Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/beerisgood/mobile_security
a collection of differently important stuff about mobile phones
- Host: GitHub
- URL: https://github.com/beerisgood/mobile_security
- Owner: beerisgood
- License: gpl-3.0
- Created: 2020-10-24T20:13:52.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2025-01-12T17:04:28.000Z (27 days ago)
- Last Synced: 2025-01-17T15:09:51.244Z (22 days ago)
- Topics: android, ios, linuxphone, privacy, security, smartphone
- Size: 386 KB
- Stars: 62
- Watchers: 5
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## Android (Stock Google) + GrapheneOS
- Secure an Android Device [Blog](https://source.android.com/security)
- Android Security Features [Blog](https://source.android.com/security/features)
- Madaidan's Insecurities - Android [Blog](https://madaidans-insecurities.github.io/android.html)
- Madaidan's Insecurities - Mobile Security and Privacy Advice [Blog](https://madaidans-insecurities.github.io/security-privacy-advice.html#mobile-os)
- GrapheneOS: an open-source privacy and security focused mobile OS with Android app compatibility [Blog](https://grapheneos.org/)
- GrapheneOS community [Wiki](https://hub.libranet.de/wiki/graphene-os/wiki/Home)
- Insider Attack Resistance [Blog](https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html)
- Google can't decrypt your locked phone with your Google Password [Blog](https://support.google.com/android/answer/7663172?hl=en&visit_id=637368692303073503-4208188940&rd=1)
- Android Privacy and Security [Wiki](https://hub.libranet.de/wiki/and-priv-sec/wiki/Home)
- Important Android Security mitigations [Reddit](https://archive.is/aO9yv)
- How Android Encryption works [Reddit](https://archive.ph/80M8n)
- Storage Permissions [Reddit](https://archive.ph/0vfL6)
- Why "Magisk", "Xposed" & "Xprivacy(Lua)" don't work and are bad [Reddit](https://archive.ph/S3Sd9)
- Wipe free space [Reddit](https://archive.ph/h4fHa)
- MAC address, serial number, IMEI, ANDROID_ID & Phone permission [Reddit](https://archive.ph/0UHaZ)
- Cellebrite UFED extraction [Reddit](https://archive.ph/IpKzL)
- How Secure is your Android Keystore Authentication? [Blog](https://labs.f-secure.com/blog/how-secure-is-your-android-keystore-authentication/)
- Gyrophone: Recognizing Speech From Gyroscope Signals [Blog](https://crypto.stanford.edu/gyrophone/)
- Why F-Droid isn't recommended for security [GitHub](https://github.com/GrapheneOS/os_issue_tracker/issues/341#issuecomment-699903065)
- a [technical chat](https://github.com/madaidans-insecurities/madaidans-insecurities.github.io/issues/1) about Android with Daniel Micay
- Architectural decomposition and isolation of the Media Frameworks over time [Image](https://1.bp.blogspot.com/-C2DwwKC4hRk/YBMwj0PQgZI/AAAAAAAADhc/za7j8K7zgTs6SbCK6dox8AjWidxRwPbOwCNcBGAsYHQ/s1122/Image%2B%2523%2B2.png)
- Data Driven Security Hardening in Android [Blog](https://security.googleblog.com/2021/01/data-driven-security-hardening-in.html)
- Securing Android from any unauthorized individual or criminal [Video](https://www.youtube.com/watch?v=WvIItxY-BKs&list=PLsoPy7S6vUtF48sOnu40WXUUzL0O9LNsf)
- Continuing to Raise the Bar for Verifiable Security on Pixel [Blog](https://security.googleblog.com/2021/03/continuing-to-raise-bar-for-verifiable.html)
- Why does the F-Droid website nearly always host an outdated F-Droid apk? [Forum](https://forum.f-droid.org/t/why-does-the-f-droid-website-nearly-always-host-an-outdated-f-droid-apk/6234/1)
- CVE-2017-5947: OnePlus EDL triggering through ADB or Hardware Key Combination [Blog](https://alephsecurity.com/vulns/aleph-2017007)
- CIS [Security Benchmark](https://www.cisecurity.org/benchmark/google_android/)
- NIST Security Technical Implementation [Guide](https://ncp.nist.gov/checklist/968)
- F-Droid [InSecurity](https://privsec.dev/posts/android/f-droid-security-issues/)
- How private are [Android keyboards](https://www.scss.tcd.ie/Doug.Leith/pubs/gboard_kamil.pdf)?
