Slashdot Mirror
Many Smartphone Owners Don't Take Steps To Secure Their Devices (pewresearch.org)
From Pew Research's new report: More than a quarter (28%) of smartphone owners say they do not use a screen lock or other security features to access their phone. And while a majority of smartphone users say they have updated their phone's apps or operating system, about 40% say they only update when it's convenient for them. Meanwhile, some users forgo updating their phones altogether: Around one-in-ten smartphone owners report they never update their phone's operating system (14%) or update the apps on their phone (10%).
Unfortunately that's down to the manufacturer and carrier, neither of which give a flying fuck after they sold you the contract. Probably take someone suing them until this changes in the UK.
And ramrodded updates down to the users for their own good!
Windows 10 is smrt!
At least for appity-apps on android, why would you bother updating once you get it to work? Each update is worse than the last - more features broken, less stable, additional ads crammed in everywhere. As far as updating OS is concerned, boy, that switch to N sure broke a lot of old apps huh! captcha: walnuts, as in nuts to this!
To be fair most android phones I've seen have auto app upgrade enabled. iPhone doesn't but it's possible to set and forget about it until it's updating while you're trying to do something net or process intensive.
With both Android and iOS, the device will ship encrypted, and all one has to do is set the PIN and fingerprint. Updates are generally done automatically, with OS updated being the only real thing that is prompted for, and that usually takes a click or two.
With updates being pretty much automatic, there isn't much to do as a user, for the most part, other than periodically checking that the iCloud or Titanium Backup image was successful.
I'd be surprised if more than 14% of smartphone owners are even offered the option to upgrade... Presumably the 40% that do take upgrades constitute 40% of those whose phones offer them OTA upgrades.
Posted from my Android phone. Oh, I can change this? There, that's better...
Don't have anything on their phones of any particular import. Nor do they care that the CIA is following their Candy Krush progress. It's just not something that occurs to many people.
OTOH, there ARE folks who, at the minimum, don't want their credit card details or chats with their surreptitous boyfriends splattered about. Those people need to step up to the plate.
The big problem is that security is a process that requires thinking, planning and continuous execution, i.e., a PITA.
Faster! Faster! Faster would be better!
Do you really blame the users for not updating? How many times have you updated an application and found the UI worse (such as filled with ads) or doesn't work as well? (I recently updated the BBC iPlayer and now find that it doesn't work as well - the only reason I updated is because the BBC app wouldn't play videos anymore - so it was a forced upgrade.)
Updating the OS can lead to slower operation, things that worked breaking (especially if you haven't updated your apps :-) ), etc..Even in the typical case, the application continues to work, the UI is somewhat better but nothing much changes.
Why take the time to update? We, as geeks, know why. But for the typical user it is often just a pain in the ass and the balance of risks is negative. Updating makes sense for most people only if something isn't actually working correctly.
Keep in mind that these unsecured phones carry not only information about you (your name, email, phone, address, photos, etc.); but also many contain deep info that allows a hacker to get deeper into other data.
Imagine your doctor's phone isn't secure. Also imagine your doctor stores passwords to her office system in her notes app. The result: your medical records are open to the world.
If 1 in 4 phones is insecure, that basically means all data about you that is out of your direct control... is quite insecure.
What's the point? Google & Apple and all of the app makers already have all of the data. The government can get to it whenever they'd like. Who would one be securing a phone from, exactly?
I don't respond to AC's.
New version of phone OS -> whoops, now my phone is painfully slow. Guess what users won't do next time an OS upgrade rolls by?
If you're worried about privacy, sure, you may want to lock your screen but this may also create other kind of issues, like trigger the mistrust of your significant other. If you're worried about theft then note that anyone can take your SIM card off the phone and plug in into another phone to make phone calls.
If you're an android user you can't really update the OS on your phone because for the vast majority of handsets there are no updates available.
For these surveys they really need to add some questions to determine if the respondent is just flat-out lying or just doesn't understand the difference between an app update and an OS update.
Plus, some answers make no sense. Who updates their OS when it isn't convenient for them? WTF does that even mean?
Simply add...their fingerprint. Mind...boggled.
Problem solved.
Does it shock anyone? Most folks just want to use their phones, use the email and SMS, and play a few games. They can't be bothered. Heck, a lot of folks have to have techy person setup their email other than a Gmail/Apple email, as they have no clue, and they have NO clue how to change their password either
-- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
" about 40% say they only update when it's convenient for them"
Nobody does it when it's inconvenient, like during watching a movie, during a long phone call or when reading an eBook.
Ask any Windows user.
