Our smartphones are so much more than just internet access devices. They have become extensions of our brains. They remember our friends' contact information; they help us shop; they know where we have been and where we are going.

But what happens when someone gains access to this treasure trove of ultra-private information? I have written about how you can make your iPhone more secure here. This article will provide a handful of easy-to-implement tips.

In dots we trust

You may have noticed tiny coloured dots (green and orange) showing up on the top of your screen (upper right-hand side).

A small orange dot means your microphone is active, while a tiny green dot indicates your camera has active. The purpose of these dots is to notify you can something may be watching or listening to you. If you are on a call, this is perfectly normal, but a little investigation may be warranted if you aren't actively using any apps.

Remember that you can change what apps have access to your camera and microphone by going to Settings > Privacy > Microphone or Camera. You can then turn off access on an app by app basis.

Peekaboo i see you

There are situations where your iPhone application must have your precise location, like when navigating with your GPS app of choice.

There are other times when the application doesn't need a precise location, like looking for restaurants in a given area.

If you go to Settings > Privacy > Location Services and then click on an app, on the bottom you will see a switch for Precise Location. Turning this off will only deliver an approximate location. This is useful for apps that you have to use but are worried they are collecting your location information and probably sharing it.

A weather app is a good example of something that doesn’t need your street level accurate location and where an approximate location would be just as good while improving your privacy a little.

Accessing your photos

There has been an incredible amount of discussion in online forums about Facebook using the metadata of your photos to build a more complete profile of you and they probably aren’t the only one. Your photos show where you have been and who you have been with. So make sure only app that truly require photo access are given it and then only to selected photos.

To change which apps can access your photos, go to Settings > Privacy > Camera

For apps you have granted photo access to, it is important to choose which photos the app can access:

None
All Photos
Selected Photos

To change this setting, go to Settings > Privacy > Photos, choose an app and then choose what level of photo access you want to grant. As an example Instagram for me has “selected photos” only and if I want to upload a photo, I change the settings to give it access only to that photo.

Local network access

With IOS 14, you have probably seen a message pop up asking you for permission to search your local network. If you are using an entertainment app that needs to cast content on a TV or a smart home control app, asking for this permission makes sense. You have likely seen this request from apps that that had no logical reason to request this permission and hopefully you denied them this request. This is one way apps will try to identify you by collecting information about your local networks.

You can find the configuration for this setting in Settings > Privacy > Local Network . Here you can see which apps you have granted access to this right and you can change the setting at any time.

As an example, Uber Eats asks for this permission yet there is no reason to grant it access to inventory my local network. Whereas my VizioTV app has a need for this permission so it can find my device.

Android vulnerabilities are more vulnerable than IOS ones

April 2, 2021GeneralEdward Kiledjian

Screen Shot 2021-04-02 at 4.32.55 PM.png

The free market determines pricing based on the intersection of supply and demand. For the longest time, an IOS Full Chain Compromise with Persistence (FCP) demanded a significantly higher payout from vulnerability vendors than Android ones. This was a simple question of economics: Android had more easily exploitable vulnerabilities thus each one was worth less. On the other hand IOS was built like Fort Knox. Vulnerabilities were few and far apart and dictatorial regimes and evil doers were willing to write much bigger checks to buy those rarer exploits.

The chart above shows the pricing as of April 2 2021 and clearly shows that an Android FCP demands a $500,000 bonus over an IOS one. We know demand for these has not dropped so the only possible explanation is that there are more IOS vulnerabilities in the market than Android ones.

Although Google doesn’t use security to market its smartphone OS, it has a best-in-class security team that is making Android more secure with every release. IOS is improving as well but not as fast as Android.

Before you start throwing things at me, remember that privacy and security are two very distinct qualities. There is no question that IOS offers a fairly secure computing environment and world class privacy.
Android on the other hand asks you to trade in some privacy in exchange for a super functional assistant but has done a fantastic job making it’s operating system more secure.

