Android Devices Are at Risk of Data Theft (2020) (opens in new tab)

(wired.com)

39 pointsamaajemyfren4y ago22 comments

22 comments

My smartphone is a simple affair. I have a hardened Firefox as my default browser (uBlock Origin with JS disabled by default with HTTPS-Everywhere addon with EASE turned on).

I keep my app-count to a minimum. There are people who need every app imaginable, but that increases the attack surface of the phone. Try to minimize the amount of apps on your phone please!

Then of course all the usual OPSEC practices like not clicking on suspicious links in Whatsapp, E-mail or SMS always apply. You have to consider the human element of all this. So many people have been owned by fat-fingering some suspicious link in an SMS that then took over their phone.

But there is always the argument that: phones ship with malware anyway so you're pwned either way.

livre4y ago

You can do a little more if you have root access, like use XPrivacyLua to restrict the amount of data and hardware apps like your browser have access to, and AdAway to block ads globally (protects you from app telemetry that shares data with third parties). You can also run a DoT server and point your phone there to protect your DNS queries from random WiFi networks you may have to connect to, or better run a VPN server and stay connected to it. Also whenever you can, always replace the OS that comes preinstalled with LineageOS (just makes sure everything works for your phone, like the camera and LTE). With the latest LineageOS you can also restrict internet access per app and per network type, though AFWall+ still gives better control over that. For the extremely suspicious apps you can install them on the work profile for extra isolation with Island (Play Store) or Insular (F-Droid).

zibzab4y ago

https://www.qualcomm.com/company/product-security/bulletins/...

This happened months ago but I still can't see much info. Also, I see check point reported 4-5 issues to qcomm, not 400.

To people complaining android never gets updates: Android has been providing monthly security updates for some years now. It is even possible that this was fixed even faster since modern android can update some system libraries right from the store (Project Treble announced in 2017)

afrcnc4y ago

Actual source: https://research.checkpoint.com/2021/security-probe-of-qualc...

johnthuss4y ago

  400 vulnerabilities! Good luck getting any reasonable percentage of users to install these patches. The software update situation on Android is horrible.

smiley14374y ago

I dont LOVE walled gardens but has there been any exposure of this scale in IOS devices?

zibzab4y ago

This sort of things happen all the time in both camps. It's just that Android security is more open and visible to ordinary people.

Apple _just_ patched some really big zero-days.

Update: since this is getting down voted be skeptics, here are some sources for you

https://www.bleepingcomputer.com/news/apple/apple-fixes-2-io...

https://www.bleepingcomputer.com/news/security/apple-fixes-m...

https://www.bleepingcomputer.com/news/security/apple-fixes-a...

toast04y ago

Apple doesn't have a spotless record with security. However, they are significantly better at pushing updates. A large majority of eligible iOS devices install OS updates, and iOS devices tend to be eligible for updates for many years.

Additionally, because sales are much lower for iOS than Android, it's hard to get to the same scale. I don't know about iPad numbers, but 1 billion iPhones is about 5 years of sales, and five years is around where Apple stops providing updates (edit: as pointed out below, they're doing closer to 8 years from release now, but not all sales are from current model phones) and that combines with other factors and very few devices make it past five years of use.

gord2884y ago

Just a few days ago, Apple issued a security update (iOS 12.5.3) for the iPhone 5s, a phone that first came out in Sept. 2013. Not bad huh?

GeekyBear4y ago

> that combines with other factors and very few devices make it past five years of use

The original version of the iPhone SE and the iPhone 6s are six years old now.

They run the current version of iOS and still work just fine.

1 more reply

pwdisswordfish04y ago

The 5s received iOS 12.5.1 in January, it was released Autumn 2013

Saris4y ago

I wonder how much of it is due to a walled garden, and how much of it is due to iOS devices getting security updates.

