Best Android for Security, both offense and defense

So Sup Forums, I'm an aspiring CyberSecurity engineer. And if you don't know or understand anything about security you can fuck right off because this thread isn't for you.

Now, from my research it seems that pretty much every android smartphone has shit security. Shit hardware. Shit updates. Popular modding brands like OnePlus seem to have a mixture of all manner of security holes. Some of which are clearly intentional, and others... well, their security updates are typically issued Quarterly, and even the most dangerous updates - the time before you get it is measured in months. 0day my anus. Google seems to be the best choice in that regard, and when combined with copperheadOS, it takes it to a whole new level. However, 1.1k for a phone is about twice my price range. Fuck.

Therefore, I'm thinking about what I can do. Make the best with what I can, etc etc. For my personal use-case, I'm planning to set up Kali in a chrooted environment. "Offense mode" and have it normally in a solid defense mode. In defense mode it needs to work as a phone.

But that's just me, ITT we discuss how to secure our devices, so that some skid can't metasploit our faces off


>'m an aspiring CyberSecurity engineer

AKA i'm a turboloser in my basement that plays videogames all day

AKA I'm studying for my computer science bachelors, am an officer in a cybersecurity club at my college, and about to do research in cybersecurity over the summer.

>and I don't even play videogames

yeah sure buddy

is someone who's on track for their career really that hard for you to believe?

Just because you're shit and your life is shit doesn't mean everyone else's is

>phone
>security

>still in college
>on track for their career
>muh secret cluba

Oh i am laffin

Lmao whatever buddy


Just buy an iPhone and stop being poor.

Compile LineageOS from source without Gello and LockClock apps.
Don't enable root and use only fdroid approved apps.

Don't visit shit sites, don't download malicious apps and most importantly, stop being a fat autist.

>am an officer in a cybersecurity club at my college

Yeah, I realize, just trying to make it as secure as possible.

LineageOS doesn't seem to be that secure actually. It doesn't receive frequent security updates, for one.

And I need to enable root, sadly, that's the reason why hardening is a must.

it's not really a big deal, but it looks great on a resume. Equally important is that it put me in touch with the cybersecurity professor at my college, which is how I landed my research.

>LineageOS doesn't seem to be that secure actually. It doesn't receive frequent security updates
They usually fix security issues faster than what google does with their retarded monthly security patches.

google releases security updates daily?
slashgear.com/apple-essential-google-had-fastest-security-updates-securitylab-28521560/

*in days* rather, not "daily"

You need one for offense (running kali nethunter)
and one for defense (running copperheadOS)

>I need to enable root, sadly, that's the reason why hardening is a must.
rooting literally unhardens the device why do you need to root?

Is this guy for real?

Probably yes.
Kek

>And if you don't know or understand anything about security you can fuck right off because this thread isn't for you.
I read on Facebook that security is important and that evil russian hackers are constantly hacking me.
Can I join your club?

If you want a safe phone just get an iphone like Bruce Schneier, they're way safer than Android security-wise

>android
No, avoid. Buy Librem 5

>bachelors

If it ever gets released

well, it means that it's possible for someone to "own the box," so yeah it does unharden it some. But I don't have enough money to buy two new phones so this is what I have to do.

yes it's open to literally everyone (fuck me), but you can still fuck right off

don't have enough for two phones. Also, fuck iOS.

it's the only useful degree. Anything above bachelors is pointless unless you're going into the public sector(or government contractors for the public sector)

That kinda makes me wanna get an Essential phone, hopefully their next phone isn't as shitty as the first one was

why not use a laptop for offensive and just have a phone, also you can't have a phone for great offensive and defensive, just not possible

Absolutely none, you LARPer faggot. Go play hackerman somewhere else. You don't even know about the cellular modem isolation problem. I bet you don't even know about the Intel ME or AMD PSP in desktops, and you think running some Kali Loonux shit as root makes you secure. Eat shit, nigger.

that's the problem though. Both Google and Essential have shit hardware, but get better software support and security updates.

I want to get the nice hardware of OnePlus but locking that down may be impossible. I'm okay with being vulnerable to attackers who have physical access to the device (only CopperheadOS x Pixel 2 seems to have adequate defense against this), however, defense from remote attackers is a must.

I'm wondering if just getting a well supported mainstream OS, and then modifying it to shit with root is better. Bunch of separate partitions, etc etc. Ideally, I would only be able to access root at boot. "turn on phone, decrypt, decide root or not. If you pick not, rooting is impossible until you restart"

something like that.

