GeekNights Monday - How to Not Suck at Smartphone Security

Tonight on GeekNights, we reveal the secrets of How to Not Suck at Smartphone Security. There is a lot of drama that can arise from mishandling your smartphone. Tonight we'll walk you through a simple set of rules that, if you follow them, will nearly guarantee such drama does not befall you.

In the news, KakaoTalk loses millions of users after a massive outage not only cuts people off from their primary means of communication but reveals sensitive personal information related to multiple profiles. This is on the heels of Google taking their cut and has now led to calls for a monopoly probe. Also Leica has a new camera for a lot of money and Scott has written about it in the forum.

On Patreon:
https://www.patreon.com/posts/73735592

You guys are a bit ridiculous with “no one ever touches your phone unlocked, not your spouse not your…”

If I can’t trust my partner why am I with them?

I mean, it’s security advice, not relationship advice.

I trust my partner completely. We never mess with each other’s phones. Ever.

Let’s say you have two people. They both trust each other 100%. They are both also completely worthy of that trust. They never betray each other and never willingly do anything to hurt each other. They have absolutely no jealousy, curiosity, envy, or any other negative feeling between them. Two peas in a pod. The best couple in human history.

Sounds good, right? Both people can share all their passwords, phones, whatever.

Absolutely not!

The attack surface has just been doubled along with the target value. A third-party malefactor can now choose just one of two people to compromise to gain access to both. How awful would it be for someone to have their stuff compromised even though they did everything right? Their partner had one slip-up forgetting to lock the phone. The partner got socially engineered. The partner installed malware. Now they’re both screwed. They could have protected each other from the rest of the world by keeping their things separate.

Circumstances change. People change. People have deep dark secrets. Trust levels change. People get married and trust each other completely and then surprise, they’re stuck in abusive relationships. This is sadly extremely common. The people it happened to once trusted their partners completely. I’m not saying to be paranoid, that’s just going to be a self-fulfilling prophecy. I’m just saying that these security practices are low effort common sense, like locking your house. Even when risk is low, it’s not zero.

There are also many scenarios that are unlikely, but not unrealistic. Partner was actually an international spy? Partner was a thief playing the long game to get access to bank accounts? Partner gets interrogated by law enforcement and coughs up the passwords? It happens more than never. Very unlikely, but protecting against it is so easy to do. No reason not to.

Strict digital separation also serves as a canary in the coal mine. Imagine instead of phones two partners each had one safe each. They trust each other completely, so neither should ever have any reason to suspect the other is keeping anything untoward in their safe. They would never even think to ask for the key or combination to the other person’s safe. Even just inquiring about the contents would be a signal that they are having feelings of suspicion, or worse. There’s absolutely no legitimate reason either would ever need to access the other person’s safe. As long as neither partner has ever even begun to attempt to access the other’s safe, that’s living proof of their trust for each other much greater than if both of them shared a single safe. If anyone does go near that line, it’s a helpful red flag that the relationship may be turning sour.

Lastly, it’s just a matter of the reverse question. You ask “Why not let your partner use your phone?” I say “Why do they need to?” There is no legitimate reason for these things to be shared. Everything that needs to be accomplished can be done without sharing. The cost of sharing is a reduction in security. What is the benefit? None. None benefit. Why reduce security for no benefit? Foolishness that will one day result in drama.

I mean, live your own life I guess. Married with 2 kids there’s lots of times being able to access each other’s phones for mundane stuff is just easier. Grocery list, shopping clothes for kids, etc. Just quick “hey can you write this down for me while I deal with this baby’s poop diaper”.

I get your point that obviously it’s more secure to just always lock and never share. Just as practical living advice it’s a little silly.

There are trivial technological solutions to all of those things. Also, don’t you both always have your cell phone? It would be more hassle to find Emily’s than use the one that’s literally always in my pocket at all times…

We absolutely intend this as 100% earnest practical living advice.

I know almost nobody who shares smartphones. Computers and other devices maybe, but smartphones? That’s nuts.

Use Google Keep and create shared notes. That’s what we do. Problem solved.

There are many other equivalent apps as well. You can collaborate on Apple notes with iCloud.

Having shared cloud notes is also great since everything is backed up and accessible from any device. I can even check the shared notes on my Desktop and my Apple watch and my iPad and so on.

