anonymous coward:
> Hello again,
>
> I hope this question is not totally off topic!
>
> Many people use TOR or secure ways to chat on smartphones.
>
> The last months have revealed how hard secret services attack our phones.
>
> This leads me to the question, how secure are our smartphones at all?

Not very, or not at all, depending on your threat model.

> In my case I use Android 4.x.
>
> How easy is it for "them" to break into a smartphone?

Very easy. At least, for most devices. We can do better, though. Read on.

> Do they really need to install trojan software or do Google and Apple
> allow them full access to users' phones?

If someone gets access to your Google account, they can silently install any app they want behind your back:
http://nakedsecurity.sophos.com/2011/02/04/android-market-web-store-backdoor-phone-hackers/

This has been the case for years. I still don't know why Google hasn't added at least some kind of on-device confirmation for apps that get installed from a web login unrelated to the device.

> My special concern is about the baseband CPU. The baseband potentially
> allows full access to the whole system. And the baseband is closed source.
>
> Thus, the baseband is the perfect trojan for "them". I asked a phone
> maker that makes "cryptophones" what they say about the baseband CPU as
> a backdoor. They did not reply to the present day.
>
> If it really is that simple for "them" to break into a smartphone, all
> the security apps are worthless. Be it TOR, ChatSecure, TextSecure,
> RedPhone, everything would be crap. "They" could easily steal your
> secret keys and contacts.
>
> Thus, what does the scientific community say about these concerns?

You may like:
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

It's still not perfect (nothing is), and it's certainly nowhere near user-friendly yet, but I happen to think it's a step in the right direction.

> Bruce Schneier said "forget your data".
>
> Is it really that simple as Bruce Schneier says, forget your data?

I dunno man. I've heard Bruce Schneier once decrypted a box of AlphaBits, so perhaps he knows something we don't.

> If it was that simple, it would be pointless to use TOR or any software
> with security in mind on a smartphone, it simply would not make any sense.
>
> And the worst thing is, the baseband CPU is closed source, even if you
> use open source like Cyanogenmod, you still have the baseband backdoor
> on your device and you can do *nothing* about it.

Not nothing. You either need a device without a baseband, or with a hardware isolated baseband. See that blog post.

> What do you say? The battle seems lost, just as the whole war seems lost?

Nah. It's just going to be kinda tricky. I'm cautiously optimistic, though.

--
Mike Perry
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk