It turns out that 2FA is only as good as the operating system you’re running – and most Android phones are WAY out of date.
Security researchers at the RSA Conference in San Francisco this week warned against using mobile authentication apps on old smartphones.
Chief Security Officer of HighSide, Aaron Turner, and Chief Technology Officer of Shevirah, Georgia Weidman, emphasised that authentication apps like Google Authenticator or Authy are a lot better than SMS-based 2FA, which is vulnerable to SIM swap attacks, as happened to the Chinese whale who lost $45 million in Bitcoin and BCH last week.
However, they warned that authenticator apps are useless if the underlying mobile operating system is out of date or otherwise insecure.
To put that in perspective, as of 2019 almost 60 percent of Android devices were not running the most up to date version of the operating system, meaning that most users are vulnerable.
Turner said that iPhone users should only use authentication apps on iOS 13, which is the most recent version of the operating system.
“You don’t want the risk associated with 32-bit iOS,” said Turner. “In Android, use only the Pixel class of devices. Go to Android One if you can’t get Pixel devices. I’ve had good experiences with Motorola and Nokia Android One devices.”
Samsung is faking device updates?
Curiously, Turner suggested that Samsung had been faking device updates, citing German phone hacker Karsten Nohl as evidence. “Stop buying their stuff,” he said.
The danger with old operating systems is that they are vulnerable to exploits and malware that enable hackers to put up fake authenticator app screens.
Turner said he had a client using an iPhone 4 and Microsoft authenticator who was hacked.
“My client was traveling in a high-risk country, his phone was cloned and then after he left the country, all sorts of interesting things happened to his accounts.”
Weidman demonstrated how easy it was to extract encryption keys from an iPhone in just seconds onstage.
Android is actually safer than iOS
Interestingly enough, despite perceptions to the contrary, a fully patched Android device is much safer than an iPhone.
Turner said they charged three times as much for an Android penetration test as for an iPhone pen test, as Android was “more difficult to go after”.
Turner also said he didn’t believe that biometric authentication, such as fingerprints or facial recognition, was the answer.
“I am fundamentally opposed to using biometrics because it’s non-revocable,” he said, citing a case in which a Malaysian man’s finger was cut off to steal his biometric-protected car. “Fingerprint readers are biometric toys,” he said.
Instead he suggested that a hardware authentication device such as a Yubikey or Google Titan key was the best security currently available.