Film at 11
Manufacturers are responsible for their devices security, not users. Providing a secure functional device is what they get paid for after all.
Time is what keeps everything from happening all at once.
The fact is, there is an economic cost (not a financial one) for security measures. If a person needs to press a button or put in a code every time they use their phone, it's a little annoying, a little inconvenient. So people balance their desire for security against the annoyance of security.
My phone doesn't really have anything private on it. I've got contacts to family and friends (which is mostly public information) and some reminders for appointments, but nothing that would cause my issues if someone stole or found my phone. There are no naked pictures, no embarrassing messages, no credit card information, no apps logged into sensitive accounts. If someone steals my phone all I need to do is reset a password or two and get a new phone. That is a lot less hassle than typing in a code or fiddling with the finger print button twenty times a day.
Security is fine, but if you want people to use it, the security feature needs to be worth the effort. Most phone security features are not worth it for many people.
Upgrading phones is a similar situation. Many phone upgrades break or cause apps to stop working or introduce annoying changes. For most people doing through the pain of the upgrade is not worth the effort to hide their photos or contact information.
Your're going to change my UI because you feel like it and make me have to relearn how to do everything just because.
App *app name here* works great now but after updating erases all saved files and cuts off the name's of new files.
No old versions are available online in case the new version does not work as expected.
Backups (if you include restoring the same app version) are only practical with home made scripts or done by hand no other functional recovery options exist (at least not for iphone)
So why should I update?
Minimum threshold fixed. Thanks!
I don't believe I have a single app on the phone configured to spend money on my behalf. If I do I probably should fix that. Nothing in my phone would interest LE. No sexy texts to hide from an SO. No dick pics. If I lose the phone my biggest hope is that a good samaritan will go through my favorites and call one of my friends. If my phone is locked I'll probably never get it back.
I -should- be updating the OS more often. Problem is, updates stop being a no-brainer when your phone is too full to accept the new image. And there are always stories that new updates make old phones (more than 2 years because I think it's crazy to pay for a new phone that often) run slowly. I wait until I hear enough reports to convince me the update won't break everything, and then I clear out pictures and music so the new image will fit.
Those "security issues" are how people reclaim their devices.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
...make whatever might be grabbed off my phone small time for hackers to be focused on. Why directly target me when they can just grab millions of accounts from Yahoo?
Security options presented to your lay-user are "feel goods" which a truly knowledgeable person can bypass with minimal effort. Sure folks who are hard-core security minded can root, encrypt, remote wipe, etc, but this is not the same user base that was polled.
I don't have the time, care or know-how to REALLY secure my phone. So I use it for meme photos, "candy crush" games and the browsing /. Nothing that I need security for.
And as another commenter pointed out above, updates are usually A) Inconveniently timed B) Break UI/UX features C) Add Bloat D) Give more invasive permissions to themselves E) Rarely fix issues (unless the issue being patched is a "show stopper" preventing them from collecting your IAP dollars). So what's my incentive to actively update my OS or apps (other than to stop nag-screens or they haven't already auto/passive updated)?
Yes, I do have a pin on my phone but I don't have it connected to any social media, email or banking sites. I have a contact list and that is it. I don't really even need to lock it.
love is just extroverted narcissism
Having a screen lock is stupid, unless you have a habit losing your phone or leaving it out and about where anyone can get to it. And if you are, then no manner of screen lock is going to stop someone gaining entry. They have your device, its already game over for you.
How many people avoid updates because some upper management jerks have decided to change the way people use their device?
How many people don't like apple because of this happening regularly?
Hint!
Some odd years ago I left my phone at my girlfriend's house. It was not locked. She is now my ex girlfriend and I now lock my phone. The texts she ran across were between me and an old lady friend. They were not serious but I see how they were interpreted as such. Live and learn.
Brought to you by Carl's Junior.
I can't. Windows phone*: no more updates; carrier stopped providing them at 8.1 Cyan. Android: without a Google Account, the manufacturer & carrier won't pass them through after the first year or so; WITH a Google Account, it still often won't work without a fair amount of hacking, and if it does work it only extends updates for maybe another year; Google abandons stuff (all kinds of stuff, not just phones) quickly. Apple? No experience, though reportedly they do support devices for up to a couple of years at least.
*Windows note: I *was* able to get more updates by joining "Windows Insider" which bypasses the carrier - but only to a point. The phone is running Win10 now, but stopped updating at 1511; no further update activity (even minor stuff) since that loaded about 9 months ago. No, I'm not going to get "preview builds" on a working phone. And btw as a phone/mobile OS 8.1 was better ... same functions and apps, but in a smaller footprint.
