As part of a broader look at President Donald Trump’s acclimation to the White House, the New York Times noted on Wednesday that Trump still uses his personal, consumer-grade Android smartphone in the White House. That’s worrying.
Even if you’re not a security expert, some potential dangers of keeping an insecure device in the White House probably come to mind right away. There’s a reason President Obama had to make do with a heavily modified BlackBerry for most of his time in office, and why security officials reportedly issued Trump a locked-down device when he took office. One that he apparently doesn’t always use. If Trump does use his old Android smartphone in his spare time—which recent @realDonaldTrump tweets sent from Android seems to support—he’s leaving himself exposed to all manner of unsavory outcomes.
The headlining concern around Trump using Android is that he’s likely not protected against phishing attacks or malware. All it takes is clicking on one malicious link or opening one untoward attachment—either of which can appear as though it were sent from a trusted source—to compromise the device. From there, the phone could be infected with malware that spies on the network the device is connected to, logs keystrokes, takes over the camera and microphone for surreptitious recording, and more.
The attack may not even be so direct. Many apps request permission to track a phone’s location for legitimate purposes, and a hacker could compromise one of these accounts to determine where the phone, and potentially Trump himself, is at any given time.
Attempts to reach the White House to confirm that Trump is still using his personal Android phone were unsuccessful, and if there’s a silver lining it’s that Trump famously does not use email, which should reduce his digital exposure. But the mere fact of using an open Android device should still cause some serious alarm.
“What we know from looking at public information about disclosure of vulnerabilities and exploits on hardware and software is that Android devices have a very high volume of vulnerabilities. There’s a high level of exploitability of an Android phone,” says Sam Kassoumeh, chief operations officer at the security intelligence firm SecurityScorecard. Especially given the Android phone Trump likely uses.
Google is diligent about Android security, releasing monthly updates that patch known flaws. The problem, though, is that those updates are only available to a handful of devices at first, including those in Google’s own Nexus line.
Android phones have notoriously uneven security because the operating system is open source, allowing manufacturers and third-parties to put modified versions, or “forks,” of Android onto devices before selling them. This often makes it more difficult for phones to receive updates, patches, and full OS upgrades as they come out. As a result, phones that run stock Android can get regular security updates pushed from Google, but millions of devices will only have those improvements available on a delay, if ever. For some context, less than one percent of Android devices currently run the most recent major update, Android 7.0, which Google released late last summer.
Based on some photo analysis, Android Central thinks Trump may use a Samsung Galaxy S3, a model that was first released in 2012. Another report pegged it as a slightly more recent Galaxy S4. Regardless of specifics, any mainstream Android device would be problematic, even with some precautions in place.
“Hopefully the Secret Service is treating his device as already compromised and restricting that phone from having any connections to secret or official government materials, resources, networks, and documents,” says Greg Linares, a security researcher who specializes in threats intelligence and reverse engineering. “Exploitation of Android devices, for the most part, is not as trivial as it was even a few years ago. Attackers would still need to develop a reliable exploit and deliver it to the President. But since it is a non-hardened device, the level of threat is rather high.”
The smartphone revelation joins a number of recent concerns about the Trump administration’s cyber hygiene. The hacker known as “WauchulaGhost” told CNN this week that the @POTUS, @FLOTUS, and @VP Twitter accounts are all prime targets for attack because they use easily guessed email addresses and don’t take advantage of two-factor authentication. Meanwhile, some White House staffers, including Sean Spicer and Jared Kushner, still maintain email accounts through the Republican National Committee. The practice is legal, but dicey given controversy over George W. Bush’s use of the same system and Hillary Clinton’s use of a private email server, not to mention that Russian hackers breached the RNC email system during the 2016 presidential campaign season.
Ultimately, whether Trump uses his old Android device is his own choice. The intelligence community can’t dictate what devices he does and doesn’t use; presidents are not legally required to abide by anyone’s technology recommendations. And Trump may see his Android as a net good. “In theory you want them to have the most productive tools to make sure that they’re using their time the most efficiently,” says SecurityScorecard’s Kassoumeh. “On the flip side, there’s a risk. If they have tools that can potentially be used against them or misappropriated, it can introduce some pretty dire scenarios.”
There’s hope that the Secret Service has taken extensive precautions to keep the leader of the free world’s Android device from jeopardizing national security. But as long as it has the mainstream access and connectivity that Trump reportedly feared losing in the first place, it’s a risk. As researcher Linares notes, “A device’s security ultimately comes down to the user operating it.”