In case you use OpenPGP on a smartphone ...

Stefan Claas sac at 300baud.de
Mon Aug 10 17:14:25 CEST 2020


ಚಿರಾಗ್ ನಟರಾಜ್ via Gnupg-users wrote:
 
> 10/08/20 09:07 ನಲ್ಲಿ, Stefan Claas <sac at 300baud.de> ಬರೆದರು:
> > 
> > Matthias Apitz wrote:
> > 
> > > El día domingo, agosto 09, 2020 a las 10:06:13p. m. +0200, Stefan Claas escribió:
> > >
> > > > > This article showed up today, when I did a Google search again:
> > > > >
> > > > > <https://tech.firstlook.media/how-to-defend-against-pegasus-nso-group-s-sophisticated-spyware>
> > > > >
> > > > > Trustworthy source.
> > > >
> > > > Mmmhhh, it is getting 'better and better' for smartphone users.
> > > >
> > > > https://www.androidauthority.com/government-tracking-apps-1145989/
> > > >
> > >
> > > One can use a Linux mobile phone running UBports.com (as I and all my family do)
> > > or the upcoming Puri.sm L5 (as I pre-ordered in October 2017).
> > 
> > Yes, people gave me already (not from here of course) good advise for other OSs
> > which one can use. The question is how long will those OSs been unaffected ...
> > 
> > > Stop whining, stand up and fight and protect yourself.
> > 
> > I am not whining ... I only wanted to let the people know. Also very
> > interesting that only one person in this thread replied, besides you ...
> 
> I was wary of storing my private GPG keys on my phone (if only because of theft/loss/etc), so I set up my keys on a Yubikey
> and use that to decrypt stuff on my phone. From what I understand, even if they were to obtain secrets decrypted by the
> Yubikey or exfiltrate private files, they would not be able to actually decrypt them given that the key resides on the
> Yubikey (if the private key were on the phone itself, they'd "just" have to crack the passphrase or whatever, which would
> presumably be much easier...).
> 
> Just another way to mitigate the risk of stuff like this.

Well, I do have YubiKeys and a Nitrokey too, but I would say while they can't obtain your private key they will for sure
know the passphrase (PIN) used and the content you encrypted/decrypted on your smartphone.

I came up yesterday with the idea to use an additional offline laptop[1] connected to my smartphone via a USB OTG cable
and an FTDI USB to USB cable, costs for both less then 20 USD. When both devices are connected one uses on the laptop
CoolTerm (cross-platform) and on the Android device serial usb terminal, available on the PlayStore.

As of my understanding (please someone proofs me wrong) an attacker would have a hard time to know the encrypted content
created on the offline laptop.

[1]I have to check out if they are mobile and inexpensive Raspberry Pi solutions available for purchase.

Regards
Stefan

-- 
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion



More information about the Gnupg-users mailing list