It seems like even expensive flagship android devices get a year or maybe 2 of updates now and then you're just left on your own.

deadmutex4y ago

Here is an interesting (sad) story I read yesterday: https://www.technologyreview.com/2021/05/06/1024621/china-ap...

lawtalkinghuman4y ago

From August 2020.

Proven4y ago

The duration and quality of security updates/fixes is roughly commesurate with the price users paid for the s/w part of their mobile devices.

That's pretty cool - you can pay almost nothing for the s/w and still get a phone that works.

lambda_obrien4y ago

Alternatively, i bought my Google phone for 1000 dollars 3 years ago and get zero updates now. That's pretty sorry.

sumtechguy4y ago

What is even more sorry is if you had bought a 100 dollar phone you could have bought a new phone every year for 10 years and had better protection. Which is totally wasteful.

ryanmarsh4y ago

Kind of ironic that 3 year old chrome books cost less and still get updates.

1 more reply

j / k navigate · click thread line to collapse

22 comments

______-4y ago

My smartphone is a simple affair. I have a hardened Firefox as my default browser (uBlock Origin with JS disabled by default with HTTPS-Everywhere addon with EASE turned on).

I keep my app-count to a minimum. There are people who need every app imaginable, but that increases the attack surface of the phone. Try to minimize the amount of apps on your phone please!

But there is always the argument that: phones ship with malware anyway so you're pwned either way.

livre4y ago

zibzab4y ago

https://www.qualcomm.com/company/product-security/bulletins/...

This happened months ago but I still can't see much info. Also, I see check point reported 4-5 issues to qcomm, not 400.

afrcnc4y ago

Actual source: https://research.checkpoint.com/2021/security-probe-of-qualc...

johnthuss4y ago

  400 vulnerabilities! Good luck getting any reasonable percentage of users to install these patches. The software update situation on Android is horrible.

smiley14374y ago

I dont LOVE walled gardens but has there been any exposure of this scale in IOS devices?

zibzab4y ago

This sort of things happen all the time in both camps. It's just that Android security is more open and visible to ordinary people.

Apple _just_ patched some really big zero-days.

Update: since this is getting down voted be skeptics, here are some sources for you

https://www.bleepingcomputer.com/news/apple/apple-fixes-2-io...

https://www.bleepingcomputer.com/news/security/apple-fixes-m...

https://www.bleepingcomputer.com/news/security/apple-fixes-a...

toast04y ago

gord2884y ago

Just a few days ago, Apple issued a security update (iOS 12.5.3) for the iPhone 5s, a phone that first came out in Sept. 2013. Not bad huh?

GeekyBear4y ago

> that combines with other factors and very few devices make it past five years of use

The original version of the iPhone SE and the iPhone 6s are six years old now.

They run the current version of iOS and still work just fine.

1 more reply

pwdisswordfish04y ago

The 5s received iOS 12.5.1 in January, it was released Autumn 2013

Saris4y ago

I wonder how much of it is due to a walled garden, and how much of it is due to iOS devices getting security updates.

It seems like even expensive flagship android devices get a year or maybe 2 of updates now and then you're just left on your own.

deadmutex4y ago

Here is an interesting (sad) story I read yesterday: https://www.technologyreview.com/2021/05/06/1024621/china-ap...

lawtalkinghuman4y ago

From August 2020.

Proven4y ago

The duration and quality of security updates/fixes is roughly commesurate with the price users paid for the s/w part of their mobile devices.

That's pretty cool - you can pay almost nothing for the s/w and still get a phone that works.

lambda_obrien4y ago

Alternatively, i bought my Google phone for 1000 dollars 3 years ago and get zero updates now. That's pretty sorry.

sumtechguy4y ago

What is even more sorry is if you had bought a 100 dollar phone you could have bought a new phone every year for 10 years and had better protection. Which is totally wasteful.

ryanmarsh4y ago

Kind of ironic that 3 year old chrome books cost less and still get updates.

1 more reply

j / k navigate · click thread line to collapse