As longtime readers here know, I’ve never been a fan of Google’s mobile device collection platform known as Android. I have, however, been a fan of a few niche variants of Android that attempt to excise Google’s collection capabilities from the OS itself. One of those OSs is the very security-focused CopperheadOS. Continue reading “Update: CopperheadOS for Android”
It seems that encrypted messaging systems are all the rage these days. I’m not complaining – this is a very good thing. Even WhatsApp recently announced it would implement strong end-to-end encryption using Signal’s excellent protocol. I think this is great – a billion users will be using end-to-end encryption by default. There is still room, however, for dedicated secure messaging apps. Threema Secure Messenger is one of those apps. While many of the features mirror apps like Signal and Wickr, there is still room on my phone for Threema. Continue reading “Review: Threema Secure Messenger”
Signal Private Messenger is a free application, and my new favorite encrypted communication solution. Signal supports both voice and instant messaging (texting) in a single app. It is incredibly easy to use, and convince others to use. There is no complicated setup and no username or password to create and remember. This app is incredibly intuitive and resembles native phone and texting applications.
Signal uses your phone’s Wi-Fi or data connection. Signal has replaced the legacy RedPhone and TextSecure apps for Android and merged them into a single platform. To use Signal Private Messenger simply install the application. You will be prompted to enter your telephone number for verification. I have successfully used a Google Voice number for this, even though Signal specifically warns that GV numbers will not work. Full disclosure: I have also seen GV numbers fail. This is the ONLY reason for which I use a Google Voice number. I have no problem with this because the number is only used as an identifier and no data is sent though Google after the initial verification message. The app will verify the number by sending you a code that you must enter into the application. No other personal information is required or requested.
If you allow Signal Private Messenger to access your contacts it will identify the ones who have Signal installed. There is one slight downside to the way Signal identifies its users: in order for others to contact you via Signal they must have the telephone number you used to register the app in their contacts. This requires that you give out this number to others with whom you wish to use Signal. For this reason I recommend setting up a Google Voice number that is used only for Signal, and giving that number out to friend, family, and business contacts that are likely to use Signal (or be persuaded to), rather than giving out your real phone number. I will post in the future about why giving out your real phone number may be a bad idea.
Signal’s interface is almost disconcertingly simple. Tapping the “+” icon in the upper right of the interface a list of your contacts who have Signal installed. Tapping one of these contacts will open a new message to that contact. From there you can send a text message, photo, or video, or type the handset icon to initiate a voice call. In the search bar on this screen you may input a telephone number, which Signal will then search to see if the number has the app installed. Once a call is initiated a more typical phone interface is displayed with some standard phone options to mute the call or use the phone’s speaker.
The call interface will also display two random words. The words displayed will change with each voice call but should match on both handsets involved in the call. These words are used to ensure the call is not being tampered with by a man-in-the-middle. If an attacker were to successfully get in the middle of a call each phone would display different authentication words. This is becasue each handset would establish a key with the attacker rather than the intended recipeint’s handset . I recommend ALWAYS validating these words at the beginning of each conversation made over Signal. This is especially important before engaging in sensitive communications. The messaging portion of the application is likewise incredibly simple. Messages are composed and set like they are in any other messaging application. Attaching a file is as simple as tapping the paperclip icon beside the compose pane. Signal also supports group messaging.
Signal is one of the best privacy-enhancing applications available (especially considering its cost) and I strongly encourage its use. It’s encryption utilizes the “axolotl ratchet”, a system of perfect forward secrecy. Perfect forward secrecy means that each message is encrypted with a unique, ephemeral key. If one message is decrypted it has no impact on the others since each has a unique key.
As pointed out by the grugq, however, Signal does leak a great deal of metadata about you. This includes your contact list, who you talk to, and the frequency with which you talk to them. This metadata is certainly no worse than that generated by your normal telephone conversations. It is also not any worse than that created by other encrypted messaging applications. For this reason it may not be suitable for defeating certain threat models. For encrypting your day-to-day comms that would otherwise be made through insecure means, Signal is a major upgrade. Signal is funded by donations and grants, and much of the work in developing and maintaining the app is done by volunteers.
