 This is Think Tech Hawaii, Community Matters here. Welcome back to The Cyber Underground. I'm your host Dave the Cyber Guy. Thank you for joining us. If you're like everybody else in almost the entire world, you own one of these devices, a smartphone. And when you're out there trying to find out which smartphone is right for you, which environment is which more secure, I think is the biggest question a lot of us have. How do I keep secure on my mobile device? Which one is right for me? We need to answer those questions. So that's what today's show is about. Android is one of the most popular operating systems heads, 74% of the market share. And iOS has about 20%. And with me here today, Andrew, the security guy, is going to discuss this with me. And we're going to go over, how do we stay safe? Andrew, the security guy has just one quick piece of advice. None of these devices are safe. That's about my extent of mobile security advice. But thanks for having me, brother. Well, hey, good to have you back. Right on. Yeah, none of them are safe. I mean, safety is an interesting word. So what do you mean by safe? You're never safe. They're safe. They're secure. There's identity. There's where's the person at, finding people. All this kind of stuff. I don't think you can never be completely safe. Safe. Like, it's going to blow up. Like, you can't eliminate all the threats in your life. No. There's no way. No. All you can do is work to see them coming at you. And then maybe mitigate the vulnerabilities associated. Layer. There we go. Layer your defenses. Layer your defenses. Make it so that there's so many layers between you and the threat that they choose somebody else. Yeah, I route all my calls through Dave's phone. It's okay. No, Andrew's not here. How can I help you? No, just through it. I get it. You're just using me as a proxy. I'm proxy so that the malware stays on your phone and then I just get the call. You know, that's a good idea. I should do that to others. 
We can open that up as a service. Dave's phone, the proxy. Well, I don't know. They sell everything. We have. I just make a million dollars. I worry, I worry about these because it's the, we use iPhone at our office. We always have, I don't know how they got chosen. And whereas I know like Samsung has product like Knox sort of baked into the hardware, they've got some security baked into that device which would be an Android operating system on a Samsung phone, for example. iPhone's relying on Apple. You know, we rely on whatever the technology they baked in for security, which apparently is pretty good because, you know, they're thwarting the FBI, those guys from like someone getting the data that's on the phone, right? These are, what's on your phone? Pictures? What do you got? Your contracts for your will? I don't know what people have on their phone. I'm not going to say. We're on the air. You're already proxied. So yeah. But anyway, the safety, when we talk about safety, that's the things I think about, right? So what's on the device itself that someone could get? There's the getting, owning your device and getting the stuff off it, your contacts maybe or whatever. Then there's the data that might be on it that some documents that you have that are valuable. Maybe now you can capture checks and send them to your bank account. Well, I mean, if somebody could hijack that, for example, like maybe they're sending them to their account and you think they're going to your account, whatever. That kind of stuff. You know, taking over the picture, the camera, taking over the audio, right, stealing the conversations. It goes further than that, though, I mean, that's on the local device, right? Right, as I said, so that's part of it. Every single phone now is connected to some kind of cloud storage. Oh yeah. Especially with the, if you use the iCloud, right, now if you have an iMac or a MacBook Pro and you have the iPhone. 
Now if you write a note, it's here, it's on your iMac and it's on your laptop. It replicates. So if I were able to infect that note on your phone, can I push that infection to those other places? Conceivably. But you'd have to go through the cloud. So if Apple security isn't robust enough, yeah, you can do that. Okay. Yeah. That's an interesting transmission mode. The cloud connects all these devices, though you're not secure and also the data that you put on your device at home, nowadays, the laptops are coming out with a very small hard drive. Yeah. And so you use more cloud storage space, which hooks up to your Android phone or your iPhone. And so you're sharing that space in the cloud. And now if someone hacks your phone, they have access to that data and you might have typed it into your laptop at home, but it's accessible through your mobile device. Like your Dropbox? Yeah, it's like your Dropbox and people have access to it. So this insane amount of vulnerabilities out there and multiple vectors to get at you. And let's talk about the options that we have. So I, too, use an iPhone. By the way, Apple, you tricked me. I went in to get a new battery and walked out with a brand new iPhone. Good job, Apple. Yeah, good job, Apple. Talked me into it. They're known for that. Great salespeople. You didn't have to wait in line. I did not. I walked right up to the desk and so it was a wonderful experience right up until they took my money. And today you have buyer's remorse? Is that the problem? No, I love the device really. Oh, you showed your wife. So you have wife's buyer's remorse. That was a bad part. Yeah, I showed my wife. And why did she need a new phone? Good job, Lee. So let's talk about Android now. But Android is an operating system that shares 74% of the market share because of two things. I didn't know that. It's open source and it can port to multiple hardware vendors, Samsung, LG, Google, you name it. Oh, if it's not Apple, it's Android. 
