Why treating your phone as a computer is becoming a mistake

Couperin47

Member
SoSH Member
I realize this is going to enrage or anger many here, but the situation regarding most mobile phones, both Android and iOS is becoming increasingly dangerous:
 
http://www.zdnet.com/article/mobile-malware-evolves-adware-now-breaks-and-roots-your-phone/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61
 
The problem is simply that now malicious apps and sites are, increasingly, able to download and install rooting malware even without specific consent, in some cases even 'drive-by' adware when you just visit a site. Protection is difficult because:
 
1. Both iOS and Android have far less protection than our desktop operating systems.
2. Phones have less memory and lower-power CPUs, so there tends to be far less complex and effective anti-malware available for these devices, and most of you are less likely to have such software installed.
3. Rooting of phones is becoming much easier and more effective with the latest malware, and once rooted, it's almost impossible to remove, especially since there is no effective way to 'boot' into a phone independently of its existing kernel... while this can easily be done on a real computer.
4. Once 'root infected' there is little evidence even the best anti-malware can clean most phones.
 
I no longer treat my phone like a computer:
 
1. My phone browser no longer maintains any passwords (There is no browser I know of that has good enough security to be trusted to maintain passwords)
2. Living in a Windows/Android world I've been using LastPass to handle passwords/log on and I do NOT have it installed on my phone.
3. I know this means I don't/can't basically use my phone to log into my banking and other sites... that's exactly what I want.
 
I simply do that stuff at home on a real computer where I can trust layers of real protection and universal use of ad blocking under a real OS to provide security.
 
I fully realize this attitude may come across as old fart paranoia. YMMV.
 
For reference I'm running Lollipop 5.1 on a 1st Generation Moto X and do have Webroot SecureAnywhere installed.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,462
Canton, MA

BaseballJones

ivanvamp
SoSH Member
Oct 1, 2015
24,714
I just got a separate wifi hotspot with Verizon. Supposedly it has built in protection that my phone does not. Wasn't too expensive and I think it's worth it, given the security issues raised here.
 

Oil Can Dan

Well-Known Member
Lifetime Member
SoSH Member
Jul 31, 2003
8,039
0-3 to 4-3
So in reading the linked article it seems that you're not likely to have any issues so long as you only download apps from the Google Play store and/or iOS.  I don't doubt that all you wrote is true, but I'm not really seeing any of that in either linked article.  Or am I missing something?
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,462
Canton, MA
BaseballJones said:
I just got a separate wifi hotspot with Verizon. Supposedly it has built in protection that my phone does not. Wasn't too expensive and I think it's worth it, given the security issues raised here.
 
That doesn't really solve the security issues being discussed here.
 
Your phone still has apps whose behavior isn't fully accounted for, and those apps can send private information to places that you probably don't want them to send it, or do lots of other stuff you might not want them to do, regardless of whether you are on a hotspot or on your home wifi.
 

BaseballJones

ivanvamp
SoSH Member
Oct 1, 2015
24,714
Joe Sixpack said:
That doesn't really solve the security issues being discussed here.
 
Your phone still has apps whose behavior isn't fully accounted for, and those apps can send private information to places that you probably don't want them to send it, or do lots of other stuff you might not want them to do, regardless of whether you are on a hotspot or on your home wifi.
Ok. Then I guess it's not that helpful.
 

Couperin47

Member
SoSH Member
Oil Can Dan said:
So in reading the linked article it seems that you're not likely to have any issues so long as you only download apps from the Google Play store and/or iOS.  I don't doubt that all you wrote is true, but I'm not really seeing any of that in either linked article.  Or am I missing something?
 
Besides the fact that in the last 6 months literally hundreds of apps in both Google's and Apple's stores were found to be infected? And that you can browse in either OS via any browser to completely 'innocent' mobile sites and be fed poisoned adware that infects and roots your phone without you ever 'clicking' anything at that site?
 

Oil Can Dan

Well-Known Member
Lifetime Member
SoSH Member
Jul 31, 2003
8,039
0-3 to 4-3
Couperin47 said:
 
Besides the fact that in the last 6 months literally hundreds of apps in both Google's and Apple's stores were found to be infected? And that you can browse in either OS via any browser to completely 'innocent' mobile sites and be fed poisoned adware that infects and roots your phone without you ever 'clicking' anything at that site?
I'm an iOS guy so can't speak to the Google Play store, but the article you linked literally said that this problem exists among third-party non-Google Play store sites.  So I was going off that.
 
On iOS, if you're saying that there are thousands of apps that have been found to be infected that could be on my phone then that's also news to me, as my understanding is that there were a limited number of apps available in the Chinese specific Apple store that had malware.
 
I'm not trying to derail the discussion because it's a good one and I'm sure you're right - probably just a matter of time until these issues hit mobile phones harder than they have in the past. I'm looking to better understand the situation, and was hoping the article you linked went deeper on the things you cited but to my eye it didn't, so I asked about it.
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,462
Canton, MA
Oil Can Dan said:
I'm an iOS guy so can't speak to the Google Play store, but the article you linked literally said that this problem exists among third-party non-Google Play store sites.  So I was going off that.
 
On iOS, if you're saying that there are thousands of apps that have been found to be infected that could be on my phone then that's also news to me, as my understanding is that there were a limited number of apps available in the Chinese specific Apple store that had malware.
 
I'm not trying to derail the discussion because it's a good one and I'm sure you're right - probably just a matter of time until these issues hit mobile phones harder than they have in the past. I'm looking to better understand the situation, and was hoping the article you linked went deeper on the things you cited but to my eye it didn't, so I asked about it.
 
Yeah, there are really a couple of issues here which are tangentially related. The first is the risk of apps that will act as malware, root your phone, etc. This is stuff that *should* be weeded out by Google Play, Apple/itunes store, etc. But it's certainly possible that stuff slips through the cracks undetected. However most well known apps that have large numbers of downloads from Google/Apple are pretty safe from this risk I would think.
 
The secondary risk, which is a somewhat smaller risk, but is much more pervasive and tougher to combat, is privacy related issues with apps transmitting personal data off your phone without your knowledge. This is detailed in the Ars article I linked above.
 
For example, if you stored passwords on your phone, and they weren't stored securely, and you install another unrelated app, that app could have permissions (which can be either obfuscated or not entirely clear at the time of install) which allow it to transmit this data to some external server somewhere. Or on a lesser level, it could easily transmit all your contacts and other personal info out there without your knowledge.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
32,019
Alexandria, VA
Part of the problem is that it's simply not practical to have nothing sensitive on the phone for a lot of people--Uber, for instance, is something you often need on your mobile.  So I kind of take a hybrid approach; I have only about 5 apps that are at least relatively trusted installed, and I don't follow random links in emails on the phone.  I don't use the phone for my banking, but it does have some things like Uber that have payment possibilities (though at least in theory Uber isn't storing the CCN locally, and it can only be used to pay for Uber rides).  It's not ideal; even limiting it to somewhat trusted sites there are a zillion possible problems (e.g. Javascript injection through advertisements).  To me it's worth that risk for the benefits I get from the phone.
 

Rudi Fingers

Member
SoSH Member
Jul 18, 2005
1,847
Adianoeta
Couperin47 said:
 
1. Both iOS and Android have far less protection than our desktop operating systems.
 
There are plenty of reasons to be vigilant about computer and smartphone security, and personal data wherever it may reside, but item 1 is not one of them.
 
You will likely be surprised by enterprise adoption of devices like the iPad Pro over the next couple of years.  One of the specific selling points: the fundamental architectural restrictions around the system resources addressable by individual iOS applications.
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,367
SumnerH said:
Part of the problem is that it's simply not practical to have nothing sensitive on the phone for a lot of people--Uber, for instance, is something you often need on your mobile.  So I kind of take a hybrid approach; I have only about 5 apps that are at least relatively trusted installed, and I don't follow random links in emails on the phone.  I don't use the phone for my banking, but it does have some things like Uber that have payment possibilities (though at least in theory Uber isn't storing the CCN locally, and it can only be used to pay for Uber rides).  It's not ideal; even limiting it to somewhat trusted sites there are a zillion possible problems (e.g. Javascript injection through advertisements).  To me it's worth that risk for the benefits I get from the phone.
 
The most sensitive thing on my phone is my corporate email. There's a lot of sensitive information in there, that can't be avoided.
 
And in terms of the following, do you really trust your "real computer"? I certainly don't. There's not much we can do about it, but endpoint AV is only so effective and most people aren't doing anything more advanced than that on a home PC. They're not running Carbon Black, Bromium or another similar type of product, and even those have holes in them.
 
I simply do that stuff at home on a real computer where I can trust layers of real protection and universal use of ad blocking under a real OS to provide security.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
32,019
Alexandria, VA
NortheasternPJ said:
 
The most sensitive thing on my phone is my corporate email. There's a lot of sensitive information in there, that can't be avoided.
 
And in terms of the following, do you really trust your "real computer"? I certainly don't. There's not much we can do about it, but endpoint AV is only so effective and most people aren't doing anything more advanced than that on a home PC. They're not running Carbon Black, Bromium or another similar type of product, and even those have holes in them.
 
 
I don't read company mail on my phone, largely because I'd come under the company policy on BYO electronic devices if I did.
 
I trust my home computer far more than my Android phone, but I'm in a much different boat from most people there (I run Linux on the desktop and have significant experience securing Unix/Linux machines).  I have no illusions that it's perfectly safe, but it's a lot better than the phone.
 

Couperin47

Member
SoSH Member
NortheasternPJ said:
 
The most sensitive thing on my phone is my corporate email. There's a lot of sensitive information in there, that can't be avoided.
 
And in terms of the following, do you really trust your "real computer"? I certainly don't. There's not much we can do about it, but endpoint AV is only so effective and most people aren't doing anything more advanced than that on a home PC. They're not running Carbon Black, Bromium or another similar type of product, and even those have holes in them.
 
 
You're entitled to your opinion, but my home computer is behind a decent router, runs comprehensive ad blocking on all my browsers reducing the 'drive-by' infection from poisoned ad servers to nil, layered anti-malware from 3 sources, and keeps all my passwords/logons via LastPass, which is relatively well-encrypted end to end.
 
Most of the above is unavailable for most phones. Yes I basically 'trust' my home computers for the same reason Sumner does: we really have no choice.
 
I will take the opportunity to mention one recent addition to my phone security which may be of interest:
 
AdGuard blocks ads in a manner fundamentally different from most others for Android: the paid version blocks ads in all apps, not just in your browser, and does so without requiring root of your Android phone. It accomplishes this by setting up a VPN locally on your phone and running everything through the VPN. The VPN being local means the app isn't transmitting your usage to any 3rd party, and in over a month of usage I have not seen any significant slow-down of my 1st Gen Moto X. The author is very responsive to users and is very fluent in English. The downsides: he wants $9.95/year for the pro version which covers more than the free version (only works inside browsers), and he is Russian, based in Moscow.
 

edoug

Member
SoSH Member
Jul 15, 2005
6,007
No banking on my Android phone (or tablet), no credit card or PayPal account associated with my Google account. I do log on to some sites. So if some really stupid post shows up under my user name, you know I've been affected. Anything about Windows phones?
 

teddykgb

Member
SoSH Member
Jul 16, 2005
11,102
Chelmsford, MA
I think this is completely backwards. At least from an iOS perspective. The entire design of the OS is to reduce the risks you're describing. There are ways for apps to get out of their own sandbox and into others, but it's not trivial and Apple is supposed to check it. The App Store serves as the AV check up front; apps shouldn't be a problem for most people if they aren't jailbreaking.

Now the browser is a slightly different story. Mobile Safari runs with privileges other apps can't get so any exploits that are found in the browser stand a better chance of breaking through. There have been countless hours spent searching for these types of exploits and by and large they've been hard to find. Certainly much less prevalent than on the desktop.

For your average user, I'd probably much rather have them use an iOS device than any other device they can buy on the market. The more technical among us can absolutely setup something that at least stands a chance at picking up on a few more exploits on some UNIX based system. But that's probably more the exception than the rule and if we are being honest with ourselves then we probably have to accept that the sophistication of the governments who are doing this stuff means we are pretty unlikely to catch it on our own.

Anyway, the bottom line to me is that I'd rather have my theoretical mother on a phone and iPad far more than any other device. I have no doubt that the mobile world will be a massive vector of attack moving forward, but I generally feel good about the state of iOS app segregation to where I think the risks are minimal. In Android, all bets are off; the customization comes at a cost.
 

crystalline

Member
SoSH Member
Oct 12, 2009
5,771
JP
Couperin47 said:
 
You're entitled to your opinion, but my home computer is behind a decent router, runs comprehensive ad blocking on all my browsers reducing the 'drive-by' infection from poisoned ad servers to nil, layered anti-malware from 3 sources, and keeps all my passwords/logons via LastPass, which is relatively well-encrypted end to end.
 
Most of the above is unavailable for most phones.
Endpoint AV is basically a crap bandaid solution that was forced on the world in the early 2000s when Microsoft didn't care about security. Now they do care about security marginally, but they don't exactly want to eliminate AV companies and people's AV security blanket, so it still exists. It still is useful, but people rely on AV and anti-malware as if it's a first-line defense. A good OS and good browser are your front-line defense.

"Behind a decent router"- what security cross section specifically does this reduce? What you probably imply here is NAT that isolates your computer on a private subnet and prevents incoming connections.
Phones on phone company data nets are essentially on a private subnet.

Ad blocking- the main security risks here are on Windows. And there are few threats here, escalation to administrator is difficult.

Lastpass- password managers exist for phones that keep the disk file encrypted and have memory separation.



Your premise is right- there are a lot of security threats on phones that haven't been fully recognized. But most of the computer security that you list is theater at worst and a poor time-benefit investment at best.


A better solution is to run Mac OS X / Linux, keep up to date, and avoid running untrusted code (don't open unknown attachments, don't install apps except from trusted companies). Windows security stuff is a terrible waste of time. Thanks Microsoft...I mean Obama.
 

Couperin47

Member
SoSH Member
crystalline said:
Endpoint AV is basically a crap bandaid solution that was forced on the world in the early 2000s when Microsoft didn't care about security. Now they do care about security marginally, but they don't exactly want to eliminate AV companies and people's AV security blanket, so it still exists. It still is useful, but people rely on AV and anti-malware as if it's a first-line defense. A good OS and good browser are your front-line defense.

"Behind a decent router"- what security cross section specifically does this reduce? What you probably imply here is NAT that isolates your computer on a private subnet and prevents incoming connections.
Phones on phone company data nets are essentially on a private subnet.

Ad blocking- the main security risks here are on Windows. And there are few threats here, escalation to administrator is difficult.

Lastpass- password managers exist for phones that keep the disk file encrypted and have memory separation.



Your premise is right- there are a lot of security threats on phones that haven't been fully recognized. But most of the computer security that you list is theater at worst and a poor time-benefit investment at best.


A better solution is to run Mac OS X / Linux, keep up to date, and avoid running untrusted code (don't open unknown attachments, don't install apps except from trusted companies). Windows security stuff is a terrible waste of time. Thanks Microsoft...I mean Obama.
 
The perfect is the enemy of the good.  I've been running Windows with the 'terrible waste of time' measures for 25 years, go to seriously dangerous sites and have never been infected even once, but I wouldn't want my reality to intrude on your beliefs. I also need to run a wide range of software that can't be run on Linux and has options/analogs for OS X that I do not care for; besides, those options are not available on any phones.
 
Time benefit? Exactly how long do you think it took me to install my software, lock down my router so it can't be run remotely, make sure it's a new enough model that its user/password options can't be easily compromised (yes, we had several generations of routers from many/most of the home equipment providers that were so easy to take control of it was laughable), turn off UPnP and other obvious vectors to compromise, and do a decent audit of accounts and otherwise close backdoors? All of that had to be done exactly once. I'm going to guess that if Chinese military hackers want to target the 4 boxes running here they can probably get in; as to the sort of current malware that plagues the average user today, including ransomware and related hacks... 2 hours spent setting stuff up years ago, keeping my software updated and expending less than $25/year has allowed me to operate for over 2.5 decades without a single issue.
 
YMMV
 

NortheasternPJ

Member
SoSH Member
Nov 16, 2004
19,367
You're believing in fool's gold if you really think you are fine with a router and desktop AV. You may have not been hit yet, but there are thousands of malware variants coming out every day. I got hit on my Windows laptop 18 months ago doing a Google image search for a PowerPoint logo and did nothing outside of search.

Layering three signature based AV or Malware products is good but they generally are useless against new threats for a number of days.

The biggest things I recommend are run OpenDNS, don't install stuff you don't know where it came from, use an ad blocker, remove or click to flash and disable HTML rendering in your email.

You want paranoid? I personally have a Mac with an ad blocker, Sophos and Cisco AMP Endpoint on it, a Palo Alto firewall and OpenDNS. The desktop AV catches nothing. AMP gets stuff occasionally, and the PAN and OpenDNS see a ton of stuff and block it before it gets to the network. The PAN is taking in 3 different threat feeds as well to block malicious domains and IP addresses.

The router isn't doing you much outside of not being another point of attack.
 
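What OpenDNS, a firewall taking in domain threat feeds, and the local-VPN style of ad blocker described earlier in the thread have in common is domain-level filtering: every name the device resolves is checked against a blocklist before the connection is made. The following is an added example, not code from any of those products or from anyone in the thread. It shows the matching logic over a constructed hosts-format blocklist and constructed query log lines; the log layout (`timestamp client qtype qname`) and every name in it are assumptions made for the example.

```python
"""
Domain blocklist matching as a DNS filter or on-device VPN filter performs it.
Added example; the blocklist entries and query log below are constructed.
"""

# Constructed hosts-format blocklist (not a real feed).
BLOCKLIST = """\
# comments and blank lines are ignored
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org
malware-c2.example   # bare hostnames are accepted too
"""

# Constructed resolver log: <timestamp> <client-ip> <qtype> <qname>
QUERY_LOG = """\
2015-11-03T10:12:01Z 10.0.0.5 A www.example.com
2015-11-03T10:12:02Z 10.0.0.5 A cdn.ads.example.net
2015-11-03T10:12:03Z 10.0.0.7 AAAA ADS.EXAMPLE.NET.
2015-11-03T10:12:04Z 10.0.0.7 A notads.example.net
2015-11-03T10:12:05Z 10.0.0.9 A malware-c2.example
"""


def normalize(name):
    """Lowercase and drop the trailing dot: 'ADS.EXAMPLE.NET.' -> 'ads.example.net'."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse '0.0.0.0 host', '127.0.0.1 host', '::1 host' or bare 'host' lines."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("0.0.0.0", "127.0.0.1", "::1") and len(fields) > 1:
            host = fields[1]
        else:
            host = fields[0]
        blocked.add(normalize(host))
    return blocked


def match(qname, blocked):
    """Return the blocklist entry that covers qname, or None.

    Matching is by whole DNS label: an entry blocks itself and every subdomain
    (cdn.ads.example.net), but a substring must not count, so
    'notads.example.net' does not match 'ads.example.net'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def filter_log(log_text, blocked):
    """Classify each log line as (verdict, client, qname, matched_entry)."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        hit = match(qname, blocked)
        verdicts.append(("block" if hit else "allow", client, normalize(qname), hit))
    return verdicts


if __name__ == "__main__":
    for verdict in filter_log(QUERY_LOG, load_blocklist(BLOCKLIST)):
        print(*verdict)
```

The label-boundary rule is the part people get wrong: a substring match would let `ads.example.net` block `notads.example.net`, and an exact match would miss `cdn.ads.example.net`. The caveat that applies to every product in this category, resolver-based or local-VPN-based, is that it only ever sees names. An app that connects to a hard-coded IP address, or brings its own resolver, never asks the filter and is not blocked.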

BaseballJones

ivanvamp
SoSH Member
Oct 1, 2015
24,714
You guys are scaring me to death here. Now I am thinking that the best thing to do is stay off the internet altogether and just have a land line phone or an old school flip cell phone.
 

crystalline

Member
SoSH Member
Oct 12, 2009
5,771
JP
Couperin47 said:
 
The perfect is the enemy of the good.  I've been running Windows with the 'terrible waste of time' measures for 25 years,
 
True. My rant was probably uncalled for, and in any case is really directed at Windows.

For me personally the amount of time and brain cycles needed for Win security is too high. I use a Mac and a disposable VM for Windows stuff I need.

In my first line defense notes above, I forgot to list Flash. Click to Flash is essential as is keeping Flash up to date. (Also a huge waste of time to upgrade every few weeks. Google is fighting the good fight with HTML5)




As long as we are on security- I got the best phishing email I have ever seen yesterday. It impersonated a real Eversource email which arrived a few hours later. NStar just became Eversource so people aren't yet familiar with Eversource branding. I bet thousands of people entered their NStar passwords on the linked logon page.
 

Couperin47

Member
SoSH Member
NortheasternPJ said:
You're believing in fool's gold if you really think you are fine with a router and desktop AV. You may have not been hit yet, but there are thousands of malware variants coming out every day. I got hit on my Windows laptop 18 months ago doing a Google image search for a PowerPoint logo and did nothing outside of search.

Layering three signature based AV or Malware products is good but they generally are useless against new threats for a number of days.

The biggest things I recommend are run OpenDNS, don't install stuff you don't know where it came from, use an ad blocker, remove or click to flash and disable HTML rendering in your email.

You want paranoid? I personally have a Mac with an ad blocker, Sophos and Cisco AMP Endpoint on it, a Palo Alto firewall and OpenDNS. The desktop AV catches nothing. AMP gets stuff occasionally, and the PAN and OpenDNS see a ton of stuff and block it before it gets to the network. The PAN is taking in 3 different threat feeds as well to block malicious domains and IP addresses.

The router isn't doing you much outside of not being another point of attack.
 
Nothing is perfect.  Endpoint AV is a crude way of handling this stuff, no disagreement. 0-day exploits are a serious issue, but it's not quite as bleak as you imply... if it were, there would be untold millions of infected Windows boxes... and yes there are, but we're going to discount the ones running unpatched XP with absolutely no AV and not even behind a router. Heuristics applied very aggressively can stop a decent amount of 0-day exploits, especially today when the majority of such stuff is assembled by script kiddies and their ilk and constructed of bits and pieces that are slight evolutions of prior malware code.
 
I know my laptop is safe atm, it's sitting in the corner turned off.
 
My pr0n and warez forays are, these days, all to sites I've known for years. All software gets run through Virus Scan or Jotti sites and vetted by over 40 AV companies.  I do fairly often get infected attachments from other attorneys, but since 98% of these are Word or Excel documents, my AV always catches these. I have yet to encounter an infected pdf.
 
Complete images of my boot drives and copies of all major work and billing files are made at least once a week and are on at least 2 USB 3.0 drives (not self-contained compact drives, actual 3.5" drives in fan-equipped enclosures) which are not online, and boot images using 3 different programs (Macrium Reflect, EaseUS Todo and Paragon HD Manager) are made every other day to secondary drives on all 4 boxes.
 
If these posts don't get me hit by my first infection ever within the next 30 days...Murphy is dead or the Blood of the Lamb smear and the Mezuzah on my front door really work.
 

Couperin47

Member
SoSH Member
crystalline said:
True. My rant was probably uncalled for, and in any case is really directed at Windows.

For me personally the amount of time and brain cycles needed for Win security is too high. I use a Mac and a disposable VM for Windows stuff I need.

In my first line defense notes above, I forgot to list Flash. Click to Flash is essential as is keeping Flash up to date. (Also a huge waste of time to upgrade every few weeks. Google is fighting the good fight with HTML5)




As long as we are on security- I got the best phishing email I have ever seen yesterday. It impersonated a real Eversource email which arrived a few hours later. NStar just became Eversource so people aren't yet familiar with Eversource branding. I bet thousands of people entered their NStar passwords on the linked logon page.
 
Eversource is what PSNH (Public Service of NH) has just morphed into here. I grew up in NYC and gloried in the day I finally escaped Con Ed. Then PSNH went bankrupt thanks to their Seabrook adventures in nuclear power, and got acquired by Northeast Utilities, a holding company for....Con Ed. I realize now that I will never escape their clutches.
 

B H Kim

Well-Known Member
Lifetime Member
SoSH Member
Oct 24, 2003
5,734
Washington, DC
Couperin47 said:
 
Eversource is what PSNH (Public Service of NH) has just morphed into here. I grew up in NYC and gloried in the day I finally escaped Con Ed. Then PSNH went bankrupt thanks to their Seabrook adventures in nuclear power, and got acquired by Northeast Utilities, a holding company for....Con Ed. I realize now that I will never escape their clutches.
 
ConEd and NU are not affiliates.  They tried to merge in 2001 but the deal fell through.
 

canderson

Mr. Brightside
SoSH Member
Jul 16, 2005
39,619
Harrisburg, Pa.
I got hacked three years ago when I was working on redesigning a client's site. The old webmaster installed a Trojan in a file on the FTP. It was a key grabber and stole our bank info, credit card info and passport info.

Thank god it didn't access Vanguard's info.

If I find that webmaster I'd probably run him down with the car.
 

garlan5

Member
SoSH Member
May 13, 2009
2,684
Virginia
Anything in particular one can look for on Android to determine if there is any suspicious shit on my phone? I've had viruses on an old XP system before. I've used SUPERAntiSpyware and free AV as my two defenses. I'm sure there are more, but it's time consuming enough updating those and running system checks. I always get a few hundred potential threats from SUPERAntiSpyware and never anything from AVG. What can I look for to find unknown bugs on Android? The PC would always slow down when I had a bug. Android doesn't seem to have any known issues. I tend to navigate to shady sites on Android and keep things clean on the PC.
 

Couperin47

Member
SoSH Member
garlan5 said:
Anything in particular one can look for on Android to determine if there is any suspicious shit on my phone? I've had viruses on an old XP system before. I've used SUPERAntiSpyware and free AV as my two defenses. I'm sure there are more, but it's time consuming enough updating those and running system checks. I always get a few hundred potential threats from SUPERAntiSpyware and never anything from AVG. What can I look for to find unknown bugs on Android? The PC would always slow down when I had a bug. Android doesn't seem to have any known issues. I tend to navigate to shady sites on Android and keep things clean on the PC.
 
I assume you're using the free versions of SUPER and AVG, and these days both are worth just about what you are paying for them. You effectively have virtually no protection and 3rd-rate ability to scan/find existing infections, and neither is very effective at removing infection.  Today malware has mostly moved on from just annoying you and slowing down your computer to stealing info that can be sold/used for profit, using your computer as a bot for denial of service attacks, or locking your computer and its files for ransom. Quality malware does not slow down the infected machine or otherwise alert you, unless it's ransomware. AVG now actively markets any info they have about you to 3rd parties, and this alone puts them at the bottom of the barrel.
 
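Marceline's two risk classes earlier in the thread (apps that slip past store review, and apps whose permissions let them ship your data off the phone) and garlan5's question about what to look for on an Android phone both come down to the same first check: what is installed, who installed it, and what each package is allowed to do. Below is an added example, not code from the thread or from any product mentioned in it. It assumes you have captured `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>` from the device; the inputs here are constructed to mimic that output, and the package names, UIDs and permissions are invented. It flags sideloaded packages, data-reading permissions paired with INTERNET, boot persistence, and packages that share a UID, because the per-app sandbox is the Linux UID and two packages with the same userId are one sandbox, not two.

```python
"""
Triage of an Android third-party package list. Added example, not from the thread.

Assumption: the two inputs mimic 'adb shell pm list packages -3 -i' and
'adb shell dumpsys package <pkg>' on Android 5.x/6.x (field names package:,
installer=, userId=, 'requested permissions:'); all values are made up.
"""
import re
from collections import defaultdict

# Assumption: Google Play is the only store this phone is supposed to use.
TRUSTED_INSTALLERS = {"com.android.vending"}
PERM = "android.permission."
# Data a leaky or malicious app would want to pair with INTERNET.
DATA_PERMISSIONS = {
    PERM + "READ_CONTACTS": "contacts",
    PERM + "READ_SMS": "SMS",
    PERM + "ACCESS_FINE_LOCATION": "precise location",
    PERM + "READ_EXTERNAL_STORAGE": "shared storage",
}

# Constructed 'pm list packages -3 -i' output. 'installer=null' means Android
# recorded no installer: sideloaded via adb, a file manager or a third-party store.
PM_LIST_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.cleaner  installer=com.example.thirdpartystore
package:com.example.notes  installer=com.android.vending
"""

# Constructed excerpts of 'dumpsys package <pkg>' (no excerpt for the bank app).
DUMPSYS_OUTPUT = {
    "com.example.flashlight": """\
  Package [com.example.flashlight] (5d6e7f8):
    userId=10091
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.CAMERA
""",
    "com.example.cleaner": """\
  Package [com.example.cleaner] (9a0b1c2):
    userId=10091
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.notes": """\
  Package [com.example.notes] (3d4e5f6):
    userId=10082
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
""",
}


def parse_pm_list(text):
    """Map package name -> installer package (None when pm printed 'null')."""
    installers = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def parse_dumpsys(text):
    """Return (uid, set of requested permissions) from one package's dumpsys block."""
    uid, perms, in_requested = None, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"userId=(\d+)", line)
        if m:
            uid = int(m.group(1))
        elif line == "requested permissions:":
            in_requested = True
        elif in_requested:
            if line and not line.endswith(":"):
                perms.add(line.split(":", 1)[0])  # tolerate 'perm: granted=...' lines
            else:
                in_requested = False  # blank line or next section header ends the list
    return uid, perms


def triage(pm_text, dumpsys_by_pkg):
    """Return {package: [finding, ...]} for packages that deserve a closer look."""
    installers = parse_pm_list(pm_text)
    details = {pkg: parse_dumpsys(txt) for pkg, txt in dumpsys_by_pkg.items()}
    uid_owners = defaultdict(list)
    for pkg, (uid, _) in details.items():
        if uid is not None:
            uid_owners[uid].append(pkg)

    findings = defaultdict(list)
    for pkg, installer in installers.items():
        if installer not in TRUSTED_INSTALLERS:
            findings[pkg].append(
                f"installed by {installer or 'unknown source'} (not Play Store)")
        uid, perms = details.get(pkg, (None, set()))
        if PERM + "INTERNET" in perms:  # data access + network = possible exfiltration
            for perm, label in DATA_PERMISSIONS.items():
                if perm in perms:
                    findings[pkg].append(f"can read {label} and reach the network")
        if PERM + "RECEIVE_BOOT_COMPLETED" in perms:
            findings[pkg].append("starts itself at boot")
        # Sandbox boundary is the UID: packages signed with the same key may declare
        # a sharedUserId and then run as one sandbox, able to read each other's data.
        if uid is not None and len(uid_owners[uid]) > 1:
            others = ", ".join(o for o in uid_owners[uid] if o != pkg)
            findings[pkg].append(f"shares UID {uid} with {others} (one sandbox, not two)")
    return dict(findings)


if __name__ == "__main__":
    for pkg, items in triage(PM_LIST_OUTPUT, DUMPSYS_OUTPUT).items():
        print(pkg, *("  - " + item for item in items), sep="\n")
```

To run it against a real phone, replace the two constants with the captured text. A clean result is not a clean phone: this only inspects what the package manager reports, so a rooted device, a tampered system image or a privileged system app is outside its reach. Treat it as triage, not as a scanner.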

Time to Mo Vaughn

RIP Dernell
SoSH Member
Mar 24, 2008
7,269
NortheasternPJ said:
 
The most sensitive thing on my phone is my corporate email. There's a lot of sensitive information in there, that can't be avoided.
 
And in terms of the following, do you really trust your "real computer"? I certainly don't. There's not much we can do about it, but endpoint AV is only so effective and most people aren't doing anything more advanced than that on a home PC. They're not running Carbon Black, Bromium or another similar type of product, and even those have holes in them.
 
Well of course they're not running Bromium. That shit won't run for anyone.
 

garlan5

Member
SoSH Member
May 13, 2009
2,684
Virginia
Couperin47 said:
 
I assume you're using the free versions of SUPER and AVG, and these days both are worth just about what you are paying for them. You effectively have virtually no protection and 3rd-rate ability to scan/find existing infections, and neither is very effective at removing infection.  Today malware has mostly moved on from just annoying you and slowing down your computer to stealing info that can be sold/used for profit, using your computer as a bot for denial of service attacks, or locking your computer and its files for ransom. Quality malware does not slow down the infected machine or otherwise alert you, unless it's ransomware. AVG now actively markets any info they have about you to 3rd parties, and this alone puts them at the bottom of the barrel.
What's everyone's solid suggestions for both mobile and PC for protection... other than stay away from shady sites?  I used to frequent Computer Hope forums for my old XP problems and pretty much the thought there was use a free SUPER, AVG or Avast, and Malwarebytes, and update frequently.  Which I do.  I got nothing on my phone for scanning; used Malwarebytes Mobile for a while but it never seemed to work right and always annoyed me with notifications I couldn't get rid of.
 

crystalline

Member
SoSH Member
Oct 12, 2009
5,771
JP
teddykgb said:
I think this is completely backwards. At least from an iOS perspective. The entire design of the OS is to reduce the risks you're describing. There are ways for apps to get out of their own sandbox and into others but it's not trivial and Apple is supposed to check it. The App Store serves as the AV check up front, apps shouldn't be a problem for most people if they aren't jailbreaking.

Now the browser is a slightly different story. Mobile Safari runs with privileges other apps can't get so any exploits that are found in the browser stand a better chance of breaking through. There have been countless hours spent searching for these types of exploits and by and large they've been hard to find. Certainly much less prevalent than on the desktop.

For your average user, I'd probably much rather have them use an iOS device than any other device they can buy on the market. The more technical among us can absolutely setup something that at least stands a chance at picking up on a few more exploits on some UNIX based system. But that's probably more the exception than the rule and if we are being honest with ourselves then we probably have to accept that the sophistication of the governments who are doing this stuff means we are pretty unlikely to catch it on our own.

Anyway the bottom line to me is that I'd rather have my theoretical mother on a phone and iPad far more than any other device. I have no doubt that the mobile world will be a massive vector of attack moving forward but I generally feel good about the state of iOS app segregation to where I think the risks are minimal. In Android, all bets are off, the customization comes at a cost.
What do you think the problems with Android are?

Last I checked, Android was running each app with a separate interpreter VM instance, separate process, separate username to control permissions. Apps don't share native code either, correct?

That kind of sandboxing can be circumvented by bugs in Android or the kernel but that's a small threat surface and historically aggressively patched. A malicious app thus can't read another app's memory.

The one thing that comes to mind is that many apps request permission to read the whole SD card so perhaps some data could leak that way?

The fact that apps are curated through the Play store means some malicious apps may get through but they will be eventually found and removed.

Android is now pushing forward with granular app permission rejectability.

Given all this I might feel better about security with an android phone than a Mac/Win PC. Tell me why that's wrong?
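The per-app UID isolation described in the post above can be checked on a device rather than taken on faith. The script below is an added example, not code from the original thread: it parses the output of `adb shell pm list packages -U` (the sample lines are constructed; the package names other than Chrome and Settings are hypothetical) and reports which packages do not sit alone in their sandbox, either because they run under a shared UID or because they are system components below the app UID range.

```python
import re
from collections import defaultdict

# Android assigns each installed app its own Linux UID from 10000 upward
# (AID_APP_START); UIDs below that belong to system components.
AID_APP_START = 10000

# Constructed sample of `adb shell pm list packages -U` output. The
# com.example.* package names are hypothetical.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome uid:10089
package:com.example.bank uid:10142
package:com.example.launcher uid:10150
package:com.example.launcher.plugin uid:10150
package:com.android.settings uid:1000
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+uid:(?P<uid>\d+)\s*$")


def parse_pm_list(text):
    """Map package name -> UID from `pm list packages -U` style lines."""
    pkgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = int(m.group("uid"))
    return pkgs


def uid_to_name(uid):
    """Render an app UID the way Android's ps shows it (u0_aN for user 0)."""
    if uid >= AID_APP_START:
        return f"u0_a{uid - AID_APP_START}"
    # System UIDs have fixed names (e.g. 1000 = system); not mapped here.
    return f"uid{uid}"


def sandbox_report(pkgs):
    """Group packages by UID and flag the ones that do not sit alone in a sandbox.

    Packages that share a UID (android:sharedUserId) can read each other's
    private data, so the kernel-level isolation does not hold between them.
    """
    by_uid = defaultdict(list)
    for pkg, uid in pkgs.items():
        by_uid[uid].append(pkg)
    shared = {uid: sorted(p) for uid, p in by_uid.items() if len(p) > 1}
    system = sorted(p for p, uid in pkgs.items() if uid < AID_APP_START)
    isolated = sorted(
        p for p, uid in pkgs.items() if uid >= AID_APP_START and uid not in shared
    )
    return {"shared": shared, "system": system, "isolated": isolated}


if __name__ == "__main__":
    report = sandbox_report(parse_pm_list(SAMPLE_PM_OUTPUT))
    for uid, names in report["shared"].items():
        print(f"{uid_to_name(uid)} is shared by {', '.join(names)}: "
              "these apps can read each other's data")
    print(f"{len(report['isolated'])} app(s) run under a UID of their own")
```

On a real device, pipe `adb shell pm list packages -U` into `parse_pm_list` instead of the constructed sample; any entry in `shared` is a place where the "separate username per app" guarantee has been deliberately relaxed by the developer.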
 

Marceline

Well-Known Member
Lifetime Member
SoSH Member
Sep 9, 2002
6,462
Canton, MA
crystalline said:
What do you think the problems with Android are?

Last I checked, Android was running each app with a separate interpreter VM instance, separate process, separate username to control permissions. Apps don't share native code either, correct?

That kind of sandboxing can be circumvented by bugs in Android or the kernel but that's a small threat surface and historically aggressively patched. A malicious app thus can't read another app's memory.

 
 
Nothing is "aggressively patched" in android unless you have a Nexus phone, because most of the carriers take forever to get updates out.
 

Couperin47

Member
SoSH Member
Joe Sixpack said:
 
Nothing is "aggressively patched" in android unless you have a Nexus phone, because most of the carriers take forever to get updates out.
 
Which is why Google/Android is promoting the idea of getting the carriers out of the phone selling business. Updates are slow and inconsistent from the big carriers, others are worse: My Moto X 1st Gen was basically available as branded models from 2 carriers: Verizon and US Cellular. They were otherwise identical except for bands used. Motorola made the update to Lollipop available roughly 14 months ago and Verizon pushed the update over a year ago. US Cellular (my carrier) finally made the update available... 2 months ago. Motorola/Lenovo is now selling their latest greatest Moto X Style ONLY directly and Verizon and US Cellular are both, grudgingly, revising their policies to actually activate non-branded phones. They were both also dragged, kicking and screaming, to allow Nexus phones.
 

Couperin47

Member
SoSH Member
garlan5 said:
What's everyone's solid suggestions for both mobile and PC for protection... other than stay away from shady sites? I used to frequent Computer Hope forums for my old XP problems and pretty much the thought there was use a free Super, AVG or Avast, and Malwarebytes and update frequently. Which I do. I got nothing on my phone for scanning; used Malwarebytes Mobile for a while but it never seemed to work right and always annoyed me with notifications I couldn't get rid of.
 
LOL you're consistent, you have gravitated to all the 'free leaders' all of which are now crap and about as useful as a tissue paper condom. Avira is probably the only free AV that is any good at all, but real protection requires you spend money. When on sale at Newegg you can purchase year subs to both my favorites for a total of under $30/year and while each is sold for single user, in fact, both are insensitive to being installed on as many as 5 computers. I use ESET NOD32, their offering that does not include a firewall, and Webroot SecureAnywhere. They work well together, are very light on resources and comprehensive. Note that for best protection you do have to go through rather lengthy setup to turn on and tune the protections provided... no modern AV comes set for max protection out-of-the-box because that can lock down your computer to an extent that everyone will find annoying, but you only need to do the setup once.
 

teddykgb

Member
SoSH Member
Jul 16, 2005
11,102
Chelmsford, MA
crystalline said:
What do you think the problems with Android are?

Last I checked, Android was running each app with a separate interpreter VM instance, separate process, separate username to control permissions. Apps don't share native code either, correct?

That kind of sandboxing can be circumvented by bugs in Android or the kernel but that's a small threat surface and historically aggressively patched. A malicious app thus can't read another app's memory.

The one thing that comes to mind is that many apps request permission to read the whole SD card so perhaps some data could leak that way?

The fact that apps are curated through the Play store means some malicious apps may get through but they will be eventually found and removed.

Android is now pushing forward with granular app permission rejectability.

Given all this I might feel better about security with an android phone than a Mac/Win PC. Tell me why that's wrong?
 
Android has made a lot of progress in this area especially in regards to sandboxing as you noted. Fundamentally I think the problems lie in both the culture of Android and the goals of Google. Rooting is just so commonplace, it's really not a great idea but it opens doors for the bad guys that are extremely exploitable.
 
You combine all of that with sincere attempts at replacement launchers, dialers, and serious inter app communication and you've got a minefield of attack vectors, imo.  The permissions that must be granted to these apps grant the possibility to do an awful lot of negative stuff.  The permissioning is something they've been working on, so it's definitely getting better, but many apps ask you to let them out of their sandbox and this is something that can be exploited.  Plus when you establish these new defaults you run the risk of them having exploitable issues themselves.
 
Above all you then have the fragmentation problem.  It's been noted already up thread but Android has really struggled to get key patches out to devices.  Again, I wrote my post with more of a commoner in mind, and I don't think these devices are seeing updates and getting all the security patches necessary.  They certainly aren't getting the latest versions of Android as it's been a real slog for many devices to even get point upgrades, let alone full upgrades.  
 
All of the partners and hardware configurations leave Android with a more complex and potentially exploitable kernel, a slower upgrade process, and a less consistent security system.  It can absolutely be hardened and a discerning android user who chooses not to root and doesn't install apps from 3rd party sources can probably achieve something like parity with iOS.  I just don't know how many of those users exist.
 

crystalline

Member
SoSH Member
Oct 12, 2009
5,771
JP
teddykgb said:
 
Android has made a lot of progress in this area especially in regards to sandboxing as you noted. Fundamentally I think the problems lie in both the culture of Android and the goals of Google. Rooting is just so commonplace, it's really not a great idea but it opens doors for the bad guys that are extremely exploitable.
 
You combine all of that with sincere attempts at replacement launchers, dialers, and serious inter app communication and you've got a minefield of attack vectors, imo.  The permissions that must be granted to these apps grant the possibility to do an awful lot of negative stuff.  The permissioning is something they've been working on, so it's definitely getting better, but many apps ask you to let them out of their sandbox and this is something that can be exploited.  Plus when you establish these new defaults you run the risk of them having exploitable issues themselves.
 
Above all you then have the fragmentation problem.  It's been noted already up thread but Android has really struggled to get key patches out to devices.  Again, I wrote my post with more of a commoner in mind, and I don't think these devices are seeing updates and getting all the security patches necessary.  They certainly aren't getting the latest versions of Android as it's been a real slog for many devices to even get point upgrades, let alone full upgrades.  
 
All of the partners and hardware configurations leave Android with a more complex and potentially exploitable kernel, a slower upgrade process, and a less consistent security system.  It can absolutely be hardened and a discerning android user who chooses not to root and doesn't install apps from 3rd party sources can probably achieve something like parity with iOS.  I just don't know how many of those users exist.
Got it.
I am on a Nexus phone, I don't root, and I don't install alternative launchers, third party apps I don't completely trust, dialers, text apps, or other system replacement stuff. I also use KeePass with a strong password and the file in Dropbox. I'm not worried about someone getting the database and brute forcing it, and I hope KeePass is not leaking mem or caching to the SD card. (I do worry that clipboard copies could be read by other apps).

That explains why my personal experience with Android has led me to think security is decent.
 

derekson

Member
SoSH Member
Jun 26, 2010
6,252
The only significant malware (so far) on iPhone was the XcodeGhost stuff that came from Chinese developers downloading an infected version of Xcode from a third party rather than via Apple (apparently due to slow downloads from Apple's servers in China). This vector proved fairly effective, but it's been shut off now. People are constantly seeking out ways to gain root access via Safari bugs, and using them to update new ways to "jailbreak" iOS devices, but Apple is pretty good about closing these holes (and thus people are constantly having to search hard for new ways to jailbreak with new iOS builds). There was news the other day of some team collecting a $1M bounty for an iOS 9.1 jailbreak discovery.
 
Meanwhile Android allows not only alternative app stores other than Google Play (which is itself far more permissive and less policed than Apple's App Store), you can also install apps directly from downloading them via the internet or via an email. While this means you can get access to a larger variety of apps, it also means that you're open to different vectors of malware infection. The newest versions of trojan malware for Android are apparently functionally permanent, even surviving factory resets: https://blog.lookout.com/blog/2015/11/04/trojanized-adware/
 
To throw up your hands and say, iOS and Android are equally insecure and both totally susceptible to malware is quite disingenuous. iOS is pretty easily the most secure OS out there for the typical user, and if my mother or someone else as limited in computer literacy is looking for a device, setting them up on an iPhone or iPad is definitely the easiest way to protect them from malware.
 
Apple also offers end to end encryption in services like iMessage and FaceTime, which are easy to setup and use. You can get encrypted services on Android, but you need to specifically seek them out which a typical end user won't do.
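The XcodeGhost case in the post above is a toolchain supply-chain compromise: the developer's build tool itself was tampered with, so every app it produced was infected. The practitioner's check against that is to verify the installed toolchain against a manifest of known-good file hashes before building with it. The script below is an added example, not code from the thread or from Apple: it hashes every file under a directory, diffs the result against a trusted manifest, and classifies each difference as modified, added or missing. The directory layout and file names it creates are constructed stand-ins for a real install, and the "trusted" manifest is simply taken from the clean copy before the simulated tampering.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                # Stream in 1 MiB chunks so large binaries do not need to fit in memory.
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_manifest(trusted, observed):
    """Classify differences between a trusted manifest and what is on disk.

    modified: present in both, but the content hash changed (a patched binary)
    added:    on disk but absent from the manifest (an injected loader)
    missing:  in the manifest but gone from disk
    """
    modified = sorted(k for k in trusted if k in observed and trusted[k] != observed[k])
    added = sorted(k for k in observed if k not in trusted)
    missing = sorted(k for k in trusted if k not in observed)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Build a constructed toolchain tree, record a clean manifest, tamper, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Hypothetical layout; these are not real Xcode paths.
        (root / "bin").mkdir()
        (root / "bin" / "compiler").write_bytes(b"genuine compiler bytes")
        (root / "lib").mkdir()
        (root / "lib" / "CoreServices.framework").write_bytes(b"genuine framework bytes")

        # In practice this manifest comes from the vendor (or from a hash you
        # recorded from a download whose signature you verified), not from disk.
        trusted = hash_tree(root)

        # Simulate a trojanized copy: one framework is patched and a loader is dropped in.
        (root / "lib" / "CoreServices.framework").write_bytes(
            b"genuine framework bytes + injected code"
        )
        (root / "lib" / "loader.dylib").write_bytes(b"injected loader")

        return diff_manifest(trusted, hash_tree(root))


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

The check only helps if the trusted manifest itself did not travel with the download; publish it out of band or verify it with the vendor's signature, otherwise an attacker who can swap the installer can swap the hash list too.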
 

Couperin47

Member
SoSH Member
derekson said:
The only significant malware (so far) on iPhone was the XcodeGhost stuff that came from Chinese developers downloading an infected version of Xcode from a third party rather than via Apple (apparently due to slow downloads from Apple's servers in China). This vector proved fairly effective, but it's been shut off now. People are constantly seeking out ways to gain root access via Safari bugs, and using them to update new ways to "jailbreak" iOS devices, but Apple is pretty good about closing these holes (and thus people are constantly having to search hard for new ways to jailbreak with new iOS builds). There was news the other day of some team collecting a $1M bounty for an iOS 9.1 jailbreak discovery.
 
Meanwhile Android allows not only alternative app stores other than Google Play (which is itself far more permissive and less policed than Apple's App Store), you can also install apps directly from downloading them via the internet or via an email. While this means you can get access to a larger variety of apps, it also means that you're open to different vectors of malware infection. The newest versions of trojan malware for Android are apparently functionally permanent, even surviving factory resets: https://blog.lookout.com/blog/2015/11/04/trojanized-adware/
 
To throw up your hands and say, iOS and Android are equally insecure and both totally susceptible to malware is quite disingenuous. iOS is pretty easily the most secure OS out there for the typical user, and if my mother or someone else as limited in computer literacy is looking for a device, setting them up on an iPhone or iPad is definitely the easiest way to protect them from malware.
 
Apple also offers end to end encryption in services like iMessage and FaceTime, which are easy to setup and use. You can get encrypted services on Android, but you need to specifically seek them out which a typical end user won't do.
 
No one here ever said they were equally insecure, and XcodeGhost isn't as 'shut off' as you suggest:
 
http://www.zdnet.com/article/xcodeghost-ios-malware-leaves-china-strikes-us-enterprises/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61
 

Couperin47

Member
SoSH Member
Manufacturers of Android phones are getting more proactive in directly updating even branded phones: 24 hrs ago I received an update directly from Motorola to patch for Stagefright; it's the first time my phone has ever received any patch that was not from US Cellular.

Also, if this thread has you really paranoid: VTS for Android is a new free test tool that will scan your Android phone for vulnerability to most of the commonly known malware infections:
http://www.zdnet.com/article/is-android-phone-is-vulnerable-to-attack-now-you-can-check/
 

garlan5

Member
SoSH Member
May 13, 2009
2,684
Virginia
Couperin47 said:
LOL you're consistent, you have gravitated to all the 'free leaders' all of which are now crap and about as useful as a tissue paper condom. Avira is probably the only free AV that is any good at all, but real protection requires you spend money. When on sale at Newegg you can purchase year subs to both my favorites for a total of under $30/year and while each is sold for single user, in fact, both are insensitive to being installed on as many as 5 computers. I use ESET NOD32, their offering that does not include a firewall, and Webroot SecureAnywhere. They work well together, are very light on resources and comprehensive. Note that for best protection you do have to go through rather lengthy setup to turn on and tune the protections provided... no modern AV comes set for max protection out-of-the-box because that can lock down your computer to an extent that everyone will find annoying, but you only need to do the setup once.
Took your advice from reading this and in another posting today/tonight. Got the ESET NOD32 and Webroot SecureAnywhere. Got the Webroot downloaded and checked the settings and it looks like all things are turned on in the advanced settings. Any suggestions on what else to turn on or look at? Same question for when I set up NOD32. I got both on downloaded versions for one year. ESET was cheapest from the ESET site at $33/year and Webroot on Newegg for $14/year. I'm content with the price point; maybe I'll find a deal next year. Looks like this setup automatically shuts down Windows Defender. I uninstalled the AVG, McAfee and Norton shit that was preloaded to my laptop. I still have my SuperAntiSpyware downloaded. Should I uninstall that as well?

Thanks in advance