Risk Analysis at the AT&T Store

Smartphone shopping. More fun than a root canal, isn't it?

I needed a new phone to bring to my employer's BYOD program. I decided not to use my personal phone number with that, so my existing device was not under consideration. Also, our BYOD program puts the device I bring onto the AT&T network, and my existing account with Google Fi would have to be dropped. For a wide variety of reasons, including my ability to have text-message conversations from a browser on a laptop, I do not want this to happen.

So this shopping occasion and conversations with some folks about it made me think through the risk assessment involved when we buy a smartphone. We are getting ready to take an on-body surveillance device with us everywhere we go. We're taking on quite a bit of risk to our privacy, at least. It's smart to minimize it where we can and make sure that whatever's left is worth the benefit.

My main criterion was to find a model that came with as little software as possible pre-installed - especially software that can't be uninstalled without rooting or jailbreaking the phone. A rooted or jailbroken phone won't be accepted into our BYOD program.

I am especially concerned that the social media applications Facebook, Twitter, and Instagram not be on the phone out of the box. Recent analyses have shown that the Facebook app on a phone is reporting data about the phone's user back to Facebook regardless of whether it's in use. Regardless of whether the phone's owner has logged in or not! The phone itself is enough of a unique identifier to make logging into Facebook almost superfluous. As someone who has otherwise deleted Facebook, purchasing a new phone with a back channel to Facebook on it is simply not on my agenda.

I wish I could say it surprised me to find that every Android phone in the store had Facebook pre-installed, and not removable. This took all the Android phones out of contention. While I am well aware of the many ways to clean this garbage off a phone, I need to be sure I can keep this phone compatible with that BYOD program. This constrains what I can do to make an Android phone usable.

So that turned my attention to iPhones. Happily, none of them comes pre-installed with any social media applications. Unhappily, the current models cost $800 and up. This reminds me of the fact that while a 70 inch "smart TV" is $900, a 70 inch monitor is $4500. This is because the maker of the monitor is not planning on spying on you through the device and selling the data taken to all comers.

The story has a happy ending; the store had some "obsolete" iPhone 6s units on sale, and I escaped with a bill of less than $200 and a safer phone.

 

This article was updated on 2023-08-05 04:35:29

CISO-in-a-Box

Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millennium.