Mobile phone security is a very popular topic in public discourse, with many companies offering quick fixes. However, there are countless attack vectors and, while possible in principle, it is nearly impossible to defend against all of them. We intend to give a comprehensive overview, show known attack vectors and vulnerabilities, and give best practices to counter or even neutralize these threats. Total protection, however, would require the user to be extremely disciplined and to change their entire habits regarding mobile phones.
== Mobile Device Backdoors in Most Phones, Tablets, etc. ==
{{Anchor|baseband_backdoor}}<font size=-3>[[#baseband_backdoor]]</font>
Quote Hugo Landau, OpenSSL developer, [https://www.devever.net/~hl/nosecuresmartphone There are no secure smartphones.] (<u>Underline</u> added. <b>Bold</b> added.):
<blockquote>This is a simple fact which is overlooked remarkably often.
Modern smartphones have a CPU chip, and a baseband chip which handles radio network communications (GSM/UMTS/LTE/etc.) This chip is connected to the CPU via DMA. Thus, unless an IOMMU is used, the <u>baseband has full access to main memory, and can compromise it arbitrarily</u>.
<u>It can be safely assumed that this baseband is highly insecure.</u> It is closed source and probably not audited at all. My understanding is that the genesis of modern baseband firmware is a development effort for GSM basebands dating back to the 1990s during which the importance of secure software development practices were not apparent. In other words, and my understanding is that this is borne out by research, this firmware tends to be extremely insecure and probably has numerous remote code execution vulnerabilities.
<u>Thus, no smartphone can be considered secure against an adversary capable of compromising the radio link (called the Um link). This includes any entity capable of deploying Stingray-like devices, or any entity capable of obtaining control of a base station, whether by hacking or legal or other coercion.
It would, in my view, be abject insanity not to assume that half a dozen or more nation-states (or their associated contractors) have code execution exploits against popular basebands in stock.</u>
<b>So long as basebands are not audited, and smartphones do not possess IOMMUs and have their operating systems configure them in a way that effectively mitigates the threat, no smartphone can be trusted for the integrity or confidentiality of any data it processes.</b>
This being the case, the quest for “secure” phones and “secure” communications applications is rather bizarre. There are only two possible roads to a secure phone: auditing baseband or using an IOMMU. There can't even begin to be a discussion on secure communications applications until the security of the hardware is established.</blockquote>
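The precondition named in the quote, an IOMMU between DMA-capable peripherals and main memory, can be verified on a Linux host. The audit below is an added example written for this page, not code from Hugo Landau's article: it reads the kernel's sysfs layout (<code>/sys/kernel/iommu_groups</code> and each PCI device's <code>iommu_group</code> link) and lists devices the kernel has not attached to any IOMMU group. The sample tree it builds is constructed. Stock phone operating systems do not expose this to the user, so the check applies to laptops, desktops and similar Linux machines, where the same DMA concern exists.

```python
"""Audit which PCI devices a Linux kernel has placed behind an IOMMU.

Added example for this wiki page (not from the quoted article). The kernel
exposes IOMMU groups under /sys/kernel/iommu_groups/<n>/devices/ and, for
every PCI device, a symlink /sys/bus/pci/devices/<addr>/iommu_group. A
device without that link is not behind an IOMMU: its DMA engine can reach
any physical address, which is the situation the quote describes for
basebands. The sysfs root is a parameter so the audit can also run against
the constructed sample tree below.
"""
import os
import tempfile
from dataclasses import dataclass, field

PCI_DEVICES = "bus/pci/devices"
IOMMU_GROUPS = "kernel/iommu_groups"


@dataclass
class IommuReport:
    iommu_active: bool = False                       # any IOMMU group exists at all
    protected: dict = field(default_factory=dict)    # device address -> group id
    unprotected: list = field(default_factory=list)  # devices with no IOMMU group


def audit_iommu(sysfs_root: str = "/sys") -> IommuReport:
    """Classify every PCI device under sysfs_root as IOMMU-protected or not."""
    report = IommuReport()
    groups_dir = os.path.join(sysfs_root, IOMMU_GROUPS)
    report.iommu_active = os.path.isdir(groups_dir) and bool(os.listdir(groups_dir))
    devices_dir = os.path.join(sysfs_root, PCI_DEVICES)
    if not os.path.isdir(devices_dir):
        return report  # no PCI bus exposed, or not a Linux sysfs tree at all
    for dev in sorted(os.listdir(devices_dir)):
        link = os.path.join(devices_dir, dev, "iommu_group")
        if os.path.exists(link):
            # The link target is .../iommu_groups/<n>; <n> is the group id.
            report.protected[dev] = os.path.basename(os.path.realpath(link))
        else:
            report.unprotected.append(dev)
    return report


def make_constructed_sysfs(root: str) -> str:
    """Build a constructed sysfs-like tree: two devices in groups, one without.

    Device addresses and group numbers are made up for the example.
    """
    for dev, group in (("0000:00:1c.0", "5"), ("0000:02:00.0", "12")):
        group_dir = os.path.join(root, IOMMU_GROUPS, group, "devices")
        dev_dir = os.path.join(root, PCI_DEVICES, dev)
        os.makedirs(group_dir, exist_ok=True)
        os.makedirs(dev_dir, exist_ok=True)
        os.symlink(os.path.join(root, IOMMU_GROUPS, group),
                   os.path.join(dev_dir, "iommu_group"))
        os.symlink(dev_dir, os.path.join(group_dir, dev))
    # A device the kernel did not attach to any IOMMU group.
    os.makedirs(os.path.join(root, PCI_DEVICES, "0000:03:00.0"), exist_ok=True)
    return root


def demo() -> IommuReport:
    """Run the audit against the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_iommu(make_constructed_sysfs(tmp))


if __name__ == "__main__":
    for label, rep in (("constructed tree", demo()), ("this host", audit_iommu())):
        print(f"{label}: iommu_active={rep.iommu_active}")
        print("  protected  :", rep.protected)
        print("  unprotected:", rep.unprotected)
```

Any device that lands in <code>unprotected</code> while <code>iommu_active</code> is true is worth a look in the firmware settings or kernel command line; if <code>iommu_active</code> is false on a machine with a radio or other DMA-capable peripheral, the quote's concern applies to that machine in full.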
Quote [https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor Replicant developers find and close Samsung Galaxy backdoor]:
<blockquote>While working on Replicant, a fully free/libre version of Android, we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system.</blockquote>
<blockquote>Today's phones come with two separate processors: one is a general-purpose applications processor that runs the main operating system, e.g. Android; the other, known as the modem, baseband, or radio, is in charge of communications with the mobile telephony network. This processor always runs a proprietary operating system, and these systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device. The spying can involve activating the device's microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator's network, making the backdoors nearly always accessible.
It is possible to build a device that isolates the modem from the rest of the phone, so it can't mess with the main processor or access other components such as the camera or the GPS. Very few devices offer such guarantees. In most devices, for all we know, the modem may have total control over the applications processor and the system, but that's nothing new.</blockquote>
<blockquote>Replicant does not cooperate with backdoors, but if the modem can take control of the main processor and rewrite the software in the latter, there is no way for a main processor system such as Replicant to stop it.</blockquote>
See also [https://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor Samsung Galaxy back-door].
== Data Harvesting by Most Phones ==
=== Espionage Data Harvesting ===
[https://apnews.com/828aefab64d4411bac257a07c1af0ecb/AP-Exclusive:-Google-tracks-your-movements,-like-it-or-not AP Exclusive: Google tracks your movements, like it or not]:
<blockquote>Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.
An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.
Computer-science researchers at Princeton confirmed these findings at the AP’s request.</blockquote>
Quote <ref name=research-paper-one>The research paper https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf is about contact tracing apps, but its analysis of Google Play Services, which runs by default on all stock Android devices, applies with or without any installed contact tracing apps.</ref>:
<blockquote>Google therefore gathers detailed, fine-grained information on how the handset is being used and can link this data to the handset hardware, SIM and user email. When combined with the fine-grained location tracking via IP address made possible by the frequent nature of the requests Google Play Services makes to Google servers its hard to imagine a more intrusive data collection setup.</blockquote>
In the research paper [https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pdf Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets], extensive default data harvesting was observed even when users selected the highest privacy settings:
<div class="use-2-columns strict-list-columns mw-collapsible-content">
* what apps are used and when,
* what app screens are viewed,
* a time history of the app windows viewed
* timing and duration of phone calls, SMS texts
* logs when the keyboard is used within an app
* <u>undeletable apps:</u> some non-essential apps are undeletable.
* <u>forced autostart:</u> some non-essential apps are automatically started in the background without user consent or awareness. <ref>
<blockquote>It is worth noting that much of the functionality of the Android OS is provided by so-called system apps. These are privileged pre-installed apps that the OS developer bundles with the OS. System apps cannot be deleted (they are installed on a protected read-only disk partition) and can be granted enhanced rights/permissions not available to ordinary apps such as those that a user might install. It is common for Android to include pre-installed third-party system apps, i.e. apps not written by the OS developer. One example is the so-called GApps package of Google apps (which includes Google Play Services, Google Play store, Google Maps, Youtube etc). Other examples include pre-installed system apps from Microsoft, LinkedIn, Facebook and so on. We intercept and analyse the data traffic sent by the Android OS, including by pre-installed system apps, in a range of scenarios.</blockquote></ref>
** Examples: Google Play Services, Google Play store, Google Maps, Youtube, etc. Other examples include pre-installed system apps from Microsoft, LinkedIn, Facebook.
** <u>These undeletable applications, forcibly autostarted in the background, phone home to their vendor and leak data.</u>
* <u>hardware identifiers:</u> IMEI, the hardware serial number, the SIM serial number, the WiFi MAC address, and the user email address. These are all long-lived identifiers that do not change between reinstalls of an app or even a factory reset of the handset.
* <u>The list of installed apps:</u> <blockquote>Potentially sensitive information since it can reveal user interests and traits, e.g. a muslim prayer app, an app for a gay magazine, a mental health app, a political news app.</blockquote>
* <u>Unknown data harvesting:</u> <blockquote>On all of the other handsets the Google Play Services and Google Play store system apps send a considerable volume of data to Google, the content of which is unclear, not publicly documented and Google confirm there is no opt out from this data collection.</blockquote>
* <u>Extent of data harvesting intentionally hidden from researchers through code obfuscation:</u> <blockquote>This has also been observed in other recent studies [https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf (6)], which also note the opaque nature of this data collection (no documentation, binary encoded payloads, obfuscated code).</blockquote>
Quote <ref name=research-paper-one />:
<blockquote>Recall that as far as we can tell this data collection is enabled simply by installing Google Play Services, even when all other Google services and settings are disabled.</blockquote>
Apple iPhone iOS also harvests lots of private information. See research paper [https://www.scss.tcd.ie/doug.leith/apple_google.pdf Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google].
<blockquote>the lack of an opt out from this data collection seems in conflict with GDPR.</blockquote>
* https://therecord.media/google-collects-20-times-more-telemetry-from-android-devices-than-apple-from-ios/
* https://digitalcontentnext.org/blog/2018/08/21/google-data-collection-research/
* https://digitalcontentnext.org/wp-content/uploads/2018/08/DCN-Google-Data-Collection-Paper.pdf
=== Inescapable Data Harvesting ===
<blockquote>No opt-out. As already noted, this data collection occurs even though privacy settings are enabled. Handset users therefore have no easy opt out from this data collection.</blockquote>
The study was run under fair conditions. Quote:
<blockquote>We assume a privacy-conscious but busy/non-technical user, who when asked does not select options that share data but otherwise leaves handset settings at their default value. This means that the user has opted out of diagnostics/analytics/user experience improvement data collection and has not logged in to an OS vendor user account. The user also does not make use of optional services such as cloud storage, find my phone etc. Essentially, the handset is just being used to make and receive phone calls and texts. This provides a baseline for privacy analysis, and we expect that the level of data sharing may well be larger for a less privacy-conscious user and/or a user who makes greater use of the services on a handset.</blockquote>
Phone operating systems should provide privacy by default. The user should not be required to pick the most private option in a long series of questions during first-time setup. But even when users chose the best privacy settings, extensive data harvesting was found.
=== Extensive Data Collection Is Unnecessary ===
Extensive data collection by a mobile operating system is not necessary for it to function. Quote:
<blockquote><code>/e/OS</code> collects almost no data</blockquote>
<blockquote>However, it is hard to justify the necessity of such data collection, i.e. that users should have no opt-out, when two mobile OSes adopt an opt-in approach.</blockquote>
<blockquote>Finally, it is worth noting that it is hard to see why data collection for diagnostics cannot be carried out in a fully anonymous manner, without any use of long-lived identifiers.</blockquote>
This is not an endorsement because <code>/e/OS</code> has not been fully reviewed on this wiki yet. See also [[Mobile_Operating_System_Comparison#/e/|/e/]].
Quote [https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pdf Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets]:
<blockquote>Recording of user interactions with handset. System apps on several handsets upload details of user interactions with the apps on the handset (what apps are used and when, what app screens are viewed, when and for how long). The effect is analogous to the use of cookies to track users across web sites. On the Xiaomi handset the system app com.miui.analytics uploads a time history of the app windows viewed by the handset user to Xiaomi servers. This reveals detailed information on user handset usage over time, e.g. timing and duration of phone calls. Similarly, on the Huawei handset the Microsoft Swiftkey keyboard (the default system keyboard) logs when the keyboard is used within an app, uploading to Microsoft servers a history of app usage over time. Again, this is revealing of user handset usage over time e.g. writing of texts, use of the search bar, searching for contacts. Several Samsung system apps use Google Analytics to log user interactions (windows viewed etc). On the Xiaomi and Huawei handsets the Google messaging app (the system app used to send and receive SMS texts) logs user interactions, including when an SMS text is sent. In addition, with the notable exception of the /e/OS handset, Google Play Services and the Google Play store upload large volumes of data from all of the handsets (at least 10× that uploaded by the mobile OS developer). This has also been observed in other recent studies [https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf (6)], which also note the opaque nature of this data collection.</blockquote>
<blockquote>Details of installed apps. Samsung, Xiaomi, Realme, Huawei, Heytap and Google collect details of the apps installed on a handset. Although less worrisome than tracking of user interactions with apps, the list of installed apps is potentially sensitive information since it can reveal user interests and traits, e.g. a muslim prayer app, an app for a gay magazine, a mental health app, a political news app. It also may well be unique to one handset, or a small number of handsets, and so act as a device fingerprint (especially when combined with device hardware/system configuration data, which is also widely collected). See, for example, [https://www.usenix.org/system/files/sec19-pham.pdf (9)], [https://dl.acm.org/doi/10.1145/3387905.3388594 (10)] for recent analyses of such privacy risks and we note that in light of such concerns, Google recently introduced restrictions on Play Store apps collection of this type of data, but such restrictions do not apply to system apps since these are not installed via the Google Play store.</blockquote>
<blockquote>Who Is Collecting Data?
1) Mobile OS Developers: We observe that Samsung, Xiaomi, Realme and Huawei all collect data from user handsets, despite the user having opted out of data collection/telemetry/analytics and making no use of services offered by these companies. This data is tagged with long-lived identifiers that tie it to the physical device, including across factory resets.</blockquote>
<blockquote>2) Pre-installed Third-Party System Apps: System apps are pre-installed on the /system partition of the handset disk. Since this partition is read-only, these apps cannot be removed. They are also privileged in the sense that they can be assigned permissions without needing user consent, be silently started, etc.</blockquote>
<blockquote>The Samsung handset studied also contains pre-installed system apps from Microsoft that send handset telemetry data to mobile.pipe.aria.microsoft.com, app.adjust.com (a third-party analytics company) and use Firebase push messaging. A LinkedIn (now owned by Microsoft) system app also sends telemetry to www.linkedin.com/li/track. This third-party data collection occurs despite no Microsoft/LinkedIn apps ever having been opened on the device, and no popup or request to send data was observed.</blockquote>
<blockquote>In addition to mobile operator system app sharing data on the Xiaomi handset, a pre-installed Facebook app collects data.</blockquote>
<blockquote>3) Google System Apps (GApps):</blockquote>
<blockquote>It is known that Google Play Services and the Google Play store send large volumes of handset data to Google and collect long-lived device identifiers, although until recently there has been a notable lack of measurement studies (see [https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf (6)], [https://www.scss.tcd.ie/doug.leith/apple_google.pdf (16)]). Other Google apps such as YouTube and Gmail also send handset data and telemetry to Google. It is worth noting that the volume of data uploaded by Google is considerably larger than the volume of data uploaded to other parties.</blockquote>
<blockquote>Recall that this is despite the “usage & diagnostics” option being disabled for Google services on all handsets (and also the diagnostics/analytics options also being disabled for the mobile OS developers, see Section IV-B). Note however that from a privacy viewpoint it is not the volume of data that is primarily of concern, but rather the contents of that data and the frequency with which it is sent.</blockquote>
'''Figure:''' ''Data harvesting with settings already configured for highest privacy''
[[File:data collection summary.jpg]]
With such an extreme amount of data harvesting ongoing that cannot be disabled, it was difficult for the author of this wiki page to decide which quotes are the most relevant and which practices the most intrusive. Readers may want to read the research paper [https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pdf Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsets] themselves for more detail.
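The papers quoted above establish data collection by intercepting handset traffic and looking for long-lived identifiers (IMEI, serial numbers, WiFi MAC address, email) that survive a factory reset. The analyser below is an added example written for this page, not code from the researchers. It assumes the uploads have already been intercepted and decoded into records of the form <code>{"session", "host", "payload"}</code>, for instance exported from a MITM proxy, with one factory reset separating the two sessions; the records it contains are constructed. Values are classified by shape (IMEI by length and Luhn check, MAC, email, UUID-style opaque ids) rather than by field name, since the papers note that payloads are undocumented and binary encoded, and the second function reports which identifier values each destination received in both the pre-reset and post-reset sessions, which is exactly what makes an identifier "long-lived".

```python
"""Flag long-lived identifiers in intercepted handset uploads.

Added example for this wiki page, not code from the quoted papers. It assumes
the handset's uploads were intercepted and decoded into records of the form
{"session": ..., "host": ..., "payload": {...}} (for instance exported from a
MITM proxy) and that one factory reset separates the two sessions.
"""
import re
from collections import defaultdict

IMEI_RE = re.compile(r"^\d{15}$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which a real IMEI satisfies (its last digit is a check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str):
    """Return the identifier class of one payload value, or None."""
    if IMEI_RE.match(value) and luhn_valid(value):
        return "imei"           # hardware identifier, survives factory reset
    if MAC_RE.match(value):
        return "mac"            # WiFi MAC address, survives factory reset
    if EMAIL_RE.match(value):
        return "email"          # ties the device to a person
    if UUID_RE.match(value):
        return "opaque_id"      # may be resettable (e.g. advertising id)
    return None


def identifiers_per_host(uploads):
    """Map each destination host to the identifier classes it received."""
    found = defaultdict(set)
    for u in uploads:
        for v in u["payload"].values():
            kind = classify_value(str(v))
            if kind:
                found[u["host"]].add(kind)
    return dict(found)


def survives_reset(uploads, before="before_reset", after="after_reset"):
    """Identifier values a host received both before and after the factory reset.

    Such a value lets the recipient link the two sessions to the same handset,
    which is what makes IMEI, serial and MAC addresses long-lived identifiers.
    """
    seen = defaultdict(lambda: defaultdict(set))   # host -> session -> {(kind, value)}
    for u in uploads:
        for v in u["payload"].values():
            kind = classify_value(str(v))
            if kind:
                seen[u["host"]][u["session"]].add((kind, str(v)))
    linked = {host: s[before] & s[after] for host, s in seen.items()}
    return {host: vals for host, vals in linked.items() if vals}


# Constructed sample: a vendor telemetry endpoint receives the IMEI and WiFi MAC
# in both sessions, an analytics endpoint gets an advertising id that changed
# after the reset, and the SMS app endpoint sends only event data.
CONSTRUCTED_UPLOADS = [
    {"session": "before_reset", "host": "telemetry.vendor.example",
     "payload": {"did": "490154203237518", "w": "3c:71:bf:12:34:56", "ev": "screen_view"}},
    {"session": "before_reset", "host": "analytics.thirdparty.example",
     "payload": {"aid": "1b4e28ba-2fa1-11d2-883f-0016d3cca427", "apps": "com.example.news"}},
    {"session": "after_reset", "host": "telemetry.vendor.example",
     "payload": {"did": "490154203237518", "w": "3c:71:bf:12:34:56", "ev": "app_start"}},
    {"session": "after_reset", "host": "analytics.thirdparty.example",
     "payload": {"aid": "7d2c6f30-9a21-4c3e-8a5b-0f1e2d3c4b5a", "apps": "com.example.news"}},
    {"session": "after_reset", "host": "sms.example",
     "payload": {"ev": "sms_sent", "ts": "2022-03-01T10:00:00Z"}},
]

if __name__ == "__main__":
    for host, kinds in identifiers_per_host(CONSTRUCTED_UPLOADS).items():
        print(f"{host}: receives {sorted(kinds)}")
    for host, vals in survives_reset(CONSTRUCTED_UPLOADS).items():
        print(f"{host}: linkable across factory reset via {sorted(vals)}")
```

In the constructed sample the advertising id is flagged as an identifier but drops out of the <code>survives_reset</code> report because its value changed with the reset; the IMEI and MAC address do not, which is the distinction the papers draw between resettable and long-lived identifiers.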
== Data Harvesting by Most Apps ==
The following is an incomplete list of popular articles exposing the massive data harvesting by countless apps.
* https://mashable.com/article/facebook-android-phone-call-data-gathering
* https://arstechnica.com/information-technology/2018/03/facebook-scraped-call-text-message-data-for-years-from-android-phones/
* https://www.techspot.com/news/78062-many-most-popular-android-apps-illegally-sending-data.html
* https://www.bleepingcomputer.com/news/security/android-apps-with-45-million-installs-used-data-harvesting-sdk/
== Advanced Mobile Phone Spyware ==
Recent revelations highlight that advanced mobile phone spyware (Pegasus) poses a serious surveillance threat. Quote [https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones The Guardian: What is Pegasus spyware and how does it hack phones?]:
<blockquote>It is the name for perhaps the most powerful piece of spyware ever developed – certainly by a private company. Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met. ... Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix. ... Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes.</blockquote>
Contrary to propaganda from NSO Group, which develops the tool, Pegasus is already in use by many governments worldwide, posing a significant threat to journalists, human rights defenders, political opponents, businesspeople, heads of state and NGOs, among others. <ref>
https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/
</ref> [https://citizenlab.ca/ The Citizen Lab] has analyzed various NSO zero-day, zero-click exploits and accurately describes their flagrant breaches of international human rights law: <ref>
https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
<blockquote>Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating “despotism-as-a-service” for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.</blockquote></ref>
The Pegasus threat shows that even the most security-conscious individuals cannot prevent such attacks; those at high risk should therefore limit the use of mobile phones for sensitive activities whenever possible.
For further in-depth detail see:
* [https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/ Forensic Methodology Report: How to catch NSO Group’s Pegasus]
* [https://citizenlab.ca/2021/07/amnesty-peer-review/ Independent Peer Review of Amnesty International’s Forensic Methods for Identifying Pegasus Spyware]
* [https://techcrunch.com/2021/07/19/toolkit-nso-pegasus-iphone-android/ This tool tells you if NSO’s Pegasus spyware targeted your phone]
* [https://forbiddenstories.org/case/the-pegasus-project/ Forbidden Stories: The Pegasus Project]
* [https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/ NSO Group iMessage Zero-Click Exploit Captured in the Wild]
* [https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/ New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts]
== Mobile Devices Hardware Risks ==
Since [https://arxiv.org/pdf/1907.05972.pdf motion sensors (accelerometer) can be turned into microphones], these are a risk too. Quote [https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking/ Wired: Mobile Websites Can Tap Into Your Phone's Sensors Without Asking:] <blockquote>Mobile apps need explicit permission to access your smartphone's motion and light sensors. Mobile websites? Not so much.</blockquote>
[[#Advanced Mobile Phone Spyware|Advanced Mobile Phone Spyware]] shows the risks introduced by mobile devices.
* A compromised mobile device could turn on the microphone and eavesdrop without any [[Malware and Firmware Trojans#Valid_Compromise_Indicators_versus_Invalid_Compromise_Indicators|compromise indicator]] noticeable by the user.
** Obviously the microphone of a compromised phone can be used for eavesdropping, see [[Hardware_Threat_Minimization#Microphones|microphones warning]].
** Since [[Hardware_Threat_Minimization#Speakers|speakers can be turned into microphones]], these are a risk too.
** The audio leakage from keyboard typing can be used to infer the words up to a certain degree of accuracy. This might reveal [[Passwords|passwords]].
* Similar risks exist for the in-built cameras (front camera and back camera), see also [[Hardware_Threat_Minimization#Webcams|webcams warning]].
* All content on the mobile phone can potentially be exfiltrated, including contacts, media, messages and documents.
* All browsing and communications history can potentially be monitored.
* Location data and history might be accessed by adversaries.
* Any other data or activities on the mobile phone is at risk of access/exfiltration.
In 2014, Joanna Rutkowska, security researcher and founder of Qubes OS, removed all microphones and cameras from her smartphone (an iPhone) and posted a photo, see [https://twitter.com/rootkovska/status/547496843291410432 @rootkovska (on twitter.com)] ([https://nitter.net/rootkovska/status/547496843291410432 nitter]). Eight years later, at the time of updating this wiki page in 2022, it has unfortunately become clear that the speaker and the motion sensors would also have to be removed for hopefully full eavesdropping protection, something nobody could have predicted then.
Mitigations are documented in chapter [[#Best Practices|Best Practices]].
== Hacks of Telecommunication Providers ==
Advanced spyware is not the only risk facing users of mobile devices. In late 2021 it was revealed that state-level adversaries have hacked a number of telecommunication providers, with a persistent presence since at least 2016: <ref>https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/</ref>
<blockquote>
* LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.
* Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.
* The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.
* CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.</blockquote>
The CrowdStrike intelligence report confirms that advanced tooling is currently capable of infiltrating various telecommunications companies while remaining undetected for long periods. This has allowed retrieval of highly sensitive information such as call metadata, subscriber details, telephone numbers, GPS location and other data, as well as enabling the fingerprinting of devices. As the investigation revealed, core parts of mobile networks are managed by third parties, with limited evaluation and monitoring of security controls on core network systems, so little faith should be placed in the security of available infrastructure to protect against advanced threats.