Since mobile app developers all seem to be obsessed with ripping out functionality and making the UI worse and worse, hell yes I stopped updating my apps. As long as they work fine and do what I need, why would I want to? "Newer" doesn't equate to "better".
I don't update for a very specific reason - it's difficult to rollback system and app updates on phones. I've run into the issue a couple times where I updated an app and the interface completely changed or features that I used were removed. So my policy now is that I only update if there's a critical security issue or an app no longer works because of a change in a web API it's using.
No banking or credit card info. No passwords. No email.
Why would I lock it? To prevent some ner-do-well from changing my zip code in Gas Buddy?
...Period. Just don't put anythingâon them that you can't afford to lose, e.g. banking info and email.
Use a separate email account for your phone that doesn't have banking and personal info on it.
Have a Nexus4 and Google dropped support!
The phone is fine. No issues, except that Google won't security patch the OS. They seem to think that $450 devices are good for 3 yrs.
I disagree.
There should be a law.
I know people who have actively taken steps to un-secure their phone, for performance reasons. Since encryption was enabled by default on some Android devices, people have turned off the option (which required flashing the phone) in order to give it a performance boost.
I don't set a lock password/pattern for many reasons:
1. Doing so leads to butt dialing of 911 courtesy of emergency dialer's complete and total lack of digitizer or UI debounce.
2. After realizing keeping up with stagefrieght vulns was impossible without buying a new device I removed the only ounce of mildly important VPN configuration and disabled MMS.
3. It is annoying to keep entering patterns and passwords and shit whenever you want to do something while knowing full well it is technically pointless. No useful entropy to stave off brute force compromise and Android does not even pretend to have the perpetually compromised TPM crap iPhones do. Android is simply not secure.
Coupled with the fact all mobile messaging and voice conversations are insecure unless you install third party software it is much easier and more productive to assume smartphones are untrustworthy and act accordingly. I don't have a need to keep anything "valuable" on my phone.
What guarantee do you have that the phone is actually secure. Do the on/off sliders really turn off my microphone, or my location information?
While I generally run the latest stable AOSP/CM/LineageOS build available for my devices from the day I buy them, I don't routinely use a secure lock screen.
It may sound risky, but I'm one of those all-eggs-in-one-basket types. I keep my birth certificate and SIN card in my wallet, and I keep my phone unlocked. Neither leave my side, ever. Not for a second. Not anywhere.
If I check my coat, my wallet and phone stay with me. If I'm asked to check my phone, I leave the venue and write a negative review. Every time I stand up, I tap my pockets (subtly) - cell phone, keys, wallet. Check!
Because the cost of losing control over my wallet or phone is so high, I take no chances, and to date, have never had it happen. Knock wood, right? :)
Same goes for other items we tend to lose; I buy wickedly overpriced but quality pens, scarves, hats, gloves, etc., so that they're always on the back of my mind.
That said, if I'm at a party or bar, or out camping, I do throw on at least a pin lock.
A government is a body of people notably ungoverned - AC
My house has a front door, with a dead-bolt, that can be easily picked in a matter of minutes. But the window next to the door can be smashed in seconds. My car has locks and an alarm, neither of which stop the locksmith from opening it with an airbag. My windshield wipers can easily be removed. Nothing stops anyone from key-ing my car, throwing eggs at my house, or toilet paper in my tree.
I've left a ten-dollar bill under my wiper for two years.
On-coming traffic, at 250kph collisions, is separated by a yellow line of paint.
I don't wear a helmet when I walk the dog, anyone could swing a baseball bat at my head, and kill me in an instant.
I don't even know how I would stop someone from dropping a handful of dandelion seeds onto my green lawn.
Really, I don't care about my phone, nor anything in it. Between, insurance, accountability, and having chosen a safe place to live, I don't expect anyone is actually worried that their life and family would be disrupted by anything in their phone.
I keep mine up my ass, so unless Peter Thiel shows up, I'm pretty safe!
Google and Apple don't care about you as an individual. To the extent they care about your data, it is as an aggregate, for statistics and optimization and advertising. They aren't interested in trying to get your bank account number and steal your money, for example, the amount of money you have is fuck-all on their scale. They would not be interested in committing a crime with very real consequences for a totally inconsequential amount of money.
However a random thief that steals your smartphone? Ya they are absolutely interested in something like that. They are interested in getting as much money from you in any way they know how. That is how they operate.
While we certainly do need to consider information security and privacy with regards to big companies, the risks and reasons are very different with relation to individuals and it doesn't mean that we just ignore the problems of individuals. They are the bigger issue.
