The Lie That Phones are More Secure than Desktops

Jul. 30, 2022 [technology] [proprietary] [phones] [privacy-security]

The Hated One has recently pivoted into doing mobile phone content. I actually respect most of his work, although his recent video Why phones are more secure than desktops has me wondering if a brain parasite has taken over his mind. He goes on to argue how anyone concerned with privacy and security should be using phones instead of desktops, making some contradictions along the way. I’ll try to keep my interjections to a minimum.

If you want to maximize your digital privacy and security you should use your phone. … The modern phone security model allow for a much greater protection of your sensitive data than any desktop offers today. … Any issue you can criticize a modern phone for is several times worse on a desktop equivalent of it so let’s tackle some of these myths real quick.

Hmm, interesting. Let’s explore some of these myths.

You might have heard plenty of times how these mobile devices were designed to track all of our movements and activities and that’s all they do but this is a factually wrong assumption because the exact opposite is true. If you believe this notion you probably don’t know that android apps have no access to your phone’s hardware identifier since android 10. You can revoke background location access or even foreground location access if you haven’t noticed any of these ubiquitous ad permissions prompts you see in the pop-up dialogues in your phone all the time are virtually non-existent on any desktop. If you go to your phone’s privacy settings you will find plenty of toggles that allow you to harden your security and limit what data apps can access. It’s amusing and tragic at the same time how many people suggest linux as a privacy alternative to phones when no such extensive privacy settings exist on pretty much any linux distro. Even windows has implemented more permission toggles and that system is a data collection hub.

From this we can glean that he definitely is talking specifically about desktops running Linux. Here’s the thing about privacy permission toggles: they only need to exist on platforms which actually collect your data. Since the vast majority of Linux distros don’t, there is little reason to present the user with a privacy settings panel. And those who are interested in battening down the hatches will dive into the internals for things like sysctl, custom kernels, mandatory access control and so on.

Also, just because individual mobile applications can be cutoff from location data (assuming one can even trust those software toggles) does not mean that the phone itself isn’t tracking location in realtime. And good luck preventing that as long as the baseband processor is present. It is disingenuous to claim that phones don’t track movement activity. False claim, dubious supporting info. Next.

Both android and ios were designed with a thorough threat model in mind. For example android’s threat model assumes your device could be stolen or the police might want to unlock it against your consent. To mitigate this threat, android developed a secure keystore implementation that generates and stores your undevised encryption keys in a tamper resistant hardware. This hardware bound key implementation was designed so that it is impossible to extract your cryptographic keys without your lock screen passcode so not even a full kernel exploit or system compromise can access your secret keys. All modern phones are encrypted by default most desktops don’t even offer it as an option and those that do have no or limited mitigation against brute force or cold boot attacks. Full disk encryption has been abandoned since android 7 due to its limitation of not being able to protect the encryption keys. There is virtually no protection of your desktop encryption once someone has physical access to it.

The Hated One hasn’t heard of LUKS? It is available on pretty much all distros and offered at install-time in many. He conveniently switches the focus from “Linux desktops” to “most desktops” to make this point. And what happens when somebody has physical access to the phone, like those police in the android threat model? They clone its image and then effectivly gain unlimited unlock attempts at the phone’s lock screen passcode. Physical access compromise is not unique to desktops. In fact, it is more likely that a mobile phone will come into the physical possession of an adversary.

Modern mobile operating systems implement defense in depth mechanisms that eliminate the ability of malicious software to access your sensitive data much of this is done via exploit mitigation, attack surface reduction and isolation. Isolation and containment is where the differences between desktop and mobile security models are most visible to the end user. For instance when I install a password manager app on my phone I can reasonably assume no other app is going to be able to access this data or log the keystrokes during password prompts. This is ensured with the application sandbox that strictly limits how apps can communicate and share data with each other and the system. If my password manager doesn’t allow a certain ipc mechanism no other app can reach it. This straight permission model enforces this consent. If I use the same password manager on my desktop machine, the only defense mechanism I have is the encryption of the password database. It’s easy for malicious apps on my desktop to steal my password database and brute force it locally. There is no permission model that would restrict other apps access to my password manager database.

