Good News: Mobile Devices Now Competing To Be Much More Secure Against Prying Eyes
from the very-good-to-see dept
While the more cynical folks out there have insisted that the tech industry is a happy partner with the intelligence community, the reality has been quite different. If anything, in the past many companies were simply… complacent about the situation, not realizing how important these issues were. That’s problematic, but the Snowden revelations have woken up those firms and enabled the privacy and security gurus who work there to finally get the message across that they absolutely need to do more to protect the privacy and security of their users. That’s why you see things like Apple’s new local encryption by default on iOS8, meaning that even if law enforcement or the intelligence community comes knocking, Apple can’t get much of your data off of your device.
?Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,? Apple said on its Web site. ?So it?s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.?
Within hours, it was reported that the next update to Android would also have the same default encryption.
?For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement,? said company spokeswoman Niki Christoff. ?As part of our next Android release, encryption will be enabled by default out of the box, so you won’t even have to think about turning it on.?
Of course, you can expect to see the DOJ pushing for new laws to somehow block this or get backdoor access. It may create a future fight worth watching. In the meantime, though, it’s great to see tech companies actually competing on how well they can protect the privacy of their users’ data from the prying eyes of law enforcement and intelligence agencies.
Filed Under: android, competition, devices, encryption, ios8, privacy, security
Companies: apple, google
Comments on “Good News: Mobile Devices Now Competing To Be Much More Secure Against Prying Eyes”
They say that. Now let’s see if that’s actually the case.
It's security theater
1. The app markets for these devices are completely overrun with malware of all descriptions. All that’s necessary is to get someone to install one of those myriad malicious apps, and poof! keystroke logger, game over.
2. This doesn’t protect all the metadata that’s generated during the use of the device — and as has been frequently pointed out on this site, metadata is enormously revealing.
3. This also does nothing to protect against all the data (and metadata) that’s stored at or transits the service provider. Backdooring those — legally or illegally — will yield a rich stream of information even if the device is “completely” secure.
4. Is the source code for this encryption published and open-source? If not, then it’s worthless snake-oil and nobody should trust that it actually does what the vendor says it does.
Re: It's security theater
1) True, but the only way to protect against a user being stupid is to not let them use the device.
2/3) Absolutely. Carrier support for protecting our data would be really nice, but at least preventing them from getting data stored on devices would be nice. Cloud storage makes this all a little fuzzy though – they may not be able to decrypt the device, but everything is on my skydrive anyway
4) Neither appears to be at this time, but that is one of the great things about innovation and competition – if open-source options are more secure, you will see these become prevalent pretty quickly.
Re: It's security theater
I agree. Apple proved that they have a clear backdoor to put anything they want on your device without your permission (thanks for the U2, idiots!), and if they have that sort of access it’s only a matter of time before hackers have the same access. Then your device isn’t safe at all.
Reads way more like Apple wisely choose the current arm waving about security to look good – while proving they have backdoors in every device.
Re: Re: It's security theater
I was under the impression that Apple put the U2 in user cloud space and it got their phone because they had auto d/l enabled. Is this incorrect?
Re: Re: Re: It's security theater
You are completely correct.
Re: Re: Re: It's security theater
Yup and as soon as you say “put in the user space” you have identified a backdoor that could be used for a VERY widescale hack if anyone got near it.
Re: It's security theater
Malware which monitors everything that’s done on device? it’s not that easy.
if device is rooted – user WILL be asked by SuperSU for permission
if device is not rooted to get something remotely resembling keystroke logger require either:manually activating newly installed custom keyboard or newly installed accessibility app. in both cases android will tell in plain English what this means.
Re: Re: It's security theater
You’ve got to be kidding.
I suggest doing some remedial reading on the topics of (a) mobile malware capabilities (b) user susceptibility to social engineering and (c) low-level vulnerabilities in the device software and firmware. The mobile device ecosystem is incredibly insecure on all levels and it’s going to get better any time soon because users will install anything that’s shiny and cute and promises an “experience” or a discount or gratifies their egos.
While I cited a keystroke logger as one type of particularly pernicious malware, it’s of course not the only one, nor is it the only one capable of completely compromising user security/privacy at the device level. Moreover, as we’ve seen too many times to count by now, OS-level safeguards are routinely overridden by users who will click “YES” to anything and everything because they are foolish and careless. So even if the malware du jour is limited in its scope, it will provide a foothold for tomorrow’s. The end result of this progression is inevitable, which is why the average mobile device is no more than portable contagion.
Slapping encryption on top of that seething mess is nothing more and nothing less than a PR stunt. If the vendors were actually serious about security, not only would they make their entire software stack open-source — and thus subject to peer-review — but they would require that all third-party apps also be open-source AND they would build those apps in-house from source code. (Not that all of this is a panacea: of course it’s not. But it’s a marked improvement from the status quo.)
This won’t happen. Neither will any of the alternatives which might provide equivalent improvements. The vendors aren’t interested in security or privacy: they’re only interested in the appearance of security and privacy.
Re: Re: Re: It's security theater
Absolutely ridiculous. The android infection rate is one-quarter of a percent. Take your fact-free scaremongering elsewhere.
