A security researcher recently discovered a problem in many (but not all) Android phones and tablets that can allow bad guys to bypass Android’s encryption features. While the issue is one that needs to be addressed right now, it is also one that can be fixed.
Remember that this is simply a report on an important vulnerability, and that we work with vulnerability every day. :)
Why Do I Care About This Flaw?
If you already know why this is important and just want the solution, skip down to “How Do We Fix It? Isn’t There a Security Update?”
In short, full disk encryption of devices can provide insurance against having to report a security breach to the Feds if your Android device goes missing. It’s a powerful measure for stopping security breaches, keeping clients safe, and preventing liability under HIPAA. See our article on full disk encryption here→
The discovered flaw would allow someone who manages to get ahold of your Android device, with some effort, to unlock the device’s encryption and access all the information on it. So long as this flaw remains, you won’t be able to lean on the Android’s encryption to protect your clients or yourself from HIPAA-based liability issues. Once the flaw is fixed, you will be able to lean on it again.
Which Android Devices Are Affected?
Only Androids that use chips made by a company called Qualcomm are affected. Because Android devices come in a variety of forms and from a variety of makers, not every one is the same. Only the phones with Qualcomm hardware inside them are prone to this bug.
At the end of the article, we have instructions for determining if your Android gear uses Qualcomm chips. Experts estimate that at least half of Android devices out there use Qualcomm chips.
How Do We Fix It? Isn’t There a Security Update?
Google has already released an update to fix this flaw. But this is where we run into the downside of the fact that Android devices come in a variety of forms from a variety of makers (this is often an upside, but everything has its disadvantages).
Google created a fix for this problem all the way back in May. Security researchers have discovered that many Android phone makers still haven’t incorporated Google’s fix into their updates, however. So even though a fix exists, many Android device owners still haven’t received it and their phones and tablets remain vulnerable at this time.
So here’s what you can do in the meantime:
- Check if your Android devices are still vulnerable. Instructions are below. If they’re not vulnerable, then simply pass this notice on to colleagues who also have Android devices that might be vulnerable right now.
- If you know who manufactures your Android device, send them an email pushing them to get that fix from Google out to their customers. We can’t help you find the proper email address because there are so many makers of Android devices. Someone who is familiar with your devices may be able to help you do that. Once you discover how to contact the maker of your Android device, here’s something you can write to them:
Health care professionals who use Android devices in our practices depend on the manufacturers of those devices to keep us up to date on the latest security patches. The encryption-related vulnerability in Qualcomm’s mobile processor, labeled CVE-2016-2431, is a significant threat to our ability to protect our clients from harm and to protect ourselves from liability under HIPAA. We need you to push Google’s May 2016 security update to our devices as soon as possible.
- Make sure your Android devices have a good security app that provides remote tracking, remote locking, and remote wipe. Make sure you know how to use those features. They can be an important part of protecting mobile devices that have been lost or stolen. There are a variety of security apps available for download from Google. We have no specific recommendation for a best one.
- Have a nice cup of tea or a bath. Even though this issue is important, it is not immediately threatening. Like all security issues, it requires action but not anxiety. :)
How Do I Know If My Device Is Still Vulnerable?
There are two things to check:
- Does my device use chips from Qualcomm?
- Do I have the security patch from Google yet?
To find out if you use Qualcomm chips:
According to Digital Trends, there is a free app called CPU-Z that can be used to find out what company manufactures your Android’s processor. If it says your processor is made by Qualcomm, your Android could be vulnerable. If it does not say Qualcomm, then your Android isn’t vulnerable. Get CPU-Z here (free)→
To find out if you have the security fix from Google:
On the majority of Androids, you can follow these steps. If your specific Android seems to be formatted differently, find a tech-savvy helper who can help you follow these directions for your particular Android:
- Find and tap the app called “Settings.” Make sure you find the one called “Settings” and not “Google Settings.” The two look similar.
- In your settings, find something like “About Phone” or “About Tablet” or “About Device.” Tap whichever one you find.
- You should see a list of info about your Android. Look for the entry called “Android Security Patch Level.” There should be a date listed next to it.
- If the date is earlier than May 2016, then your Android is still vulnerable to the flaw. If it is May 2016 or later, then you have the fix in your Android already!
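For anyone checking several devices from a computer, the same two checks can be applied to the output of `adb shell getprop`. This is an added example, not part of the original article: the chipset name patterns are a heuristic assumption, and the sample dumps are constructed.

```python
import re
from datetime import date

# From the article: a patch level of May 2016 or later contains the fix.
FIX_PATCH_LEVEL = date(2016, 5, 1)
# Assumption (heuristic): Qualcomm builds report "qcom" as ro.hardware or a
# board platform beginning with msm/apq/sdm.
QUALCOMM_HINT = re.compile(r"^(qcom|msm|apq|sdm)", re.IGNORECASE)
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Turn `adb shell getprop` output ("[key]: [value]" lines) into a dict."""
    matches = (PROP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def assess(props):
    """Apply the article's two checks: Qualcomm chipset, then patch level."""
    hw = [props.get("ro.hardware", ""), props.get("ro.board.platform", "")]
    if not any(hw):
        return "unknown-chipset"          # nothing to judge by; check by hand
    if not any(QUALCOMM_HINT.match(v) for v in hw):
        return "not-qualcomm"
    raw = props.get("ro.build.version.security_patch", "")
    try:
        year, month, day = (int(part) for part in raw.split("-"))
        level = date(year, month, day)
    except ValueError:
        # Older builds expose no patch level: do not assume the fix is present.
        return "unknown-patch-level"
    return "patched" if level >= FIX_PATCH_LEVEL else "vulnerable"

# Constructed sample dumps (not taken from real devices).
SAMPLES = {
    "tablet-a": "[ro.hardware]: [qcom]\n[ro.board.platform]: [msm8994]\n"
                "[ro.build.version.security_patch]: [2016-04-01]\n",
    "phone-b": "[ro.hardware]: [qcom]\n[ro.board.platform]: [msm8996]\n"
               "[ro.build.version.security_patch]: [2016-07-01]\n",
    "phone-c": "[ro.hardware]: [samsungexynos7420]\n"
               "[ro.build.version.security_patch]: [2016-03-01]\n",
    "phone-d": "[ro.hardware]: [qcom]\n[ro.board.platform]: [msm8974]\n",
}

if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        print(name, assess(parse_getprop(dump)))
```

A device reported as "unknown-patch-level" or "unknown-chipset" should be checked by hand using the Settings steps above.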
Special thanks to private practice guru and all-round good guy, Rob Reinhardt, for tips on finding the right settings in Android. If you’re in private practice, you should be following Rob, too. He’s at Tame Your Practice→
What Are You Talking About? “Encryption?” “Remote Tracking?”
Most of us use our mobile devices to handle client information in one way or another. Some say that this is not secure, but in fact mobile devices have a great set of security features that make it completely feasible to use them in our practices!
If you’re not familiar with these security features, we offer you two helpful resources:
- Our Digital Confidentiality course series. Level II of the series gets into the details of keeping mobile devices secure, including the essential encryption issue that we discussed in this update. See the course catalog here→
- The smartphone security guide. This guide walks you through the various security features of smartphones and how they do and don’t help you. Get the guide here→
Are Android Devices Unsecure? Should I Get Apple Instead?
Actually, Android devices can be very secure! Even with this bug to deal with, Android is a solid platform for health care professionals. Everything in this world has flaws, and we deal with them all the time.
This flaw, like most security issues, will find a fix and will eventually become an issue of the past. I am announcing it for two reasons:
- There is a hitch in getting it fixed in a timely manner. I needed to make sure you know about it so that you aren’t leaning on your Android device’s encryption without knowledge that there is currently a flaw.
- You can help get it fixed by turning up the pressure on Android device makers.
In the meantime, there is no reason to fret or to ruminate on throwing out your Android gizmos. There are people out there who need your helpful energy and you should spend just as much as you need on this and no more. Have a great week!