This morning on Twitter, Buzzfeed editor Miriam Elder asks the following question:
Possibly stupid question: is the Signal desktop client as secure as the mobile app?
— Miriam Elder (@MiriamElder) March 3, 2017
No, this is not a stupid question. Actually it’s an extremely important question, and judging by some of the responses to this Tweet there are a lot of other people who are confused about the answer.
Since I couldn’t find a perfect layperson’s reference anywhere else, I’m going to devote this post to providing the world’s simplest explanation of why, in the threat model of your typical journalist, your desktop machine isn’t very safe. And specifically, why you’re safer using a modern mobile device — and particularly, an iOS device — than just about any other platform.
A brief caveat: I’m a cryptographer, not a software security researcher. However, I’ve spent the past several years interacting with folks like Charlie and Dan and Thomas. I’m pretty confident that they agree with this advice.
What’s wrong with my laptop/desktop machine?
Sadly, most of the problem is you.
If you’re like most journalists — and really, most professionals — you spend less than 100% of your time thinking about security. You need to get work done. When you’re procrastinating from work, you visit funny sites your friends link you to on Facebook. Then you check your email. If you’re a normal and productive user, you probably do a combination of all these things every few minutes, all of which culminates in your downloading some email attachment and (shudder) opening it in Word.
You can’t tell journalists “just don’t open attachments.” They will ignore you. Journos open attachments from strangers for a living.
— Eva (@evacide) September 12, 2016
Now I’m not trying to shame you for this. It’s perfectly normal, and indeed it’s necessary if you want to get things done. But in the parlance of security professionals, it also means you have a huge attack surface.
In English, this means that from the perspective of an attacker there are many different avenues to compromise your machine. Many of these aren’t even that sophisticated. Often it’s just a matter of catching you during an unguarded moment and convincing you to download an executable file or an infected Office document. A compromised machine means that every piece of software on that machine is also vulnerable.
If you don’t believe this works, head over to Google and search for “Remote Access Trojans”. There’s an entire commercial market for these products, each of which allows you to remotely control someone else’s computer. These off-the-shelf products aren’t very sophisticated: indeed, most require you to trick your victim into downloading and running some executable attachment. Sadly, this works on most people just fine. And this is just the retail stuff. Imagine what a modestly sophisticated attacker can do.
I do some of those things on my phone as well. Why is a phone better?
Classical (desktop and laptop) operating systems were designed primarily to support application developers. This means they offer a lot of power to your applications. An application like Microsoft Word can typically read and write all the files available to your account. If Word becomes compromised, this is usually enough to pwn you in practice. And in many cases, these applications have components with root (or Administrator) access, which makes them even more dangerous.
Modern phone operating systems like Android and iOS were built on a different principle. Rather than trusting apps with much power, each app runs in a “sandbox” that (mainly) limits it to accessing its own files. If the sandbox works, even a malicious application shouldn’t be able to reach out to touch other apps’ files or permanently modify your system. This approach — combined with other protections such as in-memory code signing, hardware secret storage and routine use of anti-exploitation measures — makes your system vastly harder to compromise.
Of course, sandboxing isn’t perfect. A compromised or malicious app can always access its own files. More sophisticated exploits can “break out” of the sandbox, typically by exploiting a vulnerability in the operating system. Such vulnerabilities are routinely discovered and occasionally exploited.
The defense to this is twofold: (1) first, run a modern, up-to-date OS that receives security patches quickly. And (2) avoid downloading malicious apps. Which brings me to the main point of this post.
Why use iOS?
The fact of the matter is that when it comes to addressing these remaining issues, Apple phone operating systems (on iPhones and iPads) simply have a better track record.
Since Apple is the only manufacturer of iOS devices, there is no “middleman” when it comes to monitoring for iOS issues and deploying iOS security updates. This means that the buck stops at Apple — rather than with some third-party equipment manufacturer. Indeed, Apple routinely patches its operating systems and pushes the patches to all supported users — sometimes within hours of learning of a vulnerability (something that is relatively rare at this point in any case).
Of course, to be fair: Google has also become fairly decent at supporting its own Android devices. However, to get assurance from this process you need to be running a relatively brand new device and it needs to be manufactured by Google. Otherwise you’re liable to be several days or weeks behind the time when a security issue is discovered and patched — if you ever get it. And Google still does not support all of the features Apple does, including in-memory code signing and strong file encryption.
Apple also seems to do a relatively decent job at curating its App Store, at least as compared to Google. And because those apps support a more modern base of phones, they tend to have access to better security features, whereas Android apps more routinely get caught doing dumb stuff for backwards compatibility reasons.