Comparing phone operating systems for any reason is akin to discussing religion or politics at a broadly mixed table. Tensions mount concurrently with blood pressure. Alliances are formed and the room becomes divided between “us” and “them”. Capabilities are compared, and not in cold, scientific language. Awkwardness ensues when the Android vs iOS debate is hauled out. I don’t enjoy confrontation for the sake of confrontation, so I generally avoid the subject if possible. If the conversation comes up, I typically try to bow out of it gracefully. After writing Your Ultimate Security Guide: iOS and beginning research for Your Ultimate Security Guide: Android, I no longer feel comfortable continuing to give a bland, “well, each has it’s strengths and weaknesses.”
So, this article will be a side-by-side comparison of the Google (now Alphabet, though I will continue to call it Google throughout this post)-produced Android and Apple’s iOS operating systems where the following two factors are primary above all else: privacy and security. It will not be a generalized “Android vs iOS” discussion. It will not take into account considerations like convenience, familiarity, availability of apps, availability/diversity/choice in hardware, ability to customize, or other factors that people frequently cite when comparing the two. It will focus entirely on privacy and security. That’s it. I will address eight areas of concern as follows: each companies general stance on privacy as evidenced by public statements and actions, data collection and monetization, device encryption and passcodes, default protection of data-in-transit, malware prevalence and susceptibility, operating system and app integrity and updates.
TL;DR: If you don’t want to be bothered with the justification and if privacy and security are your primary concerns, buy an iPhone.
General Stance on Privacy
Ok, so this one is a little hard to quantify, but I do think it is worth considering. I may be accused of cherry-picking quotes here, and I agree – I am. But on the whole I think these two quotes fairly epitomize the philosophies of these competing companies.
Apple’s policy on this is pretty clear, per Apple’s “commitment to your privacy“, signed by CEO Tim Cook:
“Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t ‘monetize’ the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you.”
Google’s stance on privacy is equally clear. CEO Erik Schmidt:
“…A person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”
The bottom line: Apple is a hardware company, interested in selling you, its customer, more product. Google is a advertising, data-mining, and marketing company interested in selling you, its product, to more customers.
Data Collection and Monetization
I’m not sure that I need to explain in great detail the vastness of Google’s data collection apparatus. Google Search/Image Search/Patent Search/News, Gmail, YouTube, Google Calendar, Google Drive, Google Voice, Google Plus, Google Books, Google Docs, Google Translate, Google Chat, Google Groups, Google Hangouts, Google Sites, Google Alerts, Google Maps, Google Streeview, and Google Earth are just a few of the “free” services are designed to entice you to put more, and more granular and detailed, information into the Google data stream. Google also controls a number of advertising services, including AdMob, AdSense, AdWords, AdWords Express, Double Click, Google Grants, etc. Google is now also involved in the Internet of Things, purchasing Nest, a manufacturer or internet-connected thermostats and smoke detectors for $3.2 billion. Why would an advertising company purchase a thermostat company for such a huge sum? Because it can record when you are at home, when you are sleeping, how active you, and other information that it aggregates along with your other information to build a more detailed advertising package about you. But perhaps the single most detailed collection platform in Google’s inventory is the Android-equipped phone. Your Android phone (make no mistake about it, it’s really a Google phone) can record your location, periods of wakefulness, frequency of movement, Wi-Fi connections and passwords, physical movement, correlation with other devices, and a host of other very, very detailed information that it shares with Google. Some of this can be opted out of to some extent, but it’s still a Google-powered handset, and Google put the software on the open market for a reason. Do you have privacy-related concerns about using a Chromebook? If so you should probably re-think your
Apple does allow some app developers to collect and sell data to advertisers, but in nothing even approaching the scale and scope of what Google does (again I will point out that Apple is a hardware company and Google is an advertising company). This data collection is done in a very limited manner through an initiative called iAds, and it is possible to opt out of iAds. This is not to downplay Apple’s data collection – I still don’t like it from a privacy perspective and you shouldn’t, either. But when compared with the immensity that is Google, well, it isn’t really much of a comparison. In fairness, though, Apple does still collect a lot of data and this is not a good thing, even if it doesn’t package and sell it; large repositories of data are dangerous because they are desirable targets for hackers and governments alike. All other things being equal though, I still prefer the company that does package and sell my data as a primary revenue stream.
