There are companies out there that will pay top dollar for working full chain smartphone vulnerabilities that will lead to a complete compromise (check out Zerodium as an example ). A full zero-click compromise for a patched android phone can net you a cool 2.5M$ (Wired).

Considering how we use smartphones and the information they contain (or can leak), these aren’t just simple electronic tools. Smartphones can be considered a bionic extension of your mind—anyone who can access your phone gains unprecedented access to your mind, life and psyche.

You may doubt the validity of the above statement, but think about it. Your smartphone knows where you are and where you have been. It knows who your friends and colleagues are. It knows whom you interact with. It has access to all your emails and other messaging. It has a camera that can be remotely triggered and a microphone to listen in on any of your private conversations (when was the last time you were more than 6 ft from your smartphone?).

Who is this article for?

The more secure you make something, the less usable it becomes. Security professionals have to tailor their security recommendations based on the risk profile of their customers.

For this article, I am assuming you are a “normal” general computing user that is not subject to elevated risks or custom attacks (aka you aren’t in the intelligence field, a journalist in a less favourable geography, a politician, etc.)

Why is this important? An average user will be targeted by unsophisticated actors (ex-partners, lovers, former angry friends, coworkers, or script kiddies) or medium sophisticated actors (scammers, general hackers, etc.)

An average user is not important enough to merit an attack by state-sponsored actors or organized crime. These advanced actors have more developed capabilities that would require a customized security program built by an experienced security professional.

What are we trying to accomplish?

Whether I am building a multimillion-dollar security program for a large cloud service provider or helping you secure your own smartphone, the goal is always the same.

Absolute security does not exist regardless of how careful you are or how much you spend.

The goal of a solid security program is to be "good enough" to tire your attacker and encourage them to move onto their next victim. Even with the most expensive door lock, a thief can use a battering ram to break down your front door, but they probably won't. You buy a lock that is sufficiently strong to resist breaking with kicks. A good security program is the same.

Let’s begin.

Encrypt your device

If you are running an iPhone with IOS 12 or later, it comes automatically encrypted out of the box. IF you are running an older version, check out these instructions. Most modern Android devices from reputable manufacturers come encrypted as well. If you are running a phone from a lesser-known manufacturer, a phone that comes from a market where encryption is illegal or it is older, check out these instructions to encrypt your phone.

Password or Pin

Since IOS 9, Apple has made a six-digit pin mandatory (although you can still force it back to a four-digit pin). Remember that once an attacker finds your pin code, they are in, and no additional tools are protecting you.

The goal is to make your adversary’s life as difficult as possible. A 4 digit pin means your attacker will have to try 10,000 possible combinations. It may seem significant to you, but remember, they have tools to automate this process. Simply moving to a six-digit mixed password means there are 1,000,000 possible combinations.

If you choose to implement a passphrase instead, you make it more difficult for you but you also make it more difficult for an attacker to crack.

Fun fact, approximately 25% of all smartphones can be cracked by using one of these pin codes:

1234
1111
0000
1212
7777
1004
2000
4444
2222
6969
9999
3333
5555
6666
1122
1313
8888
4321
2001
1010

Most phones also support a feature that wipes all the data from your phone after a certain number of wrong attempts have been made. This eliminates the threat of automated attacks.

Remotely wipe your phone

. If you feel someone else may be in possession of your phone, and it is connected to the internet, you may be able to remotely wipe the data.

On Android it is normally called Find My Device

On iPhone it is called Find My iPhone.

You can log into the manufacturer portal to find your device or wipe it if necessary.

Sample iCloud Find my phone interface with the Erase button

Find my device links

Android : https://support.google.com/accounts/answer/6160491?hl=en
IOS : https://support.apple.com/explore/find-my

Two Factor Authentication

Remember that your phone is an extension to your online Google or Apple ID. It is very important that you protect these from unauthorized access. You should be using a long, complex, non-dictionary, passphrase to log in. You should also enable two-factor authentication to add another layer of protection to your account in case your password is compromised.

The easiest is to use Time based One Time Authentication codes.

On Apple devices, you will use your smartphone (or any other Apple device connected to your account. The Apple instructions are here.

Google users can use a software TOTP system with any one of the free TOPT clients available. The cleints I recommend are :

or some password managers (e.g. 1Password) also offer this as a function. The most secure option is to use a hardware token (e.g. Yubikey) but this is slightly more demanding and I won’t be covering it here.

Update and uninstall

Most attacks are against old vulnerabilities that remain unpatched. If you have a phone from a manufacturer that does not regularly deliver (monthly) security updates or the updates for your phone have stopped then it is time to buy something else.

