The phone you choose is more important than you realize for security
You would think a brand new phone fresh from the factory, or reset to factory settings, would be secure. No malware, no security holes. You might need to do a quick software update, but generally the device is safe…Right?
Google revealed details of an incident in which Android devices had malware installed at the factory. In a classic supply chain attack, a third-party module developed for the manufacturer carried the malware, and the malware was built into the manufacturer's customized Android system image. Even a factory reset would not remove it, because a reset restores that same image. Attacks like these undermine the trust that people, app developers like us included, place in devices and operating system security. Not ones to say "we told you so…", but cases like this are exactly why:
- SKY ECC is deployed on devices directly from Apple, Google, and BlackBerry.
- We did our own security evaluations of the devices before choosing them.
- We don’t make our own devices or modify core operating systems.
To be as secure as possible, you need to start with a secure foundation. That means starting with a vetted, secure device from the beginning because the device that you use matters.
How can phones be compromised at the factory?
According to Google's security blog post, the problem began with a Chinese manufacturer that wanted features in its devices beyond what Android provided. The accepted practice is for a manufacturer to contract out development of a custom module, such as unlocking the phone with facial recognition, and for the contractor to integrate that module into the manufacturer's Android build. According to Forbes, the outside developer infected that modified Android build with Triada, malware that silently installs spam apps and has been used to steal banking information, and the infected build shipped on roughly 42 different budget phones made for China.
Since Triada was discovered in 2016, Google has patched Android to detect and defend against it. Google's post goes into the details if you want the nitty gritty of how Triada works and what Google changed in Android to combat it.
The more important point for this post is that the manufacturer wanted to add features and went to an outside developer to build them. Wanting new Android modules is not inherently bad; every operating system has been improved by third parties building a feature that later became part of the core. The problem for device security is how those modules are developed: the developer gets access to the core of the OS, because integrating a feature into the device requires it, which means they can insert malicious code without anyone noticing.
The Triada infection might have been caught if the manufacturer had had a third party review the code, but these were budget devices. The manufacturer trusted the outside developer, and that trust was misplaced. iOS has no equivalent exposure: Apple is the only party that builds and signs it, so there is no OEM customization layer for a contractor to infect, and the only way to alter it is to jailbreak the device, which defeats its hardware integrity checks and makes it unusable as a secure device. Cheap phones come at a cost, and if that cost is security you will never see them in the SKY ECC store.
Why are Apple, Google, and BlackBerry secure?
Why did we choose devices from Apple, Google, and BlackBerry as the only devices supported for SKY ECC? Two words: security chips. Devices from these manufacturers all have hardware-based security, either a separate co-processor or an isolated region of the main processor, that protects against:
- Tampering: A secure area is created that is separate from the operating system and the apps on it. The OS and apps cannot read into the secure area, which closes off those attack vectors.
- Rollback attacks: Secure boot with a rollback counter prevents loading an older, insecure version of the operating system. If a vulnerability is known in version 3.0 of your OS and you are on 3.1, which patches it, an attacker may try to take your phone back to 3.0; the security chip refuses to boot anything older than the version it has already accepted.
- Weak cryptography: There is no substitute for strong encryption, and each manufacturer we use applies it across the device and especially inside the secure area, using a dedicated cryptographic engine.
- Passcode and biometric attacks: The key that protects your data is derived from your passcode inside the secure area, and your biometric data is stored there encrypted. Unlocking is performed by the processor in the secure area, not by a possibly compromised main OS. An attacker guessing your passcode is slowed down by the secure chip enforcing delays between attempts, and an attacker who breaches the OS still cannot reach your biometrics because they are held in the separate secure area.
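To make the passcode point concrete, here is a small model of how a secure area can enforce attempt delays and tie the unlock key to the hardware. This is an added illustration written for this post, not code from SKY ECC, Apple, Google, or BlackBerry; the type and function names (Enclave, Unlock), the delay schedule, the attempt limit, and the iteration count are all illustrative assumptions rather than any vendor's real parameters.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Enclave models the secure area. uid is a per-device secret fused into the
// chip at manufacture; it never leaves, so the unlock key can only be derived
// here, and "here" is also where the attempt counter and delays are enforced.
// (Illustrative model, not any vendor's implementation.)
type Enclave struct {
	uid         [32]byte
	verifier    []byte    // one-way check value; the passcode itself is never stored
	failures    int
	nextAllowed time.Time // earliest time another attempt is accepted
	wiped       bool
}

var (
	ErrThrottled     = errors.New("try again later")
	ErrWrongPasscode = errors.New("wrong passcode")
	ErrWiped         = errors.New("keys destroyed after too many failures")
)

const maxFailures = 10 // assumed limit for the example

// delayAfter gives the escalating delay (illustrative constants).
func delayAfter(failures int) time.Duration {
	switch {
	case failures < 5:
		return 0
	case failures < 7:
		return time.Minute
	case failures < 9:
		return 5 * time.Minute
	default:
		return time.Hour
	}
}

// deriveKey entangles the passcode with the fused uid; the loop stands in for
// a deliberately slow KDF. Without uid an attacker cannot run this offline,
// so every guess has to go through Unlock and its delays.
func (e *Enclave) deriveKey(passcode string) []byte {
	k := []byte(passcode)
	for i := 0; i < 10000; i++ {
		m := hmac.New(sha256.New, e.uid[:])
		m.Write(k)
		k = m.Sum(nil)
	}
	return k
}

func checkValue(key []byte) []byte { s := sha256.Sum256(key); return s[:] }

// NewEnclave is the enrollment step: fuse a random uid and record the check value.
func NewEnclave(passcode string) *Enclave {
	e := &Enclave{}
	if _, err := rand.Read(e.uid[:]); err != nil {
		panic(err)
	}
	e.verifier = checkValue(e.deriveKey(passcode))
	return e
}

// Unlock returns the data-protection key only for the right passcode, and
// only when the chip's own schedule allows another attempt.
func (e *Enclave) Unlock(passcode string, now time.Time) ([]byte, error) {
	if e.wiped {
		return nil, ErrWiped
	}
	if now.Before(e.nextAllowed) {
		return nil, ErrThrottled
	}
	key := e.deriveKey(passcode)
	if hmac.Equal(checkValue(key), e.verifier) {
		e.failures = 0
		return key, nil
	}
	e.failures++
	if e.failures >= maxFailures {
		e.wiped = true
		e.uid = [32]byte{} // destroying uid makes every stored key unrecoverable
		e.verifier = nil
		return nil, ErrWiped
	}
	e.nextAllowed = now.Add(delayAfter(e.failures))
	return nil, ErrWrongPasscode
}

func main() {
	e := NewEnclave("4817") // constructed sample passcode
	t := time.Now()
	for i := 0; i < 5; i++ {
		_, err := e.Unlock("0000", t)
		fmt.Println("attempt", i+1, err) // wrong passcode
	}
	_, err := e.Unlock("4817", t) // right passcode, but the chip is in its delay
	fmt.Println("immediately:", err) // try again later
	key, err := e.Unlock("4817", t.Add(time.Minute))
	fmt.Println("after delay:", err, len(key)) // <nil> 32
}
```

Two properties of the real designs show up here: the same passcode produces a different key on every device because the fused uid is part of the derivation, so a dump of the flash is useless without the chip, and the delay and wipe logic sits next to the key rather than in the OS, so compromising the OS does not let an attacker skip it.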
In the end we picked phones that have great features (there is no point installing great software on a less-than-great device) and the security we need to build the concentric layers of security that make SKY ECC the most secure device available. The secure features of each phone we use include:
- Apple: Secure Enclave is the name of Apple's technically-not-a-separate-chip chip, an isolated processor built into the main chip. It boots separately from the rest of the device and runs its own firmware, and keys generated inside it never leave it. Its cryptographic engine uses 256-bit elliptic-curve keys, a powerful form of protection (not as large as the 521-bit curves SKY ECC itself uses, but certainly nothing to sneeze at!). Apple Pay data also resides here.
- Google: Titan M is a separate secure chip that verifies the signature on the bootloader and OS images using a public key built into the chip's silicon. Its first job is to verify boot conditions: it checks that the lower-level firmware has not been tampered with and prevents rollback to previous versions.
- BlackBerry: BlackBerry does not use a separate chip; its hardware security runs in an isolated part of the main processor (like Apple's Secure Enclave). To minimize problems like Triada, BlackBerry tracks its phones through the manufacturing process with hardware-based keys. Its secure boot makes sure only a BlackBerry-signed OS can load, and checks for tampering along the way.
Earlier this year we found a review of the best phones for privacy and security, and our three devices are among the five listed. We are confident in the devices we choose, but it is nice to have independent validation too.
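The rollback protection and signature-in-silicon points above come down to one small routine, shown here as an added example written for this post. It is not code from Google, Apple, BlackBerry, or SKY ECC; the SecureElement type, the VerifyBoot function, the image format, and the version numbers are all constructed for illustration, and Ed25519 stands in for whatever signature scheme a real chip uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// BootImage is a constructed stand-in for a bootloader or OS image: a
// rollback index (monotonic version) plus the image bytes and a signature.
type BootImage struct {
	Version uint32
	Payload []byte
	Sig     []byte // ed25519 signature over Version || Payload
}

// digest binds the version to the payload, so an attacker cannot re-label an
// old image with a new version number without breaking the signature.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// NewRootOfTrust stands in for the manufacturer's signing key ceremony. The
// public half is what gets fixed into the chip; the private half stays offline.
func NewRootOfTrust() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the manufacturer's release step.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) BootImage {
	return BootImage{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, digest(version, payload))}
}

// SecureElement models the security chip (illustrative, not any vendor's):
// RootKey cannot change after manufacture, and MinVersion is the anti-rollback
// counter the chip keeps in its own storage, out of reach of the OS.
type SecureElement struct {
	RootKey    ed25519.PublicKey
	MinVersion uint32
}

var (
	ErrBadSignature = errors.New("image signature invalid")
	ErrRollback     = errors.New("image older than the anti-rollback counter")
)

// VerifyBoot runs before any OS code executes. Signature first, then version:
// an unsigned image must never get to influence the counter. On success the
// counter ratchets up, so the same device cannot later boot the older image.
func (se *SecureElement) VerifyBoot(img BootImage) error {
	if !ed25519.Verify(se.RootKey, digest(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version < se.MinVersion {
		return ErrRollback
	}
	se.MinVersion = img.Version
	return nil
}

func main() {
	pub, priv := NewRootOfTrust()
	chip := &SecureElement{RootKey: pub}
	patched := SignImage(priv, 31, []byte("OS 3.1: vulnerability fixed"))
	vulnerable := SignImage(priv, 30, []byte("OS 3.0: vulnerability present"))

	fmt.Println("boot 3.1:", chip.VerifyBoot(patched))    // <nil>
	fmt.Println("boot 3.0:", chip.VerifyBoot(vulnerable)) // image older than the anti-rollback counter
	vulnerable.Version = 31 // attacker re-labels the old image as the new one
	fmt.Println("relabeled:", chip.VerifyBoot(vulnerable)) // image signature invalid
}
```

The order of the checks matters: the version is only trusted after the signature has proven the manufacturer released it, and an image signed by anyone else fails before the counter is consulted at all. Once 3.1 has booted, 3.0 stays unbootable on that device even though its signature is still perfectly valid, which is the whole point of the counter.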
This is what it takes to create a secure foundation
Uri Kreisman wrote in Helpnet Security about what it takes to be truly secure today:
This new approach to cybersecurity aims to protect a phone by taking the battleground away entirely: if you store away data on a hardware isolated container, it cannot be accessible to an attacker. If you build cybersecurity solutions that take advantage of hardware isolation, you will be able to create truly accessible solutions for enterprises that want to be protected against spyware, ransomware, and other threats that may target their employees. While software best practices can prevent rudimentary attacks, relying on Android for security is like asking your car’s manufacturer to protect you against car thieves – there is only so much a company can do to protect its own popular product. Adding an isolated self-contained layer of hardware and software protection is of paramount importance to running a responsible, cyber secure business in the twenty-first century.
The approach he suggests is the one behind our security model: we take a zero-trust stance toward the device. Kreisman's example is trusting a car maker to completely protect your vehicle against thieves. They do a lot, but they cannot do everything, which is why you can buy alarms and steering wheel locks. Likewise, Apple, Google, and BlackBerry cannot do everything to fully protect a device against every threat.
Filling the security gaps left by manufacturers falls to us.
Which is why:
- SKY ECC devices are locked-down, managed devices.
- We install SKY ECC into a secure container on the device.
- We take extra steps to secure network connections to and from the device.
Why don’t we just build our own devices? Why not manufacture the most secure device available and make an ironclad operating system to run it? We could have. We know what we want, but going down the custom route poses a lot of challenges:
- Quality of devices could suffer.
- We wouldn’t have the volume to reduce device costs.
- We would only offer Android phones as you can’t do custom hardware and run iOS.
It also comes down to this: we make software. We're not a device company. We're not a mobile OS company. The Chinese manufacturer hit with the supply chain attack was a device company, and even it did not catch the problem. We think there is more value in creating great software, and building security around it, than in moving into areas that distract us from our goals. Once we start modifying devices or making our own custom versions of Android, we could quickly lose sight of making our product better, and of building more great products in the future.
The device you start with matters
Think of the device you use as step one of the many steps it takes to protect the device and your security, if:
- You care about keeping your messages secure, protected, and encrypted.
- You don’t want to compromise your privacy because the device you’re using is flawed from the start.
We start with secure devices, verified by our own tests and by others, then layer on more security. If Google, Apple, or BlackBerry somehow suffered a supply-chain attack, our protections would buffer against breaches. And if devices from any of these companies were compromised, we would know quickly: there are enough independent eyes on all of them that a problem would be discovered and dealt with.
From picking the right devices, to how the app thwarts brute force attacks, to layers of network encryption, security is something we take very seriously. It isn’t just at the core of our app, it’s at the core of our entire company from the people on up…even the office dogs like to keep us secure!
If you care about protecting your messages and privacy—and know other people who feel the same way—think about becoming a SKY ECC Partner to turn your passion into a business.