Will Amazon’s Fire Phone “Burn” Users?
Symantec security expert, Candid Wueest, investigates the security implications of Amazon’s new Fire Phone.
Everyone has heard stories about smartphones with malfunctioning battery packs bursting into flames, but the new Amazon Fire Phone, despite its name, could pose a different kind of danger. Amazon’s recently announced device is due to be released in July and may present some potential security concerns for users.
Amazon’s Fire Phone runs on Fire OS 3.5, which is based on Android 4.2 (Jelly Bean), and Amazon says they are working on upgrading to Android 4.4 (KitKat). Since the Fire OS is a fork of the Android OS, it is unclear how Amazon will react to major Android updates or patches in the future. Even with updates and patches, most users never consider upgrading the OS on their mobile device anyway, which can increase the attack surface of the device.
The phone has a focus on multimedia and comes integrated with various Amazon services. One interesting feature is dynamic perspective, which uses a parallax effect to create a 3D effect in certain applications. In order to achieve this, the phone’s motion sensors are used in combination with four special cameras on the front of the phone that track the user’s head movements to adapt the graphic to the current viewing angle. This may sound a bit creepy because it means that the phone is constantly taking pictures of your head, and with the infrared lights, this even works in the dark. However, it does not appear that the phone stores these pictures, so they should not be at risk of falling into the wrong hands.
The Fire Phone’s Firefly technology raises some privacy and security concerns. The Firefly service can recognize products, phone numbers, QR codes, URLs, and TV series after a user takes a picture of one of them. Once the object is identified, it is added to a list and can later be processed in several different ways. The most obvious way is the chance to buy the recognized product on Amazon, but the technology can integrate with streaming services and social media as well. Fortunately, there is not an option to buy a product automatically after taking a picture, so users will not accidentally buy something after taking a random picture.
The Firefly service is available through a dedicated button on the lock screen, which also starts the camera. This is an excellent reason to not leave your phone unattended anywhere. Anyone could add useless items to your history list by taking pictures. Hopefully there are no errors in the processing algorithm. It would be a shame if a picture taken of an overly long URL crashes your phone or an innocently placed QR code in the background reconfigures your mobile.
The images taken for the Firefly service are pre-processed on the phone and then transmitted to the cloud for final processing with audio files and location information. Third-party developers can create their own plug-ins, which means they can also access the images and process them themselves. This presents some privacy concerns and, as always, users should be careful when deciding which services to trust. In any case, it’s probably better not to take pictures of top secret documents just to save a phone number.
No Google Play market
Many people have noticed that the Amazon Fire Phone does not use the Google Play market. Instead, the phone supports Amazon’s own app store, which has many apps but is still missing a few user favorites such as YouTube and Google Maps. Users who cannot live without their favorite app could choose to install applications from untrusted third-party locations. Applications from these sources may contain malware that can lead to a compromised device. Even if an app from a third-party location is clean, it might not work because Fire OS uses a different framework than Google’s Android OS. As with the Kindle Fire, this could lead to users rooting their Fire Phones to install the Google Play store. The increased security on Amazon’s devices means that there is no guarantee that a Fire Phone can be rooted.
The Fire Phone uses the Amazon Silk Web browser, a custom-built browser based on Chromium that takes advantage of the Amazon cloud to process some content and decrease website load times. Privacy concerns regarding this feature have been noted, but there is an option to disable the Web proxy.
The use of a custom browser does not inherently mean that it has more vulnerabilities than other browsers. It remains to be seen if attackers will focus on the Amazon Silk browser to find any vulnerabilities in the software. The market distribution of the Fire Phone could affect this. Widespread distribution of the phone could offer a profitable opportunity to attackers and entice them to put in the effort to find vulnerabilities.
There are still a few things that would be beneficial in the next Fire Phone update. Features like integrated VPN or single sign-on are on the wish list for the next Fire OS update and could help with any security issues.
As with any mobile device, we recommend that users be careful when installing apps from third-party markets and verify the privacy settings of their device.
Source and Copyright: Norton blogs.