](https://www.theguardian.com/commentisfree/2018/apr/07/entebbe-film-annoy-left-and-right-thank-heavens)

Being interested in the historical context, I googled the name of the city.
Later on Google showed me as one of its results "Flights to Entebbe". Gee, how
clever.

------
flashman
I've previously seen this done with SMS gateways, which allow you to
specify/spoof the sender number (it's how you get a text addressed from
'COMCAST' for instance). Your phone will trust that the spoofed number is
genuine, so if I send you a message with Bob's details, your phone will tell
you it's from Bob.

Unlike the OP, the attacker can't receive replies from the recipient.

~~~
azinman2
That also wouldn’t work over iMessage.

I’d like to know if this is actually being done in the wild. Certainly once
caught would be banned from the App Store and possibly a lawsuit or two filed.

The author didn’t note that a new thread would have started on iOS, which
would provide some visual feedback that something was different. You could
click for further info and see the different number. I know it would foil most
but it’s something.

~~~
Rjevski
> once caught would be banned from the App Store

But the issue is that it's impossible to detect. An app could've added the
extra number months ago, and you've deleted the app since then. There is no
way to find out which app did it.

~~~
dannyw
Apple’s security team can always collaboratively filter on reports and find
out what is the intersection app.

~~~
Rjevski
Assuming this is used widely for there to be enough reports. I expect this to
only be used sparingly so I'd be surprised if there is even a single report of
this; as the targeted people will mostly have no idea this is even possible.

~~~
azinman2
So you’re telling me that someone went to all the trouble of building an app,
getting people to download it, and then only used its main purpose
(phishing/malware) for a couple people?

------
caf
_For even greater effect, the app could apply heuristics when selecting target
contacts, preferring names such as ‘Dad’ and ‘Mom’, or contacts that have
nicknames._

The best heuristic would probably be the contact that has messaged you
{first|second|third} most frequently in the last week.

~~~
mafagafogigante
The malicious app may not have a way to get these statistics.

~~~
mirkules
An app could look in the "favorites" list to get the same info, which probably
is available.

------
EGreg
How about the OS log all the actions taken by an app with respect to contacts
and other system data, and allow you to reverse them?

And make an indicator in the status bar similar to how an app recently checked
your location.

They might even highlight (in red) new changes in the Contacts app. Or when
you get such a message from a new user, the Messages app would do the
highlight the first time.

Seems that would mitigate this particular thing.

------
jknz
The current Android approach of granting all permissions the app needs at
installation time leads to a lot of abuse like this. Just ask for everything
because the user just wants to install it and does not read the permission
dialog anyway.

The current Apple system is slightly better: when the app asks to use one
capability (camera, smartphone, contacts) the user is prompted to Grant
permission the first time this capability is requested by the app.

This approach should be further developed with prompt dialogs to continue
allowing the app to use the requested capabilities.

Examples:

The App XYZ is requesting read and write access to your contacts. It was
granted access on {date} and has read 224 phone numbers, 121 names and 56
addresses and modified two contacts.

Continue allow access? Disallow? Report?

App XYZ is requesting access to microphone. In the last month it accessed and
recorded 342 hours of microphone.

Continue allow access? Disallow? Report?

App XYZ is accessing your geolocation in the background. Permission was
granted on XXX. During the last month it accessed your geolocation
approximately 461 times every day.

Continue allow access? Disallow? Report?

Apple, Google and others don't have to get in the way of every user all the
time with these prompts. They can identify at which time to show this prompt
based on analytics (how many users already reported this app etc). They can
also identify users who are more privacy aware and that will be glad to read
carefully these dialogs and report wrongdoing, and send more prompts to these
users.
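An added Python sketch (not code from the thread, Apple or Google) of the two mitigations proposed above by EGreg and jknz: every app access to contacts is journaled, the journal yields the usage counts a re-prompt dialog could display, numbers newly attached to existing contacts can be surfaced for highlighting, and an app's writes can be rolled back. The contact, the "flashlight" app name and the timestamps are constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One journal row per app access: op is "read" or "add_number".
Entry = namedtuple("Entry", "ts app op contact number")

class ContactStore:
    """Contacts keyed by display name; every app access is journaled."""
    def __init__(self, contacts):
        self.contacts = {name: list(nums) for name, nums in contacts.items()}
        self.journal = []

    def read(self, app, name, now):
        self.journal.append(Entry(now, app, "read", name, ""))
        return list(self.contacts[name])

    def add_number(self, app, name, number, now):
        # A write-capable app quietly attaching a number to an existing contact
        # is the case the thread discusses; it lands in the journal as well.
        self.contacts[name].append(number)
        self.journal.append(Entry(now, app, "add_number", name, number))

    def usage_summary(self, app, since):
        """Counts for a re-prompt dialog ("has read N contacts, modified M")."""
        ents = [e for e in self.journal if e.app == app and e.ts >= since]
        return {"reads": sum(e.op == "read" for e in ents),
                "writes": sum(e.op == "add_number" for e in ents)}

    def numbers_added_since(self, since):
        """Changes a Contacts app could highlight: (contact, number, app)."""
        return [(e.contact, e.number, e.app) for e in self.journal
                if e.op == "add_number" and e.ts >= since]

    def rollback(self, app):
        """Undo every number the app added, newest first; the journal is kept."""
        writes = [e for e in reversed(self.journal)
                  if e.app == app and e.op == "add_number"]
        for e in writes:
            if e.number in self.contacts[e.contact]:
                self.contacts[e.contact].remove(e.number)
        return len(writes)

def demo():
    # Constructed sample: one contact, one hypothetical app with contacts access.
    t0 = datetime(2018, 4, 8, 9, 0)
    store = ContactStore({"Dad": ["+12065550100"]})
    store.read("flashlight", "Dad", t0)
    store.add_number("flashlight", "Dad", "+15035550199", t0 + timedelta(days=1))
    summary = store.usage_summary("flashlight", t0 - timedelta(days=30))
    flagged = store.numbers_added_since(t0)
    return summary, flagged, store.rollback("flashlight"), store.contacts["Dad"]
```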

~~~
jchw
Android no longer always grants all permissions upon install and in fact
offers something more like the Apple model. This is as of Android 6 and I
believe it is more or less required nowadays for new apps to use certain
permissions.

[https://developer.android.com/training/permissions/requestin...](https://developer.android.com/training/permissions/requesting.html)

~~~
akavel
I remember recently reading somewhere, that apparently if you build an app
targeting an old enough version of Android, you get the old behavior as a
"backwards compatibility" feature — reportedly kept even in the newest
versions of Android. I don't have time to search for the link to the article
now however, sorry.

~~~
UncleMeat
Targeting very old versions is soon going to be banned from the play store.

------
ghaydarov
I just checked my contacts privacy settings and none of the apps have access
to my contacts. Really, why should they have access to my contacts anyways? I
would pass that convenience.

~~~
ernesth
I just checked my contacts privacy settings and 10 apps have permission while
29 do not.

Contacts, Mail, Agenda, Messages legitimately want contacts.

All google apps ask for contacts (Photos, Keyboard, Maps, Docs, Keep, Play
Store...), all (undeactivable) samsung doppelgangers also (Browser, Gallery,
AppStore, Music), as well as all (deactivated) microsoft apps (Powerpoint,
Onenote, Excel)...

------
sriram_iyengar
Wow! This is simple and a very powerful technique. Thanks for sharing

~~~
saagarjha
> This is simple and a very powerful technique.

I do hope you don't mean that you're going to be using it in your own
software…

------
pxeboot
Hopefully it has been fixed, but last time I used iOS, the phone/messages app
seemed to mix up contact info from identical numbers with different area
codes. So if I had 206-555-5555 in my address book, and got a call or message
from 503-555-5555, it would show the contact info from the 206 entry.
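An added Python example (not pxeboot's or Apple's code) of the matching pitfall described above: a lookup that keys on the last seven digits attributes a 503 number to a 206 contact, while comparing full normalized (E.164) numbers does not. The address book and the NANP-only normalization rules are constructed assumptions for this illustration.

```python
import re

def digits(number):
    """Keep only the digits of a number as typed or received."""
    return re.sub(r"\D", "", number)

def to_e164(number, default_country="1"):
    """Normalize to +<country><national>. Assumption for this example:
    numbers without an explicit + are national NANP numbers (10 digits,
    or 11 with a leading 1); real code should use a library such as
    libphonenumber rather than these rules."""
    d = digits(number)
    if number.strip().startswith("+"):
        return "+" + d
    if len(d) == 11 and d.startswith(default_country):
        return "+" + d
    if len(d) == 10:
        return "+" + default_country + d
    raise ValueError(f"cannot normalize {number!r}")

def lookup_by_suffix(contacts, incoming, n=7):
    """Fragile matching on the last n digits only: the behaviour pxeboot
    describes, where 206-555-5555 and 503-555-5555 collide."""
    tail = digits(incoming)[-n:]
    return sorted(name for name, num in contacts.items()
                  if digits(num).endswith(tail))

def lookup_exact(contacts, incoming):
    """Match on the full normalized number so the area code takes part."""
    target = to_e164(incoming)
    return sorted(name for name, num in contacts.items()
                  if to_e164(num) == target)

# Constructed address book for the example.
CONTACTS = {"Alice (Seattle)": "206-555-5555",
            "Bob (Portland)": "(503) 555-5555"}
```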