Like at work, we get people who manage to get their accounts compromised all the time. It has never, near as we or the FBI can tell, been a big company doing it. Google has never Phished someone's password and used it to spam, Apple has never used someone's information to get in the employee system and change their direct deposit target. That has always been an individual, or small group of hackers: A criminal (or criminals) dedicated to criminal activity. That is the real risk that our users really face, and the one we need to be far more concerned about than analytics Google gathers on them.
A few problems come up with securing my device.
1. I want to actually own the device I paid for. That means rooting. Until the manufacturers support a way to turn on root without reservation or gotchas, I'm not letting them take ownership of my device away from me. I consider THAT insecure. Note that I don't care what discount they may have given me on my plan - they gave me the phone itself with it, even if it is at a reduced cost. It isn't a theirs anymore.
2. I want to be able to use my device for a long while. When updates peter out after 2 to 3 years - at most - relying on updates makes that difficult to impossible. The hardware is perfectly good, and I am not going to blindly follow the manufacturer into their planned obsolescence time table, just as I am not handing over device control to them for their convenience.
3. Updates don't just patch holes, they put on whatever software my carrier wants and push the OS version up in many cases. This can have seriously undesirable results, including crippling your apps and slowing down the device to a crawl, and with no way to reinstall the OS, I'm stuck with it.
4. On my main device, the last I heard, the OS update basically ruined the updated device with chronic overheating, battery drainage, crashes, and other problems. I don't think that was ever corrected. This was some time ago. Suffice it to say that I have very little faith in updates actually benefitting me.
All in all, my device is in more danger from vendor distributed malware than third-party malware. I have this experience with Windows, too, albeit in different ways. This should give you pause for a moment to consider this, and to consider who's best interests they have in mind for these updates - yours or theirs, and what they have in mind for the future with the control they seem to want so badly now.
After I upgraded my phone from Android 6.0 to 7.0, I discovered that feature of being able to set trusted spaces where the phone would remain unlocked if it had been unlocked in a configurable number of hours. I have my phone set to lock when put to standby, and I don't let it sit running if I'm not actively doing something with it, so I found myself having to unlock it often at home when I was picking it up frequently while doing short tasks. That setting is great. Much more convenient when I'm in my own home and I wont be losing my phone, but once I leave home it goes back into its normal locked down mode.
When you update pretty much anything now you get unwanted crap. Case in point:
Windows 10 = forced updates & ads
DirecTV - Watching TV at a friends last nite and the receiver HAD to do a 30 minute update so I couldn't watch TV at 10pm.
KDE4/Gnome3 - Completely new interfaces that people either loved or hated.
Linux/SystemD - It's the future - get with it they say.
Wellsfargo app - Updated and now won't work on Android 4.0.4(whereas my AmEx app works just fine......)
Wellsfargo website - new updated site design sucks, slow, messy. Basically unusable on mobile browsers. (What idiot decided that the title bar needs to expand to fill the screen when you try to zoom the page????).
I still use a Qwerty/Slider phone, which they don't make anymore(but its LTE and does what I need). Newest one I can find is an LG Enact on Verizon(4.4). And I DESPISE Verizon. Plus LG locks down the devices so they usually aren't ROMs available. My Photon Q was rooted and Sprint swore that was why it quit making calls(took an FCC complaint to get rid of them). I root my phone to get rid of the Malware they preload and try to force you to use. Just like I use NoScript and Blocksite and other stuff to secure my browser.
IF they had "security fixes" that I could install that actually FIXED issues, then it would be useful. However, most "updates" are full of "new features". My son hated it when his S3 updated and changed the system to a newer android. Things were completely different and then he had a learning curve that wasn't needed).
Look at Windows. They change shit because they can - Add or remove programs from XP changed going to Programs & Features in Vista/7 - WHY??????
Developers don't care about Fixing their code, the care about Adding to it. KDE4 was going for the "Semantic Desktop" WTF is that???? And WHY do I need Facebook/Twitter(which are BANNED from my devices) integrated into my desktop??? Because someone Thinks I need it.
Wha'?
I clicked through to the detailed report (which was about lots of other things), and they didn't classify the results by at least iOS/Android/Windows Phone, or even better by manufacturer.
It's very possible 99% of Google and Apple device users update the OS as quick as possible, and 0% of Samsung/HTC/etc. users update (because there are none), and so this doesn't tell us anything.
Plus, I would answer "when it's convenient for me", meaning always within a day or so.
It's like they phrased questions to get results to give the most click-baity headlines. This is my shocked face.
As if I would do something with my smart phone that required any type of security. I may be dumb, but I'm not stupid.
Seriously, if it's a burner phone, why care?