Mobile Security Is An Oxymoron

:date: 2016-11-30 08:27

Ok, so I'm a very weird guy, I can see that. Mobile phones can be very handy, I can see that too. Combining those things it turns out that mobile phones are still pretty useless to me personally. That fact, I concede, is strange. I participate in less than a dozen actual telephone conversations a year even when including the hardwired telephone sitting in front of me on my desk at work. I can not remember a telephone call that would not have been better served in an email. Many of my telephone calls involve waiting on hold for dozens of minutes. Today, the fundamental advantage of telephones isn't the frequency-clipped disembodied voice you can hear, it is that the rudeness and imposition of interrupting someone are usually overlooked. But not by me.

Ok, so unless you just like hearing the sound of other people's voices nattering away while you're in the grocery store, and I understand there are many such people, the whole 19th century telephony thing is not extremely compelling. But what about all the other great stuff? Throwing enraged birds into pigs? Everyone loves that, right? Nobody knows how to use a paper map any more so it's not like it's even optional, right? Everyone wants to know what their friends' lunch looked like and gleefully stalks Pintergramerbook to find out, right? I could go on and on, but, folks, I'm sorry, I'm as aware of the benefits of technology as anyone and I do not find smartphones compelling. Sorry.

I can confidently surmise that I had my Sharp Zaurus SL 6000 before you had a smart phone. That brilliant pocket computer highlights exactly why I find modern small computers so uninteresting. On the Zaurus I could easily open a terminal. It ran a proper Linux kernel and I had full root permissions. I could run a Python interpreter in the normal Linux way. I could install any Linux software, Vim for example, and write my own. I could tape it to my Roomba and steer with it over wifi SSH. I felt like I was in control. But Android revoked almost all of that control. Don't talk to me about the nightmare of warranty-voiding freakish rooting hacks. The necessity of such tricks is exactly the problem.


Now we come to the elephant in the room. What happens to security when you use a networked system which is controllable by clever hacks and back door tricks, but impossible to control by authorized users using ordinary methods? It sucks. When I look at almost any security measure taken by the computing systems that I feel are safe enough to use, they are almost all invalid with modern phone operating systems. For example, why do package maintainers provide MD5 hashes of packages? So you can verify things came from a trusted source. With Android, you can't verify anything of the kind, and you have no idea who is a trusted source. Or take a simple thing like user accounts. These are designed to restrict privileges so that if some software is acting in bad faith, it can be contained. Android has a disgustingly perverse privilege model that just mocks proper security. The only thing that user accounts seem to restrict with Android is the device's legitimate owner.

Blah, blah, blah. Ok, ok. There are zillions of Windows users out there who obviously don't care about terrible security and bizarre conflict-of-interest turf wars in their computers. Fine, fine. What is blowing my mind in the smartphone era are the Linux people. The acquiescence of the people who should know better is what really freaks me out.

The first iPhone I ever saw was being proudly shown off by a sysnet (systems and networking) professor, a guy who studies computer security at the highest level for a living. I remember the thought I had at the time which remains the same to this day, "Hmmm...and you're ok with that?"

[quote,Benjamin Franklin]

Distrust and caution are the parents of security.

Security is hard. In the Linux world at least 50% of knowing roughly what you're doing involves various security measures. With the advent of smartphones it seems like everyone took the opportunity to make a clean break with the truly onerous task of secure computing. By relinquishing control, even technical people seemed relieved to relinquish responsibility too. Another quick example  —  I asked the head computer security analyst at my university (largest employer in the 8th largest city in the USA) what he thought about phone security. His answer was, essentially, it's bad. Very bad. Ridiculous bad. Sure. Whatever. So what does he do about it? Well, nothing special really. He mostly just assumes it's insecure and behaves accordingly (lucky for him he's a professional at that). And yet, he believes that his smartphone was responsible for his Amazon account being hacked (and if anyone should know that, it is he). How did that then change his behavior? Amazingly, not much! This is typical! People who know better stop caring for some reason. I don't understand this. I haven't been able to stop worrying and love this bomb. I have never been interested in using a computer as a computer that I can't control with the full force of computer science. I don't care what magic services it provides. If I don't have at least theoretical control and it knows who I am, it creeps me out and I want nothing to do with it.

