Off Means Off – Are Your Mobile Devices Listening?

Off Means Off – Are Your Mobile Devices Listening?

When speaking to our children, parents often use the term “listen” to mean obey. Is your phone obeying the commands to be off, or is it listening covertly and eavesdropping? Are you certain that off means truly and completely off? Such certainty is vital for many government users, considering the risks involved, as we wrote about in our blog, “Protect the Mobile Phone User – Not Just the Data.

Are your devices following your commands?
A good phone follows its owners commands

When Off is a Misleading Description of Your Phone’s Behavior

Many government employees rely on consumer smartphones coupled with a Mobile Device Management (MDM) system for communications during critical missions. It’s vital that these workers have complete control over location services, modems, and sensors. Unfortunately, actions such as turning off location services aren’t adequately effective in disabling the electronic signatures emitted by consumer mobile phones.

In August 2020, the NSA (National Security Agency) issued guidance to all military and intelligence-community personnel, urging service members to disable location tracking and other commercial data collection on their phones. The guidance acknowledges that, “Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical.” The mitigations recommended by NSA include, “Disable advertising permissions to the greatest extent possible,” (emphasis mine).

Independent researchers and DISA analysis have determined that even when “location history” is disabled, Google continues to store location data on the mobile device. Additionally, internal research here at CIS Secure on Android shows that turning off camera, Bluetooth, and microphone doesn’t immediately take effect (e.g. it may require a device reboot). Finally, litigation in the state of Arizona asserts that Google Maps refuses to take “No” for an answer.

Users may think they’ve disabled access to certain capabilities on their mobile phones but too often the phone’s not listening to that command. The average consumer might learn about this and be concerned about privacy, but for military customers, phones waking up in the middle of a mission can endanger the mission, and even lives.

While it may be easy to blame Google and Apple for this, it’s not entirely unexpected due to the business model of the OEMs. We’ll dive deeper into this in our next post, “Mobile Device Security – The Problem with ‘Consumer Plus’”.


Beware a False Sense of Security

The National Information Assurance Partnership (NIAP) evaluates commercial IT products for conformance to the international Common Criteria, including developing and testing security requirements. These standards benefits industry product developers/vendors and government procurers alike.

Mobile Device Fundamentals Protection Profile (MDFPP) is one of numerous NIAP standards. This assurance standard specifies information security requirements for Mobile Devices for use in an enterprise.

“The Mobile Device provides essential services, such as cryptographic services, data-at-rest protection, and key storage services to support the secure operation of applications on the device.” For example, requirements for Samsung Galaxy Devices on Android 11 include:

  • The maximum password failure retry policy should be less than or equal to 30
  • Revocation checking must be enabled
  • External storage must be encrypted

However, NIAP-certification has no answer whatsoever to the issue of sending data back to the OEM and ad tracking networks. At this time, all the NIAP-certified devices still leak that information.

Eliminate the Phone-Home Problem by Eliminating the Phone

One common solution to this problem has been to eliminate the consumer-grade device entirely, and instead equip workers with custom-built government devices. This has consistently failed for several reasons:

  • User experience was an afterthought
  • Users couldn’t access their favorite apps, so they still carried personal devices (defeating the purpose of the gov device.)
  • Gov devices stand out in a sea of consumer smartphones, which makes it easy for a foreign adversary to identify government operatives
  • Long design and implementation cycles rendered the devices obsolete upon release
  • High cost

And no, unfortunately MDM applications don’t solve the problem either. We’ll take a deeper dive into MDMs in an upcoming blog.

The Prevailing False Dichotomy

Having observed the failure of the custom-built government phone experiment, many believe the remaining choice is between:

  1. Deny government workers use of these effective productivity tools
  2. Accept the security risks

Neither option is tenable. Fortunately, there’s a better way. The ideal approach is to take the tool and modify it as needed, while maintaining the attributes that make it great.

The right tool for the job
The right tool for the job

Stop the Data Leaks with altOS

The best-case scenario is to maintain the finest mobile device functionality while eliminating the security risks. And that’s exactly what the altOS mobile platform for Android-based smartphones accomplishes.

altOS enables the government to actually control the device, and not the other way around. The altOS difference:

  • Ensure “leaky apps” (Maps, Play Store, Facebook, etc.) don’t communicate when you don’t want them to
  • Verifiable control over access to device interfaces and location
  • Retain your apps and profiles and files on infrastructure that you control
  • Your organization manages and controls your devices 100%, including all containers, not just the work container

To learn how CIS Secure equips our customers with phones that are functional when on and off when needed, read about altOS Secure Mode.