Speaking with a security consultant buddy that advises many large companies and special interest private organizations about operational security, he confirms that the “underground” demand for FCP android vulnerabilities is skyrocketing. He mentioned that patched Android vulnerabilities are becoming harder to find but that the demand is skyrocketing (because so many of his customer targets use the lower cost android platforms"). Zerodium isn’t the only vulnerability broker in the market but it is the only one that publicly publishes its payout tables.

My contact said Android’s open source nature is yielding many of these security benefits (e.g. Google regularly upstreams security improvements made by AOSP fork operators like the GrapheneOS).

The bottom line is that these operating systems are typically weakened by bad user decisions (configurations, app choices, etc), but out of the box, Android running on a Pixel device is probably more secure (but less private) than IOS.

The challenge on Android is the fact many phone vendors do not offer timely upgrades (if ever) which makes these phones super vulnerable. That is why if you use Android, stick with a Pixel device with guaranteed security upgrades for 3 years and OS upgrades for 2 years.

We know Apple invests heavily in security so we’ll have to see what security improvements, if anything, Apple implement in IOS 15.

How to limit software exploits on your iPhone

February 19, 2021GeneralEdward Kiledjian

Security and usability are contradictory forces. Ultimate usability means less security and ultimate security mean less usability. It is a fine balancing act tat every user must perform themselves.

The iPhone is a well designed and fairly safe device out of the box but there are some settings you can change to reduce your odds of getting attacked. Each setting that you change will make your device a bit more secure but will limit a useful functionality.

This article will walk you through some of the settings that will reduce your susceptibility to software exploitation.

Install patches

Your iPhone should be configured (out of the box) to periodically download software and OS patches but you should check manually every day (to ensure you get the patches as quickly as possible)..

Don’t open that attachment or that link

Although the iPhone has a very mature and sophisticated security model (including sandboxing), we have seen advanced threat actors use zero-day attacks sold by vulnerability merchants to attack freedom fighters, journalists and other people of interest.

Like on a traditional computer:

never open an attachment from an unknown person
never open an unexpected attachment from a known contact
never click through on a link (SMS, Whatsapp, Telegram, Twitter, Facebook, Instagram, etc) from an unknown person
never click through on a link from a known contact but an unexpected message

Reboot your device

We have seen many sophisticated and advanced attacks performed against iOS devices that leverage unknown (therefore unpatched) vulnerabilities but many of them are not persistent. This means that the attacker has to re-compromise your phone if they want control, after a reboot. Think of the reboot as a cleanse or detox.

This has become a standard ritual for me and I regularly restart my phone throughout the day.

Pay attention to the dots

Apple has implemented an ingenious feature to quickly show you if an app is using your camera or your microphone. When in use, an orange or green dot will appear on your top menu bar next to the battery indicator.

An orange indicator means the microphone is being used by an app on your iPhone. Remember that if you are legitimately using this for features like Siri, it is normal that this will show up but it should disappear when you are done or it means something is still listening in (legitimate or not).

A green indicator means either the camera or the camera and the microphone are being used

If you swipe Control Center open, on the top, it will show you the last app that triggered the microphone or the camera

Disable Airdrop

Airdrop is an Apple technology that allows you to quickly and easily share content (files, videos, music, links, etc) between IOS and macOS devices. AirDrop itself could have vulnerabilities that could allow an attacker to send a malicious attack file to your device without your knowledge or they can perform social engineering attack to trick you to click on a malicious file.

Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center
3d touch or long-press the network settings card (in the upper left-hand corner, then click on AirDrop)
Choose Receiving Off to disable AirDrop

Disable Bluetooth

Bluetooth has had many easily exploitable vulnerabilities in the past. Although Apple quickly patches vulnerabilities, there may be unknown vulnerabilities being sold by vulnerability merchants to threat actors or nation-state attackers. Additionally many organizations (from law enforcement to shopping mall managers) are known to track users with their Bluetooth ID.

