The differences between Android and iPhone used to be stark, but those dividing lines are diminishing. And Google’s latest updates just narrowed that gap further…
Updated 04/08; originally published 04/05.
Google’s mission to make Android more like iPhone continues—nowhere more so than over privacy and security, whether fully encrypted WhatsApp calls integrated into its dialer or enhanced Play Store defenses. The latest Android updates have just been revealed, and these have very different security and privacy considerations.
The first is surprisingly only just going live now, having been announced almost a year ago. As reported by GApps Flags & Leaks on Telegram, “Google has started rolling the Find My Network with Google Play Service beta version 24.12.14. It’s enabled for me without turning on any kind of flags.”
Android’s new shadow, Bluetooth-powered network mirrors Apple’s equivalent on a vast scale. Billions of devices, potentially. But it has been held up for security and privacy reasons—fears that it might unleash a new wave of electronic stalking.
The delay has enabled Google and Apple to collaborate on industry standard protections against FindMy networks being used to secretly track users without their knowledge. That is now done and expected to go live with Apple’s iOS 17.5, clearing the way for Google to launch its own network.
Tracking has been a major concern for these shadow networks, built by crowd-linking smartphones to enable a lost device or tracked tag to find its way home without its own cellular network access. This is done through Bluetooth, and so enables a wide array of device types to join the shadow network.
This update will enable Apple’s iOS FindMy to warn that a non-Apple certified device might be tracking its user, and one assumes vice versa. This ability to alert cross-platform deals with a serious privacy issue that has emerged, especially with the popularity of AirTag and AirTag-like devices that make tracking so simple.
Just like Apple, Google assures that “the Find My Device network was built with user privacy as a key priority. Location data crowdsourced from the network is end-to-end encrypted, which ensures Google can’t see or use it for any other purposes.”
All that said, privacy concerns will remain, and with any new offering at this scale, bad actors will be out to probe for vulnerabilities and then exploit those they find. On balance, it’s worth using given the lost device benefits, but keep an eye on reports of teething issues as this rolls out at scale.
The second Android networking update has security and privacy concerns of its own. As I’ve reported before, Google is outdoing Apple’s SOS satellite feature with an Android update that lets users message anyone, not just emergency services, as long as they have a satellite connectivity add-on to their cell plan.
Satellite connectivity is not well known amongst cellphone users; it has relied on expensive devices and expensive call plans. This has confined it to specialist use cases—remote exploration, dangerous off-grid locations, sailing and spooks.
Compared to the complex matrix of cellular radios, the concept of a direct to satellite link is relatively crude and therefore easier to attack. We have seen this with Starlink looking to address denial of service—or jamming—at times when it has been used in conflict zones. Such attacks and counter-attacks are business as usual in the world of defense communications, but not in mainstream cellular.
One former special forces operative with plenty of first-hand experience told me “there are several factors attaining to the reduced security of satellite systems and more so for low earth orbit systems. Unlike 5G, the attack surface is much more extensive as it’s like attacking an enterprise network where the landscape for attack becomes the actual terminals, the ground stations or the satellites themselves. Other vulnerabilities should also be considered such as denial of service and interception.”
Clearly, while this is not a major issue for the niche use of satellite for emergency messaging or comms back home from very remote locations, expectations are that this could become more widespread. It won’t impact occasional users in mundane locations, but where, for example, there are multiple satellite users in a single location relying on such comms, then the equation changes.
“Geo stationary and low earth orbit satellite handsets are often issued to troops for emergency communications. Unfortunately, many organizations have come to rely on these and it presents numerous security challenges, not only are they more susceptible to cyber-attacks and denial of service attacks, but given these handsets rely on GPS to function, they present a real risk to those using them.”
From a content perspective, anything properly encrypted is safe as long as you can attest to the integrity of the connection. “If the data is encrypted during transit do we really care about the communication?” CISO Ian Thornton-Trump says. But the wrap around the data is vulnerable. The ability to derive device IDs, locations and any unencrypted traffic—basic messaging being an example—remains a risk.