>he's not a government contractor

just get a used iphone se for $350, they're supported for like five years anyway

Bitch please. All you have to do to dump iOS is kick it into DFU mode and plug it into P2 Commander. Android requires you to somehow bypass the lock and enable USB debugging.

you've still not said why you need to root the device?

Your """offensive""" and """defensive"""" plastic toy won't do shit against a shovel.

>implying it won't
Stop spreading FUD

it seems like having all the offensive stuff disabled except at certain times is a good balance. Yes it's not ideal but nothing in security is.

Laptop for offensive is nice, but then I have to carry a laptop around/type on it in public and that's suspicious in some circumstances. Maybe having a laptop in backpack x antenna, and sshing into said laptop from phone is the way to go. I was under the impression that I could perform SMS attacks and the like from a phone though, so I'm wondering about its features.

>cellular modem isolation problem
explain
and no I don't think kali makes me secure. Quite the opposite. However, it's an excellent attack OS and running it occasionally is necessary

what are you even planning on hacking? seriously why does being covert matter, you're not a pentester

He's Tom Cruise.

rooting to use it offensive, to start. AFAIK the default android encryption implementation has vulnerabilities and can't be trusted. Same goes for a lot of the other software on the device. I can't de-botnet it/de-backdoor it without root.

That's why I discussed copperheadOS in the OP. It's open-source and security-minded. Unlike android which is security-dick

I don't buy phones often, and I am starting to learn pentesting. I will be a pentester by time I need to buy a new phone.

There really is no point outside of basic security principles in securing a phone. After all with most android phones, the systems being tied to google's botnet if your google account gets compromised then you have a C&C built into the phone at its most basic use.

Sure you can put antimalware solutions and "secure" a phone. But at the end of the day if your google account gets fucced then prepare for the attacker to be able to track your every movement, and be able to download whatever the fuck they want onto your phone through google's cloud services.

Being a jerk on Sup Forums will get you nowhere. Telling people to fuck off who don't want to talk about an oddly specific set of principles gets the replies you have been getting, lighten up, be nice, and ask better questions.

but copperhead is unrootable you need at least two devices if you want to go into pentesting
t. pentester

the absolute cheapest method would be raspi running kali in your backpack, then control it via SSH from a copperheadOS phone, you then have offensive and defensive - but to be honest you're starting to sound like a script kiddie, people have told you you need two devices and you still want a magic answer that involves one device

you're not a pentester just because you have certs, you're a pentester once you've successfully been hired to and completed a pentest

in the OP i discussed flashing CopperheadOS, so I hope you realize that a core point of this is to prevent that exact scenario you described. I'm going to de-google my phone no matter what option I choose.

And security is not an oddly specific set of principles, it's a massive industry. 1 trillion a year in cybercrime already. Going to go up to 7.2 trillion by 2020. World GDP is 76 trillion, so that means in 2 years about 10% of all wealth will be stolen and tossed around by cybercriminals.

Everyone needs to understand security, and especially the likes of Sup Forums

How secure is your virginity?

Why not use the instructions and open source code of CopperheadOS and compile your own build? The point of the current licensing model is to get non corporate users to self compile and contribute to the code base.

nah I acknowledged in that two devices is probably what's needed.

But, security is always a balance between functionality and safety. If that particular trade-off is definitely not worth it, then why?

that's what I might do, actually. However, as copperheadOS states, the insecure lower level software of most phones is shit, so I'm not sure what I would be losing because of this.

My point was more if you actually want to be a hacker or pentester you need to invest in hardware, two phones are under £500 you should be able to afford that, do you have a job?

> if you actually want to be a hacker or pentester you need to invest in hardware
very true

>do you have a job?
student, so yes but not a good one yet.

part of the reason why I'm thinking of offensive capabilities is because of a possible side-hustle. Scare some small-business owners about the dangers of cybercrime, and then offer to analyze their network. "You'll only have to pay if I find something"

>I'll probably just vulnerability scan it with nessus or the like
>if the scanner finds vulnerabilities, I tell them about the dangers of what I found, and that if they pay I'll give them a report
>yeah that's some skid shit but I'm just looking at the easy money

>Scare some small-business owners about the dangers of cybercrime, and then offer to analyze their network. "You'll only have to pay if I find something"
you know businesses only hire firms not individuals right? unless you walk in with your resume and a firm they won't accept you to do fuck all -- there's too much red tape, even if they wanted to hire you they couldn't

Well if you're willing to consider an unproven OS on in-development hardware, there is the librem 5 and its hardware kill switches to physically disable access to the device. You can install other linux distros on it, too.

