Insights For Success

Strategy, Innovation, Leadership and Security

Apple

What is brew and why you need it on your macOS device

General | Edward Kiledjian

Brew is a package manager for macOS. It simplifies the installation and updating of macOS applications.

Brew allows you to install your favourite apps with a few clicks. In addition, Brew makes it easy to manage your app dependencies. Brew automatically resolves and installs any dependencies that an application may have when it is installed.

It is thus easy to keep your applications up-to-date and to ensure that you have all necessary dependencies installed. Brew is also an excellent means of discovering new macOS applications. Browse through a list of popular apps and install them with just a few clicks using Brew. This makes it easy to discover new applications that you might not have known about otherwise.

How to install & use the Brew package manager

1) The brew package manager is hosted at brew.sh. You can install brew by running the following command in your terminal:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

2) Once brew has been installed, you can use it to install your preferred macOS applications. To install an app with brew, simply type:

brew install <app-name>

(replace <app-name> with the name of the package you want)

3) Brew will automatically resolve and install any dependencies the application may have. Therefore, it is easier to keep your applications up to date and ensure that all of the necessary dependencies are installed.

4) You can also update your macOS applications using brew. To update an application, type:

brew upgrade <app-name>

Running brew upgrade with no name upgrades every outdated package at once.
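As an added example, not code from the original post or from the Homebrew project, here is a small POSIX shell script that follows the same install and upgrade steps with one defensive change: the installer is downloaded to a file and checked against a SHA-256 digest you have pinned after reading it, instead of being piped straight from curl into bash. EXPECTED_SHA256 is a placeholder you fill in yourself, and RUN_BREW_INSTALL is this example's own switch, not a Homebrew option.

```shell
#!/bin/sh
# Added example, not from the original post or the Homebrew project. It follows
# the post's install and upgrade steps but downloads the installer to a file and
# checks it against a pinned SHA-256 before running it, instead of piping curl
# straight into bash. EXPECTED_SHA256 is a placeholder you fill in after reading
# the script yourself; RUN_BREW_INSTALL is this example's own switch, not a
# Homebrew option.

INSTALL_URL="https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh"
EXPECTED_SHA256="<sha256-of-the-install.sh-you-reviewed>"   # placeholder, not a real digest

# Print the SHA-256 of a file; works with Linux coreutils (sha256sum) and macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 when the file's digest equals the expected digest, 1 otherwise.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Download the installer to a temporary file, verify it, and only then run it.
install_brew_pinned() {
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$INSTALL_URL" -o "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  if ! verify_sha256 "$tmp" "$EXPECTED_SHA256"; then
    echo "install.sh digest does not match the pinned value; not running it" >&2
    rm -f "$tmp"
    return 1
  fi
  /bin/bash "$tmp"
  status=$?
  rm -f "$tmp"
  return "$status"
}

# Refresh the formula index and upgrade every outdated package (the post's step 4);
# `brew upgrade <formula>` would upgrade just one.
upgrade_all() {
  brew update && brew upgrade
}

# Only touch the network or the system when explicitly asked:
#   RUN_BREW_INSTALL=1 sh brew_pinned_install.sh
if [ "${RUN_BREW_INSTALL:-0}" = "1" ]; then
  install_brew_pinned && upgrade_all
fi
```

The digest check only helps if the pinned value comes from a copy of install.sh you actually read; a mismatch later tells you the upstream script changed and deserves another look before it gets root-adjacent access to your machine.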

Your smartphone security guide (iPhone and Android)

General | Edward Kiledjian

There are companies out there that will pay top dollar for working full-chain smartphone vulnerabilities that lead to a complete compromise (check out Zerodium as an example). A full zero-click compromise of a patched Android phone can net you a cool $2.5M (Wired).

Considering how we use smartphones and the information they contain (or can leak), these aren’t just simple electronic tools. Smartphones can be considered a bionic extension of your mind—anyone who can access your phone gains unprecedented access to your mind, life and psyche.

You may doubt the validity of the above statement, but think about it. Your smartphone knows where you are and where you have been. It knows who your friends and colleagues are. It knows whom you interact with. It has access to all your emails and other messaging. It has a camera that can be remotely triggered and a microphone to listen in on any of your private conversations (when was the last time you were more than 6 ft from your smartphone?).

Who is this article for?

The more secure you make something, the less usable it becomes. Security professionals have to tailor their security recommendations based on the risk profile of their customers.

For this article, I am assuming you are a “normal” general computing user that is not subject to elevated risks or custom attacks (aka you aren’t in the intelligence field, a journalist in a less favourable geography, a politician, etc.)

Why is this important? An average user will be targeted by unsophisticated actors (ex-partners, lovers, former angry friends, coworkers, or script kiddies) or moderately sophisticated actors (scammers, general hackers, etc.).

An average user is not important enough to merit an attack by state-sponsored actors or organized crime. These advanced actors have more developed capabilities that would require a customized security program built by an experienced security professional.

What are we trying to accomplish?

Whether I am building a multimillion-dollar security program for a large cloud service provider or helping you secure your own smartphone, the goal is always the same.

Absolute security does not exist regardless of how careful you are or how much you spend.

The goal of a solid security program is to be "good enough" to tire your attacker and encourage them to move on to their next victim. Even with the most expensive door lock, a thief can use a battering ram to break down your front door, but they probably won't. You buy a lock that is sufficiently strong to resist being kicked in. A good security program is the same.


Let’s begin.

Encrypt your device

If you are running an iPhone with iOS 12 or later, it comes encrypted out of the box. If you are running an older version, check out these instructions. Most modern Android devices from reputable manufacturers come encrypted as well. If you are running a phone from a lesser-known manufacturer, a phone that comes from a market where encryption is illegal, or an older phone, check out these instructions to encrypt it.

Password or Pin

Since iOS 9, Apple has made a six-digit PIN the default (although you can still force it back to a four-digit PIN). Remember that once an attacker finds your PIN code, they are in, and no additional tools are protecting you.


The goal is to make your adversary's life as difficult as possible. A four-digit PIN means your attacker will have to try 10,000 possible combinations. That may seem like a lot to you, but remember, they have tools to automate this process. Simply moving to a six-digit PIN means there are 1,000,000 possible combinations.

If you choose a passphrase instead, you make things harder for yourself, but you also make it far harder for an attacker to crack.

Fun fact: approximately 25% of all smartphones can be unlocked with one of these PIN codes:

  • 1234

  • 1111

  • 0000

  • 1212

  • 7777

  • 1004

  • 2000

  • 4444

  • 2222

  • 6969

  • 9999

  • 3333

  • 5555

  • 6666

  • 1122

  • 1313

  • 8888

  • 4321

  • 2001

  • 1010


Most phones also support a feature that wipes all the data from your phone after a certain number of wrong attempts have been made. This eliminates the threat of automated attacks.
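To turn the advice above into something checkable, here is an added example (not code from the original post) of a small POSIX shell PIN policy check of the kind a defender might give users or bake into a device-enrolment script. The weak-PIN list is the one given in the post; pin_keyspace generalises the post's 10,000 (four digits) and 1,000,000 (six digits) figures to any length; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a PIN policy check of the kind a
# defender might use when advising users. The weak-PIN list is the one given in
# the post; pin_keyspace generalises the post's 10,000 (4 digits) and 1,000,000
# (6 digits) figures to any length. Function names are this example's own.

# The twenty PINs the post says unlock roughly a quarter of phones.
WEAK_PINS="1234 1111 0000 1212 7777 1004 2000 4444 2222 6969 9999 3333 5555 6666 1122 1313 8888 4321 2001 1010"

# Return 0 (true) when the PIN is on the known-weak list.
is_listed_weak() {
  case " $WEAK_PINS " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# Return 0 when every digit is the same (2222) or the digits step up or down
# by one (1234, 4321): patterns that are easy to guess even when not on the list.
is_pattern() {
  pin=$1
  len=${#pin}
  first=$(printf '%s' "$pin" | cut -c1)
  same=1; asc=1; desc=1
  i=1
  while [ "$i" -lt "$len" ]; do
    a=$(printf '%s' "$pin" | cut -c"$i")
    b=$(printf '%s' "$pin" | cut -c"$((i + 1))")
    [ "$b" -ne "$first" ] && same=0
    [ "$b" -ne "$((a + 1))" ] && asc=0
    [ "$b" -ne "$((a - 1))" ] && desc=0
    i=$((i + 1))
  done
  [ "$same" -eq 1 ] || [ "$asc" -eq 1 ] || [ "$desc" -eq 1 ]
}

# Number of possible numeric PINs of n digits (10^n): 10000 for 4, 1000000 for 6.
pin_keyspace() {
  n=$1
  size=1
  while [ "$n" -gt 0 ]; do
    size=$((size * 10))
    n=$((n - 1))
  done
  echo "$size"
}

# Classify a candidate PIN. Prints one of: invalid, weak, pattern, short, ok.
# Returns 0 only for "ok", so it can be used directly in an if statement.
check_pin() {
  case $1 in
    *[!0-9]*|"") echo "invalid"; return 1 ;;
  esac
  if is_listed_weak "$1"; then echo "weak"; return 1; fi
  if is_pattern "$1"; then echo "pattern"; return 1; fi
  if [ "${#1}" -lt 6 ]; then echo "short"; return 1; fi
  echo "ok"
}

# Usage when run directly:  sh pin_check.sh 123456
if [ "$#" -gt 0 ]; then
  check_pin "$1"
  echo "search space for a ${#1}-digit PIN: $(pin_keyspace "${#1}")"
fi
```

The "short" rule enforces the six-digit minimum the post recommends, and the pattern rule catches the cousins of the listed PINs (3456, 000000) that a fixed list misses; the wipe-after-N-attempts setting mentioned above is what makes the keyspace number matter, since it caps an attacker at N guesses rather than the full 10^n.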

Remotely wipe your phone

If you feel someone else may be in possession of your phone, and it is connected to the internet, you may be able to remotely wipe the data.

On Android it is normally called Find My Device.


On iPhone it is called Find My iPhone.


You can log into the manufacturer portal to find your device or wipe it if necessary.

Sample iCloud Find my phone interface with the Erase button


Find my device links

  • Android : https://support.google.com/accounts/answer/6160491?hl=en

  • iOS : https://support.apple.com/explore/find-my

Two Factor Authentication

Remember that your phone is an extension of your online Google or Apple ID. It is very important that you protect these from unauthorized access. You should be using a long, complex, non-dictionary passphrase to log in. You should also enable two-factor authentication to add another layer of protection to your account in case your password is compromised.

The easiest option is to use time-based one-time password (TOTP) codes.

On Apple devices, you will use your smartphone (or any other Apple device connected to your account). The Apple instructions are here.

Google users can use a software TOTP system with any one of the free TOTP clients available. The clients I recommend are:

or some password managers (e.g. 1Password) also offer this as a function. The most secure option is to use a hardware token (e.g. Yubikey) but this is slightly more demanding and I won’t be covering it here.

Update and uninstall

Most attacks are against old vulnerabilities that remain unpatched. If you have a phone from a manufacturer that does not regularly deliver (monthly) security updates, or the updates for your phone have stopped, then it is time to buy something else.

You must update your phone's operating system and all the apps on it regularly. Doing this will reduce your attack surface (i.e. make an attacker's life more difficult).

Remember that applications may have undiscovered or unpublished vulnerabilities. In addition to updating them through the Apple App Store or Google Play, you should uninstall any applications you do not regularly use. Many of these apps are spying on you anyway, and they could be the weak gateway through which an attacker gains access to your phone.

Where possible, use the web version of services. As an example, instead of using a Twitter app (on most of my devices), I use the PWA website at mobile.twitter.com. This gives me full functionality without needing an app (that can track me or compromise my device).

Only install apps from official app stores (Apple App Store or Google Play). Apps in these stores are cryptographically signed to prevent impersonation by attackers. If you are a little more adventurous (on Android), you can also check out the F-Droid alternative app store.

Reboot often

We have seen many attacks in the last 3 years that are not persistent. This means they go away after you reboot your device. This is why it is a good idea to regularly reboot your device. I typically try to reboot it every 8 hours or so (while I am awake).

Turn off your phone

A phone that is off can’t be attacked.

An unsophisticated attacker will not be able to compromise your phone’s baseband chip and turn on your phone.

It is a good idea to turn off your phone when you can (at night or when you will be away from it for a while). Plus, turning it off while charging will often allow your phone to charge a bit faster.

Install a firewall

You may not know it but if you use a Windows or macOS device, there is a manufacturer-provided firewall on your device. Unfortunately, smartphones do not come bundled with them but they are extremely useful.

It seems every week we read about another couple hundred apps (on iOS and Android) that made it into the app store but turned out to be malicious. A firewall lets you define which apps are permitted to use Wi-Fi and/or LTE.

The best firewall for Android is Netguard and the best one for iOS is called Lockdown.

These apps can work in 2 modes:

  • blacklist mode, where you choose which apps are not allowed to communicate

  • whitelist mode, where no app can communicate unless you specifically allow it

Obviously whitelist mode is the most secure, but it may require a little bit of tweaking when an app just doesn't work right.

Due to recent societal changes, expect the authors of these apps to change the above terms shortly. Blacklist will be changed to blocklist and whitelist will be changed to allow list.

Disable WIFI and Bluetooth

Anytime you are out of a trusted location (home or work), turn off WIFI and Bluetooth. Also make sure that any feature that would automatically turn them back on is disabled (e.g. Automatically connect to public networks).

Attackers can set up a malicious network and easily trick your device into connecting to it. This is trivial but not part of this discussion so I won’t explain how to do it here.

Many public venues (e.g. malls) use your phone's Bluetooth beaconing to track you as you walk around. This works without any intervention from you. When you don't need Bluetooth, turn it off.

Remember that public WIFI is evil. Any WIFI that you don’t control can be used to steal your information. If you have to connect to untrusted WIFI, use a VPN. Please use a good VPN and know that good VPNs are never free or extremely cheap. You get what you pay for.

Many will recommend TOR but it is slow and most users would find the experience painful. So I stopped recommending TOR for most users.

Browsers

Browsers are dangerous. Dangerous. Dangerous. They run code delivered to your device from another computer which means it could be a wonderful way for someone to compromise your device remotely.

If you don't believe me, read this article: China hacked iPhones and Android devices to target Uyghur Muslims.

For iPhone users, I recommend sticking with the built-in Safari. Apple has done a relatively good job with it and it should be secure enough.

On Android, my browser of choice is Bromite. Bromite has native support for the uBlock Origin ad-blocking engine (the best, in my opinion). It supports DNS over HTTPS to encrypt your DNS queries. It is always in incognito mode, and it offers many more security-friendly features. Remember to turn on HTTPS Everywhere in it and disable JavaScript.

Is iOS more secure than Android?

To close out this article, I will quickly touch on the question I receive the most often.

For this discussion, we have to separate privacy and security. This article was written to improve your security not your privacy. They do not usually go hand in hand.

For a general user looking for a no-worry, relatively secure platform, iOS is probably the way to go.

For a general user that doesn't mind a little work and wants good security, Android is the way to go. It offers more customization options to make your device more secure.

For a more security-conscious geek, then I recommend going to GrapheneOS. GrapheneOS will require some work (you have to install it) and will make you uncomfortable (does not come with any Google services or the Google Play store) but it is the most secure consumer option right now.

OnePlus policy that makes it a better buy than Samsung, HTC or LG

General | Edward Kiledjian

As a security technologist, the security philosophy of the OEM is a crucial determinant of my decision to buy or recommend a device. This is where Apple shines with its iPhone update strategy. Every single iPhone receives updates (security and version) at the same time.

This is why I highly recommend Google's Pixel devices. The Pixel line offers the same regular and speedy update schedule. The other Android manufacturer that has shown it cares about upgrades is OnePlus. Until this week, it did a great job delivering updates quickly, but it didn't formally commit to a software upgrade schedule. 

All of that changed this week when OnePlus unveiled its new operating system (Android) maintenance schedule. It has copied the Google Pixel model and will deliver major upgrades for two years and security updates for three years.

As per the maintenance schedule, there will be 2 years of regular software updates from the release date of the phone (release dates of T variants would be considered), including new features, Android versions, Android security patches and bug fixes and an additional year of Android security patch updates every 2 months.
— OnePlus OS Maintenance Schedule

Conclusion

OnePlus has always offered solid well-designed devices at competitive prices. This new software maintenance schedule commitment makes their offering that much more compelling. 

I can no longer recommend devices from manufacturers that do not regularly deliver security and version upgrades. This is why I only recommend Android devices from Google, Blackberry Mobile and OnePlus. 

My history with mobile gadgets

General | Edward Kiledjian

I've been involved in technology for a long time and bought my first real personal digital assistant (PDA) in 1997. It was an Apple Computers MessagePad (Newton) 130, and it was a thing of beauty. It had handwriting recognition, an external keyboard attachment and fueled my geek dreams about what wondrous technologies the future would bring.

Along the way, I owned hundreds of devices including Palm pilots, Treos, Handspring devices, Nokias and almost every other portable gadget in between.

As you can imagine, I also bought the first iPhone and almost every one since (in the last ten years). Every time I watched an Apple keynote, I was like a kid in a candy store. I stared at the presentation anxiously waiting to see what amazing new technologies Apple would bring into my life. Apple didn't invent most of that tech, but it usually made it usable and practical.

Then Steve passed away, and many were worried whether Apple had lost its mojo. Fans defended the Cupertino giant, but we started to see some cracks forming in its otherwise perfect and shining armor. Tech reviewers who would never have dared to challenge the superiority of the big Apple began to ask difficult questions.

For the past five years, I have been carrying both Android and iOS smartphones, but the iPhone has always been my primary daily driver. In September 2017, it was time for me to upgrade my "primary driver" from an iPhone 6s Plus and an iPhone 7 (yes, I have both). I watched the keynote and was dumbfounded by the iPhone X. It was a beautiful piece of kit, but it had a screen smaller than the Plus models and a price tag of $1500 CAD. The camera wasn't materially better than the one in the iPhone 8 Plus. The only new "things" it brought to the table were the FaceID sensor, an OLED screen, and smaller bezels.

Apple technology innovation

Surely I had missed something. A ~$400 price increase had to bring something new and revolutionary? But it didn't. Having been a gadget geek for the last 25+ years, I knew perfectly well that previous devices contained technology Apple commercialized many years later:

  • wireless charging (HTC Droid DNA in 2012 - Apple in 2017)
  • dual rear cameras (HTC One M8 in April 2014 - Apple 2016)
  • OLED screen (Nokia N85 in October 2008 - Apple in 2017)
  • Fingerprint scanner (Motorola ATRIX 4G in March 2011 - Apple 2013)

Apple made many of these technologies better, but by the time it included them, Android devices at half the price of an iPhone already had them built in.

Apple has been a significant force pushing smartphone manufacturers to make safer, more secure devices and operating systems. This has been a clear win for consumers. Good healthy competition is good for the marketplace.

Is the iPhone more secure than an Android device?

Technologically, yes. Apple's iOS is designed with strict application controls to protect user information. Its hardware (e.g. the Secure Enclave) is a thing of beauty and incredibly well designed to protect your biometric and financial information.

In the real world, for the average consumer that is not being targeted by skilled blackhat hackers or nation-state threat actors, both can be made equally safe with minimal handling precautions.

Not in my walled garden

A couple of months ago, Apple made headlines when it blocked all VPN apps from its China app store. This decision was made to comply with local laws, and Apple had no choice. The problem arises when you realize that Apple doesn't have a mechanism for users to sideload apps onto its devices.

Sideloading apps is a risk because it could be an attack vector, but shouldn't the user be able to accept the risk and perform their desired action on an $800-1000 device?

This had a chilling effect on some activists in China, but the same model of application category control could be applied to anything else in any other country (e.g., a country can outlaw social media or dating apps, etc.).

Time to switch?

Apple's latest financial results show that the company is doing smashingly well. They are selling record numbers of mobile devices, and their cash hoard is only getting larger. Any talk about its demise is greatly exaggerated.

There is, however, a growing number of users, who were once ardent fans gobbling up all Apple-branded tech as fast as the company could release it, that are now looking at alternatives. I am amongst this group. My decision to switch isn't based on the cost of the device, but on the more advanced artificial intelligence features like the built-in assistant.


Android Auto versus Apple CarPlay

My latest car can support both platforms, but anyone that has used Apple Maps will tell you, it sucks. I can't tell you how many times it has navigated me into a major traffic jam or has taken me 20 minutes in the wrong direction. Apple doesn't like competition and would rather offer a sub-par experience to its users and maintain control.

On Android Auto, I can use other mapping apps, but on the iPhone, you can only use Apple Maps.

On Android Auto, you can choose which music app is your default and voice control it. On Apple, you can only voice control Apple Music.

And this is an example of the user-hostile behavior exhibited by Apple. Not only does it block competition, forcing you into inferior apps, but it isn't even improving the core interaction mechanisms of CarPlay: the visual interface and Siri.

SIRI the terrible


Most iPhone users from teenagers to CEOs use Siri a couple of times at first, then give up. I had hoped that Apple would update Siri's capabilities with IOS 11 (particularly with the expected December release of the Siri powered home speaker system, the HomePod). Surely Apple would impress us with massive gains in understanding and capabilities. Nope. Nothing.

While the Amazon Echo and Google Assistant improve every month, Apple hasn't developed Siri in years. It feels like Amazon and Google are working in internet time while Apple is working ... To be honest, I don't even think they are working on Siri. I say that facetiously. I know they are working on Siri, but until users benefit from that work, it is useless.

The big data problem

I work in security and understand that absolute security is the enemy of usability. An absolutely secure system is not usable.
In the enterprise space, we are continually struggling to find the right balance between security and usability.

It feels Apple has taken a more security-focused approach and is willing to sacrifice modern functionality.

Any modern deep learning expert (i.e. in the neural networks that power smart assistants) will tell you that the key to success is having vast amounts of ingestible data. Apple doesn't have this type of data because it privileges user privacy, whereas Google and Amazon do. Where Apple's image search can show you a dog, Google's can find the chihuahua on a beach eating a hotdog.

Siri is a parlour trick you get tired of after a day or two. Google Assistant will become a real time saver and thus will become something you will likely come back to over and over.

The latest and greatest thinking in machine learning from Geoffrey Hinton may eventually be beneficial for Apple. It is called Capsule Theory and is a new way of developing machine learning models that require much less data, but this is still early-stage research.

Conclusion

As I search for my next daily driver, I am testing a handful of new Android smartphones that I will review shortly on my blog. First-up will be a review of the Samsung Note 8. I won't be discussing the specifications but looking at it from the viewpoint of an iPhone user considering the switch.

I am hoping to also get my hands on a Mate 10 Pro, Pixel 2 XL and the OnePlus 5T.

Is the $499 Essential phone worth it?

General | Edward Kiledjian

No other Android smartphone in 2017 has been as polarizing as the Essential phone. Created by the father of Android, many of us (tech reviewers) wanted a no-compromise phone we could love. A device that would be a trailblazer showing other manufacturers what is possible and ushering in a new era of innovation through competition.

Instead the Essential phone is a device I want to love but can't. 

Essential recently dropped its Canadian and US price and many readers wanted to know if I could recommend this phone at the new price. Keep reading to find out.

It feels rushed

So Andy Rubin teased the Essential phone in March and created a ton of excitement.

Reviewers went wild because it was the first phone with an edge-to-edge display. Since then, we have been bombarded with a bunch of beautiful, well-designed smartphones with edge-to-edge displays (like the Samsung Note 8, Samsung Galaxy S8+, iPhone X, etc.).

When I use the phone and compare it to its cousins, I have the feeling the phone was rushed. Since September, Essential has had to release 4 updates to make the device usable and it still has a lot of room for improvement.

One major complaint that seems to affect all users is the camera quality. Even with the hardware Essential used, most of us expected the device to take much better pictures. Then a port of the Google Pixel Camera app was released by an unknown developer, and tests (see article here) show that through software alone, image quality can be greatly improved. This is the perfect example of issues created because Essential didn't take the time to release adequate software to make its device shine.

If you take too many sequential burst pictures, the native Essential Camera app crashes and won't work until you restart the phone. 

The good

The Essential phone looks and feels amazing. It has a beautiful edge-to-edge screen that is bright. The device is slightly heavier than competing products and really feels well built. It is (to me at least) the best-looking Android phone you can buy today.

It comes with USB C.

It has a camera that doesn't have a hump so the entire back of the device is flat and won't wobble when placed on a table.

It has a fantastic fingerprint reader that is well placed and works very quickly every time. 

It is running a stock version of Android (comparable to the Google Pixel line). This clean version of Android means the phone is extremely fast and responsive. Apps start quickly (often faster than on a Samsung Galaxy S8+ or Note 8). 

Essential has committed to 3 years of security patches and 2 years of major OS updates, which is a huge win. Even companies like Lenovo Motorola, Samsung and OnePlus don't commit to software updates like this. I think this is a huge plus for Essential and I wish other companies would follow its lead.

The bad

The camera is one of the main reasons people buy smartphones and the Essential camera is just "ok". I won't bore you with samples because every reviewer has posted dozens but trust me, the camera will leave you wanting.

As mentioned above, the illicit port of the Google Pixel Camera app does make a significant improvement to the picture quality but it still isn't in the same league as the Samsung Galaxy S8 (which you can now buy around the same price) or the OnePlus 5 (which is out of stock as we wait for its replacement the OnePlus 5T).

It doesn't have any type of water or dust protection.

It doesn't support wireless charging.

You can't buy a second Essential branded was charger yet and the only add-on they released is their $150 360 camera which itself produces "ok" quality pictures and videos.

The speakers on the Essential phone get fairly loud but the audio quality is sub-par. 

Conclusion

The Essential phone was the phone I was hoping to love and was hoping it would become my daily driver (replacing my iPhone). 

So to answer the original question, even at this price, I can't recommend the phone for most users. If Essential released an Android 8 upgrade (we know they are testing it internally) and that version included a massively reworked camera app, and they released the charging pad, then my recommendation would likely change.