
When good intentions facilitate the really bad guys

I’ve worked on many different mobile phone security projects over the years including spending a lot of time trying to help people with everything from mobile phone theft to dealing with spyware. I established the product security function at Panasonic Mobile a long, long time ago. I’ve taught many students how to secure mobile networks, devices, hardware, firmware and applications of all varieties. I set up the GSMA’s Device Security Group and led its main industry Fraud and Security Group for three terms. I have literally seen it all and most of it has been pretty crazy. However, I’ve understood over that long period of coming up… 28 years(!) that you can actually fix stuff and prevent the bad guys – it’s hard, but it can be done. When it’s done well, bad things don’t happen and users don’t notice (which is what we want). Designing things securely while at the same time safeguarding cool innovation, all the time protecting people from the bad guys has been at the heart of what has driven my work over the years and it has mostly been fulfilling, although often frustrating.

This is one of the frustrating times. A few weeks ago the European Commission published a ‘Consultation on the proposed measures for Alphabet to ensure interoperability with Android under Article 6(7) of the DMA’. It was only open for a very short period, but I was absolutely horrified when I read the contents. Essentially the very short version is – in the process of trying to further open up Android to other developers (particularly in relation to AI), the Commission had started to try and re-engineer the architecture of a private company’s product. This in itself sounds barking mad when I write it, but it was the security and privacy mess that it opens up that truly concerned me. Apple has also pointed out that it is a security and privacy disaster. As an industry we’re constantly playing cat and mouse with a whole host of threat actors from nation states down to individual users, with a ridiculous number of threat vectors to deal with. The advent of agentic AI and the speed of vulnerability discovery through to execution is something that everyone is trying to address right now. So imagine that a third party comes in and rips open that security design which has been architected through years of pain and on-the-ground security reality? It doesn’t sound right does it? That is exactly what has happened here and motivated me to respond to the public consultation (also with an offer of help). You can find my full response and submission to the European Commission below. They have not responded to me.

What triggered me to write this now was this other blog by George Colville, a Policy Analyst at the Open Markets Institute Europe. In it he argues that the issues that Google, Apple (and now myself above and below) raise are “weakly substantiated”. In my opinion this is so far from the truth that it is downright dangerous. This person is not an engineer, he seemingly has no knowledge of the number of people who have been tortured and murdered just because of spyware alone, never mind a whole host of other user-targeted frauds etc, yet tries to pass off these issues essentially as the industry trying to protect themselves by using a FUD (Fear Uncertainty and Doubt) strategy to scare people. Frankly, and forgive me for my language – he is talking bollocks. I can state with both knowledge and certainty that the European Commission’s technical proposals (or draft measures) are dangerous for the security of every citizen of this world and they represent gross overreach. What starts here could also end up with all other connected devices and IoT. Cyber security is a complex and difficult subject that is already hard enough, but interfering at this level just makes it ten times harder.

Draft technical measures facilitating bad actors

The reason I’m extremely nervous is that the tactics which spyware actors in particular have used are facilitated by the draft technical measures the EU wants to open up to third parties here. One of the easiest of the proposed measures to explain is the “always-on hotword detection”. From the draft measures: “Hotwords allow users to invoke and interact, hands free, with their favourite assistant. The feature is implemented in a power-saving manner that allows always-on hotword detection to run continuously, even when the phone screen is turned off and when the phone is in battery saver mode.” This is a particularly dangerous permission – it is not difficult to imagine why this might be of interest to bad actors and how it could be subverted. There is a very long list of issues with the proposal. You can have a look at the draft measures yourselves in the Annex (draft measures) link below, as well as some of my concerns in my submission text.

The reference documents they provided for the Consultation were as follows:
Case summary – DMA.100220 – interoperability with Google Android and Annex (draft measures) – DMA.100220 – interoperability with Google Android.

