
Comment by londons_explore

1 year ago

Your options are iPhone or Android if you want a reasonably usable phone in 2025. And iPhone is considerably more secure than Android against both script kiddies and nation state attackers.

Just make sure nobody ever sends you an SMS or 'iMessage' as those have a wild history of enabling remote 'zero-click' take-overs. If you doubt this just search for 'imessage vulnerability' or 'imessage cve'. Android has far fewer of these problems, partly due to it being a more diverse system where any single vulnerability is less likely to apply to all Android installs. Of course this diversity also means there are more chances to find problems but the reach of those problems is smaller.

> And iPhone is considerably more secure than Android against both script kiddies and nation state attackers.

Posting this in a thread about a HW backdoor in iPhone seems strange. And there are also a lot of no-click exploits in the Apple ecosystem: NSO comes to mind.

My main issue with Apple is that they, internally, do not do any security research. They just close the holes, if, and after, they are discovered.

If they really need the security, considering how the other party spent such trouble to hack their phones, this is probably true, then they should not allow any smart phone into the facility.

This has been done many times before by other companies. Huawei used to do a lot of closed door development -- every one of the team lives in a hotel for a few months without phones and cannot get out. If your adversary burnt so many zero days and maybe also pulled some strings to hack you, you absolutely should do this.

  • It's possible someone wants to hack you more than you want to defend against it.

    Or it's possible you are using your development processes more like a honeypot to trap the attackers. I suspect that was the case here - it's awfully hard to analyze a modern exploit unless you manage to get it to install on a phone you are already monitoring.

    (All new exploits are 'single install' - i.e. the exploit will retrieve most of its code from a server which will only send the data once, and then immediately after use the exploit code will be deleted. That makes recording the exploit hard.)