Insights For Success

Strategy, Innovation, Leadership and Security

Pixel

Android vulnerabilities are more vulnerable than IOS ones

General | Edward Kiledjian

[Image: screenshot of the Zerodium payout table, dated 2021-04-02]

The free market determines pricing based on the intersection of supply and demand. For the longest time, an iOS Full Chain Compromise with Persistence (FCP) demanded a significantly higher payout from vulnerability vendors than an Android one. This was a simple question of economics: Android had more easily exploitable vulnerabilities, so each one was worth less. iOS, on the other hand, was built like Fort Knox. Vulnerabilities were few and far between, and dictatorial regimes and evildoers were willing to write much bigger checks to buy those rarer exploits.

The chart above shows the pricing as of April 2, 2021 and clearly shows that an Android FCP demands a $500,000 bonus over an iOS one. We know demand for these has not dropped, so the only possible explanation is that there are more iOS vulnerabilities on the market than Android ones.

Although Google doesn’t use security to market its smartphone OS, it has a best-in-class security team that is making Android more secure with every release. iOS is improving as well, but not as fast as Android.

Before you start throwing things at me, remember that privacy and security are two very distinct qualities. There is no question that iOS offers a fairly secure computing environment and world-class privacy.

Android, on the other hand, asks you to trade in some privacy in exchange for a super functional assistant, but it has done a fantastic job making its operating system more secure.

Speaking with a security consultant buddy who advises many large companies and special-interest private organizations about operational security, he confirms that the “underground” demand for Android FCP vulnerabilities is skyrocketing. He mentioned that unpatched Android vulnerabilities are becoming harder to find but that the demand is skyrocketing (because so many of his customers’ targets use the lower-cost Android platforms). Zerodium isn’t the only vulnerability broker in the market, but it is the only one that publicly publishes its payout tables.

My contact said Android’s open-source nature is yielding many of these security benefits (e.g. Google regularly upstreams security improvements made by AOSP fork operators like GrapheneOS).

The bottom line is that these operating systems are typically weakened by bad user decisions (configurations, app choices, etc.), but out of the box, Android running on a Pixel device is probably more secure (but less private) than iOS.

The challenge on Android is that many phone vendors do not offer timely upgrades (if ever), which leaves those phones extremely vulnerable. That is why, if you use Android, you should stick with a Pixel device, which comes with guaranteed security upgrades for 3 years and OS upgrades for 2 years.

We know Apple invests heavily in security, so we’ll have to see what security improvements, if any, Apple implements in iOS 15.

How to secure a smartphone

General | Edward Kiledjian

Smartphone hacking is a very lucrative business for “threat actors”. Vulnerability broker Zerodium is now paying as much as $2,500,000.00 for an Android full chain (zero-click) with persistence.

https://zerodium.com/program.html

The increased payouts and interest in smartphone hacking isn’t because they are easy targets but because they are valuable. For most users, the smartphone is like a second brain. It contains personal data and insights like nothing ever has in the past. Access into your smartphone is almost like gaining access into your brain, your thoughts, your beliefs and your habits.

There is a misguided belief in the market that an iPhone is more secure than an Android device. That is not the case. An adequately secured Android can be as (or more) secure than a normally configured iPhone. And Android offers more options to heighten your security where you need it (whereas the iPhone is one size fits all).

As you read through this article, I will try to explain some of the differences.

Who is this tutorial for?

As a security professional, my recommendations are designed around the threat model of the customer I am advising. This article aims to help a general consumer or business user who is trying to mitigate the most common and general types of risk. This means that their typical attacker will be a low-resource individual using conventional attack techniques such as stalkerware, scams, social engineering and easily accessible hacking tools.

This article is not for an individual that is targeted by a nation-state or well-funded criminal organization. This last category requires custom attention that cannot be addressed via an article.

What is the goal of strong security?

Total, complete and unbreakable security does not exist. The goal of this article is to set up enough roadblocks that the type of adversary you are dealing with will likely give up and move on to another target. The best analogy is to think of this in terms of a door lock. A good door lock will keep out common criminals but won’t deter a determined, skilled and well-funded adversary.

Is Security the same as privacy?

Privacy is becoming more and more talked about because of very public breaches (Marriott, Equifax, etc.) and new regulations like GDPR and CCPA. Security often supports privacy, but not always. There are times when you have to choose one or the other. Where such a choice is required in this article, know that I have chosen the secure option.

Encryption

Most modern devices are encrypted during the initial setup, but you should double-check just to be sure.

The EFF published an article explaining how to encrypt iOS devices (versions 4 through 11).

To maximize the protection encryption offers, you should choose a long (but memorable) alphanumeric password or a 6-8 digit passcode.

  • An example of a long memorable alphanumeric passphrase is: I3at@ppl3sAtMidn1ght

  • An example of an 8 digit secure passcode is: 72046290

You should also configure your device to erase all contents after a certain number of failed login attempts. This will protect you from a brute-force attack on the passcode.

Device encryption is a tool to secure your data when someone has physical access to your device but does not have the password (loss or theft of your device). It offers no protection from malware, viruses, or other related nasties running on the device while it is unlocked.

Find my device

Both the iPhone and Android offer free tools to find a lost or stolen device. More importantly, they offer the option to remotely wipe your device if you are sure it is lost (not misplaced). For this remote feature to work, you have to ensure that the option is enabled on your device.

  • Here is the Apple article explaining how to enable Find My Phone on iOS devices.

  • Here is the Google article explaining how to enable Find My Phone on Android devices.

Remember that this option needs to be enabled before you lose your device (it cannot be done afterwards).

Both iOS and Android require that the phone be powered on and connected to the internet for this feature to work. If you want to remotely wipe your device, do it before you report your phone lost to your carrier (they will immediately deactivate your line, and the remote wipe won’t work).

Enable two-factor authentication

A chain is only as strong as its weakest link. Today’s smartphone is a powerful network-connected computer. Most smartphones connect back to either an Apple or a Google account. Any compromise of these accounts can lead to a compromise of your smartphone.

Two-factor authentication may sound scary, but it is very simple to set up with Apple and Google. By doing this you secure your online presence by making your account more difficult to compromise and more resilient to unauthorized access.

  • Here is a Google article on how to enable two-factor authentication for a Google account.

  • Here is an Apple article on how to enable two-factor authentication for an Apple ID.

The modern implementation of this system is that your phone will be pinged by the service (when you are logging in from a computer) or another device connected to your account will be pinged (when logging in from a mobile device).

When setting up, you will be asked to choose a backup authentication mechanism, and you should choose a Time-Based One-Time Password (TOTP) option. Never choose SMS or email (as those are very easy to compromise).

You will be asked to download a TOTP application and scan the barcode they show during the setup of two-factor authentication. This barcode is a one-time thing and will never be shown again. A good cross-platform TOTP app that synchronizes your codes across multiple devices is Authy. Authy is a trusted, well-designed app and is completely free.

  • You can download Authy from the Google Play store (for Android) here

  • You can download Authy from the iTunes store (for iOS) here

Another good app (that is available on both platforms) is the Google Authenticator app. The Google app does not sync TOTP tokens across devices, so if you change your smartphone, you have to revisit each site and reset the two-factor authentication process to get a new seed (aka the barcode).
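To show what the "seed" behind the barcode actually is, and why two apps enrolled from the same barcode show the same codes without ever talking to each other, here is an added Python example (not code from the original article or from any of the apps it mentions). It implements standard RFC 6238 TOTP with HMAC-SHA1; the seed used is the RFC's published test secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example seed: the RFC 6238 reference secret "12345678901234567890"
# encoded in base32, which is the format an authenticator app reads from the
# enrollment barcode. A real seed is random and issued by the service.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode the base32 seed the way authenticator apps do: tolerate lower
    case, spaces (manual-entry keys are often grouped) and missing padding."""
    cleaned = seed_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an app shows at unix_time.
    Only the seed and the clock go in, so any copy of the seed yields it."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)  # 8-byte big-endian time step
    mac = hmac.new(decode_seed(seed_b32), msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """What the service does with the code you type: accept the current step
    plus `window` steps either side for clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def two_devices_agree(seed_b32: str, unix_time: int) -> bool:
    """Two phones holding the same seed (a synced app, or the barcode scanned on
    both at setup) compute identical codes with no network contact. A phone
    without the seed has no way to produce them, which is why a lost seed means
    re-enrolling at every site."""
    phone_a = totp(seed_b32, unix_time)
    phone_b = totp(seed_b32, unix_time)
    return phone_a == phone_b


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SEED_B32, now))
    print("both devices agree:", two_devices_agree(EXAMPLE_SEED_B32, now))
```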

Another good backup option is a USB security token. The best option right now is the YubiKey product line. It does cost money, but it is solid and unbroken (as I write this). I am not recommending the Google Titan key because many third-party sites that allow two-factor authentication (see the list here) do not support the Google Titan but do support the YubiKey products.

Update, Update, Update

I had to write update three times because it is critically important. Make sure you configure your phone to download and install updates automatically for both the operating system AND the applications.

95% of hacks are made possible because people use insecure passwords, don’t enable two-factor authentication and don’t update their applications and operating systems.

Reboot regularly

We have seen a healthy amount of non-persistent malware in the wild. This means that the hack used does not survive a reboot (aka a reboot gets rid of the hack). This isn’t always the case, but nevertheless, it is a good idea to reboot your device regularly.

Application firewalls

Know that hackers who crack software are not benevolent and that a cracked app probably contains malware. Unless you know what you are doing, never download applications from third-party app stores or websites (this is a problem on Android but not on iOS, since Apple does not allow users to side-load applications).

Even apps on the official app stores can sometimes become malicious when the original developer sells the app and the new owners push an update containing malware. Apple and Google work hard to prevent this, but we have seen real-world examples of it on both platforms.

Application firewalls are an easy way to control which apps can have access to mobile or Wi-Fi data.

  • On Android, you can use the NetGuard application available on the Google Play store.

  • On iOS, you can use the Lockdown application available on the Apple App Store.

There are other apps available, but these are the easiest for the general user. Here is a quick tutorial and overview of NetGuard.

Take the time to install and configure one of those apps. Remember that attackers love using loose application permissions to steal information from your device.

As you set this up, take the time to review all of your installed apps and uninstall any that you no longer require (we call this reducing your attack surface). If you use an app once a quarter, install it, use it, then uninstall it.

Some apps request a lot of permissions but will still work if you restrict some of the more worrisome ones (think about access to your location, photos, microphone, etc.). As an example, read this article documenting the time Uber changed when it collected user location data and started collecting it all the time.

“The app update (it’s 3.222.4, for those keeping track) changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open – now, Uber asks users to always share their location with the ride-hailing company.” - TechCrunch

Android 10 and iOS 13 both allow you to choose when an app can access your location, so make the right choice and don’t just share your location (or other data) all the time when it may not be required.

Public Wi-Fi is evil

Many companies and venues use Wi-Fi and Bluetooth to track you as you walk around their establishments. Many malls use tools from companies like AisleLabs to track you, enabling them to target you more accurately. Attackers can use Wi-Fi or Bluetooth to compromise your device as well.

The easiest approach is to assume that all public Wi-Fi is evil.

When not absolutely required, turn off Wi-Fi and Bluetooth.

Do not automatically connect to Wi-Fi networks. I won’t get into the details here (because this is a more general article), but attackers can find out what your home network is called and trick your device into connecting to them (thinking it is that trusted home network).

Any time you connect to a public network (aka not your own Wi-Fi), use a VPN to protect your traffic. I won’t discuss which VPN to choose here, but stay away from free or very cheap VPNs.

If you aren’t paying for the product, you are the product.

Choose a solid, well-known provider whose policies and practices have been reviewed in some way.

You can run Tor to secure your traffic, but that will be too slow and cumbersome for most users.

Secure backup and cloud

On August 31, 2014, hackers released tons of celebrity personal photos and videos (many naked and pornographic in nature). This event was called The Fappening, and it was made possible because the iCloud accounts used to back up those photos from the smartphones had been compromised. We don’t believe Apple itself was compromised, but the attackers somehow managed to find the usernames and passwords for these users. Another reason you should enable two-factor authentication now.

Beyond 2FA, most users may not realize that their information is being backed up to the cloud. Remember that cloud backup is an easy way for attackers to steal your data. Once you have two-factor authentication enabled on your accounts, ask yourself what you should be backing up to the cloud and where it should be backed up.

Remember that if you choose to trust the backup of your default provider (Apple or Google), you are not in control of your data. In most cases, we know the data is saved unencrypted (not end-to-end encrypted) on those services.

  • Apple has given police data backed up from an iPhone to iCloud

  • Google, Dropbox and others routinely scan your content looking for malware or copyrighted material

I recommend choosing a secure end-to-end encrypted cloud backup service (if you want to use one). Although there are a bunch on the market, I recommend looking at Sync.com. They offer an end-to-end encrypted product (using the Trust No One model). This means that as long as you use two-factor authentication and a long passphrase, your content should be relatively secure.

Your Browser

Your browser is one of the most dangerous apps on your smartphone because it is designed to run code from a remote server (aka a webpage). In the worst-case scenario, a browser can load a malicious zero-click compromise that takes over your phone without you having to do anything and without you even realizing it. Most of these are non-persistent, which is why I recommended regularly rebooting your device earlier.

On Android, I recommend you take a look at a browser called Bromite. Unfortunately, due to app store rules, they do not offer a version on the Google Play store, and you have to sideload it if you want it. Bromite supports ad-blocking natively, using the uBlock Origin filter model.

It also supports DNS over HTTPS (DoH). You can also enable HTTPS Everywhere and configure it to block unencrypted traffic. You should also disable JavaScript and sparingly re-enable it only for the sites you absolutely need that break without JavaScript.

On iOS, I recommend the Brave browser (which is also available on Android, but Bromite is more secure). You can download Brave from the Apple App Store here.

Stalkerware

Stalkerware is a category of badware installed on your device by a third party to spy on you and, often, to track you.

The EFF is spearheading an initiative to fight stalkerware (read this) because it is often used to victimize you. Think of it as commercial spyware that covertly steals your data and sends it to the stalker. In some cases, the stalker can be an ex, but remember that many companies use Mobile Device Management software that can often perform the same function (normally if the device is company-owned or is allowed to access the corporate network). In the case of companies, it is most often done for security reasons. Otherwise (in the private space), it is used to victimize or control someone.

If you are not using a corporate phone and suspect something may be going on (in most cases you won’t realize it), the only way to secure your device is to perform a factory reset and restart the setup from scratch.

Remember that the threat actor (partner, ex, etc.) has to access your device to install the stalkerware, so never leave your device unlocked, never leave it unattended, and choose a long and complicated passphrase.

Other settings

On iOS, choose Limit Ad Tracking (instructions can be found here) and reset your Advertising ID periodically (instructions here).

On Android, choose Opt out of Interest-based Ads (instructions can be found here).

Conclusion

I know this was probably a dry and long article for most of you, but I needed to get it out. This is a question I receive regularly, and I wanted to write about it rather than respond individually to each of you. If you have questions or want to send me a note, do it on Twitter (my handle is @ekiledjian).

Hope you found this article interesting and useful.

What is DXO Mark Mobile and should you care?

General | Edward Kiledjian

Over the span of a couple of weeks, we saw three phones released, and with every release, the manufacturer touted the device's incredible "best ever" DXO Mark Mobile performance rating:

  1. Samsung released the Galaxy Note 8 with a DXO Camera score of 94
  2. Apple released the iPhone 8 Plus with a DXO Camera score of 94
  3. Google released the Pixel 2 / Pixel 2 XL with a DXO Camera score of 98

Manufacturers love touting these scores to "prove" that they have designed the finest camera a distinguished tech user could ask for. For all intents and purposes, technology should get better, and this means every new phone released (at the high end) should have better overall performance than its predecessor. Why would you buy an inferior phone?

While most blogs blindly write headlines repeating this single "representative" number, very few actually take the time to read the full DXO reviews and explain the details to their readers.

It's complicated

The first thing to keep in mind is that blending complex factors into a single easy-to-digest number is complicated and may sometimes mislead some readers. While most blogs only show the single number, DXO actually provides a generous amount of valuable information for the curious reader.

The DXO tests include a slew of carefully controlled lab tests and other real-world tests that are more subjective.

If we pick on today's "highest ranking" phone, the Google Pixel 2, here is how the rating of 98 is made up:

DXO provides detailed test results and write-ups for each of these categories. While most blogs will tout that the Pixel 2 has a rating of 98 (the best ever rating for a smartphone), they rarely provide the makeup of that number.

And the make-up of that number is critical to your buying decision. If you will use the camera primarily for video, you may notice it scored 96. You can also check how DXO arrived at that score by evaluating what is important to you about video (which of the following attributes matter more to you).

  • Exposure and contrast
  • Color
  • Autofocus
  • Texture
  • Noise
  • Artifacts
  • Stabilization

Remember that the video rating of 96 is not a straight average but rather a "black box" formula closely guarded by DXO.

Is DXO Mark Trustworthy?

The next question is "can you trust the DXO testing methodology"?

Having reviewed the public information made available by DXO, I say yes. They have a well-documented methodology that is as good as it is going to get. I trust their rating but use the detailed review information to make up my mind, not the single number most blogs publicise.

It is also important to keep in mind that DXO is a for-profit consulting company that manufacturers hire. DXO works with manufacturers to tune their imaging systems and get the best possible performance out of their equipment and software. DXO also sells image quality testing solutions.

I do not believe this consulting arm influences the device ratings in any way, but it is still an important fact to keep in mind.

DXO Optics Pro

DXO Optics makes very good photo improvement software because of all the camera/lens knowledge they have accumulated. They know the shortcomings of each camera/lens combination and can thus build specific correction profiles.

I own their software and paid for it myself.

90% of all the questions I receive these days are about comparing the iPhone to the Google Pixel 2. In addition to all the information I have already written and the info provided above, there is one more piece of knowledge you should consider.

The Google Camera app on the Pixel 2 does not natively support RAW (the iPhone 5s or newer does). This means DXO Optics Pro has corrective filters for all these iPhone RAW images but does not for the Google Pixel 2. This could be a major deciding factor for the more astute or demanding mobile photographer.

Conclusion

I know most users simply don't care about the details. They want one easy-to-read headline that justifies their belief (Google is better / iPhone is better). My ask is that you, my more knowledgeable readers, take the time to look at the data that makes up the numbers.

It's a worthwhile investment of your time.

First look at the Bose QC-30 Bluetooth noise-cancelling earphones

General | Edward Kiledjian

Apple hates ports and will kill each and every one of them come hell or high water. The iPhone 7 / 7 Plus pushed the market away from wired headphones into the loving arms of Bluetooth. Audiophiles will explain that Bluetooth has limited bandwidth, which means audio fidelity is severely compromised, and they are right. Bluetooth can't match the quality of a good set of wired headphones, but let's be honest, most people aren't listening to high-quality audio tracks fed through a good headphone amp and $1000 headphones. Most people are streaming their music via Google Play Music, Apple Music, Spotify or Pandora at 128/256 kbps (some are now streaming 320 kbps).

For the geeky reader, a CD ... yes, that plastic disk we old people use to play music from ;-) So a music CD was 44.1 kHz x 16 bits x 2 channels = 1411.2 kbps, just for comparison.

Let's dive into the new in-ear Bluetooth noise-cancelling champ from Bose.

This is more of a first look at the QC30; a more in-depth review will come later. The QC30 seems to beat the QC35 when strictly comparing noise cancellation quality. The QC30 has a 12-step noise cancellation intensity control. Where is this useful? When you want "some" noise cancellation but still need situational awareness (e.g. using these while walking on a busy street).

QC used to mean QuietComfort but now means QuietControl, a slight branding update undertaken by Bose.

The branding change was made because you now (for the first time) have that variable noise cancellation strength.

Design

Most users assume wireless and lightweight go hand in hand, but not when it comes to the QC30. The QC30 has that strange neckband that connects to the earbuds. When passing the device around, people liked the neckband, were indifferent about it or absolutely, ragefully hated it. Regardless of how you feel about it, it is universally regarded as ugly.

The ugly spaceship around your neck is the lifeline of the product, housing the battery. Bose promises 10 hours of use per charge, which is good for most situations (except long-haul overseas flights to Asia).

Remember that the QC20 had that in-line battery compartment, which itself was ugly and relatively heavy.

The other noticeable improvement is fit. I have normal, medium-sized ear canals and rarely have fit problems with in-ear headphones. The QC30 seems to fit better than the QC20 did, which means improved sound quality and noise isolation.

The audio control module has all of the standard controls you expect plus additional buttons to control the level of noise cancellation. After a couple of days, you can control everything by feel because of the unique shape of the control module.

Sound Quality

Let's cut to the chase: the noise cancellation delivered by the QC30 is truly spectacular. The noise cancellation of the QC30 is as good as the full-sized (over-the-ear) QC35. The only difference is that the QC35 benefits from much better passive noise isolation in addition to active noise cancellation.

I cannot stress enough how useful the variable noise cancellation strength feature is. It means you can use these on the plane, on the train or while walking on the street.

Like every other noise-cancelling headphone I have ever tried, sound reproduction suffers. The QC30 offers clean and clear low/mid ranges. The highs are where it suffers: they are drowned out by the other ranges and don't sound as clean as I had hoped.

The Bose QC30 offers better sound reproduction than the QC20/20i, and the sound stage is more open and airy. So when compared to good headphones, sound quality suffers, but it is a step up when compared to its older sibling.

The bad

Sound is more bass-heavy, which may impact your enjoyment of some types of more balanced music. The on/off slider is badly designed (it is difficult to figure out if the device is on or off when you aren't using the earbuds).

The ugly UGLY neckband. 

I have to add the price here. At $299 it's a rather considerable investment. Not surprising, as this is typically the price range for Bose noise-cancelling headphones, but still....

Conclusion

There is no perfect device. The truth is that this type of noise-cancelling headphone has always catered to a specific affluent customer base. Unlike previous years, the in-ear earbuds now offer noise cancellation on par with their on-ear big brother.

Sound reproduction is good for noise-cancelling earphones but not as good as "normal" ones. If your primary use isn't on noisy transit and sound quality is important to you, you may want to look at a non-noise-cancelling product. If you need noise cancellation, the QC30 offers sound quality better than its noise-cancelling competitors.

If you are looking for standard in-ear Bluetooth headphones with decent sound quality and good battery life, take a look at the JLAB Epic 2.

Australian carrier ships Google Pixel a week early

General | Edward Kiledjian

While everyone is waiting for the new Google-branded Pixel to finally launch, a Reddit user in Australia claims to have received his Pixel from Telstra early.

And this doesn't seem to be an isolated case. There are a handful of Reddit threads talking about users receiving their units and backing up the claims with pictures. Going through the information, we glean the following:

Google Assistant welcomes you when you open the box.

Google's free unlimited full-resolution storage option is automatic and available as soon as you sign in to the device. The app/service detects all Pixel images and videos. I am wondering if it will be possible to game the system by playing with EXIF information.

Allo and Duo are pre-loaded and set as the default apps.

29.75 GB of storage is available (out of the 32 GB in this model).

The LED notification light is near the earpiece.

On a funnier note, people claiming to be Telstra employees commented on some posts, and one said he bought his Pixel from Google because it offered a better warranty.