- Waydroid or GrapheneOS? [Reddit](https://archive.ph/hzvSZ)
- [*broken VPN*](https://mullvad.net/en/blog/2022/10/10/android-leaks-connectivity-check-traffic/)
- Malware on the Google Play store [leads](https://www.malwarebytes.com/blog/news/2022/11/malware-on-the-google-play-store-leads-to-harmful-phishing-sites) to harmful phishing sites
- Attacking the Android kernel [using](https://tamirzb.com/attacking-android-kernel-using-qualcomm-trustzone) the Qualcomm TrustZone
- Why Eve and Mallory Still Love Android: Revisiting TLS [(In)Security in Android Applications](https://www.usenix.org/conference/usenixsecurity21/presentation/oltrogge)
## iOS (Apple)
- (2016) tfp0 [GitHub](https://siguza.github.io/cl0ver/)
- (2016) Demystifying the Secure Enclave Processor [YouTube](https://www.youtube.com/watch?v=7UNeUT_sRos)
- (2018) A14's new memory tagging - "Memory Tagging and how it improves C/C++ memory safety" [YouTube](https://www.youtube.com/watch?v=lLEcbXidK2o)
- (2018) KTRR [GitHub](https://siguza.github.io/KTRR/)
- (2019) Recreating An iOS 0-Day Jailbreak Out Of Apple's Security Updates [YouTube](https://www.youtube.com/watch?v=p512McKXukU)
- (2019) "What's in a Jailbreak? Hacking the iPhone: 2014 - 2019" [YouTube](https://www.youtube.com/watch?v=31azOpD7DmI)
- (2019) Evolution of iOS mitigations [PDF](https://github.com/ssd-secure-disclosure/typhooncon2019/blob/master/Siguza%20-%20Mitigations.pdf)
- (2019) Examining Pointer Authentication on the iPhone XS [Blog](https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html)
- (2019) APRR [GitHub](https://siguza.github.io/APRR/)
- (2020) [sandbox profiles](https://archive.is/FVLMH) in iOS 14
- (2020) The core of Apple is PPL: Breaking the XNU kernel's kernel [Blog](https://googleprojectzero.blogspot.com/2020/07/the-core-of-apple-is-ppl-breaking-xnu.html)
- (2020) PAN [GitHub](https://siguza.github.io/PAN/)
- (2020) "Psychic Paper" [GitHub](https://siguza.github.io/psychicpaper/)
- (2020) Behind the scenes of iOS and Mac Security [YouTube](https://www.youtube.com/watch?v=3byNNUReyvE)
- Billy Ellis [YouTube Channel](https://www.youtube.com/c/BillyEllis/)
- ARM assembly basics [Blog](https://azeria-labs.com/writing-arm-assembly-part-1/)
- Why are iPhones considered better for privacy/security? [Reddit](https://archive.ph/zgZBG)
- data minimization [Reddit](https://archive.ph/5zJt5)
- clear explanation of how tracking is changing in iOS14 [Reddit](https://archive.ph/XN739)
- Browser for iOS [Reddit](https://archive.ph/QlfIz)
- Cellebrite and case scenarios [Reddit](https://archive.ph/UlEuC)
- Apple's new security program [Reddit](https://archive.ph/Q3qbO)
- Chances of backdoors in Apple operating systems [Reddit](https://archive.ph/agxgh)
- iCloud data security [overview](https://support.apple.com/HT202303)
- Privacy Review - See the trackers hidden in your apps [Blog](https://privacyreview.co/)
- Should I get an iPhone if I value privacy? [Reddit](https://archive.ph/2NEUH)
