Good News: Mobile Devices Now Competing To Be Much More Secure Against Prying Eyes

from the very-good-to-see dept

While the more cynical folks out there have insisted that the tech industry is a happy partner with the intelligence community, the reality has been quite different. If anything, in the past many companies were simply… complacent about the situation, not realizing how important these issues were. That’s problematic, but the Snowden revelations have woken up those firms and enabled the privacy and security gurus who work there to finally get the message across that they absolutely need to do more to protect the privacy and security of their users. That’s why you see things like Apple’s new local encryption by default on iOS8, meaning that even if law enforcement or the intelligence community comes knocking, Apple can’t get much of your data off of your device.

?Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,? Apple said on its Web site. ?So it?s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.?

Within hours, it was reported that the next update to Android would also have the same default encryption.

?For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement,? said company spokeswoman Niki Christoff. ?As part of our next Android release, encryption will be enabled by default out of the box, so you won’t even have to think about turning it on.?

Of course, you can expect to see the DOJ pushing for new laws to somehow block this or get backdoor access. It may create a future fight worth watching. In the meantime, though, it’s great to see tech companies actually competing on how well they can protect the privacy of their users’ data from the prying eyes of law enforcement and intelligence agencies.

Filed Under: , , , , , ,
Companies: apple, google

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Good News: Mobile Devices Now Competing To Be Much More Secure Against Prying Eyes”

Subscribe: RSS Leave a comment
Anonymous Coward says:

It's security theater

1. The app markets for these devices are completely overrun with malware of all descriptions. All that’s necessary is to get someone to install one of those myriad malicious apps, and poof! keystroke logger, game over.

2. This doesn’t protect all the metadata that’s generated during the use of the device — and as has been frequently pointed out on this site, metadata is enormously revealing.

3. This also does nothing to protect against all the data (and metadata) that’s stored at or transits the service provider. Backdooring those — legally or illegally — will yield a rich stream of information even if the device is “completely” secure.

4. Is the source code for this encryption published and open-source? If not, then it’s worthless snake-oil and nobody should trust that it actually does what the vendor says it does.

Michael (profile) says:

Re: It's security theater

1) True, but the only way to protect against a user being stupid is to not let them use the device.

2/3) Absolutely. Carrier support for protecting our data would be really nice, but at least preventing them from getting data stored on devices would be nice. Cloud storage makes this all a little fuzzy though – they may not be able to decrypt the device, but everything is on my skydrive anyway

4) Neither appears to be at this time, but that is one of the great things about innovation and competition – if open-source options are more secure, you will see these become prevalent pretty quickly.

Whatever (profile) says:

Re: It's security theater

I agree. Apple proved that they have a clear backdoor to put anything they want on your device without your permission (thanks for the U2, idiots!), and if they have that sort of access it’s only a matter of time before hackers have the same access. Then your device isn’t safe at all.

Reads way more like Apple wisely choose the current arm waving about security to look good – while proving they have backdoors in every device.

Vikarti Anatra (profile) says:

Re: It's security theater

Malware which monitors everything that’s done on device? it’s not that easy.
if device is rooted – user WILL be asked by SuperSU for permission
if device is not rooted to get something remotely resembling keystroke logger require either:manually activating newly installed custom keyboard or newly installed accessibility app. in both cases android will tell in plain English what this means.

Anonymous Coward says:

Re: Re: It's security theater

You’ve got to be kidding.

I suggest doing some remedial reading on the topics of (a) mobile malware capabilities (b) user susceptibility to social engineering and (c) low-level vulnerabilities in the device software and firmware. The mobile device ecosystem is incredibly insecure on all levels and it’s going to get better any time soon because users will install anything that’s shiny and cute and promises an “experience” or a discount or gratifies their egos.

While I cited a keystroke logger as one type of particularly pernicious malware, it’s of course not the only one, nor is it the only one capable of completely compromising user security/privacy at the device level. Moreover, as we’ve seen too many times to count by now, OS-level safeguards are routinely overridden by users who will click “YES” to anything and everything because they are foolish and careless. So even if the malware du jour is limited in its scope, it will provide a foothold for tomorrow’s. The end result of this progression is inevitable, which is why the average mobile device is no more than portable contagion.