If the grocery list is only on person A’s phone and person B does the grocery shopping what do you do? Take their phone with you? Preposterous!

Lol no, the list is on the phone of whoever is going to the store.

I really recommend trying the collaborative cloud-sync list. It’s such a simple thing that can make life very very convenient.

Or just texting the other person the list (or whatever).

I never fully believe these stories on /r/AmItheAsshole/. I just treat them as stories. Whether they are true or false doesn’t matter. What does matter is that this story could be true. There’s nothing unrealistic here. Oh, and what is this? A person’s entire social life was devastated because they let a very trusted person, their own sister, borrow their phone quickly just to order pizza.

NEVER let ANYONE touch your phone when unlocked EVER. PERIOD.

I’m so glad I have a relationship where I don’t have to worry when they use my phone. The “alternative face” for Face ID is super handy, so she can unlock it by just looking at it.

I’m so glad I live a life where there is zero drama, and nothing on my phone would cause any drama anywhere if anyone was to look at it, in passing or by going digging.

You sound like crazy people with the “two safes shows more trust” analogies.

Life is for living. Just get on with it.

That said, shared notes in Apple notes for shopping lists and to-do lists is an amazing tool that every couple should use.

I am just as confident in the trust inherent in my current, almost entirely drama-free, personal circumstances as you are.

The difference between us is that I look at other people who were at one point in time equally justified, but were later screwed. I simply lack the arrogance to believe it couldn’t happen to me.

From my largish pool of anecdotes (low hundreds I would guess?), most of the drama sparked from people sharing access to stuff is not due to direct access of phones but things like messages syncing to the old iPad or the family iMac. Things that wouldn’t happen if the people involved knew how their tech worked and were making conscious decisions about it. Like if you know that your data is backed up and how, you’re already doing better than almost everyone who is getting into drama over crap on their phone.

Because I deal with trying to access dead people’s stuff a lot, I tend to be more worried about my partner being locked out of my accounts than them being able to access my DMs or whatever. My personal solution to that is to keep some one-time passwords in a safe deposit box. You can accomplish the same thing with tighter controls through a lawyer or set up various account inheritance features that vary between services.

Also if you want some mostly real world informed suggestions for phone security vs cops etc. I have some opinions.

I can’t imagine any situation where Emily would need to access my phone for anything or vice versa. We have apps and accounts that share all the info we need to share on-device.

Wanting to use someone else’s phone is already a weird situation that I can’t imagine being in. Even physically grabbing someone else’s phone would be more hassle than just… grabbing my own phone?

Yeah, basically the only two situations that have ever come up that require my partner or I to touch each other’s phones are 1) taking a photo with the other person’s phone (and we both normally just use the camera shortcut from the lock screen that doesn’t require unlocking the phone, or give access to anything other than the camera), and 2) interacting with the other person’s phone when it’s hooked up to the car, for the purpose of something like changing the navigation, or searching out a particular song.

A small compromise in security, but a largely harmless one. If either of us were fast enough and good enough to compromise a phone unnoticed in those extremely short circumstances, while the other person is RIGHT there and often looking, then neither of us are good enough to stop that person regardless of allowing them to touch or briefly use their devices or not.

The car use case was definitely the most common for me but that’s been largely negated due to improvements in Android Auto, it’s a limited access situation a bit like camera from lock screen.

I think probably the most common (though maybe not most compelling) serious circumstance is that you die in such a way that the last activity on the device is relevant. An easy one is that insurance tries to say you were doing something on your phone and thus liable for whatever happened. Cell provider side data generally doesn’t help and it is now basically the default in commercial vehicle crashes to claim people must’ve been on their phones.

Depends on whose car we’re in, really. For example, it happens more in my partner’s car (which doesn’t have Android Auto, just an older-style Bluetooth hookup) than mine (which has Android Auto*, with a mid-size screen in the dash). And, of course, whose phone is connected - if I’m on DJ duty in her car, I don’t need to touch her phone to do anything, because it’s my phone on deck.

*- But not wireless Android Auto, come on now Hyundai, the hardware is already there, it’s just a firmware issue now.

That’s not a use case for ready access. That’s a use case for, at most, a breakglass capability or escrow of credentials.