- iOS advantages [Reddit](https://archive.ph/2V8Ik)
- iOS uses an [improved implementation of ARM's Pointer Authentication Codes](https://developer.apple.com/documentation/security/preparing-your-app-to-work-with-pointer-authentication) (PAC), ensuring backward and forward-edge protection
- Complete W^X implementation in iOS via [ARM’s Execute Never (XN) feature](https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf) (page 136)
- how sideloading and third-party app stores would undermine iPhone security [PDF](https://www.apple.com/privacy/docs/Building_a_Trusted_Ecosystem_for_Millions_of_Apps.pdf)
- CIS [Security Benchmark](https://www.cisecurity.org/benchmark/apple_ios/)
- NIST Security Technical Implementation [Guide](https://ncp.nist.gov/repository?sortBy=modifiedDate%7Cdesc&keyword=iOS)
- A Look at iMessage in iOS 14 [Blog](https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html) (Keywords: Blastdoor, Re-randomization of the Dyld Shared Cache Region)
- JITSploitation [I: A JIT Bug](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-one.html) | [II: Getting Read/Write](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-two.html) | [III: Subverting Control Flow](https://googleprojectzero.blogspot.com/2020/09/jitsploitation-three.html)
- Page Protection Layer ([PPL](https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/1/web/1#sec314c3af61))
- iOS 16: [restricted Userclients](https://saaramar.github.io/ios16_restricted_iouserclients/)
- [some resources](https://github.com/houjingyi233/macOS-iOS-system-security) about iOS/macOS system security
- Clone your finger - [bypassing TouchID](https://wojciechregula.blog/post/clone-you-finger-bypassing-touchid/)
- VPNs on iOS are a [scam](https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php) and somehow [broken](https://archive.is/CaFL2)
- InAppBrowser.com - see what JavaScript commands get [injected](https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser) through an in-app browser
- iOS hardened allocator, called [kalloc_type](https://security.apple.com/blog/towards-the-next-generation-of-xnu-memory-safety/)
- [why](https://web.archive.org/web/20230713190731/https://twitter.com/bytebytego/status/1583331309094510593) ApplePay is more secure and private than GooglePay
- (A15 chip and above) Safari hardware security mitigation called [JITBox](https://www.youtube.com/watch?v=8mQAYeozl5I&t=635s)
- Location Services Privacy [Overview](https://www.apple.com/privacy/docs/Location_Services_White_Paper_Nov_2019.pdf)
- [Lockdown](https://support.apple.com/HT212650) Mode - a thread about [what happens](https://infosec.exchange/@eingfoan/110048946958208752#) (also available for Apple Watch since watchOS 10)
- When does an old iPhone [become](https://www.intego.com/mac-security-blog/when-does-an-old-iphone-become-unsafe-to-use/) unsafe to use?
- What [if](https://security.apple.com/blog/what-if-we-had-sockpuppet-in-ios16/) we had the SockPuppet vulnerability in iOS 16?
