
I wonder what practical measures you could take if you believed you were a target of these guys and were a journo/activist, maybe:

- A different device for each app (WhatsApp, Telegram, Signal, etc.)

- Use web front ends and keep the phone turned off - not sure if it works for all apps

- Regularly ditch devices, sell them second hand and get new/used phones.

- Use the devices to set up meetings in more secure environments, never say/text anything into the phone, assume it's compromised at all times.

And there should be some sanction against NGO, they are scumbags.



Sounds like that would not leave much time for actual journalism. Or room for carrying other equipment. And it would make crossing borders very exciting, explaining all those phones to border control or customs.


Journalism wasn't invented after the smart phone.


Just turn on Lockdown Mode on iOS. It was designed to protect against exactly this. It has been confirmed that if Lockdown Mode had been on, this attack would have failed.

Disable iMessage and don't use iCloud at all, for a belt and suspenders approach.


This probably isn’t a bad idea for an open-source project.

Something akin to GrapheneOS where there’s a constant drive to narrow the attack surfaces, but also removing any concessions related to installing apps or Google services entirely.

Basically, a phone that has access to encrypted messaging and the camera/mics under very controlled circumstances and that’s about it.

The restrictions would also limit the popularity enough that it would likely never be worth the cost of targeting, but also provide greater protection to the few people that really need that protection enough to make those sacrifices.


I'd love a phone with a bank of iPhone-style mute switches, but each hooked up physically to disable the cellular radio, GPS antenna, mic, camera, etc.


PinePhone has that, but it's a PinePhone


The Librem 5 is probably a better alternative for daily driving.


An open-source project is actually worse for security because the attacker can just read your source and find the exploits.

Assembly is a pain to understand even with the latest disassemblers. Cut that out and you’re cutting out 90% of the work.

Now sure in theory having it open source means good people will find the exploit. But have you ever found an exploit and reported it? Of course not. Only attackers are motivated to put thousands of hours of work into looking for vulnerabilities. Unless you pay someone to actually put the same work in, it being open source is meaningless.


Not publishing source code demotivates the white hats and "good people" more than the bad actors, IMHO. There's a reason a lot of cryptography-related libraries have open/available source code.

> But have you ever found an exploit and reported it?

Yes, actually. It was for a project I had already contributed to, so I was just reading source code and stumbled upon a somewhat critical bug. The main problem there was figuring out how to fix it without breaking API, really.


There's probably a way to quickly detect infection, too: constantly look at all network traffic. It's probably pretty difficult to hide the outgoing traffic when they are pulling all your messages and running frequent screen captures. They will encrypt it, but the volume of data should be impossible to hide.

Even easier if you have your phone stripped down and locked up in the first place, fewer apps to ever cause outgoing traffic.
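
The volume check suggested in the comment above, as an added example that is not part of the original thread: it sums a phone's outbound bytes per day from flow records captured off the device and flags days that sit far above the phone's own baseline. The record layout, host names, byte counts and threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (day, destination, bytes_out, bytes_in), as a home gateway
# or VPN endpoint might log per flow for one phone. Hosts and sizes are invented.
FLOWS = [
    ("2024-03-01", "chat.example", 1_200_000, 3_000_000),
    ("2024-03-01", "mail.example",   800_000, 5_000_000),
    ("2024-03-02", "chat.example", 1_500_000, 2_500_000),
    ("2024-03-02", "mail.example",   600_000, 4_000_000),
    ("2024-03-03", "chat.example",   900_000, 2_000_000),
    ("2024-03-03", "mail.example",   700_000, 4_500_000),
    ("2024-03-04", "chat.example", 1_300_000, 3_500_000),
    ("2024-03-04", "mail.example",   900_000, 6_000_000),
    ("2024-03-05", "chat.example", 1_100_000, 2_800_000),
    ("2024-03-05", "203.0.113.50", 180_000_000,  40_000),  # bulk upload
    ("2024-03-06", "chat.example", 1_400_000, 3_200_000),
    ("2024-03-06", "mail.example",   500_000, 4_100_000),
]

def upload_by_day(flows):
    """Sum bytes_out per day, and per destination within each day."""
    per_day = defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    for day, dst, out, _in in flows:
        per_day[day] += out
        per_dst[day][dst] += out
    return per_day, per_dst

def flag_heavy_upload_days(flows, threshold=3.5):
    """Return [(day, bytes_out, top_destination)] for days whose upload volume
    is an outlier above baseline. Uses the modified z-score (median and MAD)
    so that one huge day cannot drag the baseline up and mask itself."""
    per_day, per_dst = upload_by_day(flows)
    med = median(per_day.values())
    mad = median(abs(v - med) for v in per_day.values()) or 1  # guard against 0
    flagged = []
    for day, total in sorted(per_day.items()):
        if 0.6745 * (total - med) / mad > threshold:
            top = max(per_dst[day], key=per_dst[day].get)
            flagged.append((day, total, top))
    return flagged

if __name__ == "__main__":
    for day, total, top in flag_heavy_upload_days(FLOWS):
        print(f"{day}: {total / 1e6:.1f} MB out, mostly to {top}")
```

A volume baseline like this only surfaces bulk uploads seen at the capture point; data sent slowly over many days, or while the phone is on a network you do not monitor, will not appear in it.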