Submission

Here’s the full original text of what I submitted, apologies for some of the typos as I was trying to meet their submission deadline! I’ve also uploaded a pdf of the submission:

“I am a mobile phone security specialist and have been involved in mobile security for around 27 years. I am the former Chairman of both the GSMA Device Security Group and its parent group the Fraud and Security Group. I have and continue to conduct research into the cyber security of future technologies. This includes the defence of future AI security systems, and I have extensive experience in embedded mobile security technologies. I wrote and taught the Mobile Systems Security course for MSc students at the University of Oxford as a part-time lecturer and served as a visiting Professor at York St John University, also teaching Cyber Security and Digital Forensics to undergraduates.

My concerns relate to all technical aspects of the draft measures including the effectiveness and completeness elements.

Whilst the intent of the work of the Commission is admirable, it cannot be taken on its own, without the context of the severe, hostile threat that all mobile devices and connected technologies face. In the two reference documents, there is only one mention of the word security, in the context of updates and only four mentions of the word privacy.

The market reality is that the mobile industry is under severe daily attack from a wide array of threat actors from the users themselves, to fraudsters, malware authors all the way up to private spyware companies and nation state actors. The mobile device is a hard target, but that is not an accident. It has been hard fought over many decades, with a continual cat and mouse game of malicious attacks and defence by the industry. This has led to the situation we have today, where the mobile device is a very secure object, with regular updates, industry reporting processes for discovering and resolving vulnerabilities and a robust ecosystem around application security including app ingestion and inspection. The industry is however still under continual attack and malicious actors are always seeking new ways to get into devices and abuse legitimate features in order to achieve their aims.

One of the most pernicious types of attack that I spent a lot of time trying to disrupt in my time volunteering as chair at the GSMA, was that of private spyware. This involved many different aspects, both network and device / operating system related. Many different actions have been taken to tackle this problem across the world, including by industry, governments, the European Commission and journalist organisations. Some of my general observations and opinions from my experience in this area are relevant to this response:

1) Private spyware companies acquire and discover vulnerabilities through various means.
2) These organisations will stop at nothing to achieve their aims, including subverting companies, buying off individuals, setting up front companies, falsifying documentation etc.
3) They will target low-hanging fruit such as smaller third-party companies in the mobile industry supply chain that may have access relevant to their needs. Sometimes they will set up legitimate contracts with companies who don’t realise what they are really doing.
4) The individuals involved will read lots of technical material, go to security conferences and work out where they can potentially create new exploitation of the technologies involved.
5) They will subvert technologies that are aimed at supporting disabled users (accessibility features) because they provide access to functions that normally wouldn’t be provided – such as screen-reading, clicking and so on.

Many of these observations also apply to criminals involved in other areas where different types of malware are created, or where defrauding the user is the aim. Other abuse of the handset I have seen in the past has been targeted at creating mobile ransomware, abusing premium rate services or for data stealing purposes (which is then used as part of other crimes). The list is very long.

As an industry, we have seen the supply chain compromised time and time again, because it is a weak link and can be an easier target in some cases, because smaller organisations simply don’t have the resources to face down, or even to detect the serious attacks that they will face when it comes to very serious threat actors.

Opening up sensitive user data to third-party organisations has to be done in a controlled and sensible manner. There are certainly some functions that are confined to the vendor of the operating system or to the manufacturer, simply because the risk of opening up would be so severe. That is not about a lack of interoperability, it just makes sound security sense.

In my view, the proposed measures open up the mobile attack surface considerably.

I had intended to go through line-by-line and give examples of where each draft measure could be abused, however this would be a very lengthy response! I am willing to speak to you and go through these in detail if you wish.

AI Attacks
I briefly also want to address the issue of the situation we find ourselves in, in 2026. There has been a recent increase in autonomous AI systems which can go further than most human attackers would and more persistently. It is therefore now more important than ever to be able to control third party”

I hope…

So those are the issues in a nutshell. For full disclosure – I do work with Google and many other companies as you can imagine in the mobile industry, but my motivation to write this was not based on any of our customers – it’s just that I hope that we see common sense prevail here and users not unnecessarily exposed to pretty severe security and privacy issues. I await a response from the Commission.