Almost all of them. So Nokia still has its Symbian operating system, I think is still out there and there are Windows phones. No, trust me, there's really a couple of Windows phones out there. There's a few orders. I know. I know. There's one or two people. Sorry, Windows. I love you but not on the phone. It just didn't work out well for Windows. But there's some good parts and there's some bad parts and people should know. First of all, the bad parts. As an operating system for an individual user like you and I, just buying on the civilian market, the Android operating system in general is less secure than the iPhone. So you can compare the statistics from last year and the vulnerabilities that popped up on the map and our scanning is becoming better now. So in 2016, we had a good map of how many threats were detected and indicators of compromise or IOC. So in the Android world. In the Android. And it's done via all the phone providers and that kind of stuff. So they go out there and they survey, there's also a couple, Symantec does this. And we have some statistics. So in the Android operating system, there were 316 IOCs or threats that were actually attacked in one year versus the iPhone there was 89. So that's one and a half a day. That's a lot. Versus one every three days. Right. You're getting a better deal with the iPhone for security. More secure deal. Right. And currently the FBI has to hire out to hack into your iPhone. Apparently. Apparently. But that's a different thing. So are you, I think you're, are you talking to those 300, you're talking about apps that you downloaded that had malware embedded or, or just vulnerabilities on the phone that it was susceptible to things. Now that's everything. So that's total reported vulnerabilities. Bluejacking, bluesnarfing. Okay. Malware. Bluetooth vulnerabilities. Right. And protocol. Everyone's got the WPA2 vulnerability now. Right. Right. We still haven't fixed that. 
So that, that one was shared across both platforms. But not Windows. Not Windows. Well, they, because they knew about it ahead of time and got to patch it, but I bet they didn't patch their phone OS. You know what is funny about Windows, the KRACK attack we're talking about, WPA2, they fixed it, I think by mistake. They implemented the standard more securely than the standard. Nice. Was supposed to be implemented. Maybe they knew something we didn't know. Maybe, but they, they put a couple more steps in there that made them not susceptible to that attack. So a lot of Windows devices weren't hammered with this attack. As long as they had done their updates, right? As long as they'd done their updates. That was from May or something, I remember. That's, yeah. Yeah. Right about there. So. So let's get back to Android. Let's talk about Android and iOS. Yeah. So let's go keep on with Android. I like this. Okay. So Android, if you bought a Samsung phone because it's an open source environment, Samsung writes an Android kernel or the operating system specifically customizes it for that Samsung phone. For their hardware. For that hardware. To optimize it. Right. Okay. LG's going to do the same. Google's going to do the same and so forth. And for the show, I'll just pick on those three. I don't want to pick on Microsoft too much. But when you need an update, you know, you go from the Android Jelly Bean to the new Oreo, whatever the update is called. You have to wait for Samsung, the manufacturer, to come out with an update for your phone. Is that model specific? Potentially? Like if you had a two year old phone versus a one you just bought, okay. I got this. So some of the older phones, they won't ever produce an update for them. Because that becomes a waste of money for them. I got you. Right. And it's also a, what do they call that, planned obsolescence? So your older phone can't ever get the Oreo update. So it's less secure. So you go out and buy a new phone. 