Device Encryption and Passcodes
Because they are small and carried literally everywhere with us smartphones are much more vulnerable to loss or theft than desktop computers. Encryption on smartphones is incredibly important and this is another area in which Apple excels. Apple has included device encryption by default for years, and very good encryption at that. When they publicly announced that devices would no longer include a backdoor that allowed Apple to access information on devices Google quickly followed suit with a press release that said all Android devices would be encrypted by default. Unfortunately (and it is unfortunate – we need encryption!) Google quickly and quietly backtracked on this promise upon complaints of performance hit on encrypted devices. Android devices are still sold that are not encrypted by default. Of course users can choose to encrypt their devices I greatly prefer encryption that is implemented by default and does not require user input because we know a large percentage of users, either ignorant or uncaring, will not implement.
One thing worth mentioning here: on mobile devices your passcode is (usually) not the same thing as the decryption key. The decryption key is tied to a unique code burned into the hardware of the device. The purpose of the passcode is to provide OS-level protection of the device and prevent unauthorized access to data on the device. But since we are talking about passcodes it is worth taking a look at. Beginning with iOS 9 on the iPhone 6S, Apple required a six-digit passcode as a “simple” passcode. This is a substantial security upgrade over the old iOS requirements. Additionally, I have found no upper limit on the characters permitted in a passcode for iOS devices (I have gone as high as 30 characters). By comparison, Android permits not only 4-character simple passcodes but also the ridiculous swipe-to-unlock patterns, and have a maximum passcode character limit of 17 characters. A 17-character passcode is probably plenty but I was dismayed when I could not use the same, longer passcode I use on my iPhone to lock my privacy- and security-focused (and Android-based) Blackphone.
Default Data-in-Transit Encryption
Apple offers very good AES-256 encryption over its iMessage messaging and FaceTime voice- and video-telephony applications. It is so good it has raised the ire of the FBI. While there are plenty of more reputable, free, encrypted communications platforms out there but this is my favorite type of encryption: ubiquitous, organically-integrated, and seamless. Millions of encrypted messages are being sent in cases where very it is probable that few of the senders and recipients value or even know about the underlying encryption. This is a very good thing. Additionally, in iOS 9 Apple introduced App Transport Security (ATS), a developer protocol that encourages (though doesn’t require) app developers to use HTTPS when data from apps is transmitted from the device. This is a very good thing; the data that is constantly being transmitted by our apps reveals an enormity of data that is hard to overestimate.
Gmail, it must be said, also offers excellent security. Google permits incredibly long passwords and it’s two-factor authentication system is the standard by which others are judged. Your entire session with a Google product is typically HTTPS-encrypted, and encrypted inside of Google. All of these measures, however, are designed to protect you from everyone except Google (and it should be noted that email is only a tiny percentage of overall transmitted over Android handsets). Google holds the keys and your data, no matter how secure, is scraped by Google (unless of course, you have encrypted it yourself). Unfortunately the Android OS offers no competing (or, even more unfortunately, compatible) product to answer Apple’s iMessage and encrypt text messages by default and without requiring an additional app.
A smartphone is a computer and is subject to the same malware threats as computers. The commonality of malware for the two devices is incomparable: in 2014 the Cisco annual security report estimated that an astonishing ninety-nine percent of mobile malware was targeted at Android devices and there is little evidence to suggest this trend has changed dramatically in the intervening two years. Though Apple is not immune to malware, it still makes news when Apple products are found vulnerable to it. As an example of this, Zerodium recently, and very publicly, offered a $1,000,000.00 bounty for a remote jailbreak vulnerability for iOS 9. Only one team (of three possible) actually collected. Root access exploits for Android devices are far more common, and don’t make national news when they are found. As another indicator, Zerodium also publicly posted a pricing chart for remote exploits; nothing ranked higher in pricing (up to $500,000.00) than iOS; by comparison, Android exploits only fetch up to $100,000.00. Much of the malware problem with Android is due to the lack of routine, direct updates of the operating system and the inclusion of unvetted applications in the Google Play store.
