Why phones are more secure than desktops [Work in progress]

If you want to maximize your digital privacy and security, you should use your phone. Unfortunately, this is still a hot take in 2022. But it has been the case for years that modern phone security models allow for much greater protection of your sensitive data than any desktop offers today.

The myth about insecure phones has been so prevalent that I used to ignore secure phone setups entirely because I considered mere ownership of a phone unacceptable. There are plenty of problems with phones, many of which are totally unethical. But here’s the thing. Any issue you can criticize a modern phone for is several times worse on its desktop equivalent.

Let’s tackle some of these myths real quick.

You might have heard plenty of times how these mobile devices were designed to track all of our movements and activities and that’s all they do. But this is a factually wrong assumption, because the exact opposite is true. If you believe this notion, you probably don’t know that Android apps have had no access to your phone’s hardware identifiers since Android 10. Or you haven’t noticed that the app permission prompts you see in pop-up dialogs on your phone are virtually non-existent on any desktop. If you go to your phone’s privacy settings, you will find plenty of toggles that allow you to harden your security and limit what data apps can access.

It’s amusing and tragic at the same time how many people suggest Linux as a privacy alternative to phones, when no such extensive privacy settings exist on pretty much any Linux distro. Even Windows has implemented more permission toggles, and that system is a data collection hub.

Threat models

Both Android and iOS were designed with a thorough threat model in mind. For example, Android’s threat model assumes your device could be stolen or the police might want to unlock it against your consent. To mitigate this threat, Android developed a secure keystore implementation that generates and stores your on-device encryption keys in tamper-resistant hardware. This hardware-bound key implementation was designed so that it’s impossible to extract your cryptographic keys without your lockscreen passcode. So not even a full kernel exploit or system compromise can access your secret keys.
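As an added illustration of what “hardware-bound” means in practice (example code written for this page, not the author’s or Google’s own), here is how an app asks the Android Keystore for a key that lives in the tamper-resistant chip and is unusable until the lockscreen credential has been presented. It assumes API level 31 or newer and a hypothetical alias `example-vault-key`.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory

// Hypothetical alias chosen for this example.
const val KEY_ALIAS = "example-vault-key"

// Generate an AES-256 key inside the Android Keystore. The key material is
// created in and never leaves secure hardware; the app only holds a handle.
fun generateVaultKey(): SecretKey {
    fun spec(strongBox: Boolean) =
        KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            // Unusable until the user authenticates; stays usable for 30 s after.
            .setUserAuthenticationRequired(true)
            .setUserAuthenticationParameters(
                30,
                KeyProperties.AUTH_DEVICE_CREDENTIAL or KeyProperties.AUTH_BIOMETRIC_STRONG
            )
            // Request the dedicated tamper-resistant chip (StrongBox).
            .setIsStrongBoxBacked(strongBox)
            .build()

    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    return try {
        generator.init(spec(strongBox = true))
        generator.generateKey()
    } catch (e: StrongBoxUnavailableException) {
        // No StrongBox on this device; fall back to the TEE-backed keystore.
        generator.init(spec(strongBox = false))
        generator.generateKey()
    }
}

// Report where the key lives. getEncoded() returns null for hardware-backed
// keys: no API path hands the raw key bytes to the app, let alone another app.
fun describeKey(key: SecretKey): String {
    val factory = SecretKeyFactory.getInstance(key.algorithm, "AndroidKeyStore")
    val info = factory.getKeySpec(key, KeyInfo::class.java) as KeyInfo
    return "securityLevel=${info.securityLevel} " +
        "authRequired=${info.isUserAuthenticationRequired} " +
        "exportable=${key.encoded != null}"
}
```

On a Pixel with StrongBox, `describeKey` reports `securityLevel` as `SECURITY_LEVEL_STRONGBOX` and `exportable=false`; any cipher operation with the key fails with `UserNotAuthenticatedException` until the lockscreen has been unlocked.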

All modern phones are encrypted by default. Most desktops don’t even offer it as an option, and those that do have no or limited mitigation against brute-force or cold boot attacks. Full-disk encryption has been abandoned since Android 7 because of its limitation of not being able to protect the encryption keys. There is virtually no protection for your desktop encryption once someone has physical access to the machine.

App permissions

Modern mobile operating systems implement defense-in-depth mechanisms that eliminate the ability of malicious software to access your sensitive data. Much of this is done via exploit mitigation, attack surface reduction and isolation. Isolation and containment are where the differences between desktop and mobile security models are most visible to the end user.

For instance, when I install a password manager app on my phone, I can reasonably assume no other app is gonna be able to access its data or log the keystrokes during password prompts. This is ensured by the application sandbox, which strictly limits how apps can communicate and share data with each other and with the system. If my password manager doesn’t expose a certain IPC mechanism, no other app can reach it. The strict permission model enforces this consent.

If I use the same password manager on my desktop machine, the only defense mechanism I have is the encryption of the password database. It’s easy for malicious apps on my desktop to steal my password database and brute force it locally. There is no permission model that would restrict other apps’ access to my password manager database.

App stores

Privacy often balances between anonymity and security. And sometimes trade-offs have to be made.

For example, the most secure way to install apps is through an official app repository. This is due to multiple reasons, mainly the app signing requirement, which makes sure the app is coming from the developer and not from an untrusted party. Various repositories also have submission checks or a vetting process that eliminates malicious knockoffs, for instance.

The problem is that the only way Google and Apple allow you to use their app stores is after you sign in with a real phone number. At best, this is gonna be pseudonymous, because it’s hard or impossible to obtain an anonymous SIM card, and phone numbers will always be tied to an approximate location. This allows app stores to collect your app usage data or, at the very least, your app list, which can be used to fingerprint you.

On Linux, on the other hand, you can also install apps from a repository, but you are not required to create an account. This is beneficial because the only identifier left is your IP address, which can be obfuscated with a VPN or Tor. But that’s where the benefits end, because Linux app stores have no permission manifests, and all Linux apps you install are immediately granted access to all user data of your logged-in account.

So while you can’t expect to be anonymous on a stock mobile app store, you are at least reasonably secure and private. On a desktop repository, you could maintain anonymity to a limited extent, but everything else is subject to a huge amount of trust in every single app you install.

Services vs platforms

Many zealots in the privacy community, if such a thing even exists, do not make a distinction between services and platforms. Android means a lot of completely unrelated things to a lot of different people. But in reality, Android is just a free and open source mobile operating system. It has no Google apps or services, no pre-installed bundles or bloatware. It’s a very clean and user-friendly operating system that’s available for everyone for free.

It’s important to make this distinction, because it’s possible to use an Android device without any privacy-invasive apps and services. Android’s model allows for it.

Android is private and safe by default. It’s best if you can use it without privacy-invasive services, such as the Google Play Store. This is best achieved on GrapheneOS. But even if you can’t use your phone without them, not all is lost. You should still go through the privacy settings of each of these services and disable all the collection you are not comfortable with. What’s neat is that even stock Android allows you to create multiple user profiles. You can use these profiles to compartmentalize your online identities and have separate profiles for work, personal life, and online banking and shopping, for instance. Much of your privacy depends on how you use the tools at your disposal.

iOS vs Android

Another common misconception that’s extremely damaging yet too popular is that iPhones are just inherently more private and secure than any and all Android phones. But this, again, is not true. There is nothing that iPhones do fundamentally differently than Android phones when it comes to protecting your private data on your phone, especially protecting it from third-party data collection. The “What happens on your iPhone stays on your iPhone” campaign is disgustingly misleading. Android protects your data just as well as iOS. Where iPhones generally fare better is security updates, which are important. But more and more Android vendors are starting to catch up, especially Pixel phones, which in many cases beat iPhones in hardware security.

If you are buying a phone for privacy, Pixel phones from Google or the latest-generation iPhones are gonna be your best bet. Pixel phones will let you go miles further than iPhones if you decide to flash GrapheneOS on them. That way your phone will be significantly protected against even unknown vulnerabilities and 0-day exploits, and it will completely anonymize your device.

But other than that, this whole myth that iOS is just infinitely more secure or private than Android reflects a gross lack of understanding of the security models of these systems.

Unparalleled security

Mobile operating systems are constantly improving their security with every new release. Their ultimate goal is to make individual vulnerabilities impossible to exploit and increase the number of vulnerabilities required to bypass the security model.

It usually takes a chain of exploits to hack a mobile device, whether via physical access or remote code execution.

The market prices for zero-day exploits illustrate vividly how far ahead phones are of desktops. Android exploits are currently the most expensive ones, followed by iOS exploits, both costing millions of dollars. Compare that to desktop exploits and you’ll immediately see the difference. It’s night and day.

More privacy shouldn’t come at the cost of security. Phones aren’t gonna be perfectly private out of the box. There is still plenty of hardening left to do. But the base features of mobile security are years, if not decades, ahead of desktop OSes.

It’s easier to take advantage of mobile security while understanding where you need to take steps to safeguard your privacy than to blindly trust far inferior desktop systems that offer no substantial defenses.

Comments

1) I am gonna be doing dedicated videos on GrapheneOS so this is not meant to cover it all.

2) That doesn't make sense. Android implements the key store in dedicated tamper-resistant hardware that is resistant to all known key extraction attacks. It is virtually impossible to authorize key use without user authentication. No such protection exists on a desktop. Android has full verified boot which, among many other threats, protects device data against physical manipulation of the OS installation. Any tampering requires unlocking the boot loader, which wipes all phone data. This doesn't exist on any desktop either. So I am not sure if your point was about something else, but phones are much more physically secure than desktops.

3) That wouldn't work because hardware keys authenticate websites both ways. Phishing attacks don't work with hardware tokens, but they do work with OTP-based 2FA and passwords.

4) No. My latest episode covers this. Linux offers no substantial security properties, no app isolation, no kernel isolation, no verified boot, nothing. Android has a strict SELinux policy of default-deny on top of a strong application sandbox enforced by the kernel and implemented in Unix UID permissions and Android permissions. These are non-existent on desktop Linux. Attack surface on Linux is greater because all apps are allowed full access of the logged-in user. This is not an issue on Android.

The Hated One

Hey, info on the web about work profiles is a bit confusing, especially for a Samsung device. If you can elaborate on that in the upcoming video, that would be great.

Definitely sounds like a great topic. Saves me so much time when you do an in-depth analysis on something so I don't have to. I did note a few things in the script that maybe I can save *you* some time researching. Notes:

1) Script should probably separate GrapheneOS from Android+Carrier+Mfgr+Gapps, as their security differences are night and day... yet most people have Carrier+Mfgr+Gapps. Even newer changes like finally getting rid of hardware identifiers are nearly useless in a hardware fingerprinting world.

2) Most every physical security problem a desktop has, a phone has worse. (Re: hardware keys, secure boot, disk encryption, etc.) As the old IT department adage goes: If you ain't got physical security, you ain't got nothing.

3) Hardware keys are juicy prey for many easy attacks, like a fake lock screen. Off-device hardware key fobs are somewhat better, but far from secure against even just a computer virus.

4) Phones are inherently less secure than desktop Linux (in a well-configured system), because of the systemic lack of observability and control of nearly *everything that is critically important*, and added to that, phones have a huge attack surface: bt/ant/wifi/mic/speaker/ota/gyro/accelerometer/fingerprint/etc... the list of leaks/break-ins is long. Of course, as you noted, most people don't have their desktop configured properly. But it can be done, just like choosing a GrapheneOS phone can be done.

One point that you alluded to, that I really liked, and really struck me, was how much easier it is to just buy a GrapheneOS phone than to get any other system of any type set up for a similar level of security. Looking forward to the video! :)

Peter