It's pretty free anyway. On those phones. It seems like when you get an Android phone, they're almost given away. Most of the time. But vendors like Samsung can take up to nine months to give you that update. And you do. Which if it was a security vulnerability, now you're waiting this long to get that update. Okay. Potentially that could be a big problem. That could be a big problem, right? What we don't see is that behavior is not in Google Pixel phones. Is not in there? Not in Google Pixel phones. They customize their Android for Google Pixels. But that Pixel phone is actually the fastest to give you updates. And it's the most secure. And Google's got a vested interest in this because most of their income comes through advertising rather than the hardware. So their hardware is supposed to add game. Whereas Samsung LG hardware supports itself. So Google's got a vested interest in keeping your device up to date all the time. So they can serve you advertising. Right. Right. And that's the malware in some people's mind. Could be. Could be. Is it malware that comes from your manufacturer? How many CPU cycles have you given over to looking at the ad that we want you to see because someone's paying us to make you look at it? That's an interesting point, right? They give you, say they give you 100 CPU cycles. This is to demonstrate this. And that's this year. And two of those cycles are used for advertising. It's not even dropping the bucket. But then all of a sudden they go up to 60 cycles of advertising. You're down to 40% of your CPU. For what you want to do. Right. So that's going to be an impact. So they come out with a better phone. So they give you a thousand... So they can give you more advertising. Right. So now they give you all this more power, but they use a whole bunch more up on advertising. So you think you're getting a boost, but in reality, you could have got a tremendous boost. But a lot of it maybe... 
Of processing power are used to, because they sell you that by, isn't it by... I have an unlimited. I don't know how people... But there's other people that pay for the amount of... Well, that's a data plan. Yeah. So if there's advertising data coming through there, you're paying for that. Right. Right. And it's not just about advertising right now. And it's not free. Especially with people like Google, though, people like Google. The companies like Google are all about statistics. Okay. They want data about you. What makes you you? Why are you doing what you do? Why do you shop the way you do? Why do you browse the way you do? And once they identify... Because they think I know. I don't think that you know it's all subconscious. So they want to... They're building a subconscious model of like the typical person. Yeah, yeah. You know, not just in Andrew, but... To find out how to market to them better. Exactly. It's all about marketing. How much phone will you buy so we can sell you as much advertising as you'll possibly buy so... It must be working because I bought quite an iPhone and I... Google's made a lot of money, so... Google's made a ton of money and they've diversified, which is kind of brilliant. But their phones, the Pixel is the most secure. Okay. When you go out there and you read this... I'm sorry. Is there an Android operating system called Pixel or is it... Is it like Oreo or has it got some other flavor? Also, you're looking at the Google Pixel phone, that's a hardware, and then it's the Android operating system. Right. And then there's a variant of Android, which is Oreo. I think that's the one. It's probably the one that's... But Oreo may not be on the Samsung or probably they're both running the same version in 2018 or whatever. It could be they're running both versions. So older phones might not ever get Oreo, but when Oreo comes out for Samsung, they'll let you know and you can upgrade. I got you. Okay. But it's all up to Samsung. 
And I don't know much about Android operating. So is security patching and vulnerability a big feature of theirs or are they more about getting more games and more stuff you can do with the phone? Built-in security, into the operating system, into the kernel and into the hardware. So in several different places, when you're going out to get an application by an app, you go to the Google Play Store and that's my advice, you go to some place that's reputable to get your apps. Get a download an app. Right. Sure. If you download for some place outside of these stores and it downloads to your phone, your phone's going to check it for known malware variants. They have signatures of what's the stuff look like and they're going to check it against that stuff. But if it's a zero day, it's on your phone. Now if you launch that app, your phone again checks what's this app trying to do. It says it's a web browser. Is it also using these other ports and protocols that aren't associated with a web browser? If so, it's a security risk. Is it trying to invade some other memory space on your phone? Security risk. It'll shut it down. So Android and iOS both put those features in the operating system and on their hardware. So you know how many of the apps you have to go and tell it to, you can't use my microphone, you can't use my camera, you can't and then you'll need to. So then it'll tell you to enable it and you can turn it on and off. Is that typical to the Android as it is for the iPhone? The same features exist. Okay. Yeah. You can do the same thing. The theory of good app is supposed to request utilization of other things on the phone and then you can allow them or deny them. Now that's the theory. That's the theory. 