He’s pretty much insinuating that exploit mitigation, attack surface reduction and isolation are not a thing on Linux, which is also completely false. Attack surface reduction is best achieved by installing only what you need, which is nearly an impossible feat on mobile OSes. Try uninstalling that facebook app. Go on, I’ll wait lol. And isolation is one of Linux’s fortés with tools like AppArmor, which can be made to confine all userspace programs in the same way that mobile OSes do, SELinux (which Android quietly uses for sandboxing, but The Hated One doesn’t tell you that) and Firejail. Users seeking even more extreme software isolation can even look to implementations like Qubes. Lastly, libre desktop operating systems seldom deploy software which tries to snoop on user input so there historically hasn’t been as much need for Linux desktop users to worry about this.

Privacy oftentimes balances between anonymity and security and sometimes trade-offs have to be made. For example the most secure way to install apps is through an official app repository. This is due to multiple reasons, mainly because of the app sign-in requirement which makes sure the app is coming from the developer and not an untrusted party. Various repositories have submission checks or a vetting process that eliminates the presence of malicious knockoffs. For instance the problem is that the only way google and apple allow you to use their app stores is after you sign in with a real phone number. At best, this is going to be pseudonymous because it’s hard or impossible to obtain an anonymous sim card and phone numbers will always be tied to an approximate location. This allows app stores to collect your app usage data or by the very least your app list which can be used to fingerprint you. On linux, on the other hand, you can also install apps from a repository but you’re not required to create an account. This is beneficial because the only identifier left pretty much is your ip address which can be obfuscated with a vpn or tor but that’s where the benefits end because linux app stores have no permission manifests and all linux apps you install are immediately granted access to all user data based on your logged in account. So while you can’t expect to be anonymous on a stock mobile app store you’re at least reasonably secure and private. On a desktop repository you could maintain anonymous to a limited extent but everything else is subject to a huge amount of trust in every single app you install.

The video transcription originally had “app repository” as “ad repository” which I found rather fitting. So he pretty much admits that mobile software stores are a panopticon but it’s somehow okay because “at least they’re vetted so you can trust them”. O rly? 1 2 3 4. Most distro repositories do have uploader and maintainer guidelines, with signatures made to mitigate against tampering on it’s way to the end user. And this whole notion that privacy and security are somehow at odds is complete misdirection. It is often impossible to achieve one without the other.

Many zealots in the privacy community, if such a thing even exists, do not make a distinction between services and platforms.

Services and platforms are often one in the same. The real distinction is between platforms and protocols, about which I made an entire writeup contrasting the two.

Android means a lot of completely unrelated things to a lot of different people but in reality android is just a free and open source mobile operating system. It has no google apps or services, no pre-installed bundles or bloatware it is a very clean and user-friendly operating system that’s available for everyone for free. It’s important to make this distinction because it’s possible to use an android device without any privacy invasive apps and services. The android’s model allows for it. Android is private and safe by default. It’s best if you can use it without privacy invasive services such as the google play store. This is best achieved on graphene os. But even if you can’t use your phone without them, it’s not all lost. You should still go through the privacy settings of each of these services and disable all the location you’re not comfortable with. What’s neat is that that even stock android allows you to create multiple user profiles. You can use these profiles to compartmentalize your online identities and have separate profiles for work, personal life and online banking, for instance. Much of your privacy depends on how you use the tools at your disposal.

“Android is great, guys, really but use graphene OS instead” *hand rubbing*. This is admission that he knows he’s peddling bullshit. The stock Android build is pretty much never what you get as an end product. Vendors load their images up with all kinds of crap.