What exactly does one do in cyber security club? Do you just go around installing Norton AV on everyone's macbooks

small businesses are different friend. And I can easily set up a firm. First of all, a sole proprietorship IS a firm. but if I wanted to make it more professional-looking, I just file for an LLC. Set up a nice website, print some nice business cards. These are all things I've done before, it's not that hard if you know a little marketing/branding. Fake it till you make it.

interesting, I'll look into it.

Huawei's policy of ignoring wakelocks ensures that no malware stands a chance against their retarded battery life management system

>small businesses
they don't hire pentesters mate, you honestly seem to have done no actual research

Then tell me what a rop chain is, I’ll know if you google it skid

lol you could be arrested for extortion if you attempt that

we have a lecture-style meeting once a week. Half the time it's given by professionals in the industry. Otherwise it's given by our pres, who's walking through the GIAC cert's finer points. Pretty solid learning, usually. 3/4 of the time we have some professional sitting in, which is what I value the most. Good connections.

we also have a team that competes and meets separately, won state-wide last year but who knows how much that matters in my state. Good wargame practice though, and those competitions are excellent places to get hired from.

my dad owns a small business and I've met quite a few of them. The key here is that I won't be offering true "expensive" pentesting services. Just a simple vulnerability scan which comes at much much lower price point. They will go for that because half of business owners are complete fuckwads anyway.

You'd be surprised at what will fly when you sell it right.

are you retarded? I'm not threatening to hack them, just saying that if they want the report they have to pay. I'll make that clear up-front too.

I have a BlackBerry KEYone and Blackberry claims security to be one of the main features of the phone. It encrypts your phone and has guaranteed security updates, and has this DTEK security software. I also have VPN. However I have no idea how much more secure this actually makes it or if it's just marketing drivel.

>comes with google service
Yeah, it is no better than any cheap chink phone.

having read their claims, it seems like a bunch of marketing drivel. They claimed to be doing a bunch of things that everyone else is already doing.

"government-grade encryption" hahahah
"hardware root-of-trust" yeah everyone does that
...etc etc

AFAIK, The problem isn't the lack of secure features, but rather a poor implementation of those features. Holes in security, etc.

>And if you don't know or understand anything about security you can fuck right off because this thread isn't for you.
YOU do not know a thing about security, since you have fuck all in terms of working experience.

sage this bullshit thread

>You'd be surprised at what will fly when you sell it right.
I've been a pentester for 5 years, I know how to sell it, small businesses aren't buying it, plus do you even have the knowledge to actually write a report? you can't just say oh havij found an SQL vuln in your site and attacked it for me, you need to tell them what they do to fix it but go on, how much are you charging and what attacks are you doing? just scanning shit with scripts or going for physical attacks?

I know exactly what you're looking for, but since you're acting like a retarded skid I won't help you.
This is not a tech support board. Don't come here and make a thread just asking for recommendations of what you want.
Fuck off and die.
saged

>am an officer in a cybersecurity club at my college
let me guess? socialising all day and organising (((hackathons))) and kali linux install parties and listening to conferences from (((security experts)))
I have something better for you: focus on your studies, read a lot of books about how computers work (computer architecture, operating systems, ...), learn C, decompile programs for fun, practice reverse engineering, read computer security articles... instead of wasting your time on social shit. that's assuming you want to really learn computer security anyway

You're retarded

Source: I do reverse engineering + exploit dev.

you're never going to manage to be a hacker because you seem to assume you're right and everyone else is wrong you haven't taken a single piece of advice this entire thread

>taking advice from Sup Forums

It's got a bunch of kernel mode bullshit installed to do intrusion detection that's poorly written and any moron could find bugs in

>are you retarded? I'm not threatening to hack them, just saying that if they want the report they have to pay. I'll make that clear up-front too.
I love how you start the thread saying that anyone who doesn't understand security should leave, but you're the clueless one. Take a read faggot:

techdirt.com/articles/20111015/20563516374/company-thanks-guy-who-alerted-them-to-big-security-flaw-sending-cops-bill.shtml
ibtimes.com/security-researcher-who-stopped-wannacry-ransomware-arrested-us-2574157
theregister.co.uk/2016/05/09/researcher_arrested_after_reporting_pwnage_hole_in_elections_site/

Can you imagine a hired pentester using their phone to test your security? His certs won't matter when potential clients laugh him off the premises

to be fair the 2nd one just turned out he previously wrote banking malware :^)