Apps have been let in and we'll discuss this after the break, how apps can actually get onto your phone undetected and even through Apple's security system, they've gotten onto the system into the, in here and Pegasus was one of them that attacked the phone last year. So we'll talk about that after the break. Let's go away, pay some bills for about a minute and we'll come right back until then. Stay safe. I am Andrea, I am from Italy and I've been studying and working here in Hawaii for more than three years for my PhD. Hawaii is home to a truly fantastic community of middle and high school students. And did you know some of them are currently out there right now using their free time to invent new quantum computers? And did you know some of them are exploring cybersecurity and the new frontiers of robotics? I am just always amazed as I talk to them at science fairs. Oh, but there's more. Did you know that these students are coming here on Think Tech Hawaii to share their story with us? Come and join the new young talents making way show and discover how these students are shaping our future. Coming on February the 6th every Tuesday at 11 a.m. only here at Think Tech Hawaii, Mahalo. Welcome back to Cyber Underground, I'm Dave the Security Guy here with me, Andrew the Security Guy. Wait, I'm Dave. I'm most security guy today brother. Am I Dave the Security Guy? You're the Professor. I'm the Cyber Guy. I'm the Professor. That's what I'm talking about. I get my nicknames all mixed up. I'm forgetting names. We just had too many shows. It's hard to keep it straight. So we were talking about apps on mobile phones and how you can as a hacker hack an app and get it onto a system without the security features being enabled, which is getting in there under the radar, that's your goal. Last year, 2015 and 2014, a Chinese developer used a tool called Xcode, which is the developer tool to create apps for the iPhone. 
If you use Xcode and you get a developer license, I think it's $99 a year, you pay, Apple checks you out, and you can upload into the app store for Apple, your application, and they check it out. Because they used Xcode, they were able to change Xcode in such a way that when it compiled, their malware wouldn't show up to the security features being checked in the app store. Not only did they do that, that same hack. So they intentionally created this, they utilized a flaw they knew would show up when the code they submitted was scanned, they knew that it would execute but not show this malware that they invented. Essentially, using Apple's own tools. So they took the developer tool and changed that. So when the developer tool Xcode was modified, it actually accepted this new app as okay and applied a signature to it and when it was uploaded to the app store, it passed right through Google or Apple sensors. Oh, to a signature on it or something. Yeah. Oh, I got it. So they just hacked the tool. They had locally. I thought you meant they hacked like Apple. No, no, they hacked the local tool that Apple distributes. Now, not only did they do that, they put it on a few websites for download. So if you were a developer and you wanted Xcode and Apple site was a little slow to download that day, you can go out there and say, oh, look, it's over here in China. I'll just download it over here real quick. And it was a bad version. And everything you make, even though you're an honest person, it includes their malware. So that's pretty good. There were a dozen or so apps that made it into the app store. I remember that, but I didn't know this background about Xcode. That's how they got through the back door. So Apple's been taking care of that. But what did they do? These actually phone home a lot. They can phone home. They actually do a phone to what's called a C&C service, or command and control, that can use your phone as a bot. And you know what the bot is for the Android. 
You were just talking about it before the show. The biggest bot for the Android right now, if your phone's taken over, what do they want to do with it? Mine cryptocurrency. Mine cryptocurrency with your phone. So that can be one of them. So you think Apple's doing that? I don't know if Apple's doing that right now, right? No, I don't think so. This last one could actually activate your camera, see where you are, take files, phone home, get statistics from you, steal data, use you to attack other things. So that's what they embedded. If you use their version of Xcode and you built an app, you're just building an app like an honest app developer and you put it up there and all of a sudden. So do you know anything about how Apple handled the people that uploaded those bad versions? You know, that's the thing. I don't know what happened to those people. Yeah, what do they do to them? There's not much you can do. It's across international boundaries. And in China, there is no patent law that applies to us. Well, so if something's over in China, they can pirate the heck out of it. So Apple can just take it off the store. That's all they can really do. That's all they can really do. If you're an honest developer, say, here's the real tool, rebuild your thing and send it to us. Which would be a piece of cake. If you had the source code, compile it in the new Xcode and upload it. Then it's clean. Overnight you're done. Not much working on it. Why you think it'd be simple to have like a parity check? You ought to be able to know what you're building's not the right size is the thing that. They say they've handled this now. They did not announce how they handled it. And that's typical Apple, right? They don't tell you how they're handling it. They can't because then you'll hack that. Exactly. Actually, that's a pretty good one, right? And you can't tell you how I'm going to win the war, but I'm going to tell you I'm going to win the war. Yeah. Right? 
