
Re: [tor-talk] How safe is smartphones today?



anonymous coward:
> Hello again,
> 
> I hope this question is not totally off topic!
> 
> Many people use TOR or secure ways to chat on smartphones.
> 
> The last months have revealed how hard secret services attack our phones.
> 
> This leads me to the question, how secure are our smartphones at all?

Not very, or not at all, depending on your threat model.
 
> In my case I use Android 4.x.
> 
> How easy is it for "them" to break into a smartphone?

Very easy. At least, for most devices. We can do better, though. Read
on.
 
> Do they really need to install trojan software or do Google and Apple
> allow them full access to users' phones?

If someone gets access to your Google account, they can silently install
any app they want behind your back:
http://nakedsecurity.sophos.com/2011/02/04/android-market-web-store-backdoor-phone-hackers/

This has been the case for years. I still don't know why Google hasn't
added at least some kind of on-device confirmation for apps that get
installed from a web login unrelated to the device.
 
> My special concern is about the baseband CPU. The baseband potentially
> allows full access to the whole system. And the baseband is closed source.
>
> Thus, the baseband is the perfect trojan for "them". I asked a phone
> maker that makes "cryptophones" what they say about the baseband CPU as
> a backdoor. They did not reply to the present day.
> 
> If it really is that simple for "them" to break into a smartphone, all
> the security apps are worthless. Be it TOR, ChatSecure, TextSecure,
> RedPhone, everything would be crap. "They" could easily steal your
> secret keys and contacts.
> 
> Thus, what does the scientific community say about these concerns?

You may like:
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

It's still not perfect (nothing is), and it's certainly nowhere near
user-friendly yet, but I happen to think it's a step in the right
direction.
 
> Bruce Schneier said "forget your data".
> 
> Is it really that simple as Bruce Schneier says, forget your data?

I dunno man. I've heard Bruce Schneier once decrypted a box of
AlphaBits, so perhaps he knows something we don't.

> If it was that simple, it would be pointless to use TOR or any software
> with security in mind on a smartphone, it simply would not make any sense.
> 
> And the worst thing is, the baseband CPU is closed source, even if you
> use open source like Cyanogenmod, you still have the baseband backdoor
> on your device and you can do *nothing* about it.

Not nothing. You either need a device without a baseband, or with a
hardware isolated baseband. See that blog post.
 
> What do you say? The battle seems lost, just as the whole war seems lost?

Nah. It's just going to be kinda tricky. I'm cautiously optimistic,
though.


-- 
Mike Perry


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk