Dixie Cretin Seaman
Jan 22, 2008

all hat and one catte
Hot Rope Guy
There's a lot about cellphone OS security that I don't know. Is this a reasonable place to ask some basic questions?

For example, a lot of sites do 2fa through apps like Google Authenticator or Duo Mobile in lieu of a hardware token like an RSA hardware token. How secure is 2fa through a phone in comparison, and are there distinct weak points to be aware of? Let's assume an unrooted phone with encryption enabled, using a strong passcode. There's always a chance of sec fuckups in a general computing environment compared to a simple security token, but are there known weaknesses, say, if a malicious app is accidentally installed, or your phone connects to a hostile network?

If anyone happens to know about iPhone/TouchID security in particular, I'm curious how that ties in to device encryption. When the phone is shut off completely it requires the passcode for access (and again every few days for good measure). Otherwise it can be unlocked more conveniently with TouchID. Consider the following three iPhone states: 1) iPhone just turned on and is asking for device passcode to continue, 2) iPhone is locked and can be unlocked with TouchID, and 3) iPhone on for >2 days and is now locked and requiring password reentry to unlock. Is there a difference between these 3 states relating to the security of the full device encryption? For example does a phone being unlockable via TouchID (or generally being on with background processes running) indicate that a decryption key could be recovered from RAM more easily? If this is a dumb question, feel free to let me know; I have very little knowledge of this security architecture.


Dixie Cretin Seaman
Jan 22, 2008

all hat and one catte
Hot Rope Guy

apseudonym posted:

Between 2 and 3, as far as I know of iOS's encryption model, the keys are still in RAM, so all those hardware attackers are equally applicable. The first boot requirements and passcode logic aren't so much about the keys as they are about a bunch of other things.

Thanks for the info. Practically speaking, how hard is that kind of attack for an unrooted phone? Assuming you're not a target of a TLA, is it reasonable to ignore?

Dixie Cretin Seaman
Jan 22, 2008

all hat and one catte
Hot Rope Guy

apseudonym posted:

Depends on the attacker, the device, and you.

Are you on a newish version of the OS and avoid downloading and installing stuff outside the official stores or going out of your way to disable security features? If so you're in a very good spot, you're more likely to get your 2 factor phished than your phone owned, the person is way easier to exploit than the device.

Use 2FA, it makes it way harder for hackers in unspecifiedistan to get into your poo poo. Your phone is a good device for this since you have it on you and you are almost certainly not interesting enough for a targeted attack.

If your adversary is the government where those services are hosted or where their officers are you're already hosed anyways :)

Sorry, I guess I was unclear. I meant how hard is it to, for example, grab whole device encryption keys from RAM on an unrooted iPhone. My understanding is that this kind of thing is mostly theoretical and it would be beyond the capabilities of non-government adversaries. Is this about right? e.g. if there was some grey-market Chinese kit for owning smartphone encryption then there probably wouldn't be those anti-encryption political rants floating around recently...

Dixie Cretin Seaman
Jan 22, 2008

all hat and one catte
Hot Rope Guy
E: Apparently Lastpass security is already a discussion in the Infosec thread, so I'll avoid cluttering up this thread with the same arguments.

Dixie Cretin Seaman fucked around with this message at 20:03 on Dec 29, 2015