Slapping encryption on top of that seething mess is nothing more and nothing less than a PR stunt. If the vendors were actually serious about security, not only would they make their entire software stack open-source — and thus subject to peer-review — but they would require that all third-party apps also be open-source AND they would build those apps in-house from source code. (Not that all of this is a panacea: of course it’s not. But it’s a marked improvement from the status quo.)

This won’t happen. Neither will any of the alternatives which might provide equivalent improvements. The vendors aren’t interested in security or privacy: they’re only interested in the appearance of security and privacy.

Anonymous Coward says:

Re: Re: Re:2 It's security theater

Apparently these and the thousands of similar articles have escaped your attention:–of-mobile-malware-targets-android-platform.html

But even those aren’t the full story. For one thing, estimates of malware infection rates require effective detection of malware infection, and current methodologies are quite clearly very poor, leading to severe underestimates. Moreover, and I invite you to review the historical growth curve of botnets in this regard, sensible extrapolation of observed infection rates indicates continued acceleration — all the countermeasures notwithstanding. And of course none of this is going to get any better given that app stores are loaded with malware, very little of which has been or is going to reviewed by anyone — and some of which is pretty nasty stuff.

Bottom line: the mobile device ecosystem is a shithole and it’s getting steadily worse despite token attempts to improve it — like the one we’re discussing here. The fundamental problem — actually, the fundamental insoluble problem — is that the entire technology space, from devices to software to firmware to infrastructure, was designed to be usable and cheap. Security wasn’t a primary design concern and now it’s doomed to an endless series of retrofits — which ARE failing and which WILL fail. This entire process is like trying to randomly slap band-aids on a victim who’s been shot 37 times. It’s a token gesture, not an effective treatment.

John Fenderson (profile) says:

Re: Re: Re:3 It's security theater

Pure FUD.

I’ve seen no actual evidence that there’s some kind of malware plague in the mobile space, neither anecdotal nor backed by real studies.

The links you provide actually prove this point rather than the one you’re trying to make. First, you need to ignore the articles based on the press releases from companies likes McAfee who are trying to sell you a security solution for your devices.

The rest of the links all seem to be based on the same study (or are at least using numbers that are very, very similar to each other). And those numbers make Android look like the exact opposite of a shithole. From the article, for instance:

Mobile infections increased by 17 percent in the first half of 2014, raising the overall infection rate to 0.65 percent.

That’s 0.65%. Otherwise known as almost nothing. This compares rather well to the infection rate for Windows 7 (2.5%), OSX (2.7%), and iOS (0.5%).

Anonymous Coward says:

Re: Re: Re:4 It's security theater

Those numbers are all MASSIVE underestimates — by, at minimum, an order of magnitude. This is old news to all of us who actually work in the security field: heck, Vint Cerf talked about this 7 years ago:

At that time, he estimated that one-quarter of all (Internet-connected) computers were part of a botnet. I thought that was a bit high (the estimate that I came with in cooperation with various colleagues was more like one-fifth to one-sixth) but plausible. Today? It’s a minimum. At least one quarter of all Internet-connected computers are part of a botnet.

This isn’t an exaggeration or an extrapolation. It’s common knowledge among all practicioners in the field.

And it’s not the worse news. The worse news is that there are many more systems which are also compromised, but for one reason or another, aren’t part of a botnet at the moment. In other words, the system infection rate necessarily exceeds the botnet participation rate.

Given that some detectors have noted more than 200,000 new such systems in a single day this isn’t surprising. In fact, it’s consistent with everything else that we’ve observed over the past decade, since the release of malware like SoBig and the earliest attempts at botnet construction and operation.

Mobile devices running IOS and Android are not exempt from this, doubly so given that the “system administrators” of these devices are end users, and end users are stupid, lazy, ignorant, and careless. Of course they’re compromised in enormous numbers, what would you expect to happen when you hand extremely powerful computing devices to people with zero security clue and then ask them to administer those devices, including downloading and installing applications?

Try running passive OS fingerprinting in conjunction with the logging on your perimeter firewalls. I do. And even though the topological locations where I’m doing this are not particularly important or busy, I’m seeing a couple million unique systems a day exhibiting bot activity. Laptops, tablets, servers, phones, desktops, it doesn’t matter: the entire Windows/MacOS/IOS/Android ecosystem is a disaster and even some of the Linux environment is now deteriorating. Really the only things I don’t see very often are Unix-based, either commercial offerings like Solaris or any of the BSD family.