If you are not actively using Bluetooth (aka connected to headphones for example) then you should consider disabling it. Disabling it will cut off the connection between your phone and Apple Watch (until you turn it on again).

Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center
Click on the Bluetooth icon to turn it off

Disable JavaScript in Safari

JavaScript powers the modern web but has been used in a significant number of web attacks. Disabling JavaScript will significantly improve the security of your device but will likely break many modern websites (rendering them unusable).

If you are a higher-risk individual (politician, journalist, dissent, etc, then you may want to turn JavaScript off. Otherwise, you may want to ignore this change (aka leave it on). Changing this setting only applies to JavaScript inside of the Apple Safari web browser.

Open the Settings App
Find Safari
Scroll to the bottom until you see Advanced
Turn of JavaScript by tapping the toggle switch.

Disable WIFI Hotspot

The WIFI Hotspot is a setting that is normally set to off. I am specifying it here in case you turned it on.

WIFI hotspot allows other WIFI devices to connect to your smartphone and share its LTE connection (3G, 4G or 5G). Obviously, those devices need to have the WIFI Hotspot password that is configured on your smartphone, but it is possible iOS contains a vulnerability not yet known by Apple that could be exploited, this allowing a threat actor to connect to your device and push malware.

Open the Settings App
Open Personal Hotspot
Turn off Allow Others to Join

Your smartphone security guide (iphone and android)

July 28, 2020GeneralEdward Kiledjian

There are companies out there that will pay top dollar for working full chain smartphone vulnerabilities that will lead to a complete compromise (check out Zerodium as an example ). A full zero-click compromise for a patched android phone can net you a cool 2.5M$ (Wired).

Considering how we use smartphones and the information they contain (or can leak), these aren’t just simple electronic tools. Smartphones can be considered a bionic extension of your mind—anyone who can access your phone gains unprecedented access to your mind, life and psyche.

You may doubt the validity of the above statement, but think about it. Your smartphone knows where you are and where you have been. It knows who your friends and colleagues are. It knows whom you interact with. It has access to all your emails and other messaging. It has a camera that can be remotely triggered and a microphone to listen in on any of your private conversations (when was the last time you were more than 6 ft from your smartphone?).

Who is this article for?

The more secure you make something, the less usable it becomes. Security professionals have to tailor their security recommendations based on the risk profile of their customers.

For this article, I am assuming you are a “normal” general computing user that is not subject to elevated risks or custom attacks (aka you aren’t in the intelligence field, a journalist in a less favourable geography, a politician, etc.)

Why is this important? An average user will be targeted by unsophisticated actors (ex-partners, lovers, former angry friends, coworkers, or script kiddies) or medium sophisticated actors (scammers, general hackers, etc.)

An average user is not important enough to merit an attack by state-sponsored actors or organized crime. These advanced actors have more developed capabilities that would require a customized security program built by an experienced security professional.

What are we trying to accomplish?

Whether I am building a multimillion-dollar security program for a large cloud service provider or helping you secure your own smartphone, the goal is always the same.

Absolute security does not exist regardless of how careful you are or how much you spend.

The goal of a solid security program is to be "good enough" to tire your attacker and encourage them to move onto their next victim. Even with the most expensive door lock, a thief can use a battering ram to break down your front door, but they probably won't. You buy a lock that is sufficiently strong to resist breaking with kicks. A good security program is the same.

Let’s begin.

Encrypt your device

If you are running an iPhone with IOS 12 or later, it comes automatically encrypted out of the box. IF you are running an older version, check out these instructions. Most modern Android devices from reputable manufacturers come encrypted as well. If you are running a phone from a lesser-known manufacturer, a phone that comes from a market where encryption is illegal or it is older, check out these instructions to encrypt your phone.

Password or Pin

Since IOS 9, Apple has made a six-digit pin mandatory (although you can still force it back to a four-digit pin). Remember that once an attacker finds your pin code, they are in, and no additional tools are protecting you.

