
Closed Smartphone security level

Status
Not open for further replies.

Ashirous

Don't use a mobile authenticator app on an old smartphone, because the app is only as secure as the operating system in which it's running, two security researchers said at the RSA Conference here earlier this week.

Aaron Turner and Georgia Weidman emphasized that using authenticator apps, such as Authy or […], in […] was better than using SMS-based 2FA. But, they said, an authenticator app is useless for security if the underlying mobile OS is out-of-date or the mobile device is otherwise insecure.

"You don't want the risk associated with 32-bit iOS," said Turner, adding that you should use only iPhones that can run […]. "In Android, use only the Pixel class of devices. Go to Android One if you can't get Pixel devices. I've had good experiences with Motorola and Nokia Android One devices."

And he warned the audience to stay away from one well-known Android brand.

"[German phone hacker] Karsten Nohl showed that Samsung was faking device updates last year," Turner said. "Stop buying their stuff."

To be fair, Samsung was far from the worst offender among phone makers in the study Turner cited, and […] regarding Samsung's issues, without going into further detail. ([…] are available on the RSA website.)

The problem is that if an attacker or a piece of mobile malware can get into the kernel of iOS or Android, then it can do anything it wants, including presenting fake authenticator-app screens.

"One of my clients had an iPhone 4 and was using Microsoft Authenticator," Turner said, indicating another authenticator app. "All an attacker would need to do is to get an iPhone 4 exploit. My client was traveling in a high-risk country, his phone was cloned and then after he left the country, all sorts of interesting things happened to his accounts."


Some Android phones are safer than iPhones

And don't think iOS devices are safer than Android ones -- they're not. There are just as many known exploits for either one, and Weidman extracted the encryption keys from an older iPhone in a matter of seconds onstage.

The iPhone's Secure Enclave offers "some additional security, but the authenticator apps aren't using those elements," said Weidman. "iOS is still good, but Android's [security-enhanced] SELinux is the bane of my existence as someone who's building exploits."

"We charge three times as much for an Android pentest than we charge for an iOS one," Turner said, referring to an exercise in which hackers are paid by a company to try to penetrate the company's security. "Fully patched Android is more difficult to go after."
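
Added example (not part of the original post or the quoted article): assuming the authenticator app implements standard TOTP (RFC 6238), the code is a pure function of the stored seed and the clock, so a cloned phone produces codes the server cannot tell apart from the owner's until the account is re-enrolled with a new seed. The seeds and timestamp below are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct


def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the seed and the clock."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(enrolled_seed, submitted, unix_time, drift_steps=1):
    """Server side: recompute codes for nearby time steps and compare."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(enrolled_seed, unix_time + delta * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed sample data (assumptions, not values from the article).
SEED = base64.b32encode(b"12345678901234567890").decode()
ROTATED_SEED = base64.b32encode(b"constructed-new-seed").decode()
NOW = 1583078400


def demo():
    """Return (codes identical, accepted before rotation, accepted after)."""
    phone_code = totp(SEED, NOW)   # owner's device
    clone_code = totp(SEED, NOW)   # any copy of the same app storage
    before = server_accepts(SEED, clone_code, NOW)
    # Mitigation: re-enroll on a patched device so the server holds a new seed.
    after = server_accepts(ROTATED_SEED, clone_code, NOW)
    return phone_code == clone_code, before, after


if __name__ == "__main__":
    print(demo())
```

Nothing in the code identifies the device, which is why the protection of the seed by the OS (or by hardware-backed storage, where the app uses it) is the whole security boundary.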
 
Thanks for the information, although what I do is just write my emails and passwords in my small notebook. Just in case I forget them. 🤗
 