How to Maximize Security with New Smartphone?
April 27, 2019 7:29 AM

As my 3G Samsung is reaching the end of its useful life, I'm reassessing my smartphone use. In the past, in order to maximize security and privacy, I have NOT connected an email address to my phone or used my phone for anything other than the occasional call (i.e., personal or sensitive conversations reserved for a landline) and the occasional text. Going forward with a new 4G phone, I would like to see emails in my phone without compromising my primary email account. What is the best approach to this and security overall?

Although I accept the reality that any system is vulnerable to a determined hacker, I'd like to avoid being "low hanging fruit" and minimize the risk of being compromised.

For starters, I understand that Apple's security is superior to that of Google / Android phones primarily because Apple (allegedly) exercises more oversight on apps posted to its app store. (Is this in fact true?) So I'm planning to go with an Apple phone unless anyone here can make a strong argument to the contrary.

As to email security, my tentative plan involves a series of email hops between my primary email address and a new email address to be associated with the phone. Something like this:

Main email address to forward to ==> email hop 1 ==> email hop 2 ==> email address assigned to the phone.

My primary aim is to view emails but NOT to respond to them from the phone. Anything urgent will be responded to from the more secure main computer or laptop or by telephone.

FYI: I use outlook.com for email.

FYI: For employment purposes, my strategy has always been to use an employer's phone for work-related email and for nothing personal.

FYI: I am technically adept but don't find "technology" particularly interesting beyond its utility.

Is my scheme naive? Is there another approach I should take or anything else I should be thinking about?

I figured that if folks anywhere had something useful to say on this matter, they would be here on the Green. Any suggestions and recommendations would be greatly appreciated! Thanks all!
posted by cool breeze to Technology (22 answers total) 5 users marked this as a favorite
 
Increasing the number of email systems your communication goes through seems like it would increase your exposure rather than limit it. What purpose do you see those hops serving?

Are you worried mostly about hackers, or also about large companies mining your email? I haven't looked into what Outlook.com says about what they do with your email, but you might want to look into it and consider another option.

But if your main concern is someone gaining access to your primary email account, the phone itself is going to be one of their least likely avenues. Don't re-use passwords and be scrupulous about the apps you install.
posted by ODiV at 7:59 AM on April 27, 2019 [9 favorites]


What's your threat model? (i.e. what type of attacker/attack are you trying to protect against?) It's hard to tell from your description.

On first look, agree with ODiV -- this "multi-hop email" thing is convoluted and adds no security value that I can see. Use strong passwords and passcodes, and two-factor authentication (2FA) when available. Use service providers you trust. Just add your email account to your phone.
posted by Alterscape at 8:10 AM on April 27, 2019 [3 favorites]


Your hops do nothing but add additional points of vulnerability.

For starters, I understand that Apple's security is superior to that of Google / Android phones primarily because Apple (allegedly) exercises more oversight on apps posted to its app store. (Is this in fact true?) So I'm planning to go with an Apple phone unless anyone here can make a strong argument to the contrary.

This seems irrelevant since the only things you want to use your phone for are calls and now emails. How secure or insecure the 3 million other apps you are not installing might be doesn't make any difference. The Outlook app for mobile, which is the only app you care about, is now DOD compliant.
posted by DarlingBri at 8:28 AM on April 27, 2019 [3 favorites]


For starters, I understand that Apple's security is superior to that of Google / Android phones primarily because Apple (allegedly) exercises more oversight on apps posted to its app store. (Is this in fact true?)

Partly. Mainly the difference is that Google is more interested in spying on you than Apple is.

My current phone is the world's shittiest old Huawei running Android 2.3 (not upgradeable); it's not signed into a Google account, and all I do with it is make calls, exchange texts and use it as a stopwatch, spirit level and occasional very temporary wifi hotspot. I expect I'll eventually replace it with a Purism Librem 5.

For those who can't see the value in not allowing the email app on your phone to log into your primary email account: the threat I perceive from doing this involves inadvertently giving other apps running on the same phone access to that account as well. I remain unconvinced that marketing-driven decisions about integration between apps pay anywhere near enough attention to security as they ought to.

I can't see much virtue in using two hops between primary email account and phone account, though. Simply setting up a filter that forwards a copy of everything received at the primary account to the one that the phone is logged into seems adequate to me.
posted by flabdablet at 8:30 AM on April 27, 2019 [3 favorites]


Replying to emails from your phone is no less safe than having the ability to reply to emails from your phone, which is in itself a very low threat risk (bots guessing your email password (or reusing passwords from badly-secured websites) is how your email gets hacked, not replying to emails). Having 3 email accounts involved just makes you 3x more vulnerable to your email getting hacked. Which in and of itself is not that big a deal unless you are a real big deal, and if you ARE a big deal you should use an extra-secure email platform everywhere including on your phone. (My work email does actually use Microsoft's multi-factor business center thingy...on my phone.)

Work doesn't necessarily give you a phone anymore. People who hate having two phones broke that system for the most part.

It feels like you have a little bit of an "evening news" concept of infosec, and there's probably some good blogs or youtube channels out there that would help you understand real security and privacy issues, possibly other posters here can point you to some really good sources.

Get a phone that has the features you want, be judicious about what you put on it (especially outside the "app store" infrastructure, which is at least somewhat policed, but see below for caveats), be especially mindful of password usage/recycling/complexity. Do use some forms of phone protection - I refuse to use fingerprint or face, so my work security requirements require a 6-digit PIN which is really frustrating and hard to type on my watch but I live with it. But ultimately if I leave my phone on a table it will be at least complicated and difficult to get into it.

Right now it looks like the biggest ongoing privacy infiltration is (totally legal) data mining, which means you might consider not even installing any social media apps on your phone as they have repeatedly been caught tracking location without permission, mining your searches for ad targeting, spying on your contact lists and messaging. Plus there was that thing where people were noticing they were getting ads for things they talked about in the same room as the phone and everyone said no no that's not possible and then Facebook and Amazon got caught actually doing it, oops, so... Having the phone at all makes you a product that is being consumed but it is difficult to live without one.

There used to be an assumption that Android was more secure, until everyone remembered Google's got their hooks all through it. I think decent security practices are largely platform-inspecific, but email is still the least of your problems.
posted by Lyn Never at 8:53 AM on April 27, 2019 [3 favorites]


Replying to emails from your phone is no less safe than having the ability to reply to emails from your phone

This is a very good point. The main thing I would be concerned about, given some rogue app with access to my primary email account via some side channel on my phone, is its ability to acquire and respond to forgotten-password confirmation messages for other non-email accounts.

If you use Fastmail, as I do, and like me you don't use Fastmail's native mailer app, then the mail app you do use will need to use IMAP and SMTP protocols to collect and send emails respectively. Fastmail's IMAP and SMTP servers don't allow you to log in using your Fastmail account's usual password. Instead, you use Fastmail's web interface to generate a unique long random app password for each of your mail apps.

Each app password you generate has permission levels associated with it, and you can set one up to authorize IMAP access but not SMTP access. This makes it feasible to connect a phone to a Fastmail account in a way that guarantees that the phone can only ever receive messages and not send them, even if the mailer app you're using doesn't support saving different passwords for IMAP and SMTP which most actually do.

If you had your primary email account connected to the phone in this way, I can't think of any remaining threat that you could foil by interposing a second email account in your receive chain.
posted by flabdablet at 9:20 AM on April 27, 2019 [1 favorite]


Is my scheme naive?

Your scheme is naïve.

Nothing is achieved by bouncing your email between multiple providers except increasing your exposure risk via compromise of one of your email hosting companies.

You need to think in concrete terms about what your threat model is & what risks you are trying to eliminate. What exactly do you mean by “compromising my primary email account”? Someone being able to read your email? Someone being able to impersonate you by sending email from your account?

If you want to give your phone read-only access to your email then if your outlook.com account was an organisational Office 365 account I would create another Office 365 user and give that user read-only access to your Inbox. Then the phone gets the credentials for that account & not your personal account.

If you only have a free outlook.com account then that’s not going to work though. You could set up an IMAP server elsewhere that offered read-only access & forward all your email from outlook.com to that server via whatever means you could come up with, but that seems a lot of faff for mediating what is in reality an extremely small risk, especially if you don’t install apps from untrusted sources on your phone (or any more apps from Google/Apple than you absolutely need).

On phone security: Apple has the edge here. If you buy a Pixel phone then you’re getting something equivalent from Google though - it’s the rest of the Android hellscape that’s lacking on this front.
posted by pharm at 9:20 AM on April 27, 2019 [1 favorite]


I like to keep my work and personal stuff separate, so my phone is personal, but sometimes I need to check my work email.

I do this using incognito/private mode in a browser on my phone. It still uses 2FA to let me see my email, but my email account information is then no longer stored on my phone.
posted by jillithd at 9:55 AM on April 27, 2019


The old wisdom for emails is to think of them as postcards - assume anyone can read them on the way unless you've gone to great pains to encrypt their contents. With that analogy, what you're doing with your multiple email hops is instead of sending the "postcard" once through the mail from point A to point B, you're sending it 3 times as far with 3 times the number of systems along the way able to read it. So if it's the contents you're worried about encrypting, there are much better ways. If it's trying to disassociate your real life identity from a single email address - you're now giving your identity 3 identifiers instead of 1.

And you're using outlook.com - i.e. Microsoft. What makes you think they're any better in protecting you than any of the other players out there, big and/or small?

Use strong passwords, never repeated and changed often, and TFA everything (via an authenticator-type app, NOT SMS). You're right about Apple being better than anyone else, but it's a low bar.
posted by cgg at 10:20 AM on April 27, 2019


except when they are compromised or forgotten

and if it's your own brain that's doing the forgetting, you're doing passwords wrong because it should not be your brain that's doing the remembering - except for the master password that lets you into your password vault or (equivalently) the PIN that lets you into your phone. Those, you'll use often enough that remembering a sufficiently strong one is within the capacity of a human being. All other passwords should be unique, long, and generated using a reliable source of randomness such as the one built into every half decent password vault application (i.e. no thinking up "random" words or keyboard mashing allowed).

Also worth noting that 2FA consisting of a long, unique, random password remembered by an app in a phone and an authentication code from another app on the same phone is not really 2FA. You could argue that it is, on the grounds that the phone is the thing you have and its PIN is the thing you know, but if you accept that argument it makes the authenticator app redundant.
posted by flabdablet at 11:22 AM on April 27, 2019 [1 favorite]


I'm definitely no security expert but I'm wondering if cool breeze's email hopping idea is partly a matter of convenience and privacy? Like have one inbox to view work and personal emails? Maybe also one way to limit privacy intrusion. Like yes phone/email app you'll have access to all my recent emails, but you won't be able to access the past 15 years or so of emails. I agree that this setup may not necessarily be more secure.

I think yes, an iPhone with all the recent updates, an email account with 2 factor authentication set up, a strong password, using the phone only to view emails as well as for phone calls and texts (wow that takes discipline!) would be pretty secure from security vulnerabilities. Like others have mentioned, you still will probably have some data mined.
posted by mundo at 1:05 PM on April 27, 2019


Also worth noting that 2FA consisting of a long, unique, random password remembered by an app in a phone and an authentication code from another app on the same phone is not really 2FA. You could argue that it is, on the grounds that the phone is the thing you have and its PIN is the thing you know, but if you accept that argument it makes the authenticator app redundant.

I thought 2FA apps were better than 2FA SMS, because you have to physically have the actual phone as a second factor, rather than a device that receives texts sent to you. 2FA SMS is better than no second factor at all, but it's generally a lot easier to socially engineer most cellphone providers or intercept someone's texts than it is to steal their phone without them noticing. This is extra true for attackers like abusive exes or relatives.

The best 2FA option is a dedicated piece of hardware that only does 2FA (like a YubiKey), but not losing those things and using them with smartphones can both be challenges.

I don't remember what the defaults are for 1Password or LastPass, but IIRC a password manager's vault should require that the password be re-entered once a day at the absolute minimum (so you don't forget it).

I would also add that if an attacker can read your email, and you have any banking or other sensitive accounts that are bound to that email address, they can probably get a password reset link for the other accounts sent to your email address.
posted by bagel at 2:44 PM on April 27, 2019 [1 favorite]


I thought 2FA apps were better than 2FA SMS, because you have to physically have the actual phone as a second factor, rather than a device that receives texts sent to you.

If you're relying solely on long, unique per service, randomly generated passwords that only your phone remembers, and you're relying on your phone's inbuilt encryption and PIN to keep those secrets safe from attackers who gain physical possession of your phone, then you have as much security as you would get from running an authenticator app on the same phone where the passwords are stored.

Long, unique, randomly generated passwords can't be extracted from any password hash database exfiltrated from the service providers you use; nor can they be guessed and only vanishingly rarely can they be remembered. Therefore, the only way to authenticate against a service where you've set up a password like that is to use a device that has it in storage i.e. your phone.

The entire purpose of 2FA is to protect you against attacks from adversaries who know your password but don't have access to your physical second factor. But if the only way to gain access to your password necessarily involves having physical access to your phone then something else on your phone is not a second factor for those passwords, and treating it as such amounts to security theatre. This applies whether you're using SMS or Authenticator or anything else on the phone to prove your physical access to it: such proof is redundant, because your ability to supply the password is already proof of physical access to the phone.

Any app with enough mojo to pull your passwords out of storage by running on your phone is already on the wrong side of the locked steel door, and has also got enough mojo to read your authenticator app's outputs or your SMS messages. And yes, SMS messages are possible to intercept off-device while Authenticator codes are not, but using strong passwords stored securely on-device makes that point moot.

The only way typical phone-based 2FA can actually improve your security is if your phone is not the only device that stores your passwords and the other copies exist somewhere where access is feasible to others: perhaps they're all backed up in a KeePass database whose master password is hunter2, or they're all short enough for a human to remember, or you're sharing passwords across multiple services, or you've written them all down in a little black notebook and left it on the bus.

Personally I resent the extra faffing around that 2FA always involves, so I just choose to do none of those things. I also don't use my crappy Android 2.3 phone for access to services that require passwords, because that's what computers with proper keyboards are for.

My bank requires 2FA to authorize payments to payees it hasn't seen before, and I have a separate hardware dongle on my keyring for that. The MtGox post-bankruptcy compensation scheme requires Google Authenticator 2FA, so I have that on an old Android tablet I use otherwise only for watching movies. Apple calls my landline and synth-voices numbers at me whenever I need to log onto the iCloud account I now manage on behalf of a deceased friend. For everything else I vastly prefer 1FA consisting of a Dropbox-hosted KeePass database full of long, unique, random passwords, itself protected by a very long password that's been muscle memory for a decade now. YMMV.
posted by flabdablet at 3:33 PM on April 27, 2019


I also don't use my crappy Android 2.3 phone for access to services that require passwords, because that's what computers with proper keyboards are for.

Any decent password manager will let you copy and paste your strong passwords on your phone. And as of iOS 12 Apple added the ability to autofill from a third-party password manager directly in whatever site or app you need to authenticate, either with its master passphrase or TouchID or FaceID.
posted by asterix at 5:09 PM on April 27, 2019


For starters, I understand that Apple's security is superior to that of Google / Android phones primarily because Apple (allegedly) exercises more oversight on apps posted to its app store. (Is this in fact true?) So I'm planning to go with an Apple phone unless anyone here can make a strong argument to the contrary.

As DarlingBri mentioned, the app store issue is almost entirely irrelevant if you're using a small number of well-chosen apps.

It hasn't been mentioned, but the other most significant difference when it comes to security against 3rd party vulnerabilities (eschewing the privacy philosophies of Apple vs. Google) is the frequency of updates and patches, and the duration of that support (important for people who don't get a new phone every year or two). Every Apple device is supported for years with timely updates.

On the Android side, the picture is inconsistent and uglier (with the blame falling as much on manufacturers and carriers as on Google). For this reason, some people prefer to stick with phones directly from Google--Pixel and Android One designated phones (and Nexus phones before that). Outside of those, flagship phones from other manufacturers tend to be the best supported.

I'm currently using a Pixel 2 and am happy enough with it, but it is pretty damning that this has been an issue for so long.
posted by Pryde at 7:02 PM on April 27, 2019 [1 favorite]


Case in point: my previous phone was the original Moto X from 2013, which I used far longer than I should have because it simply had a great compact form factor for a phone. Its last update was in 2015. I still have and use an iPad Mini 2 that came out 3 months after the Moto X. Its most recent update was about a month ago.
posted by Pryde at 7:29 PM on April 27, 2019


"Landline" is not a magic talisman.

Unless it uses strong, peer-reviewed, end-to-end encryption, it might as well be MeFi chat as far as privacy is concerned.
posted by sourcequench at 8:01 PM on April 27, 2019


I understand that Apple's security is superior to that of Google / Android phones primarily because Apple (allegedly) exercises more oversight on apps posted to its app store. (Is this in fact true?)

Take this as you will, but several years ago I was in a meeting with an upper-level Google security executive. I asked him what he did to secure his Android phone amidst the never-ending slew of vulnerabilities that were coming out.

He didn't say anything, but reached into his pocket and flashed me an iPhone. I haven't bought an Android since.
posted by matrixclown at 12:20 AM on April 28, 2019 [3 favorites]


Response by poster: Dear All:

Many, many thanks for the information and food for thought! I have some homework to do.

The primary perceived threat is a bad actor's ability to hack back through my main email account and gain access to, for example, a bank account or something similarly sensitive. An equal concern is privacy.

I also understand that there is no such thing as perfect security, and just aim to minimize the risks.

Given that my primary use of a phone is / will continue to be calls with the occasional text, my risk profile seems to be low. Any apps downloaded will be few and far between, and downloaded from Apple. I don't / won't use the phone as a web searching device. Otherwise, I'll research and max out any and all privacy settings.

Thanks again for all your thoughtful replies!
posted by cool breeze at 1:47 PM on April 29, 2019


The primary perceived threat is a bad actor's ability to hack back through my main email account and gain access to, for example, a bank account or something similarly sensitive.

The typical process by which this would be done goes as follows:

1. Rogue app running on your phone exercises an "I forgot my password" link on your bank's login page and nominates your account.

2. Your bank sends a confirmation code to the email account they have on record for you.

3. The rogue app, which has permission to access emails on your phone either because you carelessly gave it that permission when you installed it or because it's using an unpatched exploit to gain it, scrapes the confirmation code from the email and completes the password reset process for your bank account. It would also typically need to scrape a second confirmation code from an incoming SMS message to do this (banks are still fucking useless at 2FA and most of them do not use Authenticator or anything similar).

Any process that allows all your incoming email messages to be viewed on your phone would enable this sequence, regardless of how many email account hops you insert.

You could interfere with it by having well tested filters in your main account that simply don't forward messages from your bank to the mirror account your phone uses, but this gives your bank the ability to screw things up for you by changing the format of its confirmation messages.

A stronger approach would be to set up a second email account that you only ever use as a forgotten-password confirmation target, set up no auto-forwarding from that account to anywhere else, only ever get at it via webmail using a browser's Private or Incognito mode so you can be sure it won't stay logged in after you're done with it, and save its login credentials using only dedicated password vault software like KeePass and not in any browser. If you have that, then insulation between apps on your various devices becomes much less of a concern.
posted by flabdablet at 10:32 PM on April 29, 2019
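The "forward a copy of everything, but hold the bank's confirmation messages" filter that flabdablet describes (here and in the earlier post about a single forwarding filter), written out as an added example in Python; it is not code from any poster. The sender domains, addresses and wording patterns are constructed placeholders, and the example pairs the fragile wording rule with a sender-domain rule to show why the wording rule alone is not enough.

```python
"""Decide, per incoming message, whether the primary account should forward a
copy to the phone's mirror account or hold it.  Added example; the domains,
addresses and sample messages below are constructed for illustration."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple

# Hypothetical senders whose mail must never be mirrored to the phone.
# Matching on the sender is what survives a bank rewording its messages.
SENSITIVE_SENDER_DOMAINS = {"bank.example", "accounts.example"}

# Wording typical of reset/confirmation mail.  This is the fragile denylist
# the thread warns about: a sender that changes its wording slips past it.
RESET_PATTERNS = [
    re.compile(r"\b(reset|verification|confirmation|one[- ]time)\s+(code|link)\b", re.I),
    re.compile(r"\bforgot(ten)?\s+(your\s+)?password\b", re.I),
    re.compile(r"\b\d{6}\b is your", re.I),
]


def sender_domain(msg: Message) -> str:
    """Domain part of the From address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Concatenate all text/plain parts (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw: str) -> Tuple[str, str]:
    """Return ('hold' | 'forward', reason) for one RFC 5322 message.
    Held mail stays readable in the primary account from a computer."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    for d in SENSITIVE_SENDER_DOMAINS:
        if domain == d or domain.endswith("." + d):  # subdomains count too
            return "hold", f"sensitive sender {domain}"
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    for pat in RESET_PATTERNS:
        if pat.search(text):
            return "hold", f"matches reset pattern {pat.pattern!r}"
    return "forward", "ordinary mail"


SAMPLE_MESSAGES = [  # constructed inputs, not real mail
    "From: Example Bank <noreply@bank.example>\n"
    "Subject: Your password reset code\n\n"
    "Use code 483920 to reset your online banking password.\n",
    "From: Shop <help@shop.example>\n"
    "Subject: Forgot your password?\n\n"
    "Click the link below to set a new password.\n",
    "From: Alice <alice@mail.example>\n"
    "Subject: Dinner on Friday?\n\n"
    "Are we still on? Alice\n",
    # Reworded message from a bank subdomain: no pattern fires, the domain
    # rule is what catches it.
    "From: Alerts <alerts@secure.bank.example>\n"
    "Subject: Action required\n\n"
    "Here is the number you asked for: 112233\n",
]


def run(messages: List[str] = SAMPLE_MESSAGES) -> List[Tuple[str, str]]:
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for raw, (decision, reason) in zip(SAMPLE_MESSAGES, run()):
        print(f"{decision:7} {message_from_string(raw)['Subject']!r:32} {reason}")
```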


The rogue app, which has permission to access emails on your phone either because you carelessly gave it that permission when you installed it or because it's using an unpatched exploit to gain it

iOS does not allow you to grant this permission. So apps can't get access to the system email client, and if you're using a third-party app to access your email (e.g., the Gmail app), other apps can't get access to the information they have.

It's always possible there's an unpatched exploit that would allow that access. That's a catastrophic breakdown of the OS's security model, though.
posted by asterix at 11:29 AM on April 30, 2019 [2 favorites]