The goal is to make your adversary’s life as difficult as possible. A 4 digit pin means your attacker will have to try 10,000 possible combinations. It may seem significant to you, but remember, they have tools to automate this process. Simply moving to a six-digit mixed password means there are 1,000,000 possible combinations.

If you choose to implement a passphrase instead, you make it more difficult for you but you also make it more difficult for an attacker to crack.

Fun fact, approximately 25% of all smartphones can be cracked by using one of these pin codes:

1234
1111
0000
1212
7777
1004
2000
4444
2222
6969
9999
3333
5555
6666
1122
1313
8888
4321
2001
1010

Most phones also support a feature that wipes all the data from your phone after a certain number of wrong attempts have been made. This eliminates the threat of automated attacks.

Remotely wipe your phone

. If you feel someone else may be in possession of your phone, and it is connected to the internet, you may be able to remotely wipe the data.

On Android it is normally called Find My Device

On iPhone it is called Find My iPhone.

You can log into the manufacturer portal to find your device or wipe it if necessary.

Sample iCloud Find my phone interface with the Erase button

Find my device links

Android : https://support.google.com/accounts/answer/6160491?hl=en
IOS : https://support.apple.com/explore/find-my

Two Factor Authentication

Remember that your phone is an extension to your online Google or Apple ID. It is very important that you protect these from unauthorized access. You should be using a long, complex, non-dictionary, passphrase to log in. You should also enable two-factor authentication to add another layer of protection to your account in case your password is compromised.

The easiest is to use Time based One Time Authentication codes.

On Apple devices, you will use your smartphone (or any other Apple device connected to your account. The Apple instructions are here.

Google users can use a software TOTP system with any one of the free TOPT clients available. The cleints I recommend are :

or some password managers (e.g. 1Password) also offer this as a function. The most secure option is to use a hardware token (e.g. Yubikey) but this is slightly more demanding and I won’t be covering it here.

Update and uninstall

Most attacks are against old vulnerabilities that remain unpatched. If you have a phone from a manufacturer that does not regularly deliver (monthly) security updates or the updates for your phone have stopped then it is time to buy something else.

You must update your phone operating system and all the apps on it regularly. Doing this will reduce your attack surface (ake make an attackers life more difficult).

Remember that applications may have undiscovered or unpublished vulnerabilities. In addition to updating them using the Apple AppStore or Google Play, you should uninstall any applications you do not regularly use. Many of these apps are stying on your anyway but they could be the weak gateway an attacker gains access to your phone.

Where possible, use the web version of services. As an example, instead of using a Twitter app (on most of my devices), I use the PWA website at mobile.twitter.com. This gives me full functionality without needing an app (that can track me or compromise by device).

Only install apps from official apps stores (Apple AppStore or Google Play). Apps in these stores are cryptographically signed to prevent impersonation by attackers. If you are a little more adventurous (on Android), you can also check out the F-Droid alternative app store.

Reboot often

We have seen many attacks in the last 3 years that are not persistent. This means they go away after you reboot your device. This is why it is a good idea to regularly reboot your device. I typically try to reboot it every 8 hours or so (while I am awake).

Turn off your phone

A phone that is off can’t be attacked.

An unsophisticated attacker will not be able to compromise your phone’s baseband chip and turn on your phone.

It is a good idea to turn off your phone when you can (at night or when you will be away from it from a while). Plus turning it off while charging will often allow your phone to charge a bit faster.

Install a firewall

You may not know it but if you use a Windows or macOS device, there is a manufacturer-provided firewall on your device. Unfortunately, smartphones do not come bundled with them but they are extremely useful.

It seems every week we read about another couple hundred apps (on IOS and Android) that made it to the app store but that were malicious. A firewall will define what apps will be permitted to use WIFI and/or LTE.

The best firewall for Android is Netguard and the best one for IOS is called Lockdown.

