Monday, July 4, 2016

Lookout security for Android devices

Perhaps two weeks after activating a new phone with T-Mobile, an app called "Lookout" prompted me with a cell screen to subscribe to their service. The pop-up included a correct email address for me, pre-entered.

I found that odd since, although the email address Lookout suggested for me was correct, it was different than the email address attached to my T-Mobile account. Where did it come from? Typically these come from phone "permissions" (access privileges) to one's phone information (e.g., email accounts), but we all know they are rarely "permitted" in the sense of a user wittingly authorizing information to the software. Rather, they are often pre-configured and difficult to unravel. That is, in such cases, one has to dig to determine, and still may never determine (or revoke), privileges granted by: a provider (e.g., T-Mobile) service update, the phone manufacturer (e.g., Samsung), the Android (OS) installation process, or the app (e.g., Lookout). These iniquities become more galling when one's data security is supposedly being looked after, particularly for a fee. One reasonably expects transparency.

A much smaller issue: beneath the email address was a blank for a password, without specifying if it was for the email address offered, or for a new Lookout account password.


Before entering any password, I navigated to the Lookout website. As I write today, I could find no information about the password sign-in or Lookout's information access on devices. The potential billing tiers for Lookout appeared to have two options - Personal Premium ($3/$30) and Personal Free: both were buried in the site's "Contacts" pages. A difficult-to-find FAQ finally referenced T-Mobile accounts, $4, but nothing directly about partnerships, phone access privileges, etc. A third service, "Jump!", was referenced on the page, but without explanation or links.

Trying the T-Mobile site next, I found nothing about Lookout phone permissions, but there was billing information for a "Premium" Lookout account, $4, that is, more than accounts directly established with Lookout. Meanwhile, Jump! is a T-Mobile phone insurance or upgrade plan; I could not be sure.

I'm supposed to feel secure about what again?

Inside the phone

Voila. The permissions somehow granted to Lookout (never wittingly given by me) were as follows:
  • Your personal information
    Add or modify calendar events and send email to guests without owners' knowledge. Modify your contacts. Read call log. Read terms you added to the dictionary. Read your contacts. Read your web bookmarks and history. Write call log. Write web bookmarks and history.
  • Your location
    Approximate (network-based) location, Precise (GPS) location.
  • Your messages
    Edit your text messages (SMS or MMS), Read your text messages (SMS or MMS). Receive text messages (SMS).
  • Network communication
    Full network access
  • Your accounts
    Add or remove accounts
  • Storage
    Modify or delete the contents of your SD card
  • Hardware controls
    Change your audio settings, Take pictures and videos
  • Phone calls
    Read phone status and identity
  • System tools
    Change network connectivity, Delete all app cache data, Disable your screen lock, Make app always run, Modify system settings, Prevent phone from sleeping, Retrieve running apps, Toggle sync on and off
In short, I'd never use a smart phone if it weren't for the fact that T-Mobile can't enable MMS on simple feature phones: I need MMS to communicate in the workplace. Obviously, Lookout smart phone permissions are not as comprehensive as what government agencies can gather or accomplish with one's phone (and other records), but it gives a person a thumbnail sketch. It might be easier if smart phones were directly issued by the government via some portion of our income tax revenue -- they've become little less than moving ID cards, with contact and quotidian information embedded.
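
An added example, not part of the original post: one way to audit which of the permissions listed above an app actually holds, and which were granted without a prompt, by parsing the output of `adb shell dumpsys package <package>`. The sample output, the placeholder package name and the function names are constructed for illustration; the Android 6+ layout with named flags is an assumption, with a fallback for the older `grantedPermissions:` layout.

```python
import re

# Labels from the post's list, keyed by the Android permission constant behind each.
LABELS = {
    "android.permission.READ_SMS": "Read your text messages (SMS or MMS)",
    "android.permission.ACCESS_FINE_LOCATION": "Precise (GPS) location",
    "android.permission.DISABLE_KEYGUARD": "Disable your screen lock",
    "android.permission.INTERNET": "Full network access",
}
PREGRANT_FLAGS = {"GRANTED_BY_DEFAULT", "SYSTEM_FIXED"}  # granted without asking the user
GRANT_RE = re.compile(r"^([\w.]+): granted=(true|false)(?:, flags=\[(.*?)\])?")

# Constructed sample in the style of dumpsys output; the package name is a placeholder.
SAMPLE = """\
  Package [com.example.securityapp] (1a2b3c4):
    requested permissions:
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ SYSTEM_FIXED ]
        android.permission.CAMERA: granted=false
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ GRANTED_BY_DEFAULT ]
"""

def granted_permissions(dump):
    """Map each granted permission to the set of grant flags reported for it."""
    granted, section = {}, ""
    for raw in dump.splitlines():
        line = raw.strip()
        m = GRANT_RE.match(line)
        if m:
            if m.group(2) == "true":
                granted[m.group(1)] = set(re.split(r"[|\s]+", (m.group(3) or "").strip())) - {""}
        elif line.endswith(":"):
            section = line  # remember which block any bare names belong to
        elif section == "grantedPermissions:" and re.fullmatch(r"[\w.]+", line):
            granted[line] = set()  # pre-Android 6 layout: bare names, no flags
    return granted

def report(dump):
    """Sorted (permission, label, pregranted) rows for review."""
    return [(p, LABELS.get(p, "(not in the post's list)"), bool(f & PREGRANT_FLAGS))
            for p, f in sorted(granted_permissions(dump).items())]

if __name__ == "__main__":
    print(*report(SAMPLE), sep="\n")
```

Permissions that appear only under `requested permissions:` or with `granted=false` are deliberately left out, so the report shows what the app can do now rather than what it asked for.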