Another common misconception that’s extremely damaging, yet too popular, is that iphones are just inherently more private and secure than any and all android phones. But this, again, is not true. There is nothing that iphones do fundamentally differently than android phones when it comes to protecting your private data on your phone. Especially protecting them from third-party data collection. The “what happens on your iphone stays in your iphone” is a disgustingly misleading campaign. Android protects their data just as well as ios. Where iphones generally trade better security updates, which are important but more and more android vendors are starting to catch up, especially pixel phones, that in many cases beat iphones in hardware security. If you’re buying a phone for privacy, pixel phones from google or the latest generation iphones are going to be your best bet. Pixel phones will let you go miles further than iphones if you decide to flash graphene os on them. That way your phone will be significantly protected against even unknown vulnerabilities and zero-day exploits and it will completely anonymize your device. But, other than that, this whole myth that ios is just infinitely more secure or private than android is just a gross lack of understanding of the security models of these systems.

I had to recompose myself from a bout of laughter after reading the phone recommendation. “Protected against even unknown vulnerabilities” that’s an interesting hypothesis. “Completely anonymize your device” even though you just admitted it’s a surviellance panopticon in the software repository argument? We don’t get any eloboration on those.

Mobile operating systems are constantly improving their security with every new release

And desktop distributions aren’t?

Their ultimate goal is to make individual vulnerabilities impossible to exploit

Good luck with that, also their ultimate goal is to track and advertise. Where are you getting this ridiculous delusion?

and increase the number of vulnerabilities required to bypass the security model. And, to a large extent, they have already achieved this goal. It usually takes a chain of exploits to hack a mobile device, both with physical access or remote code execution. The market prices for zero day exploits illustrates vividly how much ahead phones are as opposed to desktops.

Or it just reflects just how many more targets are now using mobile…

Android exploits are currently the most expensive ones followed by ios exploits both costing millions of dollars. Compare that to desktop exploits and you’ll immediately see the difference. It’s night and day. More privacy shouldn’t come at a cost of security. Phones aren’t going to be perfectly private out of the box. There is still plenty of room for hardening to do

So he’s arguing about the theoretical ceiling, not the defaults, making the whole premise even more dubious.

but the base features of mobile security are years if not decades ahead of desktop os’s. It’s easier to take advantage of mobile security while understanding where you need to take steps to safeguard your privacy than blindly trust much more inferior desktop systems that offer no substantial defenses. This channel has an extensive library of videos that will teach you a lot about online privacy, anonymity and security and I will be updating them with new videos that go even further on my patreon page. I dedicate two weekly episodes to discussing these issues even further and going even more in depth with my research. All of my work is free from corporate influence

Everything I just read above suggests otherwise.

“Just get a backdoored scrying mirror to be safe from hackers, bro!” I even went back through his videos to check whether he’s talked about mandatory access control before, so he cannot claim ignorance. Almost all of The Hated One’s videos since this upload have been shilling for phones in some way. Smartphones, in their current form, simply cannot be taken seriously as a privacy/security platform. His conclusion is basically telling people to get a Goolag phone, which cannot be trusted at the hardware or firmware level, and praying that replacing the OS and applications will somehow fix this. Let me share some insight:

The “stack”:

Any compromise in the stack below a given component automatically invalidates any trust those resting above might have had. Tell me, which phones are running auditable, open, user controlled hardware and firmware?

And, in this mythical threat model, he keeps coming back to privacy and security somehow standing in opposition to one another. This couldn’t be further from the truth. Hardening a system is going to unavoidably increase privacy as well. The only other places I see security and privacy being billed as a “trade-off” are mainstream tech publications and REEddit-tier discussions. Something isn’t right here.

I can’t help feeling that The Hated One has begun falling off and I can no longer confidently point interested learners to his channel out of concern that they encounter such misdirection. Maybe it would be different if the works were presented more honestly like “Hey guys, phones are terrible and should be avoided, but if you absolutely must use one here are some bandaid solutions that might make them a little less tyrannical”. I speculate whether he might only be pivoting to phones in an effort to increase viewership. Hopefully he comes around on the issue since it would be a shame for one of the stronger voices in privacy and security to become just another big tech shill.