I'm not going to tell you I'm going to attack you over here at night. That was called, that was Pegasus. I believe that was Pegasus. Was the actual malware. Right. Well, yeah. I pretty much presume they're following me, listening to me, watching me all the time. And I don't know who they are. That's the safest way to live. They had to be bored to do it. Just be a little bit paranoid in the back of your head at all the times. Right? Someone's listening to me. I say this all the time. This thing, the lowest tech word you can use for this thing right here is a radio. Yeah. It's a radio. It's unencrypted transmitting data in all directions all the time. Especially on that cellular bandwidth, right? Right. You don't want to get in here and your text messages and say, yeah, let's kill them tonight. I'll meet you at seven o'clock and bring the gun. You know, it's... It's open. It's in the open. It's unencrypted and it's transmitting everywhere. Yeah. So just don't do it. And even if you're using, like, Signal. No. It's all broken. It's all broken. The worst thing is that people think that when they're using an app that includes encryption, that they're completely protected, encryption only handles the data in transit or the data at rest. Not when it's going from at rest to transit. There's a transition that happens. It comes off the hard drive through some channels before it's encrypted and goes to you. Yes. If I have put a bad app on here that can get into that, I'm going to grab that data before it's encrypted and it goes to you. So you get an encrypted message, I get the message in the clear. Yeah. That's the best way to get it. And aren't even the cell tower guys, like there's, what's the thing, Sling Shot or whatever the north there, those guys, the cops are using like false, false towers to pull the data in. No, that's brilliant. That's stingray. Because they're stingray, but they're deprecating your protocols, right? Right. 
So that it strips away all the stuff that they don't want to see so that they can see the clear. And your phone thinks they're part of the... Yeah, they think it's on the server network. Yeah, it doesn't know. So as long as they stay within range, your phone's going to think, well, that's the easiest channel to get. Yeah. So I'm going to use less power to contact that instead of the cell tower up on the building. Right. So you talk to them. That's pretty smart. That is really smart. I like when the good guys can outsmart some bad guys. Yeah. I like that. I do too. You know, whoever invented stingray, good job, man. That was Harris. Harris. Yeah. Okay. Well done. They've always been good guys. So use iPhone, you've always used iPhone? Yeah. Yeah. I mean, I had a thing. I had a Motorola once years ago. Motorola? Actually, we had blueberries. I had our blackberries. Blackberries? I had blueberries. I love blueberries. I had blackberries back quite a while, quite a long time ago. Now, that's your old nothing. Maybe did Sprint have them or I don't remember who had them. But over all the years, yeah, I think blackberry then, I don't know, when I, whenever probably iPhones came out, I got into those at some point. No. I mean, I had those phones back when we were on real phone, no day. They weren't smartphones. That was the old old days. Yeah. The Nokia's and those. Yeah. I had some of that stuff, but they were stupid. But these are like intelligent. I mean, I, these are pretty amazing. How many times today do you walk away from this thing, this is a computer, and go on your phone and do something? It's just easier. It is. Yeah. I'm sorry. Yeah. Sometimes. And I think that part of that security thing leverages that. People are on their mobile all the time. The mobile's easy. And also, you know, like you, you know how we teach people about, for phishing and stuff to read the headers and look, you know, hover over the links with your mouse. Right. 