As ESET’s Jake Moore explains, “if used purely as a backup service, it could be vital for those in remote areas or in times of need. However, as satellite communication is usually more vulnerable to security threats, it should not be relied upon as a default messaging service when other more privacy focused and secure services exist.”
Again not an issue if this stays emergency only—but with the surge in LEO-based Wi-Fi and tie-ups with mobile network operators, this is only going to become more extensive. And so that catching up needs to happen if enterprises are planning to rely on such devices and networks as an extension of business as usual.
Apple handles the security of its satcom offering by limiting it to a managed service, whereby it encrypts the messages from the iPhone and then decrypts them and provides them to the emergency services. The user’s location is also shared.
Clearly, Android is offering a wider messaging service over satellite and so the equivalent, curated security wrap is unlikely to be there. Ultimately, if satcom from an Android expands to offer more versatile usage, then all the usual security and privacy considerations will need to apply.
As cybersecurity analyst Mike Thompson warns, “how many cyber people know its nuances enough to have a sensible opinion on it? Users being in the dark is one thing, the security industry another. Not that there won’t be expertise out there, but I’d question how mainstream it is.”
And that’s the key. Industries with remote locations, or with the requirement to centralize mobile connectivity rather than roam on various flavors of host networks, will drive new policies and optionality. If mobile devices extend corporate networks, additional security will need to be put in place.
04/08 update: Not all of Google’s efforts to match iPhone involve it following Apple’s lead for Android feature releases; the tech giant has also shown some very welcome market leadership on the security and privacy front in recent weeks.
I reported last month on the pre-release leaks of Android defenses against IMSI-catching and network location pings, both of which push Android beyond iPhone’s current capabilities, with IMSI-catching alerts being a particular game-changer.
And now, again, we have seen something similar with the pre-release leak of a “call lookup” function in Google’s phone dialer. This gives users a means to search an unknown number with a single click. As so often recently, the software tip comes from AssembleDebug and has been published courtesy of PiunikaWeb:
“The ‘Lookup’ button appears when you tap on an unknown number in the ‘Recents’ tab of the Phone app… Upon tapping the button, you’ll see a list of apps on the device that can handle ‘Web search intent.’ The Google Search app is one of them and thus it showed up. This initiated a search for the number on Google Search.”
This is clearly just a web search, and so won’t identify individuals. But in addition to potentially pulling the number from published lists of scam caller IDs, it will also quickly verify if the number is associated with a legitimate business.
This is the real point here. Voice call specialist Hiya has just published its “State of the Call” report for 2024. “Threats to the security and trustworthiness of voice calls also remain as prevalent as ever–and have only grown worse over the past year. In the last 12 months, more than 14 percent of all calls continue to be unwanted, while the average financial loss reported by consumers who fall victim to fraud calls reached $2,257. Meanwhile, businesses continue to lose revenue and incur higher operational costs due to challenges reaching customers who are wary of answering unidentified calls or calls flagged with spam or fraud labels—negatively impacting their brand reputation.”
Hiya analyzed 221 billion calls and surveyed a wide range of consumers and businesses, finding that while “unwanted calls are sometimes labeled as spam or fraud on consumers’ mobile devices… many of the calls that consumers deem unwanted are not labeled at all… 92 percent of consumers believe unidentified calls are fraudulent. Nearly half—46 percent—of such calls go unanswered. In the case of the other half of unidentified calls—those that consumers pick up—recipients typically only answer reluctantly, due to concerns it may be a call they can’t miss.”
Which is interesting, because while Google’s new Call Lookup feature will be billed as a spam defense, it also allows consumers or business users to easily check an unknown number after the call and then dial back where it was a call they expected or at least from an organization they recognize and can identify with.
Hiya unsurprisingly pushes calls as the preferred medium for consumers over texts and emails, and with this report coming just ahead of Google’s latest leak, this new feature might be more important than people immediately think for the regular consumer in the street who is now being hammered with phishing emails, smishing texts and unwanted, often AI-driven phone calls.
Granted, this is nothing more than a copy and paste of a number into a search query, but its single click makes it much more likely to be used. The feature is already live in Japan, and so the chances of it making it into a fuller Android release in the near future seem high. Over to iPhone for something similar…