Finally, every recent Apple device (starting with the iPhone 5S and up) also includes a specialized chip known as a “Secure Enclave Processor“. This hardened processor assists in securing the boot chain — ensuring that nobody can tamper with your operating system. It can also protect sensitive values like your passwords, ensuring that only a password or fingerprint can access them.
A few Android phones also offer similar features as well. However, it’s unclear how well these are implemented in contrast to Apple’s SEP. It’s not a bet I would choose to take.
So does using iOS mean I’m perfectly safe?
Of course not. Unfortunately, computer security today is about resisting attacks. We still don’t quite know how to prevent them altogether.
Indeed, well-funded attackers like governments are still capable of compromising your iOS device (and your Android, and your PC or Mac). Literally the only question is how much they’ll have to spend doing it.
Here’s one data point. Last year a human rights activist in the UAE was targeted via a powerful zero day exploit, likely by his government. However, he was careful. Instead of clicking the link he was sent, the activist sent it to the engineers at Citizenlab who reverse-engineered the exploit. The resulting 35-page technical report by Lookout Security and Citizenlab is a thing of terrifying beauty: it describes a chain of no less than three previously unpublished software exploits, which together would have led to the complete compromise of the victim’s iPhone.
But such compromises don’t come cheap. It’s easy to see this kind of attack costing a million dollars or more. This is probably orders of magnitude more than it would cost to compromise the typical desktop user. That’s important. Not perfect, but important.
You’re telling me I have to give up my desktop machine?
Not at all. Or rather, while I’d love to tell you that, I understand this may not be realistic for most users.
All I am telling you to do is to be thoughtful. If you’re working on something sensitive, consider moving the majority of that work (and communications) to a secure device until you’re ready to share it. This may be a bit of a hassle, but it doesn’t have to be your whole life. And since most of us already carry some sort of phone or tablet in addition to our regular work computer, hopefully this won’t require too much of a change in your life.
You can still use your normal computer just fine, as long as you’re aware of the relative risks. That’s all I’m trying to accomplish with this post.
In conclusion
I expect that many technical people will find this post objectionable, largely because they assume that with their expertise and care they can make a desktop operating system work perfectly safely. And maybe they can! But that’s not who this post is addressed to.
And of course, this post still only scratches the surface of the problem. There’s still the problem of selecting the right applications for secure messaging (e.g., Signal and WhatsApp) and finding a good secure application for notetaking and document collaboration and so on.
But hopefully this post at least starts the discussion.
A Few Thoughts on Cryptographic Engineering 
This sounds sane at the beginning and moves on to total insanity to the end.
‘ If you’re working on something sensitive, consider moving the majority of that work (and communications) to a secure device until you’re ready to share it.’
If by secure device you imply an iOS/Android Device to handle very senitive data you got to be out of your rockers.
One problem you fail to adress is that while iOS/Android have sandboxing by default all those devices speciifically in apples case are very homogenous at hard and software level.
this means while an exploit might cost you a million bucks that exploit can own all devices running the same system in contrary to a computer with all its abbrevations in hardware and software.
the only sane advice therefore can only be to move all work regarding sensitive information to a computer without any kind of persistence and with all critical hardware (microphone/camera/network) removed and which is only ever used for sensitive work.
the guardian managed that, the spiegel managed that too so why implying to move all sensitive data to an opaque hardware device like an iPad because there is that one idiot journalist that doesn’t manage what some reknown news agency managed when they worked on highly sensitive information like the snowden documents and the panama papers…
This gotta be a joke…
“the only sane advice therefore can only be to move all work regarding sensitive information to a computer without any kind of persistence and with all critical hardware (microphone/camera/network) removed and which is only ever used for sensitive work.”
All kinds of things are possible when you have access to a team of experts who can design a custom, task specific package of hardware and software. The problem is most journalist and the companies they work for don’t have that luxury. Most don’t even know where to begin. For better or worse most of them are stuck working with the same off-the-shelf hardware and software the rest of us use.
I agree that Matthew’s advice is probably a little too off-the-cuff. There are simply too many variables. While I don’t think it is necessarily bad advice, I also know that all most people are going to hear is “buy an iPhone” and assume everything will be fine. That unfortunately will do little to solve the problem.
From what I can tell, what would be more helpful is for a group of journalists and security experts to get together and prepare some type of “best practices” guidelines. A simple list of recommendations that outlines what hardware and software is best to use in a given situation and, most importantly, a basic set of procedures every journalist should follow to remain secure. It would at least give most of them a solid floor to stand on.
I suspect there are already a number of similar documents used in other fields that just need to be updated to reflect the unique needs of journalists. I doubt anyone needs to reinvent the wheel.
