If talking about digital security and best practices wasn’t hard enough already, it is a few notches harder talking about mobile security. With smartphones increasingly becoming the platform of choice for most people to communicate and work over the Internet, journalists, activists, and human rights defenders embraced them too. Especially in certain regions where DSL lines, and laptops, are not available or are unaffordable. With this change, security concerns of individuals at risk have shifted as well over the years.
However, recommendations coming from the cyber security community tend to come across confusing and conflictual. This is partly because the mobile world is in constant evolution, and partly because recommendations explode in reaction to latest news of attacks and exploitation in the wild, which 2019 was in no shortage of. While for those working in tech the moment the latest iOS or WhatsApp hack hits the news is an opportunity for Twitter banter, targeted communities instead enter panic mode and look for immediate guidance. Unfortunately, news tend to outpace the ability of the receiving ends of those recommendations to change their behavior over and over.
To give a banal example: is Android or iPhone more secure? The eternal question. Activists hear and rely on the perceived consensus from cyber security experts, the more vocal on social media and press above all. I can assure that the observable commentary seeds confusion.
To some degree this is inevitable because, as said, digital security always mutates, and because, when recommending best practices, capturing the nuances takes experience. At the same time, folks just want to hear an answer, not more questions.
Wherever the needle points at the moment, whether to Apple or Google, today the answer generally boils down to digging into the wallet for serious money to spend on a new phone. And this is the essence of the problem I want to address here.
Apple, who for long enjoyed cyber security experts’ blessing, regularly releases new price-record-breaking models. Today, with a fresh iPhone 11, you look at separating yourselves from at least 850 euros, give or take. A decent configuration carries you over the 1000 euros in no time. Google has been catching up in recent years with their Pixel line, now hitting the 4th generation, also sporting a 800 euros base pricetag. None of them offer any mid-range model.
Almost each new iPhone or Pixel generation comes with important new exploit mitigations or security improvements, increasingly dependant on the hardware and the chipset. They are not what dictates the exhorbitant prices though. You could instead attribute that to capitalism, shining through the lenses of brand new Triple Cameras or a Super Retina XDR display with a gazillion colors. Gadgetry is what sells.
Mobile security has become a luxury for the rich, because smartphones were turned into luxury items, while at the same time having become necessary survival accessories for daily life. What a great hack. And while this is a larger consumerism problem for society, it grows into an unbearable barrier for those in need of affordable, modern and secure devices.
Indeed there is a mid-range market of third-party Android phone manufacturers, but those have traditionally been disappointing from a privacy and security perspective. They often come with intrusive additional software, and lag lightyears behind Android patches. And although Android One devices now might be better options, they are still not comparable to their higher-end cousins.
I don’t doubt many would happily renounce the Triple Cameras for a modern and secure mid-range phone, but I am equally sure the economic incentives are not there for companies like Google and Apple to even consider producing it. Older models still receiving software updates are not the answer either, as they still lack important hardware hardening. This presentation breaks down very well the progression of exploit mitigations (such as PAC, PPL, etc.) over recent generations of iPhones.
And while some would like you to think that cyber security is primarily a concern for the rich, because “they have the most to lose” (LOL), the real sorry state of the existing mobile ecosystem is that it disadvantages consumers from the lower class and from developing countries, who are the same who would most benefit from the latest security features we all like to geek on. Privacy and security might as well be trumpeted as these corporations’ core values (LOL), but really they don’t matter much if they are made unaffordable.