You don't do that on your phone. You don't. You just click stuff. I mean, you shouldn't, but you know. Yeah. And you're just as susceptible. In fact, do you run antivirus of any kind on your phone? No. That's what I'm saying. We're looking for that now. I'm trying, I gotta do something. We need something. Minimally VPN, like a VAST or whatever, you know. You used to be safe. Yeah. And now it's not, and you know, I was gonna, I was gonna mention when people do the research about the security of the operating systems, many of them actually, they come out with these pieces of research that you read. Do some research into who's coming out with the research. Because sometimes they have an agenda. Yeah, think. Yeah. There's people that want to knock the Android operating system, which is easy to do, by the way. But they have an agenda. They want to knock them out of the way so they can get their own things done. They're ghostwriting for. It could be a lot of things. Other fruit companies. Like with anything else, go and check your sources. Their sources, yeah. The sources are, you know, you don't want someone from ExxonMobil writing about climate science. Yeah. That's not going to really. Doesn't make any sense. Doesn't make any sense at all. Actually, you should also download only from an app store. Yeah. You know. Always the original source. All the original source. You can't trust anything else. Don't get somebody's, there's all these other sites that have distributed software that can download in a blink of an eye. Or does Apple even have that? Do you get Apple apps not from the app store? I don't even know. I would never. You can if you're a developer. You can put non-certified apps on your phone. Oh. But you have to be a developer. Yeah, I'm not that. But that would be a pretty stupid thing. Yeah. To do that. Sounds risky. It's like finding your favorite program and then saying, I'm going to go on the internet and find the free version. Yeah. Yeah. 
Let us know how that works out. Just give us a call. I used to go out and look for free versions all the time. Really? When I was a kid. Sure. I loved getting free games. Not today. You know, the EXE for your latest Windows game. Don't download that unless it's from the source. Yeah. Yeah. Yeah. Free. Free. What is free? Free is false. Free means come in so we can give you something to take with it. We can make money with while you're getting your little free thing. Right. There's always a hidden piece of something inside. Yeah. Doing something. Everyone has an agenda. The biggest common agenda right now is botnets. They want to compromise your computer and turn it into what's called a zombie. That they can build a zombie army or a botnet with and execute attacks. Sure. Or do searches. Or right now, we discussed this in the last show, North Korea known as Hidden Cobra or just a couple other names. But Hidden Cobra has Bankshot, which I thought was a really good name. But when basketball is off the rim or off the backboard. Off the glass. And they do multiple proxies to a target. Yeah. So they'll compromise your network but not let you know about it. They just sit in there with a little proxy that opens up a front and back door that they can channel data through. And you never know. Yeah. And they're not doing any harm to your network. But every time they hop out of your network into the next network, your IP address is the one that's associated with that hop. That's right. Channeling it back or trying to track back from an attack to the original. It makes it difficult. It's really difficult. Especially if they start using mobile networks. Oh my gosh. That is amazing, right? And how many things can your phone can connect to? But how much power does it have? It's just odd to me that that's even functional. But I guess it is. It's got a lot more power than you might think. 
I mean that these are only maybe a couple of years older in processing power than the computers we use on our desktop right now. Which means it's equal to the one on my desktop. It's scarier in that these phones also connect to Wi-Fi and cellular networks of several different types. Then you get 4G, LTE, CDMA, and then you've got Wi-Fi networks and then you've got home network. So it ends Bluetooth. So it just keeps connecting all over the place. So you've got a lot of exposure to networks when you can get onto a mobile node like that with something that's reaching out. It can reach out. Maybe it makes paths of its own. You don't care. You just want to be masqueraded, right? Yeah, that's right. If you're North Korea. So I guess we should do an episode about how to secure the phone that you chose. You just turn it off. Actually completely off and then throw it in the ocean. Throw it in the ocean. I think I'll pay mine off first. Yeah. Before I do that. Well, it'd be fun to talk about it if it's really possible. I know a lot of people don't believe it is even when it's off. It's got things it's doing. So that did be a good show. That would be a good show. I must mention before we go, Android has another feature. It will continuously scan your phone by default for malware. So it just keeps going and looking for things that as known signature types that are doing things that aren't supposed to be getting done by that particular kind of app. So that's another feature built into Android. And again, Google is the one that is at the forefront of those. Nice. So if you're going to buy an Android phone, Samsung does have an awesome phone. But Google, actually, the Pixel is a more secure device. There you go. I think it's updated more often. Well, there's a winner for today. There's a winner. iPhone versus Android. Just going to get you a Pixel. I think they're really inexpensive. They're not as expensive as the new Samsung. Is the Samsung 8 or not? 
I think the Galaxy Note 8 is like 850 or something like that. Yeah. They're expensive. Well, more good news, everybody. It's good news and good news. Thanks for joining us. Please come back next week. We'll have a guest host and we'll be talking about some early pertinent stuff again. Until then, stay safe.