In general, smartphones have never been designed with security in mind. The emphasis has always been on features and capabilities while security is usually relegated to the back burner. And, while no internet-connected device is 100% secure, a few smartphones stand out as the best contenders for mobile security.
BlackBerry describes the DTEK50 smartphone as the “world’s most secure Android smartphone.” The DTEK50 includes features such as periodic application tracking, which automatically monitors the OS and apps. This feature also notifies you when your privacy could be at risk and informs you as to what actions you can take.
The DTEK50 also has the ‘Password keeper’ app which allows you to store all your important passwords in an encrypted space, which itself is protected by a single password which.
Boeing Black is the fruit of a collaborative effort between Boeing and BlackBerry. Designed with government agencies in mind, Boeing Black is capable of encrypting calls. It also comes with a self-destruct feature which ensures that any attempt to break into the device sets off the auto-deletion of all data and software, making the phone inoperable.
The Turing Phone is made of Liquidmorphium, an amorphous alloy of zirconium, aluminium, copper, silver and nickel. According to its manufacturer, the Turing Phone is “unbreakable.” It runs Android 5.1 Lollipop, along with Turing’s own security-focused UI on top, for end-to-end encryption.
Released by Silent Circle, the Blackphone 2 runs the company’s Silent OS, an operating system based on Android but with enhanced privacy features.
The Economic Times reports that the “OS offers an ‘Enterprise Spaces’ feature that creates multiple, separate virtual devices on one device. The company claims to have the ‘world’s fastest vulnerability management,’ which raises critical vulnerabilities within 72 hours of their detection or reporting.
The updates and patches come directly from Silent Circle, with no carrier delays or waiting periods. Major specifications of the Blackphone 2 include a 5.5-inch Full HD display with Gorilla Glass protection.”
Solarin is manufactured by Israeli startup Sirin Labs and is priced at over $14,000. According to Sirin Labs, the phone features “the most advanced privacy technology, currently unavailable outside the agency world.”
It features 256-bit AES encryption which is similar to what some militaries use to secure their communications. Solarin also has a physical security switch, located on the back of the phone, which can be activated as needed.
Utilizing the same hardware components that are on the Samsung Galaxy S2, this smartphone from cellular company FreedomPop is Android-based and focused on privacy. Nicknamed the “Snowden phone,” it features 128-bit enciphering when calls are made and an anonymous browsing process. It can be purchased anonymously with Bitcoin.
Definitely not a looker, Sectera Edge nonetheless is a favorite of the U.S. Department of Defense. Created by General Dynamics, it runs a significantly modified version of Windows and features a button-based keyboard and a price tag of over $3000.
Two Popular Phones That Didn’t Make The List
According to Elcomsoft, a Russian forensics company, Apple dropped the ball on password security with its latest iPhone operating system. These professional iPhone hackers said that Apple has made cracking the logins for backups stored on a Mac or PC a lot easier.
Elcomsoft discovered that Apple was using a weaker password protection mechanism, for manual backups via iTunes, than before:
“Thanks to Apple’s mistake, Elcomsoft said it could potentially guess backup passwords 40 times faster using CPU acceleration when compared to the speedier GPU-powered cracking in iOS 9. When using the same Intel i5 CPU for cracking efforts, it was an astonishing 2500 times faster, with 6 million password guesses per second compared to just 2,400. The company thinks it has an 80 to 90 per cent chance of successfully getting the right password with its tools, which can be bought by anyone, not just the cops.
‘We discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.’”
Apple opted for a weaker hashing algorithm for local backups of iPhone files stored on PCs. “Such algorithms turn a plaintext password into a ‘hash’ — a string of numbers and letters. Password crackers attempt to guess the output, or hash, of the algorithm and match it with plaintext; so, the more complex the algorithm and the more complex the password, the harder it is to find a match.”
While there are obstacles to carrying out an attack under these circumstances, it is not outside the realm of possibility. A hacker would have to gain access to the computer on which the iPhone files are stored, and the iPhone user would also have had to turn on local backups instead of using iCloud. A hacker could access the linked computer either by physically extracting the data or by compromising the machine in some other manner, such as hacking it remotely.
If, however, a hacker has physical access to both phone and laptop, according to Elcomsoft, it is possible to “force a phone into creating a backup on the phone and it may be possible ‘to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer.’”
That being said, Google’s highly anticipated and heavily promoted Pixel has already been hacked–by a team of Chinese hackers at the 2016 PwnFest. It took the hackers less than a minute to hack the phone. Google is working on a patch for the vulnerability.
Frustrated with Google’s seeming resistance to providing ample security measures on Android phones, The Tor Project recently announced the release of its prototype for a Tor-enabled smartphone. Ars Technica describes it as “an Android phone beefed up with privacy and security in mind, and intended as equal parts opsec kung fu and a gauntlet to Google.”
Designed by Tor developer Mike Perry, it is based on Copperhead OS, a hardened Android distribution.
Copperhead OS was the obvious choice for the prototype’s base system, Perry explained to Ars Technica. “Copperhead is also the only Android ROM that supports verified boot, which prevents exploits from modifying the boot, system, recovery, and vendor device partitions,” he said in a blog post. “Copperhead has also extended this protection by preventing system applications from being overridden by Google Play Store apps, or from writing bytecode to writable partitions (where it could be modified and infected).”
“’The prototype is meant to show a possible direction for Tor on mobile,’ Perry wrote in a blog post. ‘We are trying to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users.’
To protect user privacy, the prototype runs OrWall, the Android firewall that routes traffic over Tor, and blocks all other traffic. Users can punch a hole through the firewall for voice traffic, for instance, to enable Signal.
The prototype only works on Google Nexus and Pixel hardware, as these are the only Android device lines, Perry wrote, that ‘support Verified Boot with user-controlled keys.’ While strong Linux geekcraft is required to install and maintain the prototype, Perry stressed that the phone is also aimed at provoking discussion about what he described as ‘Google’s increasing hostility towards Android as a fully Open Source platform.’”
Perry argues that in trying to resolve security, Google is encroaching on user civil liberties and causing Android to be more susceptible to compelled backdoors. He is also concerned about the lack of transparency in Google’s release and development process.
Perry has vehemently stated the Tor Project has no plans to move into the hardware business. He just wants this prototype to inspire innovation. The prototype, nicknamed “Mission Improbable,” can now be downloaded and installed, and the Mission Improbable installation instructions can be accessed on GitHub.
Written by: Candice Lanier
(Security Affairs – Secure Smartphones, privacy)