82

I'm looking at replacing my very old android smartphone. Information security is increasingly a feature that I'm looking for. As well as being slow, I don't think I can upgrade my current handset to the latest android versions or even the latest version of the mobile security app I use, so almost anything would likely be an improvement.

Ideally I'm looking for a handset or ROM which has security (ideally encrypting data in communication and at rest) as a priority and will likely still be secure (with updates) in several years' time. I'd prefer an android solution, unless security on other platforms is significantly better/easier to achieve.

Is the choice of handset a significant consideration, or is security mainly down to the way it is used - regular updates, careful checking of apps before installation?

PLEASE NOTE: I am not looking for a specific recommendation, but rather guidance in knowing what to look for. Feel free to pop recommendations in the comments - but NOT the answers.

Mark Buffalo
James Bradbury
  • 11
    Nowadays, Android offers full disk encryption, apps like Signal offer strong encrypted communication and apps like Orbot allow you to route (all of) your traffic through TOR. The most interesting security property nowadays for Android is the post-launch patch support. "How often does a specific model / ROM get patched and for how long?" (this is vendor specific) is the main question then. – SEJPM Mar 10 '16 at 10:12
  • 2
    James, I added an explicit notice to the question, to focus on features and such as per your original question, instead of flooding answers with baseless recommendations (which would have been closed as off-topic - your question is a good one though). Let me know if this is as you intended. – AviD Mar 10 '16 at 10:25
  • 4
    @AviD. Thanks, this is exactly what I intended. I'm aware that recommendation questions go out of date too quickly to be useful. – James Bradbury Mar 10 '16 at 10:44
  • If you can install software on the phone you're considering, and it runs Android, run [Android Vulnerability Test Suite](https://github.com/nowsecure/android-vts). It won't tell you anything about the future, but it will tell you if the phone currently is safe, and that should give you a hint as to whether the ROM is updated or not. – Clément Mar 11 '16 at 03:58
  • Readers interested in this question might also be interested in a [Smartphone that ships without pre-installed proprietary software?](http://hardwarerecs.stackexchange.com/q/27/30) – unor Mar 11 '16 at 16:34
  • The choice of handset is definitely significant. There are a number of Android devices that have had remote root exploits -- in one case, someone could gain control of your phone simply by texting you a video file. On the other hand, there are devices that haven't been rooted even by device owners with full physical access. One example is the BlackBerry Priv -- it has very strict SELinux policies, pathtrust, and is the only Android phone to release with grsec (among other things). Disclosure: I worked on that phone. – Matthew Read Mar 11 '16 at 19:43
  • Here's a review shooting down the "private by design" claim of the Blackphone: [part 1](http://www.version2.dk/blog/blackphone2-review-1-508188), [part 2](http://www.version2.dk/blog/blackphone2-review-2-545078). – KlaymenDK Mar 13 '16 at 12:49

6 Answers

73

TLDR: There are several categories of security you must consider when looking for a phone. The main advice, though, is to get a newer phone with the latest security features, and from a manufacturer that has a good reputation of providing updates.

Security against other people (peers, police/government)

Look for newer devices with full disk encryption, and at the very least have a code or fingerprint required to unlock your device.

Both Android and iOS have the ability to encrypt the phone. When booting the phone, the password must be provided to finish booting and to view files.

  • Upside: Your phone is protected from external attempts to read the data
  • Downside: You must type in your password/PIN every time you boot, and usually every time you unlock your screen.

As this is built-in to more recent versions of Android and iOS, you must slightly narrow your search to exclude older phones that don't have this capability.

Encryption key vs unlock code

As a usability/security tradeoff, I prefer to have a long password required on boot, but have a simpler code to unlock the screen. Apple does this natively, letting you set a PIN or password required on boot, but thereafter letting you unlock the phone with your fingerprint.

  • Upside: You can use a complex password, while keeping the ease of unlocking your phone quickly.
  • Upside: A shoulder-surfer can't unlock your phone, since your fingerprint unlocks it. They would have to catch you as you type in the password on boot. (When you type your password, be sure no one is watching!)
  • Downside: Your fingerprint is not protected by law (in the U.S.). The police can force you to unlock the phone with your fingerprint. Whereas a password or code, something you know, cannot be forced out of you. Even if a court orders you and holds you in contempt for failing to provide the unlock code, they cannot access your data without your cooperation.

On a rooted Android device, you can install a mod that lets you have a complex boot password and a simpler PIN for the screen unlock. If you enter the PIN incorrectly, it requires the strong password to be entered, which prevents brute-force attempts at the much simpler PIN. You are losing some security, however, since anyone shoulder-surfing could see you put in your PIN and later steal the phone for unlocking.

  • Upside: You can use a complex password, while keeping the ease of unlocking your phone quickly.
  • Upside: Only your knowledge can unlock the device.
  • Downside: You must enter a PIN every time you unlock the screen. As this happens frequently, it is much more likely that someone could find out your simple unlock combination.

Security against apps

Check app permissions before installing, and make sure you get a newer phone that has extra permission management.

Apple/iOS

Apple devices (excluding jailbroken ones) can only install apps that have gone through Apple's vetting process. While this isn't 100% successful, it does protect most users from installing a malicious app. On top of that, certain obvious privacy features, such as GPS location and contact info, require an extra user prompt to allow an app to access that information.

Android 6.0+

Android permission settings before 6.0 Marshmallow were all-or-nothing. If an app requested permissions to your GPS, you either allowed it or didn't install the app. Android 6.0 introduces similar features to iOS that let the user deny certain permissions while still installing the app.

If looking at Android devices, this narrows the eligible devices, excluding phones that don't have Android 6.0 or newer.

Android 4.x-5.x with XPrivacy

However, if the Android device has root and can install the Xposed framework, you can install XPrivacy. That app overhauls the permission model on Android so that nearly every possible privacy-related permission can be allowed or denied in real time. If the app tries to use GPS, it prompts you to allow or deny (or provide fake/null information). This is available to most rootable Android devices running any version of Android 4.0 to 5.0.

Look for a phone that can be rooted if you want extreme privacy permission tweaking.

Security against bugs/exploits

Look for phones made by manufacturers with a history of regular updates.

Most iOS and Android updates include bug fixes along with new features. As long as the iOS device is supported, they can all get the update at the same time when it is released.

On Android, Nexus devices are generally the first to receive updates. For other manufacturers, make sure they have a history of providing updates to older phones and within a reasonable timeframe.

Alternatively, find an Android phone with an unlocked bootloader and an active development community. While more technical, this can be the fastest way to get the latest updates, even after a manufacturer has stopped supporting the phone.

Security against the device manufacturer

Buy devices from a trusted manufacturer, and make sure it uses full-disk encryption where the manufacturer does not hold the key. Also, for Android, consider a device with an unlockable bootloader to be able to load custom ROMs with newer security updates and better privacy features built-in.

Apple devices cannot be unlocked even by Apple starting in iOS 8. While it may be possible in theory for Apple to provide an update that subverts this, currently it is impossible for Apple to unlock your phone or gain access to the encrypted partition on your phone. If you have iCloud Backup enabled, however, that data can be accessed by Apple.

Similarly, Android devices with Full Disk Encryption enabled cannot be unlocked by the manufacturer, or even Google.

Unlocked bootloader

With Android devices, an unlocked bootloader lets you install custom ROMs, or even make your own built from scratch using the Android OS source code. If your phone is no longer supported by the manufacturer, you can still update to the latest version of Android, assuming someone has compiled a ROM for your device.

Some Android ROMs have additional security and privacy controls built-in.

Warning: This can be detrimental to security. Make sure to use a ROM that is widely known and trusted.

Security in the cloud

Use a cloud storage provider that encrypts your data and does not have access to the unlock key.

Almost all cloud storage (Dropbox, iCloud, etc) store files in a non-encrypted way, or in a way that the cloud provider could decrypt the files without the user's permission.

The primary way to protect against this is to not use cloud storage. If you need to back up your files, use your own encrypted server or manually copy files onto an encrypted desktop computer.

A few storage providers, such as MEGA and SpiderOak, do encrypt your files. The encryption key is not accessible to them, and a government entity would have to coerce them to write an update to their software in order to acquire the unlock key from a user.

Android and Apple both have apps for MEGA that work similarly to Dropbox, including automatically saving photos taken by the phone.

Security against networks

Make sure your phone can use VPN software, and possibly use TOR to increase privacy. And be sure to browse the web with https when possible.

The internet service provider can view all of your unencrypted network traffic. To help avoid this, use a VPN. Note: the VPN can see your unencrypted data as well. Use a trusted VPN provider.

The ISP can even determine some information from encrypted network traffic, if you aren't using a VPN. If you open a web page that uses https, the ISP can see which domain you are going to. They cannot, however, see the specific page you are requesting, nor the data of the page itself.

If extreme privacy is a need, Tor may be the answer. It has plenty of downsides, the primary being slow speed (compared to normal browsing). But when using Tor, your ISP cannot see your network information, aside from the fact that you're using Tor. And the nodes on Tor are unable to know both the source (you) and destination (the website) due to the way the protocol is designed.

  • 12
    It's worth noting that cracking a pin can also be trivially easy if you have greasy fingers or a dirty screen... – aslum Mar 11 '16 at 15:09
  • Nice and thorough answer. It needs upvotes! – edmz Mar 11 '16 at 16:56
  • 5
    XPrivacy was shown to be possible to circumvent. I'd not advise relying on XPrivacy when something serious is at stake. – Display Name Mar 11 '16 at 19:55
  • Speaking about security in the cloud, I think it's a good idea to mention [EncFS](https://security.stackexchange.com/questions/83292/is-encfs-secure-for-encrypting-dropbox) – Display Name Mar 11 '16 at 20:00
  • Don't look for a cloud provider which encrypts your data. It's essential that you encrypt the data by yourself before uploading it. It's also dangerous to upload any decryption key, even if it's secured by a password. – Noir Mar 12 '16 at 13:50
  • @SargeBorsch Can you provide a source? – Noir Mar 12 '16 at 13:51
  • 7
    @Noir Oh yeah. https://github.com/cernekee/WinXP – Display Name Mar 12 '16 at 17:11
  • 3
    @SargeBorsch Does that still work? Because it hasn't been updated in two years, and you would *hope* that the XPrivacy devs would have fixed it by now? – Martin Tournoij Mar 12 '16 at 19:53
  • +1 for the "security against the device manufacturer" part. If there's *one* thing to look for, it's the ability to replace the firmware on the device with something that you can trust (i.e. no manufacturer/vendor backdoors) and which meets your other security requirements. If you can replace the firmware, then you can add pretty much any security functionality required (to the extent permitted by the hardware of the device - e.g. you can't add fingerprint unlocking if the hardware doesn't include a fingerprint reader). – Micheal Johnson Mar 12 '16 at 21:48
  • @Noir I wouldn't recommend against using encrypted cloud services altogether. Rather, it depends on the user's needs. If they don't trust the government or other businesses, by all means they should manually encrypt their data (I do this for my online backups). But many people also need to have security/protection against themselves (ie user error), so an automatic backup to an encrypting service can be a good tradeoff between security and usability. – Stephen Schrauger Mar 13 '16 at 01:43
  • 3
    @Carpetsmoker I've seen the developer [saying that they don't want to deal with these issues](http://forum.xda-developers.com/showpost.php?p=54111452&postcount=10580) as they are too time consuming. – Display Name Mar 13 '16 at 08:39
  • 2
    @MichealJohnson: If YOU can replace the firmware on your phone, then any hacker can replace it as well. – gnasher729 Mar 13 '16 at 09:59
  • You should need physical access to the phone to replace it, and I believe that most if not all Android implementations will wipe the user's data when you replace the firmware exactly to avoid circumvention of the security measures implemented in whatever firmware the device is running when the attacker gets hold of it. – Micheal Johnson Mar 13 '16 at 17:53
  • 1
    I think something you forgot is security against physical theft / device loss. E.g. features to secure wipe data remotely, or to locate your phone. – Jason C Mar 13 '16 at 20:08
  • Oh, also, in addition to the good advice about checking app permissions above (and don't be afraid to ask around before downloading an app to clarify permissions you raise an eyebrow at), always be sure to only download apps from official sources, and check user reviews and download counts too -- not a perfect indicator but it can sometimes be enlightening to see if other users have pointed out issues. And remember, the biggest risks are from things like, you don't have a pin code on your phone and you leave it on the bus with your amazon.com password saved in your browser, etc. – Jason C Mar 13 '16 at 23:40
  • Good to know about Android 6.0. I'll have to check that out! Thank you. – Mark Buffalo Mar 13 '16 at 23:43
  • 1
    On an iPhone 5S or later you can use a short PIN only and nevertheless keep your data very secure - the SecureEnclave-coprocessor limits brute-forcing the PIN: The encryption-keys are stored in the SecureEnclave and encrypted with your PIN; any attempt to decrypt the keys must occur within the SecureEnclave and takes ~5 seconds (hardware-limited), so you would need up to 15 years to brute-force an 8-digit-PIN. Extracting the key and brute-forcing it anywhere else is VERY hard/expensive and can also be prevented by choosing a stronger password; it's the same principle as it is with smart cards. – K. Biermann Mar 14 '16 at 00:39
  • 1
    @K.Biermann [Correction](https://www.apple.com/business/docs/iOS_Security_Guide.pdf): SE stores a Unique ID. The PIN, along with this UID, is used in the _derivation_ of decryption keys. Only the SE has access to the UID and SE is tamper-resistant, so only SE is capable of operations involving it. SE rate-limits itself at one PIN every **80 ms**, so a 6-alphanum PIN will withstand at most 5 years. If I'm not mistaken it can also be told to blow up its UID after 10 failed attempts, at which point anything stored on the device is useless (because the key to the data can no longer be derived). – Iwillnotexist Idonotexist Mar 14 '16 at 05:07
  • Newest Android devices with fingerprint scanners (e.g. my Nexus 5X) will ask for a PIN/password during boot (if encrypted storage), at first login after boot, then every 48 hours, while allowing fingerprint unlocking at other times. – pgs Mar 16 '16 at 23:08
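The "the ISP can see which domain you are going to, but not the specific page" point from the first answer, shown on the wire. This is an added example, not code from the answer or from any project: it builds a minimal TLS 1.2 ClientHello for a constructed hostname and then parses the Server Name Indication (SNI) extension back out, which is exactly what a passive observer on the path (ISP, or VPN provider once you use a VPN) can read. The builder is a teaching stub with fixed random bytes and a single cipher suite, not a usable TLS client.

```python
"""Extract the hostname that an HTTPS connection leaks in clear text.

The TLS ClientHello (first packet of a TLS session) is unencrypted and carries
the target hostname in its SNI extension (RFC 6066).  The HTTP request line
with the page path only travels after the handshake, inside encrypted records.
Added example: the ClientHello below is constructed, not captured traffic.
"""
import struct

HANDSHAKE_RECORD = 0x16     # TLS record content type "handshake"
CLIENT_HELLO = 0x01         # handshake message type
SNI_EXTENSION = 0x0000      # extension type "server_name"


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI entry."""
    name = hostname.encode("ascii")
    # ServerNameList: name_type 0 (host_name), 2-byte length, the name itself
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", SNI_EXTENSION, len(server_name_list) + 2)
               + struct.pack("!H", len(server_name_list)) + server_name_list)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"                              # client_version TLS 1.2
            + b"\x11" * 32                           # client random (fixed, constructed)
            + b"\x00"                                # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # one compression method: null
            + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + b"\x03\x03"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        return None                                  # not a handshake record (e.g. encrypted app data)
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # compression methods
    if len(body) < pos + 2:
        return None                                  # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:                            # walk the extension list
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == SNI_EXTENSION and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.org")       # constructed hostname
    print("observer sees hostname:", extract_sni(hello))
    encrypted_app_data = b"\x17\x03\x03\x00\x05hello"    # what the page request looks like on the wire
    print("observer sees path:", extract_sni(encrypted_app_data))
```

Feeding the same parser an encrypted application-data record (content type 0x17, which is where the HTTP request line with the path travels) yields nothing, which is the asymmetry the answer describes. A VPN moves this visibility from the ISP to the VPN provider; with Tor, only the exit relay sees the ClientHello, and it does not know who sent it.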
59

One of the key aspects to consider for this is the support/patching policy of your mobile device vendor. If you're planning to keep the phone for say 2-3 years you don't want it to go out of support after 18 months.

Unfortunately this can be quite tricky information to come across with many vendors not providing published support lifecycles.

Also complicating the picture is that some device combinations have long "support chains" where multiple companies have to collaborate to produce patches. So, for example, an O2 Samsung Android phone might need 3 companies (Google, Samsung and O2) to co-operate to provide a patch. This kind of process inevitably leads to slower patching.

Likely the best approach to this would be to choose a device which has the smallest possible chain, so either an Android device from Google, an iOS device from Apple or a Windows Phone device from Microsoft, and in all cases an unlocked device is likely to get faster patches than one from a carrier.

Rory McCune
  • 24
    At this point I think this may be the most important thing to consider for a new phone in terms of security. I had no idea how BAD the situation was until Stagefright. My phone STILL isn't patched, even though I called the manufacturer and they released the patch to my carrier about a month after it was available to them. So yeah: for Android at least, I'd say go with a really big-name phone from a really big-name company with a history of frequent patches, or go with a Nexus. The rest are the equivalent of using IE for your browser back in the early 2000s. – Ben Mar 10 '16 at 17:19
  • 12
    Apple phones get software updates at the same time and you're not at the mercy of your carrier. There's also no custom modifications made by a third party, so I like your point about "smallest possible chain". – JPhi1618 Mar 10 '16 at 18:19
  • 13
    The only other option is to root and take responsibility for updating your phone yourself. Cyanogenmod, for example, patched Stagefright rather quickly after the vulnerability was revealed. – Ajedi32 Mar 10 '16 at 21:09
  • Thanks, this is a really important point and well explained. The only reason I'm not accepting it is that some others cover more angles. – James Bradbury Mar 11 '16 at 15:00
37

The other answers regarding encryption are great. I'm going to approach this question from the tinfoil / dissident angle, as I believe it's valid for nearly every scenario... but I still want to explain my reasoning, and how I came to these conclusions.

All of the problems I'll discuss are routinely exploited by criminals, and repressive governments. In some countries, being a member of a certain religious order, or the wrong race, is enough of a reason for the authorities to schedule your unapproved organ donation:

There are reports of systematic torture, illegal imprisonment, forced labor, organ harvesting and abusive psychiatric measures, with the apparent aim of forcing practitioners to recant their belief in Falun Gong.


A removable battery is a must

This is at the top of my list: you want a smart phone that has a removable battery.

Why? Because there are a million ways to hack you and listen in on your conversations. Imagine making sweet love to your significant other, and some sick bastard from a repressive government, or even a criminal, decides to listen in and get their kicks:

“In the course of their daily work they stumble across something that is completely unrelated to their work, for example an intimate nude photo of someone in a sexually compromising situation but they’re extremely attractive,” he said. “So what do they do? They turn around in their chair and they show a co-worker. And their co-worker says: ‘Oh, hey, that’s great. Send that to Bill down the way.’ ”

Mr. Snowden said that type of sharing occurred once every couple of months and was “seen as the fringe benefits of surveillance positions.”

There are also many ways to pretend that your phone is turned off when it really isn't off:

Your phone basically becomes a bug that tells the NSA everything going on around you. Any conversation you have or any embarrassing thing you do, the NSA will have it recorded.

The worst part is that even if you turned the phone off to be safe, it wouldn't really be off. The app makes your phone pretend to be off — it turns off the screen, ignores incoming calls and doesn't respond to button presses — but the spying will still be going on.

As we see from the above example, your privacy is not even respected by the NSA. Criminals and repressive governments can also hack your phone and listen in on your conversations. So why wouldn't you want a phone with a removable battery if you feel you're being targeted?


Find a device that's easily moddable

Free apps on Android can easily allow a form of backdoor access to your phone in its entirety. You know all those creepy permissions you keep accepting because you like "free stuff"? Yeah, those. "This application wants access to your: contacts, microphone, camera, etc." No thanks.

It's even worse when governments and advertising companies use ultrasonic tricks that link your devices together. A removable battery, along with Cyanogen's Privacy Guard, will go a long way towards combating this.

How can you expect to keep information secure if your phone is constantly sending information about your usage patterns to marketing companies, and governments? Don't forget CISPA. The government wants to request that data legally, even though they already have it.

The government can't even keep its own information secure, so why should they be allowed to keep your information? Companies can't seem to keep their data secure either. Why should you trust either of them?

I would suggest a phone that can be modded. For example, you can install CyanogenMod, and use their Privacy Guard feature to disable app access to your important information.

You also have much more control over your phone than with the stock crap.


Carrier locked phones are worthless in the USA, and China

You don't want a phone that's locked to a carrier. There are often severe delays on security updates, some taking years. One of my phones was carrier locked, and I couldn't update it until four years later. Meanwhile, it was vulnerable to almost everything, but it proved to be an excellent honeypot for reverse-engineering purposes. I suspect you may not want something like that.

This is still a problem with a lot of carrier-locked phones. You'll notice you entirely missed out on updates that everyone else is getting. Not good.

Unfortunately, this usually means shelling out full price for an unlocked phone. It's definitely worth it, as you can update the phone far easier - especially if you're using CyanogenMod. When the phone is entirely in your control, you can do more with it. You can apply security updates faster, and you don't need to wait for the carrier to update it.


Too Long, Didn't Read

My top three recommendations:

  1. Removable battery (apps/hacks can fake your phone being off when it's really still on)
  2. Moddable with Privacy Guard (Cyanogen Mod, for example)
  3. Unlocked phones, no carrier locks.
Mark Buffalo
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/37013/discussion-on-answer-by-mark-buffalo-what-security-features-are-important-when-b). – Rory Alsop Mar 15 '16 at 16:11
16

Trying to avoid recommendations, to keep your phone safe and secure I will break it down into 3 levels:

Applications

When looking for applications to place on your phone you need to look at the permissions they ask for and ask yourself: does this chess game really need access to my contacts, Bluetooth and internet? No, it does not. To me an app is suspicious if it asks for anything that makes very little sense (though you will find most apps will ask to see your photos/files, and I still do not trust that).

Software for your phone

You need to look for a generic software version compatible with your phone; the best kind of option to go for would be to browse for open source Android platforms (Android is open source, but trying to get programmers to review ROMs made by corporates is hard). All phones will use a specific OS from your service provider; for example, O2 (an English telecom) handles its own upgrades and packages its own stuff in with it. You need a clean version compatible with whatever phone you buy.

Hardware

Now this is the most difficult to answer: hardware is hardware, but you can encrypt your device so it's safe on your hardware. This is all I can offer you as far as information.

Other Tips

You are able to get applications which secure your traffic, you just have to remember the person on the other side needs to be able to decrypt your information. You can also have hidden volumes on your phone to keep only certain bits of information safe.

You can try using web calling and having external services to handle your traffic, such as anonymous VPNs. There are also lots of options for applications and services for the TOR network. Just remember you can keep your information safe on your device easily (don't forget to use a secure password), but keeping the communication safe yet accessible by the desired receiver requires them to also have the ability to decrypt it.

Using TOR or encrypted services in conjunction with web communication on your phone will mean that you can have your device decentralised from you, the source of the traffic being hard to pinpoint. But seeing as it is your phone, it's still not impossible to find the source.

Need anything specific? Comment and I will update my answer.

TheHidden
  • WhatsApp is only encrypted (OTR / Axolotl) for direct person-to-person communication on android devices. Group chats are not encrypted. Communication with non-android devices is not encrypted. – SEJPM Mar 10 '16 at 10:22
  • updating my answer @SEJPM – TheHidden Mar 10 '16 at 10:25
  • @SEJPM actually, there's an app called CoverMe that uses strong encryption for individual and group messaging, as well as VoIP calls, and also works with its counterpart in the iOS app store. – Matt Mar 10 '16 at 23:01
  • @Matt I was referring specifically to WhatsApp. There are other apps that do indeed allow encrypted group chats, encrypted cross-platform chat and encrypted VOIP with Signal probably being the most famous one. – SEJPM Mar 10 '16 at 23:04
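Both the "Security against apps" section of the first answer and the "Applications" section of the answer above boil down to the same check: compare what an app asks for against what it plausibly needs. As an added example (not code from either answer or from any project), here is that check as a script over a decoded AndroidManifest.xml, the file you get from an APK with a decoder such as apktool. The manifest is constructed for a hypothetical chess game; the permission strings are real Android permission names, while the per-app-kind "expected" sets are this example's own assumption about what a reviewer would accept, not anything Android defines.

```python
"""Flag app permission requests that do not fit the kind of app.

Added example.  Input is a decoded AndroidManifest.xml (plain XML); output
splits the requested permissions into expected / suspicious / other.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that gate private data or sensors (Android's "dangerous"
# protection level).  Anything outside this set is treated as low risk here.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumed reviewer profile per kind of app (this example's choice, not an Android list).
EXPECTED = {
    "game": {"android.permission.INTERNET"},
    "messenger": {"android.permission.INTERNET", "android.permission.READ_CONTACTS",
                  "android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
}


def requested_permissions(manifest_xml: str) -> list:
    """All <uses-permission android:name="..."/> values in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")]


def review(manifest_xml: str, app_kind: str) -> dict:
    """Bucket requested permissions: fits the app kind, dangerous and unexplained, or other."""
    requested = set(requested_permissions(manifest_xml))
    expected = EXPECTED[app_kind]
    return {
        "expected": sorted(requested & expected),
        "suspicious": sorted((requested - expected) & DANGEROUS),
        "other": sorted(requested - expected - DANGEROUS),
    }


# Constructed manifest of a hypothetical chess game that asks for far too much.
CHESS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chess">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for bucket, names in review(CHESS_MANIFEST, "game").items():
        print(f"{bucket:10s} {', '.join(names) or '-'}")
```

The "suspicious" bucket is the one the answers are talking about: a chess game wanting contacts and precise location is exactly the "makes very little sense" case, while Bluetooth and vibrate land in "other" because they do not reach private data on their own. On Android 6.0+ you could still install and then deny those two at the prompt; on older devices the script's verdict is effectively the install decision.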
6

First of all: There's a good guide from the TOR project about hardening Android. You can deduce all criteria you have to look for from it.

Second: I can't believe that nobody here even mentions the biggest backdoor which circumvents most security measures as long as the telephone is turned on: the baseband processor.

Some vulnerabilities have already been discovered, and since the firmware of all available baseband processors is closed source and not even an interface specification is available, it's very hard to find backdoors and bugs.

Noir
-1

You need to know your requirements, which depend on your situation.

Do you want to protect against everyday hackers who are going to attack random people, where you are not a specific target but just a random victim?

Are you a potential target, like an important person in a company, some minor or major celebrity? Will people try to attack you personally?

Are you either a criminal, who will have law enforcement with search warrants after them, or someone who is inconvenient to their government, who will also have law enforcement with search warrants after them?

Number 1: Get an iPhone with fingerprint sensor, use a six digit passcode, use two factor authentication, turn on "find my phone" so you can lock it if it disappears, use a password for your AppleID that cannot be easily guessed and is not the same password that you use elsewhere.

Number 2: Same as 1, use an eight digit passcode, use a password for your AppleID that doesn't use any information that a determined hacker can find out about you, and that is impossible to guess (for example five random words).

Number 3: You are asking the wrong person.

There was other advice here, but you need to ask yourself whether you have the talent, and the time, to make your phone more secure than a standard phone from a large manufacturer who uses security as a selling point. And you need to ask yourself how much inconvenience you are willing to accept for added security. As an example, insisting on a removable battery means today that you can't use a phone by any of the major manufacturers, which means there is a potential already to end up with a less secure phone.

And there are compromises: For example the fingerprint sensor does in fact reduce security if everything else is equal (because every different way to enter your phone is a potential risk), but it encourages people to use longer passcodes which would be very inconvenient if you used them all the time.

gnasher729
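The passcode-length advice in the answer above (six digits for a random victim, eight for a targeted one) and the brute-force figures traded in the comments on the first answer (about 5 seconds per attempt giving ~15 years for 8 digits; 80 ms per attempt giving ~5 years for a 6-character alphanumeric code; a wipe after 10 failures) rest on the same arithmetic. This added example (not from any answer on the page) carries it through for several policies. The per-attempt delays are the figures quoted in those comments, not measured values, and the alphabets are assumed passcode policies.

```python
"""Passcode brute-force estimates behind a rate-limited secure element.

Added example.  Models two defences the comments describe: a fixed delay per
attempt enforced in hardware, and a cap on failed attempts before the key
material is destroyed.  All rates are the quoted figures, not measurements.
"""
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes for a given alphabet and length."""
    return alphabet_size ** length


def worst_case_years(alphabet_size: int, length: int, seconds_per_attempt: float) -> float:
    """Time to try every code when each attempt costs seconds_per_attempt."""
    return keyspace(alphabet_size, length) * seconds_per_attempt / SECONDS_PER_YEAR


def expected_years(alphabet_size: int, length: int, seconds_per_attempt: float) -> float:
    """A uniformly random code is found, on average, halfway through the space."""
    return worst_case_years(alphabet_size, length, seconds_per_attempt) / 2


def capped_success_probability(alphabet_size: int, length: int, max_attempts: int) -> float:
    """Chance of hitting a uniformly chosen code before a wipe after max_attempts failures."""
    return min(1.0, max_attempts / keyspace(alphabet_size, length))


# Assumed policies: label -> (alphabet size, length).
POLICIES = {
    "4 digits": (10, 4),
    "6 digits": (10, 6),
    "8 digits": (10, 8),
    "6 chars a-z0-9": (36, 6),
    "6 chars a-zA-Z0-9": (62, 6),
}


def compare_policies(seconds_per_attempt: float = 0.08, max_attempts: int = 10) -> dict:
    """Tabulate worst-case search time and capped success odds per policy."""
    return {
        label: {
            "keyspace": keyspace(alpha, length),
            "worst_years": worst_case_years(alpha, length, seconds_per_attempt),
            "expected_years": expected_years(alpha, length, seconds_per_attempt),
            "p_success_capped": capped_success_probability(alpha, length, max_attempts),
        }
        for label, (alpha, length) in POLICIES.items()
    }


if __name__ == "__main__":
    for delay in (0.08, 5.0):                      # the two per-attempt figures quoted in the thread
        print(f"\n{delay} s per attempt, wipe after 10 failures")
        for label, row in compare_policies(seconds_per_attempt=delay).items():
            print(f"  {label:18s} keyspace={row['keyspace']:>14,d}  "
                  f"worst={row['worst_years']:10.2f} y  "
                  f"p(success|10 tries)={row['p_success_capped']:.2e}")
```

Two things fall out that the thread states only in passing: the rate limit alone makes a 4-digit PIN worthless (every code in about 13 minutes at 80 ms each) and only becomes meaningful from six digits up, while an attempt cap changes the question from "how long" to "what are the odds", and even a 4-digit PIN then gives an attacker a 0.1% chance. Both defences only hold while guessing must go through the secure element; extracting the key material and guessing offline, as the comment notes, is the case where code length and alphabet are all that remains.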