OS Integrity and Updates
Much of the malware issue can be lain at the feet of operating system integrity – that is, the operating system remaining intact and being kept up-to-date. This is a major problem for Android handsets. Google released Android as an open-source project and as a result it can be freely modified. Hardware manufacturers modify the OS to suit their needs, and a service providers like AT&T and Verizon modify them even further. Updating is the real issue with Android, though. When Google pushes software updates they typically don’t go directly to the device. Instead they have to to work their way again through hardware manufacturers and service providers before reaching the end-user device.
The Apple OS, on the other hand, is designed for a particular set of hardware and is not modified. Further, and perhaps more importantly, updates are pushed directly from Apple directly to all handsets. This means that a significantly higher percentage of iOS devices get updated quickly. A number of articles (most citing Mixpanel statistics) highlight this trend. Within 72 hours of its release a higher percentage of iOS users had upgraded to the latest OS version (iOS 9) than Android users had in the previous nine months (to Android 5/Lollipop). At the time of this writing approximately 75% of iOS users are running the latest version of the OS compared to only 44% of Android users who are running the latest OS (iOS 9 has been out for under three months at this time; Lollipop has been available for more than 12). Even the brand new Blackberry Priv, a phone marketed around privacy and security, ships with an outdated operating system.
Installing an application on a device gives it an incredibly amount of privilege. Regardless of whether you use an iOS or Android device, it is only as private and secure as the applications you choose to install on it. With that being said, there is a difference between the level of trust I place in the apps I download from the App Store and Google Play. Apple’s App Store is a so called “walled garden”, into which only vetted applications are allowed. Curating apps in this manner prevents many potentially malicious apps from even being accessible to the user, let alone executed. This is not to say that the App Store is perfect; privacy- and security-compromising code does occasionally get through, and much to everyone’s chagrin, Apple is incredibly opaque about the vetting process for applications and what black- and whitelisted criteria they look for.
Apps for Android devices face no such scrutiny (or any at all really, unless the app interferes with Google). Anyone can create an Android app, and anyone can download an execute any Android app from nearly any source. Couple this with an outdated OS and the potential for abuse is staggering. Because the App Store is curated, fewer apps are available to Apple users than Android users, but this argument is beyond the scope of this post. I compromise my convenience on a daily basis for the sake of privacy and security, and have no problem “restricting” myself to the 1.5 million or so apps that are in the App Store.
Before I conclude my privacy- and security-centric Android vs iOS comparison, let me make one other thing clear. I will not list my credentials to support this claim, but I am certainly not an Apple “fan boi”. But I do use an iPhone and have for a long time. With that said, it should be equally clear that I consider brand loyalty to be a fool’s errand am brand-name agnostic. The only allegiance I have is to the brand that provides me with the right balance of privacy, security, and yes, convenience, not the brand that is (or isn’t) the one I love (or loathe). Though we are all, by nature, hesitant to change, the fear of change does not override my fear of mass surveillance. No allegiance, no loyalty, no limiting my options because I like or dislike one manufacturer over another. If you are using your iPhone just because it’s an Apple product, you’re doing it wrong. And vice-versa.
Is it possible to make an Android device very secure? Yes, it is, and the people at Silent Circle have proven it with the Blackphone. If you are a DIY-er, you can install custom versions of Android software like CyanogenMod that are frequently and directly updated and generally much more secure than stock Android. Can you backup your Android phone locally without sending data to Google? Yes, but again it requires rooting the phone and using something like Titanium Backup, yet another workaround. Rooting also introduces another host of vulnerabilities that must be secured. Because I place such a high value on privacy and security, I would rather start with a more secure baseline and work upward from there, rather than starting at the bottom an hoping to get to an acceptable point.