Smartphones unstoppable but fears of attack still lurk

Given the poor profits in the smartphone market, there will be market turmoil

Given the poor profits in the smartphone market, there clearly will be market turmoil with mergers and acquisitions, and outright business failures. Photograph:  Philippe Wojazer/Reuters
Given the poor profits in the smartphone market, there clearly will be market turmoil with mergers and acquisitions, and outright business failures. Photograph: Philippe Wojazer/Reuters

Worldwide shipments of smartphones have just had a stellar quarter. According to research firm IDC, global shipments between April and June reached 337 million units, up nearly 12 per cent from the same quarter last year.

The market is led by Samsung at 22 per cent, and Apple at 14 per cent. Despite only 14 per cent of the global shipments, Apple captures a staggering 90 per cent or more of global smartphone profits, illustrating its strength as a premium brand.

In contrast, the quarterly profits at Samsung are now in their fifth consecutive decline, despite having two of the best Android phones on the market. Korea's LG has seen its profits drop 60 per cent in its most recent quarter, citing falling demand for its premium smartphones. Taiwan's HTC has just made a quarterly loss of -26 per cent (of revenues, after tax) and may have become an acquisition target.

The smartphone market now has two main themes. The first is that Apple’s brand is dominating the smartphone market financials, putting the remainder of the market under severe pressure. The second is that Apple in fact only has 14 per cent of the market by shipments, and the market leader Samsung likewise only just 22 per cent: the remaining 64 per cent of shipments are from over 200 other smartphone vendors worldwide, chiefly Android-based.

READ MORE

Market turmoil

There are now some 950 million Android devices in use worldwide. Given the poor profits in the smartphone market, there clearly will be market turmoil with mergers and acquisitions, and outright business failures.

In the last week, the global Android market has a new and extremely dangerous threat. What if a criminal hacker could interfere with everything on your phone – your contact list, calendar appointments(past and present), patterns of physical locations, private notes, internet browsing trails, apps usages, photos and so on – solely by knowing your mobile number?

The only trace of a fully weaponised attack will be a notification that you received a text message (actually a multimedia message – MMS – containing a video). Completely unlike other hacking attacks, you do not need to actually open the message or read or watch it: by the time you’ve seen just the notification on your screen, the damage will have already be done. In fact, the fraudulent message may already have deleted itself. If you just ignore the message notification as you might do for any other hacking attack, nevertheless the damage is done. You may even have been asleep overnight when the message arrived on your phone and silently did its work.

Joshua Drake, a VP at Zimperium zLabs, discovered a critical flaw in Google's Android software last April, in the "StageFright" subsystem of Android that displays media content such as videos. The flaw has been present since May 2010, when version 2.2 of Android was released (the most current version is now 5.1). As is industry practice, Drake offered a 90-day embargo with Google, and supplied Google with patch repairs to the code, so giving Google headway to ship fixes to customers.

He will release details of the code to the public at the industry Black Hat event on August 5th in Las Vegas, thus encouraging vendors to make repairs but also alerting hackers worldwide to the flaw.

Over 200 vendors, who have more than 950 million devices in active daily use, are highly suspect to StageFright – smartphones, tablets and other devices using Android. Typically, only the newer devices actively receive patches and updates: older devices, going way back to May 2010, may never be updated.

Each vendor has its own process to release patches to its products, and some vendors have to negotiate with mobile phone operators to push through patches to consumers. It is almost impossible for the myriad of vendors to synchronise their businesses to simultaneously repair broken products. However if any single vendor does release a patch before others, an opportunity then opens for hackers to reverse engineer the patch.

I wrote about the treacherous “HeartBleed” vulnerability in websites, and how it came about, in the May 12th, 2014, edition of this paper. The StageFright flaw is considerably more dangerous, given the nature of the highly fragmented Android market.

StageFright

In a different industry, vehicle manufacturer

Fiat

Chrysler

has just issued a recall of 1.4 million cars due to a flaw by which a hacker can wirelessly attack the driving control electronics, and received a $105 million fine from the US National Highway Traffic Safety Administration for its troubles. With 950 million devices in active daily use, from not just one but over 200 vendors worldwide, StageFright is altogether a different scale of challenge.

Google acquired Android Inc in July 2005 in a strategic move to compete in the mobile phone market. The first Android smartphone – the HTC Dream – was released in October 2008. Since then, Google has aggressively pursued a multiple-vendor strategy to promote Android to global consumers through as many channels as possible, and so try to place Apple under pressure. While this has been successful in market share and saturation, nevertheless Apple still owns the market profits. The vulnerability and fragility of the Google strategy to a single engineering flaw is now unfortunately apparent.

Google has rewarded Drake $1,337 for bringing the StageFright flaw to its attention.