undefined | Better HN

0 pointswpdev_638y ago0 comments

Do people really need to worry about other than national states with android and ios? Exploits/Viruses in these OSes are extremely rare in comparison to the desktop OSes and they're just getting harder to exploit. It's gettting to the point where you need the resources of one of the cyber superpowers to exploit these OSes. Their permissions based security model is great and hopefully will make their way to desktop.

My theory is that there is a backdoor into these OSes. It's the path of least resistance and there's precedence of this. Obviously Apple/Google are going to vehemently deny this as this and these backdoors would be able to provide the most precise form of surveillance ever created.

0 comments

3 comments · 1 top-level

busterarm8y ago· 2 in thread

There are relatively easy tutorials out there, some on freaking YouTube ffs, about how to connect to the JTAG pins on most Android phones and pull data right out of memory.

These are barely above trivial attacks that don't require a nation state to pull off, just a talented engineer.

wpdev_63OP8y ago

I don't think most people care about physical access exploits. If you did you would have some specialized software which would remotely wipe it upon being tampering with. Common sense.

What really matters security wise is who is this security for? If it's for state actors(vault7) then it's useless. It's known that copperheados doesn't do much to defend against them as the phones are exploited on a hardware level. All this extra security is pointless as the people you are most worried about, has access.

busterarm8y ago

> If you did you would have some specialized software which would remotely wipe it upon being tampering with. Common sense.

If somebody physically attaching to your device isn't doing so in an environment that doesn't also block radio signals, they've already failed... and you can't be wiping your phone every time it loses signal.

The threat model of a personal computer and the threat model of something that literally follows you everywhere and knows everything you do are very different.

Physical access is much easier to obtain exposes you to way, way more. Getting a divorce? Your phone is probably something you want to guard extremely closely. You can get someone to pin your android phone for low-double digit thousands of dollars -- or even free if it's the right kind of person with the wrong kind of morals. IMO, if you have any meaningful assets to protect, whether they're yours or your company's, buying an Android phone with JTAG pins is _insane_ (or simply poor risk analysis).

But what do I know? I've only JTAG'd a phone before, scraped the RAM, obtained the unlock code and all of the user data. Random thought: how many people do you know whose phone unlock code is also their ATM pin number?

j / k navigate · click thread line to collapse