Re: Re: Re:2 It's security theater
Apparently these and the thousands of similar articles have escaped your attention:
http://www.forbes.com/sites/katevinton/2014/06/24/mobile-malware-is-on-the-rise-mcafee-report-reveals/
http://www.computerworld.com/article/2475964/mobile-security/98–of-mobile-malware-targets-android-platform.html
http://www.darkreading.com/study-15-million-devices-infected-with-mobile-malware/d/d-id/1315477
http://www.infosecurity-magazine.com/news/mobile-malware-infects-millions-lte-spurs-growth/
But even those aren’t the full story. For one thing, estimates of malware infection rates require effective detection of malware infection, and current methodologies are quite clearly very poor, leading to severe underestimates. Moreover, and I invite you to review the historical growth curve of botnets in this regard, sensible extrapolation of observed infection rates indicates continued acceleration — all the countermeasures notwithstanding. And of course none of this is going to get any better given that app stores are loaded with malware, very little of which has been or is going to reviewed by anyone — and some of which is pretty nasty stuff.
Bottom line: the mobile device ecosystem is a shithole and it’s getting steadily worse despite token attempts to improve it — like the one we’re discussing here. The fundamental problem — actually, the fundamental insoluble problem — is that the entire technology space, from devices to software to firmware to infrastructure, was designed to be usable and cheap. Security wasn’t a primary design concern and now it’s doomed to an endless series of retrofits — which ARE failing and which WILL fail. This entire process is like trying to randomly slap band-aids on a victim who’s been shot 37 times. It’s a token gesture, not an effective treatment.
Re: Re: Re:3 It's security theater
Pure FUD.
I’ve seen no actual evidence that there’s some kind of malware plague in the mobile space, neither anecdotal nor backed by real studies.
The links you provide actually prove this point rather than the one you’re trying to make. First, you need to ignore the articles based on the press releases from companies likes McAfee who are trying to sell you a security solution for your devices.
The rest of the links all seem to be based on the same study (or are at least using numbers that are very, very similar to each other). And those numbers make Android look like the exact opposite of a shithole. From the darkreading.com article, for instance:
That’s 0.65%. Otherwise known as almost nothing. This compares rather well to the infection rate for Windows 7 (2.5%), OSX (2.7%), and iOS (0.5%).
Re: Re: Re:4 It's security theater
Those numbers are all MASSIVE underestimates — by, at minimum, an order of magnitude. This is old news to all of us who actually work in the security field: heck, Vint Cerf talked about this 7 years ago:
http://arstechnica.com/news.ars/post/20070125-8707.html
At that time, he estimated that one-quarter of all (Internet-connected) computers were part of a botnet. I thought that was a bit high (the estimate that I came with in cooperation with various colleagues was more like one-fifth to one-sixth) but plausible. Today? It’s a minimum. At least one quarter of all Internet-connected computers are part of a botnet.
This isn’t an exaggeration or an extrapolation. It’s common knowledge among all practicioners in the field.
And it’s not the worse news. The worse news is that there are many more systems which are also compromised, but for one reason or another, aren’t part of a botnet at the moment. In other words, the system infection rate necessarily exceeds the botnet participation rate.
Given that some detectors have noted more than 200,000 new such systems in a single day this isn’t surprising. In fact, it’s consistent with everything else that we’ve observed over the past decade, since the release of malware like SoBig and the earliest attempts at botnet construction and operation.
Mobile devices running IOS and Android are not exempt from this, doubly so given that the “system administrators” of these devices are end users, and end users are stupid, lazy, ignorant, and careless. Of course they’re compromised in enormous numbers, what would you expect to happen when you hand extremely powerful computing devices to people with zero security clue and then ask them to administer those devices, including downloading and installing applications?
Try running passive OS fingerprinting in conjunction with the logging on your perimeter firewalls. I do. And even though the topological locations where I’m doing this are not particularly important or busy, I’m seeing a couple million unique systems a day exhibiting bot activity. Laptops, tablets, servers, phones, desktops, it doesn’t matter: the entire Windows/MacOS/IOS/Android ecosystem is a disaster and even some of the Linux environment is now deteriorating. Really the only things I don’t see very often are Unix-based, either commercial offerings like Solaris or any of the BSD family.
Re: Re: Re:5 It's security theater
“This isn’t an exaggeration or an extrapolation. It’s common knowledge among all practicioners in the field.”
This is 100% exaggeration. And I do work in the field, so your assertion of consensus is demonstrably incorrect as well.
Are the industry-accepted numbers that I cited too low? It’s possible, but almost certainly not by an order of magnitude. Nonetheless, even if they are that far off it doesn’t debunk my point (any measurement error will be roughly the same for all platforms, making relative comparisons valid):that Android is a “cesspool” on part with iOS and a much cleaner one than OSx or Windows.
Re: It's security theater
Just as a note for #1, the passcode check there is pre-boot so it can’t be keylogged since no apps are running yet (they’re still encrypted after all). As for #4, I don’t know about iOS but Android’s device encryption is open source.
