Photo by Tom Sodoge on Unsplash
These last few days, a phone hacking video clip has been doing the rounds on India’s social media. This guy, Saket Modi, is giving a live talk onstage. While talking, he borrows a phone from a man in the audience, and casually hacks it, in just 20 seconds. Saket was able to see the list of phone calls, read all the SMS messages, view the contacts, access the GPS to figure out where the phone is at the moment, and even turn on the phone’s microphone to listen to what was being spoken in the phone’s vicinity.
Since Saket had access to the phone’s browser, he could view the owner’s email, see his OTPs, reset his email password, take over his email, and repeat the process to take over all his social media. The only catch was the phone had to be connected to the internet, and which phone isn’t these days?
I was a bit shocked at how easily Saket hacked the phone, a Samsung S8, one of the world’s most expensive and advanced phones. There was nothing on the phone’s screen to alert the owner that it had been hacked. I had heard of this a year ago, but it was the first time I had seen the clip. See below.
The hack is possible because a phone’s operating system currently easily gives any app easy access to your messages, microphone, location and so on. The apps do ask for permission when they are being installed but most people grant this permission as the app says it will not work otherwise. Unlike Androids, Apple restricts such permissions so it’s relatively harder to hack an iPhone. Google is aware of this shortcoming, which is why the latest version of Android, Oreo, reduces such easy access.
This particular hack is worrisome in India because we customarily hand over our phones to anyone who requests it to make a call. Like my kid’s school does not allow phones so whenever I go to pick her up from school, a kid or two will invariably ask to borrow my phone, and I usually lend it. You can’t say no to a kid, can you?
I needed to figure out a solution.
Basically, I should be able to lock down the phone in a jiffy. So that when I hand it over to a stranger, it will only allow him to access the phone’s dial function, and nothing else.
The equivalent in PC terms would be a second user profile or login for the phone, which has limited access to the phone and its apps. I don’t even know if this is possible. Besides, I carry two phones currently, an Android and an iPhone, so I needed to do this on both.
Surprisingly enough, I was able to set up a simple, one-touch solution in just a few minutes on my Android. That speaks a lot for the easy customisation of Androids. Having said that, my Android, Xiaomi’s Redmi Note 4, has its own customised version of Android called the MIUI, which simplified my task. But I’m sure most Android phones will have similar solutions.
Anyway, I knew that MIUI has a feature called ‘Second Space.’ It’s like a second independent phone (software) on the same handset, with its own set of apps, but with no access to the main phone’s data. MIUI allows you to set up a different fingerprint to open up your Second Space. It also allows you to lock any app. So all I had to do was set up the Second Space, set up a new fingerprint to unlock the second space on the phone, and then lock all apps, except the phone app.
Accordingly, I set up Second Space. My First Space has my forefinger as the access fingerprint. So I used my middle finger to access the Second Space. And that was it.
If I want to use my phone, I use my forefinger to unlock the phone, and it automatically opens up into my first space, giving me access to all apps on my phone.
If a stranger wishes to use my phone, I use my middle finger to unlock the phone, and then hand it over. The stranger can only use the phone app to make calls, as all other apps are locked in this Second Space.
That was a pretty slick solution to my phone hacking worry.
Restricting existing apps Now that people who borrow my phone can’t misuse it, I also needed to make sure the existing apps on the phone were not misbehaving.
The more savvy know Android now allows you to revoke the permissions but few bother, and I must admit I was one of those few. On my Android (Redmi Note 4), I just have to click on the Security icon, and go to Permissions to see what apps were using what features (this will differ in other Androids).
After viewing permissions, disabling an app is just a matter of a couple of clicks. For instance, 36 of the 76 apps on my Android had access to my contacts. I went through each of the permissions, and revoked them wherever it seemed unnecessary. I mean why should Facebook have access to my contacts?
And that was that. My Android is now a bit more secure, though I doubt if any of the above will keep out a professional phone hacker.
iPhones also have a simple built-in solution to restrict access to any one app. You do this by enabling the Guided Access feature. Once that’s done, all you have to do before handing over the phone to a stranger is open the phone app, and triple click the ‘Home’ button. The iPhone is then restricted to just that one app. To exit the app, a password is required.
There’s even a feature to deactivate ‘touch’ on parts of the screen. That’s essential in this case as it’s possible to access the tabs in the bottom bar of the phone app like contacts, favourites, recents… Deactivating the touchscreen in this area also, means the only part of the phone that is active is the keypad area. In short, your smart iPhone is temporarily turned into an old style phone with just a dial pad, and nothing else. It will look like the image below, and to unlock the phone from this screen, you have to have access to the app lock code or Touch ID.
My iPhone screen after it has been ‘locked’ to dial keypad screen. Buttons at bottom are also inactive.
I know ‘Guided Access' has been around for a while but it was only when I saw the phone hacking that I felt the need to use it. Anyway, to use this feature, you go to Settings->General->Accessibility->Guided Access, and turn it on. Oh, never mind, it’s easier to use iOS 11’s screen recording feature to demo how Guided Access works. Keep in mind you can’t see the part where I triple click the home button to pop up the app lock screen.
In general, Apple seems to restrict access to apps better than Android. Anyway I checked to see if Facebook was accessing my contacts. It wasn’t. But Snapdeal, an Amazon competitor was. So I disabled it.
I found the iPhone solution to be more secure than the Android as the phone is locked to just one app screen which you can’t exit without a password.
The Android solution still exposes the call record. You can also exit the app, and open some of the other apps (like Settings, Security, Weather, etc) though I had locked all the apps visible in the Settings. However you can’t really do much within those apps. Maybe there’s a better way to do this on an Android, but it has to be simple or most people won’t bother.
Warning: Before I wrap up this post, I must warn you about a mistake I made on the iPhone. Don’t take the obvious route of enabling ‘Restrictions’ in Settings to lock apps in the iPhone. It’s pretty pointless as most of the apps and functions work even after enabling this.
But the real disaster happened when I disabled ‘Restrictions.’ I discovered to my horror that all my home pages had been destroyed. My apps which were tidily grouped in folders, had been pulled out and strewn all over the phone in no particular order. The neatness freak in me nearly had a heart attack! To add insult to injury, the empty folders still remained on the phone.
Fortunately, my phone is set to automatically back itself up whenever I connect to my Mac, which I had done a couple a days ago. So I was able to restore my iPhone. It took nearly an hour as I had to go through the painful process of entering passwords for my wi-fi, iCloud accounts. I even had to scan my credit card for Apple Pay, though the system does not work in India. The phone kept insisting I do it and I felt sorry for it, I guess.
What I had forgotten is that restoring a phone meant that all existing apps which have logins, would require me to re-enter username and passwords. Quite a painful affair! I should have just dragged the apps back into the folder instead of restoring the phone. Apple seriously needs to have a warning built in whenever someone enables ‘Restrictions.’
Stay away from ‘Restrictions’ if you value your time.