This is why we need more devices like Pyra [1], which was in the frontpage today [2]. Or its sister project, the Neo900 [3].
To me, current mobile phones seem like a step backwards in many fronts, as highlighted by the EFF or the Neo900 developers [4]:
- It should be possible to install your preferred OS, pretty much like you do on a PC.
- Hardware components should be more open. When not possible, they should be isolated like the Neo900 will do [4].
These two things would lead to much better privacy, and less planned obsolescence. It's atrocious that many cell phones don't get software updates past the 24 months mark.
We should get much more serious about this. The current mobile landscape is depressing.
Thanks for the neo900 links; looks really interesting! My FreeRunner's still using the GTA02 motherboard, as I'm too much of a wimp to do the upgrade to GTA04 ;)
Not really. Cyanogen is OK, but it's just Android. The hardware problems are still there: i) no drivers so GNU/Linux can't be ported ii) the baseband processor is usually badly isolated so it's easy to attack the device.
You do, this is Ubuntu Mobile strategy at the moment AFAIK.
However, drivers in ARM platforms are very opaque. You rely upon the goodwill of the manufacturer to update them, and most of the time they don't. See how most devices get unsupported in Cyanogenmod after a while.
And in any case, all the privacy concerns remain. It's a hardware issue. Android would be fine.
Not unless you use a popular phone model since each phone needs to be individually ported. I just bought a Mi Note (http://s1.mi.com/m/product/minote/index.html) and am out of luck.
For now you can install arbitrary custom Android builds on a few commercial devices until all the device bootloaders have Trusted Execution Environment (TEE) signing schemes preventing any user changes. Mobile devices are becoming increasingly more tightly sealed blackboxes not more open.
The Electronic Frontier Foundation (EFF) notes in their report "mobile phones were not designed for privacy and security". While the report is mostly focused on the wide varieties of mobile phone tracking (from GPS to wireless access), it illuminates perhaps the root of the issue noted in many mobile security articles: Mobile phones now mimic personal computers, and it begs the question: Why?
For such a ubiquitous device that holds so much personal data and is portable in ways laptops will never be, one wonders why we are designing mobiles to be just like tiny laptops with all the same protocols, applications and OS APIs. First, sure, it's easy, but who ever heard of an old-school phone dying from a DDoS attack (which now is the current major mobile threat)? Or, being taken over by malware and every contact, password and account login sent to the Maldives for quick smash-and-grab sessions against bank accounts and so forth?
Maybe the intrinsic issue is really that we are still doing the "make it smaller" thing with tech and calling that innovation instead of "make it different" which out of the box often comes with intrinsic security of its own for actually being different.
Maybe Android is kind of like small laptop. But Windows phones and iPhones definitely aren't.
I can use my laptop without having any cloud identity tied to it - I don't need to give anyone my email address or card number just to log in. I don't have to upload my contact list or communication history to the cloud. I can install software on it that Microsoft or Apple haven't approved, and if I pay for software Microsoft or Apple don't take a cut. I can install different operating system, if I want. I can develop software on my laptop without special license and without paying Apple or Microsoft. When I develop software, I can share it with other people with laptops and they can run it. I can access filesystem in any way I want and directly modify, share or create files without them being transferred to the cloud.
Modern smartphones are very not like laptops.
Android is perhaps more like actual computer, but I'd guess that's mostly legacy - if Google made Android now, I'm sure they would make it more closed, and they are making it more closed with every release.
Ah, but I'm referring to stacks and protocols. From the perspective of having an OS, TCP/IP stack, wireless connectivity and access to the Internet via a web browser, you'd be hard-pressed to identify the PC from the phone in a functional diagram from which the label for the device was removed. Here is where the "mimic" of PC architecture comes in, not so much in how easy it is to access the file system, so forth. Sure, I realize even if there is an argument here, it's loose at first. I do believe there needs to be more separation, however, between how "we do" PC and how we do phone.
First, citation needed on DDoS being a major mobile threat to actual phones. If you mean the iOS wifi bug, that's not major or a DDoS.
Second, OK, we ditch IP and flip to OSI protocols. Now apart from decreased security due to all this new software that'd have to be made, how would that make things more secure, at all? Everyone will still want to use the Internet, so it's not airgapping.
