One of the Tor Project developers, Mike Perry, has documented the difficulties in securing a mobile device. If you haven’t thought this through, here’s likely how it would go:
- You don’t use iOS. Apple has backdoors installed by design and don’t listen to press releases that tell you otherwise
- You could use a cryptophone. This was a great idea for a time when nothing else existed but unless you have a friend with another cryptophone, and a large wallet, it’s not happening.
- You could use a Neo900. This is not a bad idea but it’s just not keeping up with the times.
- Well I’ll just lock down Android or a Linux device and make it ultra secure. Ok. Now you’re on the same page but here’s why that’s so hard:
If you go back to 2014, Tor Project’s blog post first documented the dire state of mobile security. In short, Android has a lot of fantastic security features maligned with a variety of horrific privacy deal-breakers.
Why do we need a mobile device
OPSEC is not just restricting what you do and how you act, it’s also coming up with solutions to figure out how to do things securely. We can’t apply a unilateral security policy on other people or simply say “Nope. You can’t do that.” There simply are people that need to be able to do things that may be risky. It’s our job to learn about technology so that we can figure out ways to do what we need to do while taking OPSEC into account.
Mobile is the best example of this problem. Mobile devices give us a powerful way of staying connected but we all know that a mobile device is basically a tracking device you willingly put in your pocket (and even worse than that). This dichotomy of liberation technology and privacy abandonment is a perfect example of the OPSEC struggle.
What can Android offer
Android is not just a Linux computer in your pocket like many recite. Android is the most secure Linux environment whether or not it’s in your pocket… but is also backdoored. Consider whether your Linux distro of choice supports these features:
- Sandboxed isolation for every running application
- Hardware backed, forensic-resistant storage location for keys and passwords.
- Verification for all system partitions at boot
- Controlled application inter-process communication mechanism
- Egress firewall controls and alerts
- Controls over what an application can have access to
This checklist outlines many of the goals for Subgraph OS.
What are Android’s problems
This is much harder to list. There are a ton of problems built into Android’s core that need to be addressed.
- Baseband: all cellular devices have a baseband and no one knows what it does. This baseband can transmit your location and, even worse, has the ability to be a complete backdoor into the system.
- Network controls: Android’s base OS has no egress filtering. Any application that has received the appropriate permissions can access any remote host.
- Authentication controls: Having a strong password on a laptop is easier than on a touch screen interface. So users will end up choosing numeric pins to protect sensitive data.
- Google: Just the fact that in the end Google controls all of the code and the devices but promises to release it in itself is a risk.
- Others: Google Play Store, WiFi scanning, binary blobs, vulnerable Linux kernels, … the list goes on.
What’s the answer
Mike Perry outlines the problems and provides a less bleak perspective on the state of mobile thanks to Copperhead OS, the secure from-the-ground-up Android OS. Copperhead addresses many of the items above in itself. If you have a supported device, I suggest you take a look at flashing Copperhead today.
The result is a phone:
- Anonymously routed through tor and enforced at the firewall/Netfilter level
- Modern Linux kernel with GRSEC PAX protections built in
- Firewall that grants users control over what an application can connect to
- OS Source built with modern hardening methods that the base Android OS never cared to implementation
But what Tor Project is doing is the same as what they did to Firefox. They didn’t fork the code, they cloned it to make the Tor Browser Bundle. The process that they outline for their super secure phone requires that you build from source and execute a variety of scripts but all do-able. They can’t fix everything but this is major step in the right direction or at least a short term fix to make something that we can use today.