iPhone vs. Android: What's More Secure? Experts Talk About Mobile Security

  • Experts discarded the myth that iPhones are more secure than Android devices, unless the iPhone runs the latest iOS 13.

  • They also suggested that users stay away from Samsung phones.

  • Experts were also against the use of biometrics as a means of securing a phone.


Cybersecurity experts Aaron Turner and Georgia Weidman discussed the caveats that come with two-factor authentication, even though they agreed it is the way to go, and with biometrics as a means of securing one's phone. The two experts were speaking at the RSA Conference in San Francisco.


The two warned users against using a mobile authenticator app on an old smartphone, because the app is only as good as the operating system on which it runs. They emphasized that using authenticator apps, such as Authy or Google Authenticator, for two-factor authentication is better than using SMS-based 2FA. But, they said, an authenticator app is useless for security if the underlying mobile OS is out of date or the device is otherwise insecure.


The problem is that if an attacker or a piece of mobile malware can get into the kernel of iOS or Android, it can do anything it wants, including presenting fake authenticator-app screens.


"One of my clients had an iPhone 4 and was using Microsoft Authenticator," Turner said, indicating another authenticator app. "All an attacker would need to do is to get an iPhone 4 exploit. My client was traveling in a high-risk country, his phone was cloned and then after he left the country, all sorts of interesting things happened to his accounts."


What's Safer: iPhones or Androids?


Aaron Turner discarded the myth that iPhones are more secure than Android devices, unless the iPhone runs the latest iOS 13. He said, "You don't want the risk associated with 32-bit iOS."


Among Android smartphones, he praises Pixel devices and shares that he has "had good experiences with Motorola and Nokia Android One devices."


In Android, use only the Pixel class of devices. Go to Android One if you can't get Pixel devices. I've had good experiences with Motorola and Nokia Android One devices.

- Aaron Turner, President and CSO, HighSide


He also suggested users stay away from well-known Android brands.


Stay Away From Samsung Phones


Turner had some strong opinions about Samsung phones. "Karsten Nohl showed that Samsung was faking device updates last year. Stop buying their stuff," Turner said.


To be fair, Samsung was far from the worst offender among phone makers in the study Turner cited, and the study authors later said "they got it wrong" regarding Samsung's issues, without going into further detail.


Some Android phones are safer than iPhones


iPhones and Androids have roughly as many known exploits as each other, and Weidman extracted the encryption keys from an older iPhone in a matter of seconds onstage.


iPhone's Secure Enclave offers some additional security, but the authenticator apps aren't using those elements. iOS is still good, but Android's [security-enhanced] SELinux is the bane of my existence as someone who's building exploits.

- Georgia Weidman, Founder and CTO, Shevirah Inc.


"We charge three times as much for an Android pentest than we charge for an iOS one," Turner said, referring to an exercise in which hackers are paid by a company to try to penetrate the company's security. "Fully patched Android is more difficult to go after."




The Underlying Part Of The Mobile OS


Authenticator apps beat SMS-texted codes as 2FA second factors because app codes can't be intercepted over the air, aren't tied to a phone number and never leave the device. But authenticator-app codes can still be stolen in phishing attacks and, as we saw yesterday, by Android malware in screen-overlay attacks.


However, even the best training against phishing attacks and the best Android antivirus apps won't stop attacks that come from the kernel, the underlying part of the mobile operating system to which the user has no access.


"What could possibly go wrong when installing a user-mode application with sensitive cryptographic key materials on a platform with kernel vulnerabilities?" Turner asked rhetorically.


Kernel vulnerabilities also can be used to hack two-factor push notifications, which Google uses for its own accounts and which can't be phished.


In short, "we need to move away from usernames and passwords," Turner said.


'Biometrics are Non-revocable'


Neither expert was a biometrics enthusiast.

When asked about biometric authentication such as fingerprint readers and facial recognition, Weidman said that "it's better than nothing when used in addition to passwords."


Turner wasn't so sure. Citing a famous case from Malaysia in which a man's index finger was cut off by a gang to steal the man's fingerprint-protected Mercedes, Turner said, "I am fundamentally opposed to using biometrics because it's non-revocable. Fingerprint readers are biometric toys."

The only form of two-factor authentication without security problems right now, Turner said, is a hardware security key such as a Yubikey or Google Titan key.


"I've got two Yubikeys on me right now," Turner said. "Hardware separation is your friend."