1) Haha, well the "current major mobile threat" jab was more tongue in cheek, and you're right - it's the "No iOS Zone" vulnerability. The citation is the following: RSA conference presenter SkyCure discussed the possible vulnerability [0] in iOS 8 that _could_ allow iPhone users with iOS 8 to be victimized by the equivalent of a DoS attack. And, the org has worked with Apple and iOS 8.3 likely fixes the issue.
2) However, while I wasn't making an argument per se, more just thinking out loud about architecture choices, especially when they "mimic" systems that are not for the same purpose, I do believe that is a small part of the problem when it comes to mobile security as pertains to phones. And, maybe I'm also thinking that with that in mind, there might be room for a whole separate set of protocols and methods for interacting with the Internet (or a reasonable facsimile of it) from your phone, which is not a PC :-)
I understand your motives, but the problem with your argument is that youre telling us what a mobile phine shouldn't be (no internet, no TCPIP even, and reading a bit between the lines perhaps no GPS or Wifi even). But to usefully describe a thing you need to say what it is and what it does, not what it doesn't do.
Yes, I suppose I left out the important part where I should turn around and state what I think the actual alternatives are, and if they don't exist, propose them :-)
I'm still getting my feet wet with this critical thinking exercise, especially where an exchange of ideas is required to hone my own! I'll have to come back to this one...
I've made my peace, somewhat, with my phone activity being tracked and everything. But this point about smartphones trying to mimic PCs is where I draw the line. I don't like the push for everything mobile to replace everything desktop/PC because I frankly don't trust smartphones to be powerful enough and secure enough to handle much more than to-do lists, social media or the occasional bank transfer (never done on a public wi-fi network of course). Of course I'm stubborn in preferring a full-sized keyboard, mouse and I dunno...computer for tasks like programming, photo editing (no, putting filters on photos is not what I consider photo editing) and gaming but that's how I think smartphones should be used vs. full-fledged computers.
Correct. That is probably why pagers are so popular with drug dealers.
The downside of a one way pager is that there is no way to know if the message got through. If you are in an elevator (or wherever) you simply never know of the page.
One way pagers only work in a particular area of the world. In that area all the transmitters send all the pages. Such systems do not scale all that well and as a result getting pager service over a wide area can be fairly expensive.
There's a few nationwide pager networks out there; they're quite easy to build without the task of making communication two way. Just set up a hundred or so watt UHF transmitter at an antenna farm, feed it with PSK or FSK from a satellite receiver, and boom! You just covered most of a large city.
That's why a modular mobile phone is so interesting.
The important aspect of a modular mobile phone is not what you can add to it (silly little consumer modules) but what you ca subtract from it.
With a modular mobile phone, you could physically isolate the GPS/GSM/LTE/bluetooth components at will.
My prediction is that the google modular phone, whatever it's called, will have the cellular components on the base system and not removable, which is a pity.
Most electronic cards have built in batteries like the CMOS battery in computers. So just removing the battery or pulling the cord will not be enough to "turn it off".
I'm surprised A-GPS didn't get a mention. There must be data leaked when your phone uses MSA to obtain higher resolution for the rough GPS location that it has. (less so with MSB)
Even the ubuntu phone comes with software you 'can't install' (unless you go beyond the normal interface) and has software of dubious origin on it ('here'). Missed chance on many fronts.
The problem isn't so much 'mobile phones' the problem is smart mobile phones and the suppliers of software for them, and for all mobile phones the big black box that is the baseband processor and whatever goes on in there. Little snitches does not cover it.
I'm surprised that addon cards for laptops such as the Gobi3000 aren't mentioned yet. Are these a security risk? Is "off" really off to such a card? Is isolation sufficient?
To me, current mobile phones seem like a step backwards in many fronts, as highlighted by the EFF or the Neo900 developers [4]:
- It should be possible to install your preferred OS, pretty much like you do on a PC.
- Hardware components should be more open. When not possible, they should be isolated like the Neo900 will do [4].
These two things would lead to much better privacy, and less planned obsolescence. It's atrocious that many cell phones don't get software updates past the 24 months mark.
We should get much more serious about this. The current mobile landscape is depressing.
[1] http://pyra-handheld.com/
[2] https://news.ycombinator.com/item?id=9463032
[3] http://neo900.org/
[4] http://neo900.org/stuff/ohsw2014/ohsw2014.pdf