This type of thing obviously won’t stop a determined attacker with unlimited resources (I’m not sure anything can). But it would probably go a long way toward deterring a good chunk of all the other black hats.
I disagree with your conclusion because you can ensure a desktop computer is offline and unable to transmit sensitive data, however it’s extremely impractical to remove the wifi and gms antenna from a mobile device so there’s no guarantee of being offline.
How about using Subgraph OS on Laptop/Desktop with some best practices around hardware access and for mobile using something like Copperhead OS.
Advice for people who aren’t techies needs to be stuff they can do. “Buy an iPad that’s only used for things you need to keep secret, don’t download any apps to it that aren’t directly needed for the work you’re doing, and don’t browse the internet from it for fun” is advice a non-techie can follow successfully–it’s probably within both his technical competence and his budget.
Nice Post
I use to work on sensitive data by using an device never connected to network and with only one usb port active and protected. It was safe for a period when every two days someone in the office got infected.
Get Qubes OS for desktop
How do you feel about chromebooks? My understanding is that they are sandboxed, and the OS is signed and frequently updated.
Chromebooks are safe because while you can download stuff, it won’t be able to run in Chrome OS. Same for clicking on infected links, they won’t be able to infect the chromebook because they can’t run the infection code.
Have you considered using a remote browser like Silo? It’s a secure, virtual browser that runs in the cloud, giving users 100% isolation from all web code, but still offering a usuable and high-performing environment to open attachments, view documents, and interact with web apps.
For journalists, you also benefit from a secure TLS connection (like a VPN) plus an IP address that can’t be traced back to you (like a proxy), and there’s no residue or temp files left on your device. Censorship and surveillance measures are bypassed.
Full Disclosure: I work for Authentic8, the company that makes Silo.
I’m surprised to hear you equate fingerprints to passwords. My understanding is that fingerprints make good usernames and lousy passwords. (You leave copies of them on everything you touch at the office , it’s pretty tough to switch to a new set of fingerprints, etc.) I thought that consumer grade electronics only use biometrics because they’re what consumers want to see, not because they’re actually good security. So the harm in Apple and Journalists referring to fingerprints as valid security is that it teaches and reinforces users bad habits. (Disclaimer: I rarely know what I’m talking about so I could be wrong here. I’m just saying that I was surprised to hear you say that.)
Which computer OS do you recommend? I assume Windows and macOS is out of the question, so what do you recommend exactly? Chrome OS? Is that on a mobile level of security?
It’d be interesting to see how this post would be updated after the Vault7 wikileaks release. Seems like the perfect place to talk about it.
In addition, you want to consider whether the business model of the company making your device includes collecting and selling information about your usage habits to advertisers. Even your network carrier (ATT, Verizon, et al.) tracks connection patterns. This information is anonymized and aggregated before being delivered to advertisers for conversion into ads, but the anonymization has to be reduced in order to increase the relevance of the ad and maximize its revenue. Unfortunately Google is the leader in advertising, and Android and Chrome have diminished trustworthiness because of this. Microsoft is working hard to knit advertising deep into the structure of Windows. Only Apple and open source OSs like Qubes don’t have this business motivation to compromise security in subtle ways.
In theory, a business-class Windows 10 PC, with TPM-based secure boot and bitlocker full-disk encryption, and with features like Isolated User Mode and Device Guard, is one of the most secure OS’s ever fielded. But in practice, it takes first-class security and operations teams to configure and deploy these very complex capabilities reliably and uncompromisingly. And the almost unimaginably enormous attack surface of Windows, when you include Active Directory, ensures that you can never be confident that all the holes have been closed & securely patched.
MacOS has a smaller attack surface, and Qubes’ is remarkably small, but every Intel CPU chip contains a Management Engine that allows remote control of the PC even when it is powered down! This is very handy for system admins, but a severe security risk if backdoored or misconfigured. Qubes on a next generation high-end ARM chip like some future Raspberry Pi 4 would be something to look forward to.
In the end, an iOS phone or tablet ends up being the most trustworthy platform. The recommendation for an iPad Pro that the journalist keeps in airplane mode except for those few minutes when uploading stories to a secure portal almost writes itself…
One point that has not been mentioned is that even in the iOS ecosystem, you have to be prepared to decommission your device and purchase a replacement one when it becomes old enough that Apple no longer provides OS updates for it, which you should expect to happen every 3 years or so.
Unfortunately Apple does not make it clear to the end-user when this has happened: it simply says, rather misleadingly, “Your software is up to date” when it fact it should say “Newer software is available, but your device cannot run it and is now obsolete”. Staying abreast of iOS updates and hardware support status is probably the technically most challenging thing for the target audience of this recommendation.