You must update your phone operating system and all the apps on it regularly. Doing this will reduce your attack surface (ake make an attackers life more difficult).

Remember that applications may have undiscovered or unpublished vulnerabilities. In addition to updating them using the Apple AppStore or Google Play, you should uninstall any applications you do not regularly use. Many of these apps are stying on your anyway but they could be the weak gateway an attacker gains access to your phone.

Where possible, use the web version of services. As an example, instead of using a Twitter app (on most of my devices), I use the PWA website at mobile.twitter.com. This gives me full functionality without needing an app (that can track me or compromise by device).

Only install apps from official apps stores (Apple AppStore or Google Play). Apps in these stores are cryptographically signed to prevent impersonation by attackers. If you are a little more adventurous (on Android), you can also check out the F-Droid alternative app store.

Reboot often

We have seen many attacks in the last 3 years that are not persistent. This means they go away after you reboot your device. This is why it is a good idea to regularly reboot your device. I typically try to reboot it every 8 hours or so (while I am awake).

Turn off your phone

A phone that is off can’t be attacked.

An unsophisticated attacker will not be able to compromise your phone’s baseband chip and turn on your phone.

It is a good idea to turn off your phone when you can (at night or when you will be away from it from a while). Plus turning it off while charging will often allow your phone to charge a bit faster.

Install a firewall

You may not know it but if you use a Windows or macOS device, there is a manufacturer-provided firewall on your device. Unfortunately, smartphones do not come bundled with them but they are extremely useful.

It seems every week we read about another couple hundred apps (on IOS and Android) that made it to the app store but that were malicious. A firewall will define what apps will be permitted to use WIFI and/or LTE.

The best firewall for Android is Netguard and the best one for IOS is called Lockdown.

These apps can work in 2 modes:

blacklists mode, is where you choose what apps should not be allowed to communicate
whitelist mode, is where no apps can communicate unless you specifically allow them to

Obviously whitelist mode is the most secure but may require a little bit of tweaking when an app just doesn’t work right.

Due to recent societal changes, expect the authors of these apps to change the above terms shortly. Blacklist will be changed to blocklist and whitelist will be changed to allow list.

Disable WIFI and Bluetooth

Anytime you are out of a trusted location (home or work), turn off WIFI and Bluetooth. Also make sure that any feature that would automatically turn them back on is disabled (e.g. Automatically connect to public networks).

Attackers can set up a malicious network and easily trick your device into connecting to it. This is trivial but not part of this discussion so I won’t explain how to do it here.

Many public venues (e.g. malls use your phones Bluetooth beaconing to track you as you walk around. This works without any intervention from you. When you don’t need Bluetooth, turn it off.

Remember that public WIFI is evil. Any WIFI that you don’t control can be used to steal your information. If you have to connect to untrusted WIFI, use a VPN. Please use a good VPN and know that good VPNs are never free or extremely cheap. You get what you pay for.

Many will recommend TOR but it is slow and most users would find the experience painful. So I stopped recommending TOR for most users.

Browsers

Browsers are dangerous. Dangerous. Dangerous. They run code delivered to your device from another computer which means it could be a wonderful way for someone to compromise your device remotely.

If you don’t believe me, read this article China hacked iPhones and Android devices to target Uyghur Muslims.

For iPhone users, I recommend sticking with the built-in Safari. Apple has done a relatively good job with it and it should be secure enough.

On Android, my browser of choice is Bromite . Bromite has native support for the uBlockOrigin adblock engine( the best in my opinion). It supports DNS over HTTPS, to encrypt your DNS queries. It is always in incognito mode and it offers many more wonderful security-friendly features. Remember to turn on HTTPS everywhere in it and disable Javascript.

Is IOS more secure than Android?

To close out this article, I will quickly touch on the question I receive the most often.

For this discussion, we have to separate privacy and security. This article was written to improve your security not your privacy. They do not usually go hand in hand.

For a general user looking for a no worry relatively secure platform then IOS is probably the way to go.

For a general user that doesn’t mind a little work and that wants good security, Android is the way to go. IT offers more customization options to make your device more secure.

For a more security-conscious geek, then I recommend going to GrapheneOS. GrapheneOS will require some work (you have to install it) and will make you uncomfortable (does not come with any Google services or the Google Play store) but it is the most secure consumer option right now.

Microsoft releases a news app powered by AI

December 13, 2018GeneralEdward Kiledjian

Everyone is trying to crack the automated news curation field using AI. First, there was Google News, then Apple News and Now Microsoft Hummingbird. Hummingbird is available in the US, and I was able to find the listing in Canada, but I am not allowed to download it. Reports suggest users in Germany, India are not able to download it either.