Obviously I have a lot to say about modern telephones, but at the same time, I don't. I wish I could point to the smoking gun and say, ah, here is why you shouldn't use this. But I am not an expert in these systems which are designed to prevent me from properly understanding them. I just know what I appreciate and trust about the Linux systems I do use, and I can't see any similarity to the way smartphones are controlled. For the same reasons I (and people like Richard Stallman) boycotted Microsoft operating systems for almost 20 years now, I can't accept Android. I feel vindicated that my 1999 assertion that the Linux kernel could be made usable by normal people was true, but at this point Android is worse than Windows. (Do I even need to point out that IOS is worse than Android?)

Ok, I don't like telephones. I don't like proprietary operating systems that exclude you from control, destroy your privacy, and prey on you at every opportunity. With all that baggage, in comes a new topic that is of particular importance to fancy computer people taking care with security: multi-factor authentication. Abbreviated as MFA or 2FA, this basically is about using your phone to add another layer of security to unrelated services. I think you can guess by now how I feel about that. I'm not impressed. I'm horrified.

But again, I'm not the head of some nation state's hacking agency. Although I take a serious and diligent interest in security concepts, I don't make a career of studying the dark corners of proprietary software. When I step out of the light of the non-proprietary, free software world, I am overwhelmed and terrified.

This post is just a starting point, a way to dump my rough misgivings along with some links to why someone might feel this way. Make of it what you will.

Phone Insecurity

[quote,Philip K. Dick]

Strange how paranoia can link up with reality now and then.

MFA With Phones Is Bad


Cell Network Attacks

SIM Card Attacks

Client OS/App Vulnerabilities/Malware

In this paper, we will demonstrate how to quietly mount practical, context-aware clickjacking attacks, perform (unconstrained) keystroke recording, steal user’s credentials, security PINs, and two factor authentication tokens, and silently install a God-mode app with all permissions enabled. We note that this behaviour seems to appear to be a deliberate decision by Google, and not an oversight. To the best of our understanding, Google’s rationale behind this decision is that an explicit security prompt would interfere too much with the user experience, especially because it is requested by apps used by hundreds of millions of users. ...none of the users actually managed to understand what happened even after we told them the app they played with was malicious... ...the majority of presented attacks are possible due to inherent design issues... Thus, it is challenging to develop and deploy security patches as they would require modifications of several core Android components.

My Absurd Telephone

$ cat /proc/version
Linux version (jinyoung.chon@Sprint14) (gcc version 4.4.1
(Sourcery G++ Lite 2009q3-67) ) #1 Mon Mar 7 11:55:10 KST 2011

Hover text: "If they're getting valuable stuff from you, at least the organized crime folks have an incentive to issue regular updates to keep the appliance working after the manufacturer discontinues support."

Phones Done Right

UPDATE 2019-04-17 - I just came across the existence of which provides many clues to what is wrong with normal phones. Interestingly I found this as I was embarking on my own solution to have a Raspberry Pi "telephone" solution where I was in control.

UPDATE 2019-07-22 - Here's a strange post by Bruce Schneier. What's strange about it is not the fact that backdoors were found built into the firmware of Android devices. No, I've been saying that for years, haven't I? Not a bit surprising. What's odd is that this was apparently done in 2017. Why was the post now? Just being discovered? Ah, just being admitted to by Google now. But is your telephone compromised by malware? In my opinion it is wise to believe the answer is yes.

And xkcd right on target as always.


UPDATE 2020-12-06 - Edward Snowden describes the problem pretty well. He mostly covers the creepy side of smartphones which is completely legal. Probably in a way that should be reconsidered. Oh and here's a cheery story of some police state hijinks featuring some political dissidents who thought their phones were not being watched by Big Brother's thugs who could and would torture them. Fun!

UPDATE 2022-04-11 - A lot of people don't really care if surveillance capitalism is constantly creeping on them. Or at least they think that. John Oliver has an extremely excellent piece on data brokers that should make it clear why modern telephone insecurity is actually an important topic.