Re: It's security theater
As for item 4 – yes, the source code for Android’s encryption is published and open-source, as part of AOSP, and has been so for a long time.
They even have a detailed description of how it works: https://source.android.com/devices/tech/encryption/android_crypto_implementation.html
As can be seen there, the encryption actually comes from the Linux kernel, and is the same kind of encryption you get when you tell a Linux distribution installer to do full-disk encryption.
Re: Re: It's security theater
The good news is that it’s dm_crypt. The bad news is that they apparently are still using CBC, which — unless I’m mistaken — is susceptible to known-content attacks. But I’ll grant that this is at least forward progress in the area of the device’s security.
All theater.
What else did you expect I would say ? What else were you going to say about all this ?
Get it in your head: no hardware is secure. The more you implement security the more they will suspect you, and your passcodes, secrets will still be cracked.
The only solution is to educate young people on how the government should work and teach them how to take up arms against oppressors. There is no other way out.
Re: All theater.
Get it in your head: nothing is secure.
ftfy
Re: All theater.
How does the “taking up arms” thing work then?
Are you advocating that children should be educated (read indoctrined) to fight a cause that you are not willing to fight yourself?
Re: Re: All theater.
education = indoctrination?
Re: Re: Re: All theater.
In the context of the statement, sure.
Re: All theater.
“no hardware is secure”
As a blanket statement, of course not. Nor is any software secure, nor is anything that exists in the world secure.
But security isn’t a back and white kindof thing. All security is a matter of degree — you can’t stop anyone who is both determined enough and has access to enough resources from subverting your security. The goal of security is to make accessing whatever has been secured expensive and difficult enough to accomplish one of two things: make breaking the security more costly than it’s worth, or to increase the amount of time it takes to break security.
“The only solution is to educate young people on how the government should work and teach them how to take up arms against oppressors. “
Which isn’t a complete solution at all. It assumes that the only bad actor is the government, for one thing, which isn’t the case at all. For another thing, once arms have been taken up against the government, all security is pretty much out the window.
XKCD.org
http://www.xkcd.org/504/
http://www.xkcd.org/538/
It’s a step in the right direction, but please remember that encryption software is only secure as the hardware it’s running on top of.
Re Cloud
The last couple of weeks has established that all the data on the device is backed up to the Cloud. Law enforcement no longer needs to access the device; they can get it all from Apple, possibly from a web page download.
That seems to me to make accessing the device completely unnecessary. Even better from LEO perspective, having the physical device itself–and making the owner suspicious–isn’t needed either. Perfect for warrantless secret investigations.
It seems to me that all the hoopla is just and only smoke.
Re: Re Cloud
It used to be possible to use the iPhone without it accessing cloud services at all (outside of iTunes for software). Is this no longer the case?
Re: Re: Re Cloud
See:
http://support.apple.com/kb/HT5262
for example. It’s quite clear that Apple is well on its way to forcing use of the cloud on its users. Of course they are: it’s profitable and they now have a sufficiently large base of locked-in users to make it work.
Re: Re: Re: Re Cloud
That page specifically details how you can do backups without using the cloud.
Re: Re: Re:2 Re Cloud
Yes, I know. I read it. Quite thoroughly.
The most important things on that page aren’t the technical minutiae discussing backup methods. The most important things are the wording choices, which are most certainly not accidental.
I can see the writing on the wall. Can you?
Re: Re: Re:3 Re Cloud
It sounds like you’re interpreting the page to say something, but you aren’t explaining your interpretation. You might do better to actually say what you mean.
“I can see the writing on the wall. Can you?”
Not on that page, no. You’ll have to actually explain. In general, yes, it was obvious from the introduction of the very first iDevice (and it was strongly hinted at from the introduction of the first Macintosh). Which is precisely why I don’t own any Apple products.
Re: Re: Re:4 Re Cloud
Here’s what I see (via that page as well as Apple’s other pronouncements):
Apple is trying to do what Microsoft and IBM and other vendors who’ve achieved significant market share have done: force lock-in to their product family. That includes not just all the i-devices but their cloud service: Apple wants total control of every user’s bytes from cradle to grave.
It starts as an option or a suggestion of course, but then it becomes a recommendation or best practice, and then it becomes mandatory. All the while, it’s painted as “good for consumers” and “secure” and “private” while of course it’s anything but. The cloud is not only insecure, but insecurable by its very nature and yet Apple is nudging, cajoling and occasionally forcing its customers in that direction.
Device security is worthless if all the content (and/or metadata about the content) is available in the cloud.
I recommend reading both http://www.zdziarski.com/blog/?p=3875 and http://www.metzdowd.com/pipermail/cryptography/2014-September/022919.html for further perspective.
Re: Re: Re:5 Re Cloud
I don’t disagree with any of that, but it’s all irrelevant to the question I asked: do you have to use the cloud with iPhones? From the page you linked to, the answer is clearly “no”, at least for backups.
Encryption Updates
Let’s hope they hold their promises and that these updates are actually worth their salt!
I think the privacy of these company’s users will become even more of a priority in the future with hackers becoming even more clever with their methods.
Competition sure is a good thing for us consumers with these companies trying to beat each other to protect us better!