>certs won't matter when
certs don't matter. :p

even oscp is just, can you do a buffer overflow and use google

>hello I'm user I'm here to perform the pentest
>pulls out nexus 5 and starts plugging in dongles
>runs a couple of scripts
>is there for less than five minutes
>ok I'll write up your report tonight but I'll need you to print it off because I don't have a printer at home
>report just lists the scripts he ran and their outputs
>ok that'll be 0.006 bitcoin please

t. never been hired

honestly OP maybe that was harsh. I've become the thing I was complaining about, hacking should be about exploring weird machines and having fun, understanding things. The hacking community is dead but that doesn't mean we all have to give up.

I wish you the best but your ego doesn't help the community. Neither did mine there though.

I'm not sure if you meant I've never been hired but I have been. I regularly do RE/Code Review/Vulnerability finding work for companies. :p

They don't care about certs, maybe for traditional pentesting it's a good sign someone has OSCP... but.. they won't make or break you.

If you can't afford a safe phone you don't have anything worth protecting

>I regularly do RE/Code Review/Vulnerability finding work for companies. :p
what companies?

Companies that develop systems that need to be secure.. :p

Multiple Windows 10 kernel memory disclosures + arbitrary writes reported and sorted through my company though.

>>ok that'll be 0.006 bitcoin please

also several years spent running training at Blackhat on finding bugs in native code.

Companies such as Microsoft have attended.

but yet you still haven't posted any proof

If you work for a company, give me your corporate email and I'll email you. Happy to discuss what we can do for you.

Very few companies in this space talk about clients.. because discretion is usually preferred when you're talking about native code vulnerabilities in things like.. BlueZ or the Linux WiFi stack.

I don't work in tech, you could post a timestamped picture of your ID though with the face and name blacked out of course, but you'll make a bullshit excuse

>Then tell me what a rop chain is, I’ll know if you google it skid

Very good, you've watched LiveOverflow's videos. Turns out that RE + Exploit dev is only a small section of cyber! o:::

I give up on you all.

What ID? My corporate ID? Contractor ID?

either

It'll only prove I work at >a company< that has done contract work.. if you still want it though sure.

That's fine, non tech companies have use for our services as well, i'm sure you rely on a specific technology in your industry, we'd be happy to take a look at it.

>BlueZ
Knew it was a good idea disabling that shit

yeah I'm fine with that, it's just you're the first person I've heard say OSCP isn't necessary but I've heard tons say the opposite

We're actually releasing a guide on our website soon on doing basic reverse engineering against C/C++, so dealing with things like RTTI information and object oriented code in disassembly. If you give me a word or a series of words I'll put it on the post? Make them random though.

just a photo of your ID adds enough credibility for me

So in your circlejerk of an industry you hoard 0-days because it drives business?

>taking a risk to try and censor personal information while hoping you didn't accidentally expose yourself just to win an internet argument

I do vuln research, you should be sucking my dick and you should probably start watching live overflow because you obviously don’t know shit about security. if you think anyone gives a rats ass about your fucking smartphone choice then you are mistaken. Nobody has any reason to hack a worm like you. What are they going to find? Your furry porn? Go larp somewhere else skid

Protected by John McAfee

Oh yeah, the linux bluetooth stack is fucked. Excellent paper armis.com/blueborne/

Most of our bugs are reported through to the vendor, only a few aren't. But sadly that's the way the industry is, they hoard 0days to demonstrate capability.

It's not an argument. I just want OP to understand his ego isn't needed, we're all happy to share what we know, we release papers and writeups and do training, we've done a number of free courses for underrepresented groups in the industry.

I want the industry to be more welcoming and more about genuine defence and protecting the systems we use.

LiveOverflow is awesome. I didn't ask about smartphone choice, that was OP.

That's very cool! Awesome, what kind of targets? We've been taking a look at WDAG recently, have you looked into it at all?

>>cellular modem isolation problem
>explain
Basically, the modem is poorly isolated from other hardware, such as your main system flash and RAM, and often has unrestricted access to both before the kernel even starts, since the baseband gets initialized by the first or second stage bootloader (depends on whether or not it's the Samshit/HTC one or Qualcomm ABoot). The cellular modems in like 95% of smartphones these days are proprietary hardware made by Intel or Qualcomm and run non-free baseband software that's nearly impossible to replace, since they're total black boxes. See the Replicant project for more information on why the modem/baseband are such a huge issue.