APKMirror has the APK available if you want to install it. Click here.

Once you sign in, you choose the categories you are interested in. Unlike Google news (however), you cannot select specific granular elements like sports teams, cities, etc.

This is the first attempt and will require some improvements.

You can download Microsoft Hummingbird from the Google Play store here.

The best way to share your location with friends or family

January 17, 2018GeneralEdward Kiledjian

Let's say you are meeting friends at a large outdoor concert, how do you provide your location? A street address may get them to the entrance gate, then what? What3words has proposed a solution that solves the issue of finding exact locations on a map?

What3words has divided the entire planet into 57 trillion 3mx3m grids and assigned each grid a unique three-word "address".

If I want to meet friends at the entrance of Union Station in Toronto, I can search for "Union Station" in Google maps, and it will take me to the building but not necessarily the front entrance:

Or I can give my friends the What3Words address for the main entrance 3mx3m square which is: tens.listed.surviving

The What3Words address takes them directly to the entrance where I want to meet them. No ambiguity and no confusion.

In most western countries, we have mailing addresses but these aren't always easy to find. The most accurate mechanism has been latitude and longitude (which would look like this 43°38'43.3"N 79°22'51.9"W). Obviously, the three-word descriptor is easier to communicate and remember than the latitude/longitude.

The entire world is mapped using about 40,000 words (it is available in multiple languages including French, Spanish, Arabic and more). Obviously, great care has gone into choosing the words to ensure there is nothing offending and no double meanings. They have assigned more common words to locations in major centers.

What3Words claims their tech is being used in over 170 countries by dozens of organizations from delivery companies (Aramex) to disaster relief coordination in the Philipines by the Red Cross.

The entire mapping can be downloaded for use offline and consumes about 10MB of space. They are partnering with companies to build this tech into third-party apps.

I really think this is a wonderfully unique approach to a problem everyone experiences and I hope more companies start using the What3Words technology. In the meantime, you can download their free Android and IOS app to get started. You can find the What3Words location address or navigate to any What3Words address (using your favorite Nav app installed on your IOS or Android phone (Google Maps, Apple Maps, Waze).

Android App showing the entrance of Union Station

Once you enter a three-word address, you can click on the navigate app and it will send the exact GPS coordinates to the location to any GPS app installed on your device.

Once you enter a three-word adress, you can share the exact location using any messaging app installed on your smartphone (Google Messages, Facebook, Whatsapp, etc).

Google Home forced me to switch to Spotify

December 19, 2017GeneralEdward Kiledjian

Tech titans Google and Amazon chose Christmas 2017 to battle it out for your love and money. These smart speakers are designed to quickly provide access to each company's ecosystem and make your life easier. At least that is the promise.

I am heavily invested in the Google ecosystem and have been for over ten years. In addition to using their free services, I pay for Google Music, storage, have an android phone (so I buy apps), etc.

I signed up for the free Google Apps service in 2007 (predecessor to GSuite) when each domain was given 100 free user accounts. This was a great way to provide essential internet services to my family for my kiledjian.com domain (emails, calendar, etc.)

The Google home

These devices can answer questions about science, history and everything in between. Most buyers use these smart speakers as intelligent modern voice-controlled boomboxes.

I have owned a Google home almost from its original release date and picked up a Google home mini for my bedroom.

In addition to making money from the sale of these devices, companies like Amazon and Google hope to lock users into the ecosystem. Except...

The Google Home and Google's account issues forced me to move from Google Music to Spotify.

The music problem GSuite accounts

With an individual music subscription, I can only stream to a single device at a time. I can't listen to music on my smartphone in the gym while my kids listen to music at home.

I tried to upgrade to a family account, only to be told by a support agent that GSuite accounts are not eligible. So if I wanted to enable on-demand commercial-free music on my multiple devices, I needed to move to Spotify, which I begrudgingly did.

Rant

There have always been irritants when using Gsuite (Google Apps) accounts with some Google services. Until now, all of my issues have been irritants for me, but have not affected Google, which may be why they have never solved this issue.

This is a situation where their complacency has cost them subscription dollars (steady recurring income). I know that only a small minority of Google's millions of users are affected by this issue, but I receive a constant flow of complaints from my readers about it.

This is the issue when dealing with giant faceless internet companies like Google. No matter how annoying some of their actions may be, there is nothing you can do as a customer. Your only option is to pick up and spend your money elsewhere.

Your smartphone security guide (iphone and android)