John Fenderson (profile) says:

Re: Re: Re:5 It's security theater

“This isn’t an exaggeration or an extrapolation. It’s common knowledge among all practicioners in the field.”

This is 100% exaggeration. And I do work in the field, so your assertion of consensus is demonstrably incorrect as well.

Are the industry-accepted numbers that I cited too low? It’s possible, but almost certainly not by an order of magnitude. Nonetheless, even if they are that far off it doesn’t debunk my point (any measurement error will be roughly the same for all platforms, making relative comparisons valid):that Android is a “cesspool” on part with iOS and a much cleaner one than OSx or Windows.

Anonymous Coward says:

Re: It's security theater

As for item 4 – yes, the source code for Android’s encryption is published and open-source, as part of AOSP, and has been so for a long time.

They even have a detailed description of how it works:

As can be seen there, the encryption actually comes from the Linux kernel, and is the same kind of encryption you get when you tell a Linux distribution installer to do full-disk encryption.

Mr. Oizo says:

All theater.

What else did you expect I would say ? What else were you going to say about all this ?

Get it in your head: no hardware is secure. The more you implement security the more they will suspect you, and your passcodes, secrets will still be cracked.

The only solution is to educate young people on how the government should work and teach them how to take up arms against oppressors. There is no other way out.

John Fenderson (profile) says:

Re: All theater.

“no hardware is secure”

As a blanket statement, of course not. Nor is any software secure, nor is anything that exists in the world secure.

But security isn’t a back and white kindof thing. All security is a matter of degree — you can’t stop anyone who is both determined enough and has access to enough resources from subverting your security. The goal of security is to make accessing whatever has been secured expensive and difficult enough to accomplish one of two things: make breaking the security more costly than it’s worth, or to increase the amount of time it takes to break security.

“The only solution is to educate young people on how the government should work and teach them how to take up arms against oppressors. “

Which isn’t a complete solution at all. It assumes that the only bad actor is the government, for one thing, which isn’t the case at all. For another thing, once arms have been taken up against the government, all security is pretty much out the window.

Coyne Tibbets (profile) says:

Re Cloud

The last couple of weeks has established that all the data on the device is backed up to the Cloud. Law enforcement no longer needs to access the device; they can get it all from Apple, possibly from a web page download.

That seems to me to make accessing the device completely unnecessary. Even better from LEO perspective, having the physical device itself–and making the owner suspicious–isn’t needed either. Perfect for warrantless secret investigations.

It seems to me that all the hoopla is just and only smoke.

John Fenderson (profile) says:

Re: Re: Re:3 Re Cloud

It sounds like you’re interpreting the page to say something, but you aren’t explaining your interpretation. You might do better to actually say what you mean.

“I can see the writing on the wall. Can you?”

Not on that page, no. You’ll have to actually explain. In general, yes, it was obvious from the introduction of the very first iDevice (and it was strongly hinted at from the introduction of the first Macintosh). Which is precisely why I don’t own any Apple products.

Anonymous Coward says:

Re: Re: Re:4 Re Cloud

Here’s what I see (via that page as well as Apple’s other pronouncements):

Apple is trying to do what Microsoft and IBM and other vendors who’ve achieved significant market share have done: force lock-in to their product family. That includes not just all the i-devices but their cloud service: Apple wants total control of every user’s bytes from cradle to grave.

It starts as an option or a suggestion of course, but then it becomes a recommendation or best practice, and then it becomes mandatory. All the while, it’s painted as “good for consumers” and “secure” and “private” while of course it’s anything but. The cloud is not only insecure, but insecurable by its very nature and yet Apple is nudging, cajoling and occasionally forcing its customers in that direction.

Device security is worthless if all the content (and/or metadata about the content) is available in the cloud.

I recommend reading both and for further perspective.

C.S. (user link) says:

Encryption Updates

Let’s hope they hold their promises and that these updates are actually worth their salt!

I think the privacy of these company’s users will become even more of a priority in the future with hackers becoming even more clever with their methods.

Competition sure is a good thing for us consumers with these companies trying to beat each other to protect us better!

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...