You may have seen news reports over the last two days detailing a major security flaw in virtually all smartphones. The devices that are at risk are not limited to either iPhone or Android — all of us are affected. If you want to make sure your smartphone and its data stay secure, there are a few steps you can take.
The two vulnerabilities at play here are called Meltdown and Spectre, and they're due to flaws in a very common mechanism used by processors. So a wide variety of electronic devices are at risk, and it doesn't matter what operating system you're running. What's important, however, is that you remain vigilant.
During speculative execution, which is a mechanism many processors use to anticipate upcoming actions and speed up performance, the chips access multiple memory points at once to retrieve the proper resources.
While this in itself is no cause for concern, researchers find that, occasionally, the act of speculative execution leaves data that should be protected open to potential access by intruders. In short, it's a hardware security issue, not software.
However, since the code from all of your apps is filtered through your phone's processor, software is at the core of this issue. While no actual hacks using Spectre or Meltdown are known to exist for either iOS or Android at this point, if and when one is eventually created, it will use software to exploit the weaknesses in your processor's speculative execution mechanism.
Since you can't update your device's hardware without buying a new phone, the best way to protect yourself against these threats is by keeping a tight rein on the apps and software that run on your phone.
Apple was quick to issue a statement on the issue, which goes over how Meltdown and Spectre function. While the company admits all iPhones are affected, it claims no known attacks or exploits exist at this time.
Still, the company warns users to be vigilant. They caution users to only download apps from the official App Store, as the biggest threat appears to come from malicious applications.
Android, unlike iOS, services many smartphones made by a variety of manufacturers. While Google develops Android, it's also up to each OEM to stay on top of updates.
Interestingly enough, it was Google who made the chip flaw discovery in the first place. The company planned to announce the security issue alongside Intel next week, but were forced to address it this week after reports surfaced.
We have updated our systems and affected products to protect against this new type of attack. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web. These efforts have included collaborative analysis and the development of novel mitigations.
Google claims that ARM-based Android devices with the latest security patches are protected. ARM released an official statement as well, which claims that the majority of ARM-designed processors are not at risk, only a handful are.
However, in the affected category is the Cortex A73. These cores power the Snapdragon 835, which is featured in many of 2017's Android flagships, including the Galaxy S8, S8+, Note 8, OnePlus 5 and 5T, Google Pixel 2 and Pixel 2 XL, and so many more. The same can be said for many of 2015's flagship Snapdragon 810 devices, which use Cortex A57 cores.
Now that you know where things stand with your phone and these speculative execution exploits, there are a few best practices you can use to keep yourself safe. True, these are mostly common sense, but as long as you follow these instructions, you'll be as safe as you can be.
The most important thing anyone with a smartphone can do right now is keep their device fully updated. Your phone's OEM will be rushing to issue security patches now that these vulnerabilities have been discovered, and, according to the U.S. Computer Emergency Readiness Team, updating your software is your best defense against these chip flaws.
Apple just released an update to the iOS 11.2.5 beta yesterday, while the company seeded the latest public update, 11.2.1, Dec. 13. While these updates do not explicitly address any of the discovered chip flaws, they do feature the latest security patches and bug fixes Apple has to offer.
While Android does not share the same uniformity as iOS, Google claims its latest security patch covers ARM-based processor vulnerabilities. OEMs and carriers regularly release security patches, such as Wednesday's AT&T's S7 and S7 Edge patch, or T-Mobile's Note 8 patch last month. However, neither of these updates contain fixes for Meltdown and Spectre — it's the January 2018 security patches you need to look out for.
Another issue here is that Spectre or Meltdown exploits aren't known to exist for mobile devices yet. This means that any security patches aiming to protect against these threats are mostly preemptive. Going forward, we may see mobile-targeted exploits using Spectre or Meltdown — if this happens, phone makers will likely need to issue another security patch to block that specific exploit.
Bottom line, make sure your device is running the latest firmware it can. It's the best way to protect yourself, so take some time each day to check for updates.
If a Spectre or Meltdown exploit is created that can actually hack a smartphone, chances are, it'll come in the form of an app. Since the security flaw is in your processor, and all apps are filtered through your processor as they run, it just takes one with the proper code to execute the exploit.
Apple has recommended that iPhone users do not sideload apps — in other words, only install apps from the App Store, where Apple has had a chance to review their code. Of course, you have to go out of your way to sideload an app on iOS, so most users shouldn't have a problem here.
The situation on Android is similar, but it's a lot easier to sideload apps on Google's OS, and there are a lot more unofficial app stores out there. No matter what you do, don't install random APKs you find on the internet — this is where most Android malware originates. Instead, only install apps from the Google Play Store, and even then, it would be a good idea to install an antivirus scanner to be extra safe.
On either operating system, you should still be cautious when installing apps from your phone's official app store. Take time to read reviews and check into the app's developer — if there's anything fishy, resist temptation and don't install the app.
The sad fact is OEMs abandon products after a certain amount of time. If you are using a smartphone that no longer receives updates, you are leaving yourself open to vulnerabilities, both with the chip flaws as well as any others discovered.
The best way to protect yourself is to buy a smartphone that is still supported by the manufacturer. Better yet, buy one designed with security in mind. Short of that, if you're running Android, you may want to look into installing a custom ROM, which is a community-built version of Android, typically with the latest security patches applied.
Another thing to consider when shopping for Android phones is the OEM's track record with updates. If you don't want to find yourself in a similar situation in the future where your fairly-new phone isn't getting important updates to block security threats like these, you'll want to buy from a manufacture that's known for keeping their devices updated. To get a good sense for this, we recommend reading our list of phones that are receiving the latest Android update this year.