These apps can work in 2 modes:

blacklists mode, is where you choose what apps should not be allowed to communicate
whitelist mode, is where no apps can communicate unless you specifically allow them to

Obviously whitelist mode is the most secure but may require a little bit of tweaking when an app just doesn’t work right.

Due to recent societal changes, expect the authors of these apps to change the above terms shortly. Blacklist will be changed to blocklist and whitelist will be changed to allow list.

Disable WIFI and Bluetooth

Anytime you are out of a trusted location (home or work), turn off WIFI and Bluetooth. Also make sure that any feature that would automatically turn them back on is disabled (e.g. Automatically connect to public networks).

Attackers can set up a malicious network and easily trick your device into connecting to it. This is trivial but not part of this discussion so I won’t explain how to do it here.

Many public venues (e.g. malls use your phones Bluetooth beaconing to track you as you walk around. This works without any intervention from you. When you don’t need Bluetooth, turn it off.

Remember that public WIFI is evil. Any WIFI that you don’t control can be used to steal your information. If you have to connect to untrusted WIFI, use a VPN. Please use a good VPN and know that good VPNs are never free or extremely cheap. You get what you pay for.

Many will recommend TOR but it is slow and most users would find the experience painful. So I stopped recommending TOR for most users.

Browsers

Browsers are dangerous. Dangerous. Dangerous. They run code delivered to your device from another computer which means it could be a wonderful way for someone to compromise your device remotely.

If you don’t believe me, read this article China hacked iPhones and Android devices to target Uyghur Muslims.

For iPhone users, I recommend sticking with the built-in Safari. Apple has done a relatively good job with it and it should be secure enough.

On Android, my browser of choice is Bromite . Bromite has native support for the uBlockOrigin adblock engine( the best in my opinion). It supports DNS over HTTPS, to encrypt your DNS queries. It is always in incognito mode and it offers many more wonderful security-friendly features. Remember to turn on HTTPS everywhere in it and disable Javascript.

Is IOS more secure than Android?

To close out this article, I will quickly touch on the question I receive the most often.

For this discussion, we have to separate privacy and security. This article was written to improve your security not your privacy. They do not usually go hand in hand.

For a general user looking for a no worry relatively secure platform then IOS is probably the way to go.

For a general user that doesn’t mind a little work and that wants good security, Android is the way to go. IT offers more customization options to make your device more secure.

For a more security-conscious geek, then I recommend going to GrapheneOS. GrapheneOS will require some work (you have to install it) and will make you uncomfortable (does not come with any Google services or the Google Play store) but it is the most secure consumer option right now.

Exodus Privacy will help you identify the trackers embedded in your favorite android apps

July 20, 2020GeneralEdward Kiledjian

Companies large and small are always looking for new and creative ways to violate your privacy.

One popular tool of the trade is to embed trackers and ask for more permissions than necessary to "steal" user data. The question is, how do you know what trackers are embedded in your installed Android apps? This is were The Exodus Privacy Report tool comes in.

Here is a sample report for the Adobe Acrobat app

When you click on one of the trackers, it gives you interesting information

Clearly they want to acquire as much information about you as possible to track your device. You can then decide if the app is worth giving up all this information or if you want to use another app that is less invasive.

Are iPhone users safe? The answer is no, but researchers don't have permission to analyze IOS apps. We know that many of the worst offending apps are on both platforms and use cross-platform Software Development Kits.

So what do you do? Remove any apps from your smartphone that you don't use regularly. Before installing any application, make sure you read and understand the permissions being requested by the app. If a game wants your location, access to your camera or other weird permission, pick something else.

Are there "good" apps?

Yes, there are. Protonmail is an example of an app that only has crash analytics trackers built-in. Another example of a "good" app is the DuckDuckGo Privacy browser; it contains zero trackers.

I was disappointed to see NordVPN with its six trackers. NordVPN is tracking user behaviour.

You can access the database online here.

Tips to make your iPhone more secure