Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Mobile device security researches discuss frank ractual results on hacking iOS & Android devices (i.e., definitely not marketing bullshit here)

5 views
Skip to first unread message

Arlen Holder

unread,
Feb 29, 2020, 9:44:58 AM2/29/20
to
Dateline a few hours ago...

Tom's Guide gave a synopses of security researcher's frank comments.
<https://www.tomsguide.com/news/mobile-auth-app-hack-rsa20>

"Security researcher says to 'stop buying' Samsung phones"
'[German phone hacker] Karsten Nohl showed that Samsung was faking
device updates last year' Turner said. 'Stop buying their stuff.'"

"The only form of two-factor authentication without security problems
right now, Turner said, is a hardware security key such as a Yubikey
or Google Titan key"

"Fingerprint readers are biometric toys."

"Asked about biometric authentication such as fingerprint readers and
facial recognition, Weidman said that it's 'better than nothing when
used in addition to passwords.'"

"'"You don't want the risk associated with 32-bit iOS,' said Turner,
adding that you should use only iPhones that can run iOS 13."

"And don't think iOS devices are safer than Android ones - they're not.
There are just as many known exploits for either one"

"'We charge three times as much for an Android pentest than we charge
for an iOS one' Turner said, referring to an exercise in which hackers
are paid by a company to try to penetrate the company's security.
'Fully patched Android is more difficult to go after'"

"The iPhone's Secure Enclave offers some additional security, but the
authenticator apps aren't using those elements, said Weidman.
iOS is still good, but Android's [security-enhanced] SELinux is
the bane of [the] existence [of] someone who's building exploits."

"The problem is that if an attacker or a piece of mobile malware
can get into the kernel of iOS or Android, then it can do anything
it wants, including presenting fake authenticator-app screens."

"Apps like Google Authenticator are only as safe as the devices
they run on"

"'What could possibly go wrong when installing a user-mode application
with sensitive cryptographic key materials on a platform with kernel
vulnerabilities?' Turner asked rhetorically."
--
Two kinds of people are on Usenet: Those who add value & those who can't.



nospam

unread,
Feb 29, 2020, 10:07:55 AM2/29/20
to
In article <r3dtd9$89i$1...@news.mixmin.net>, Arlen Holder
<arlen.geo...@is.invalid> wrote:

> "'"You don't want the risk associated with 32-bit iOS,' said Turner,
> adding that you should use only iPhones that can run iOS 13."

ios isn't 32 bit anymore.

64 bit appeared with ios 7, more than six years ago, and with ios 11,
everything is 64 bit.

he cites an example with an iphone 4 that was supposedly exploited (no
details given, so nothing to verify). that's a device that's a few
months short of a decade old. hardly a good example.

he claims that fingerprint sensors are bad because someone's finger was
chopped off to spoof a sensor on their car, yet he carries two
yubikeys, which are *much* easier to steal, no chopping required.

also, modern fingerprint sensors require a finger that's alive, and a
chopped off finger is not that. it might work for a minute or two after
being chopped but it will soon stop.

it's also not a common scenario. if someone finds a phone on the
street, there won't be a finger to chop.

stealing a yubikey is not only easier and less messy, but it will last
a lot longer.

Arlen Holder

unread,
Feb 29, 2020, 12:39:24 PM2/29/20
to
On Sat, 29 Feb 2020 10:07:54 -0500, nospam wrote:

> 64 bit appeared with ios 7, more than six years ago, and with ios 11,
> everything is 64 bit.

Hi nospam,
I think the important main cross platform security takeaway is thus...

"*Don't think iOS devices are safer than Android ones - they're not*.
*There are just as many known exploits for either one*"

As I've always said, privacy/security is a long chain of many links where
OEMs may loudly and incessantly tout the very few links where they're
strong, but they also ignore their very many links which are weak.

Anyone who claims one platform is more secure than the other is simply
spouting what the OEM marketing organization fed them to believe, usually
by cherry picking a single strong link of the very long chain of many weak
links (which the OEM is glad to brilliantly advertise).

Hence, I wasn't surprised about the glut of iOS exploits nor the security
of a fully patched Android (if that even exists in the wild); but I was
surprised that Samsung, and others, apparently faked security updates:
o Android Phone Makers Caught Fibbing About Security Patches
<https://www.tomsguide.com/us/android-patch-gap,news-26970.html>

That makes those Android OEMs no better than Apple in terms of sleazy lies.
--
Neither the Android nor the Apple OEMs are anywhere near private/secure.
0 new messages