Who controls your smartphone?

Someone once said, “The first step to receiving an answer is being brave enough to ask a question.” There are many things about today’s world that warrant us asking that question.

Do you or the mobile vendor control your smartphones?

If you are a consumer, small or medium business (SMB) -- the answer is the vendor. It should come as no surprise since these groups typically don’t have the business needs or resources to customize beyond Consumer-off-the-Shelf (COTS) options. Factory mobile builds – from major mobile vendors – offer a strong User Experience (UX) and a good baseline for security.

What if you are a large enterprise or a government agency?

The answer is still the vendor. Are you surprised? Groups such as these have specific business needs and security postures. They routinely add significant customizations to the hardware, operating system (OS), and services around all IT devices – PC laptops, desktops, and servers – including smartphones.

Why are mobile devices less customizable than PCs?

There are two reasons for this: The Bundling of Options and the Monetization of Personal Data. Let’s dive deeper to understand both motivations.

Mobile vendors tightly bundle the hardware, OS, update services, and offer many factory apps. This makes for a better UX but at the cost of higher prices, customer lock-in, limited choices, and limited customizability. They do allow light customization via device settings, and Application Programming Interface (API) requests to the OS. These settings and APIs support mobile enrollment, vetted app stores, Mobile Device Management (MDM), and Mobile Threat Defense (MTD) within the vendors’ walled gardens.

However, with device settings and API calls, the phrase “request to the OS” is key since the vendor chooses the extent to which settings are implemented. For example, does “airplane mode” mean all modems are off or that they are “selectively” off? Would key data like IMEI, IMSI, GPS, sensor, and personal data “only” be shared to the vendor, or is their distribution much broader?

If there is no setting for what you want to do, then you are out of luck. It is much more profitable for mobile vendors to sell the same factory builds to everyone. Flagship devices cost $1,000 and are bootloader locked to prevent actual OS customization short of rooting or jailbreaking that present their own issues. Customization requests are routinely refused. Sometimes they can be subtly re-framed as not a request for customization but instead a requirement for added “OS requests” via new settings or API calls. Such an architecture preserves vendor control allowing them to ask for large Minimum Order Quantities (MOQ) and Non-Recurring Engineering (NRE) payments only to quickly reach End of Life (EOL) since such builds are outside of routine upgrade and update processes.

On the other hand, PCs have more open architectures that allow competition at all levels – from the hardware to the OS, maintenance services, and app ecosystems – which means consumers and organizations can highly customize devices and build best of breed solutions. They still leverage bundles, where that makes sense.

Mobile vendors discovered they could be paid once for products and services and a second time by monetizing personal information, location, and sensor data, whether for their use or in sharing with partners. Therefore, the mobile device serves two genies – the need to preserve their own proprietary product and services revenue stream and monetizing the data themselves or with business partners.

Nothing new under the sun

Neither bundling nor monetizing user data are novel ideas from IT vendors.

Before PCs, bundling was standard practice for vendors like IBM, DEC, and Wang. Bundling was likely necessary at the beginning to kick-off each new “S-curve of innovation” from mainframes to minicomputers to dedicated workstations.

Technologies matured, and more components became commoditized; users demanded more choices, customizability, and affordability. A particular gripe was having to beg vendors for customizations to their walled gardens. Ultimately newer vendors embraced open standards that unlocked devices to allow customer control.

Early PCs and dial-up network connections were notorious for spyware and bloatware that tried to be paid once for the service and then a second time in data monetization. Consumers and businesses were quick to remove these.

How can you regain control?

Not all vendors have locked devices and walled gardens. Google’s line of Pixel hardware, for example, is a mid-market solution whose bootloader allows locking and re-locking.

Pixels support two versions of Android. Google Mobile Services (GMS), where free services are tied to data monetization and a UX like Apple and Samsung devices. Secondly, Pixels can run Android Open-Source Project (AOSP) code that shares the same strengths as the GMS build, but the customer controls the code base and updates. 

Always be brave enough and ask the questions.

#MobileSecurity #Cybersecurity #Privacy #OpenSourceSoftware