Data Sovereignty in the Age of the Mobile Dragnet


The Prey of Trawlers and Spear-Fishermen


During the rest of this year Apple and Google will amass more data on their users, and on the people those users interact with, than all governments had on all people and on each other during the entirety of the Cold War. Let that sink in. As their data monopolies are challenged in court, they are implementing new and anti-competitive mechanisms that make use of their data-collection technology a condition of being able to run applications created by third-party developers. This too will likely be challenged in court, but not before it does serious damage to the third-party OS ecosystem built atop the Android Open Source Project: an ecosystem that leaves out the collection-ware Google wants, or that sandboxes those wares so they cannot reach everything they might want. In effect, Google is implementing the same walled-garden approach Apple uses, declaring that compatibility with its app store requires delegating access to its code, while acting as Apple's scapegoat by telling regulators that Apple is not a monopoly abusing its position. A duopoly in which the only choice is who gets to sell all of our data and who gets to provide tailored backdoors into our lives doesn't sound like much of a choice at all.


What happened?

When smartphones first became commonly available and accessible to the masses, two ideological camps formed around the technology platforms which power them:

  1. Apple's all-inclusive lease option, wherein users don't really own anything but learn to like it because they believe they have nothing to worry about regarding the security and integrity of their data, which they assume is safe on their supposedly Apple-protected device and in Apple's theoretically well-isolated cloud services (individually encrypted and so forth). Running on a Borg-like construct of technological components adopted with varying quality from other operating systems, plus some pieces built bespoke in-house, the vertical integration of execution context and hardware has permitted Apple to move ahead of mainstream Google at various times in terms of runtime security and in the share of app store contents that carry third-party data collection or outright attack tooling. Apple's ability to collect information on users is arguably greater than Google's because of the breadth and depth of data sources per user.

  2. The Android ecosystem adopted (largely bought) by Google, which uses Linux to manage the hardware and its own somewhat differentiated userspace to run applications, is not fully controlled by one party. This permits developers to build and distribute Android ecosystem components without being beholden to a corporate master if they so choose. Freedom inherently brings risk, since developers may be outright malicious, or may adhere less to security practices and have less access to security-posture qualification mechanisms than a large corporate entity; but a critical thinker can sort through the tiers of private and public ecosystems to decide on and implement what they want. This entire regime is now at risk because of Google's attempts to enforce compliance with app-store semantics: a thinly veiled power grab masquerading as a poorly explained, and even then still thin, security function.


What are the risks?

Smartphones pose several key points of interest to attackers. They are authenticated portals to user-specific services over the network, from which an attacker can act as the valid, authenticated user without having to "break in" to the service at all; and they carry a vast array of EM transceivers and sensors, which both give an attacker relative proximity to other assets and yield information about physical space precise enough to call for fire.

In plain English: others with access to your device can pretend to be you, and can do things far worse than the way Batman found the Joker, relying on Fox's integrity and moral fiber not to abuse the technology (that part is pure Hollywood; the rest is now the tip of the reality iceberg). Non-exhaustively, this means:

  • Access to your E2E-encrypted messaging, because the device is one of the ends where decryption occurs; the same is true for a corporate VPN

  • Access to all logged-in or synchronized calendars, email, social media accounts, and device sync/backup services working in the background

  • Access to call logs, wifi and cell tower data, GPS information, microphones, speakers, cameras, and any NFC/thermal/radar/etc. mechanisms on tap in the system


Apple can at any time deploy a patch to gain that access to all iDevices (the controversy was over whether they should, not whether they could), and Google soon stands to be in the same unqualified position of control if it manages to eliminate the third-party ecosystem by forcing apps to run only on its privileged stack, making most other OSes impractical for the average person.

They can also develop 0-day/0-click exploits that infect specific devices, because they control both the vulnerabilities present and the valid context for reaching those vulnerabilities, without having to infect the whole world. That type of exploit is valued at millions by current industry standards for exactly the reasons outlined above, and because victims have no idea it is happening; it is also far easier to craft when you control the entire ecosystem of the medium being exploited.

How's the sinking-in going?


Evolving to Escape


Why is an independent OS ecosystem important?

Efforts like GrapheneOS implement significant isolation, plus layered proactive hardening to reinforce that isolation, which prevents applications from accessing information they shouldn't, breaks exploit kill chains at various links that would otherwise grant access to device resources and data, and keeps data flows under the user's control instead of handing them to the vendor. Coupled with user-controlled services and functions for messaging, data synchronization, credential management, and other critical applications, a hardened base platform that does not include vendor spyware, and that provides a way to isolate it if absolutely required, is the most viable foundation on which to build a sovereign ecosystem: mobile functions are facilitated, and users are free to decide what they do and how they get it done.


How can the average person orient themselves in all of this complexity?

As with most other defensive plans, the process comes down to understanding what we value in these systems and in the services these systems reach as our PDA bridges to the online space. For our information, we need to understand how it is accessed, where it is stored, and how those components relate to the ways someone we don't want having access might try to get to it; for the other capabilities of these devices, we need to be aware of what can be collected or effected and how that relates to our physical and digital security posture as pieces of those bigger puzzles. Once we have that inventory, developing a defensive plan means figuring out how to keep the things we want under our control in "places and configurations" that only we govern, and tying those together into a convenient user experience, so that we actually use our own hardened and defended systems instead of defaulting back to the pit out of frustration at how difficult such a setup is to use.


Practically speaking...

Starting with the device itself:

  • Objectives

    • We want to reduce the viable mechanisms for access by offline parties in the event of device loss, confiscation by a hostile entity, or other loss of physical control.

    • We also want to ensure that the digital surfaces of both an offline (early boot) and an online device are controlled and protected from unauthorized access.

    • We want to prevent apps from accessing any more than they have to in order to do what we installed them to do (control code on the system).

    • We want to ensure that the information specific to every user of a device is protected separately and discretely from the other profiles.

  • Approaches

    • Acquire a GrapheneOS-supported device; the project requires boot rollback protection and several hardware facilities relevant to cryptographic and runtime mechanisms (MTE helps).

      • Deploy the OS with the base configuration and re-lock the bootloader when done; this covers the majority of the objectives outright.

    • Use whatever FOSS store has not been hijacked by special interests at the time, or acquire APKs directly from the producers, for calendar synchronization (DAVx), an email client (K9), E2E messaging (Signal), data synchronization and private comms clients (NextCloud), and a credential manager client to boot (BitWarden handles MFA too), with mapping/navigation (OpenStreetMap and/or Waze) to round out the usual device functionality.

    • Configure calendar, email, file sync, messaging, and credential-access integrations as appropriate. Validate that everything works, and continue life without eyes over your shoulder.
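Once the apps are installed, the "no more access than they need" objective above is something you can verify rather than assume. The script below is an added example, not code from the original post or from the GrapheneOS project: it parses the text that `adb shell dumpsys package` prints on recent AOSP builds (the `runtime permissions:` / `granted=true` layout is an assumption; spot-check it against your own device) and reports every granted runtime permission, per user profile, that is not on a per-app allowlist you maintain. The dumpsys text and the allowlist embedded here are constructed for the example; with `adb` on the PATH the script reads the live device instead.

```python
"""Per-profile runtime-permission audit for an Android device (added example)."""
import re
import shutil
import subprocess

# Constructed sample in the shape of `dumpsys package` output: two apps,
# each installed for user 0 and (for one of them) the secondary profile 10.
SAMPLE_DUMPSYS = """\
Packages:
  Package [org.example.mapsapp] (1a2b3c):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    User 10: ceDataInode=1235 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [org.example.mailclient] (4d5e6f):
    userId=10124
    User 0: ceDataInode=1236 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

# Your own policy: what each app legitimately needs (constructed here).
ALLOWLIST = {
    "org.example.mapsapp": {"android.permission.ACCESS_FINE_LOCATION"},
    "org.example.mailclient": {"android.permission.READ_CONTACTS"},
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
USER_RE = re.compile(r"^\s*User (\d+):")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted(dump: str) -> dict:
    """Return {(package, user_id): set of granted runtime permissions}.

    Install-time (normal) permissions are listed before any `User N:` line
    and are deliberately skipped; only runtime grants per profile are kept.
    """
    granted = {}
    pkg, user = None, None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            pkg, user = m.group(1), None          # new package, reset profile
        elif m := USER_RE.match(line):
            user = int(m.group(1))
            if pkg is not None:
                granted.setdefault((pkg, user), set())
        elif (m := PERM_RE.match(line)) and pkg is not None and user is not None:
            if m.group(2) == "true":
                granted[(pkg, user)].add(m.group(1))
    return granted


def excess_grants(granted: dict, allowlist: dict) -> list:
    """List (package, user_id, permission) grants that exceed the allowlist."""
    findings = []
    for (pkg, user), perms in sorted(granted.items()):
        for perm in sorted(perms - allowlist.get(pkg, set())):
            findings.append((pkg, user, perm))
    return findings


def dump_from_device() -> str:
    """Read the live device over adb when available; otherwise use the sample."""
    if shutil.which("adb") is None:
        return SAMPLE_DUMPSYS
    result = subprocess.run(["adb", "shell", "dumpsys", "package"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for pkg, user, perm in excess_grants(parse_granted(dump_from_device()), ALLOWLIST):
        print(f"user {user}: {pkg} holds {perm} beyond its allowlist")
```

Run it after the initial setup and again whenever an app updates, since updates can request new permissions; anything it flags is a grant to revoke in Settings or a sign that the app should not be on the device at all. Keeping the allowlist per package, not per permission, is what makes the secondary-profile objective checkable: the same app is audited independently in every profile it is installed in.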

Supporting infrastructure:

  • Objectives

    • Control both sides of properly encrypted communications between the device and the service endpoints

    • Control data storage and handling within the service layers themselves

    • Audit and control all access to the service and its underlying resources

  • Approaches

    • NextCloud/OwnCloud or analogous server (can be used for chat/video/etc as well)

    • VaultWarden or BitWarden self-hosted instance

    • ActiveSync-capable mail service such as Kopano/OpenXChange

  • All of which can be

    • Found in OCI containers or similarly simple deployments

    • Encrypted at rest and in-transit by various means

    • Hardened using the same linux-hardened kernel from GrapheneOS and its hardened_malloc (or Open Source Security's grsecurity/PaX if you need proper peace of mind and defense-in-depth on that front)

    • Wrapped in HIDS/HIPS (OSSEC), and fronted by WAFs (ModSecurity) + NGFWs (Xtables-addons) to audit, deter, and confound attackers with additional standoff


In Summary

Understanding threat and defense models at any level allows for better-informed decision making when choosing how to handle one's own security posture. It is in freedom of choice and the Open Source ecosystem that we find actual innovation and sanctuary from the prying paws of interests serving themselves at our expense, both in the ability to protect ourselves from malicious activity (hardening) and in keeping information that is rightfully ours from being disseminated by third parties for profit or worse.


Unfortunately, Google is now actively engaging in efforts to eliminate users' ability to choose, through thinly veiled claims that its spyware brings a measure of security to the problem domain, and it is up to the users, and to the people who may someday want to choose not to have all of their info collected, to do something about it before it's too late. If being able to stand on your own without data harvesting by these large vendors is important to you, raise awareness of what's going on and of the duopoly into which we are actively careening: call and write to your elected representatives, talk to your GRC/legal teams about the impact of company communications being collected, or collectible, through these back-channels, and talk to your kids about how they use their mobile devices, because data taken by third parties can never truly be recovered and can be used against them later in life by whoever acquires it, through whatever means, down the line.