- Apple [Health Privacy Overview](https://www.apple.com/ios/health/pdf/Health_Privacy_White_Paper_May_2023.pdf) - how the Health app and HealthKit protect your privacy
- [App](https://support.apple.com/HT212025) Tracking Transparency
- (iOS [17.0](https://www.apple.com/ios/ios-17/pdf/iOS_All_New_Features.pdf)) features: Link Tracking Protection in Messages, Mail, and Safari; Communication Safety & Sensitive Content Warning; Photos privacy prompt improvements; Add-only Calendar permission; App privacy improvements; more secure Lockdown Mode; Privacy changes with [Safari 17](https://cunderwood.dev/2023/06/09/privacy-changes-coming-to-safari-17/)
- An [analysis](https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wild-ios-safari-sandbox-escape.html) of an in-the-wild iOS Safari WebContent to GPU Process exploit
- Advancing iMessage security: iMessage Contact Key [Verification](https://security.apple.com/blog/imessage-contact-key-verification)
- [Operation Triangulation](https://media.ccc.de/v/37c3-11859-operation_triangulation_what_you_get_when_attack_iphones_of_researchers): What You Get When Attack iPhones of Researchers
- Apple's iPhone 15 [Under the C](https://media.ccc.de/v/37c3-12074-apple_s_iphone_15_under_the_c): Hardware hacking tooling for the new iPhone generation
- Bifröst: Apple's [Rainbow Bridge](https://media.ccc.de/v/37c3-11948-bifrost_apple_s_rainbow_bridge_for_satellite_communication) for Satellite Communication
- [Stolen Device Protection](https://support.apple.com/HT212510) for iPhones
- how Apps [abuse](https://www.youtube.com/watch?v=4ZPTjGG9t7s) Push Notifications for Tracking
- App privacy [report](https://support.apple.com/102188)
- (A17 Pro chip and above) [Apple Intelligence](https://www.apple.com/apple-intelligence/) & [Private Cloud Compute](https://security.apple.com/blog/private-cloud-compute/)
- (iOS [18](https://www.apple.com/newsroom/2024/06/apple-extends-its-privacy-leadership-with-new-updates-across-its-platforms/)) Locked and hidden apps, Contacts permission improvements, Accessory Setup Kit, [Rotate Wi-Fi Address](https://www.macrumors.com/2024/06/10/ios-18-rotate-wifi-address/)
- (iPhone 16 / A18 chip and above) [Secure Exclave](https://mastodon.social/@_inside/112552696723119626) like the M4 (and above) iPad Pro
- (iOS 18) [Inactivity Reboot](https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html)
- You can be an iOS hacker: Stack Pivots and JOP/ROPs [YouTube Video](https://www.youtube.com/watch?v=2f9KQIL5jFs)
## Custom ROMs (like LineageOS, etc)
- Madaidan's Insecurities - Custom ROMs [Blog](https://madaidans-insecurities.github.io/android.html#custom-roms)
- Is LineageOS secure? [Reddit](https://archive.ph/kNRHK)
- LineageOS problems with firmware updates & user-debug builds [Reddit](https://archive.ph/ZtE8N)
- Why can't LineageOS address its security issues? [Reddit](https://archive.ph/ocOk5)
- read what's wrong with /e/ aka eelo [Blog](https://ewwlo.void.partidopirata.com.ar/)
- avoid toxic CalyxOS [Reddit](https://archive.ph/n2y4m)
- ClearOS (Freedom Phone) is [not great](https://mjg59.dreamwidth.org/59479.html)
- [Positon](https://grapheneos.org/articles/positon-location-service#positon-location-service) location service
## CopperheadOS (**Warning! Scam**)
- Info about CopperheadOS [Twitter](https://archive.is/rRrVI)
- CopperheadOS Bogus Legal Threat [Blog](https://renlord.com/posts/2020-03-25-copperheados-legal-threat/)
- Just a reminder that GrapheneOS is being sued by a company that has been harassing Graphene devs [Reddit](https://archive.ph/XlH5K)
- Unbelievable: Copperhead registered the grapheneos.ca and grapheneos.net domains and redirected them to their site [Twitter](https://archive.is/VFN1u)
- ongoing attacks on GrapheneOS [Reddit](https://archive.is/rRrVI)
- Copperhead CEO has admitted to their new OS tracking devices including via device identifiers in the update system which are stored in databases mapping device identifiers to customers by their official phone sellers. It's a backdoor enabling targeting devices/users with specially crafted updates [Twitter](https://archive.is/uULWl)
- Proof of Copperhead threatening a PhD student for working on GrapheneOS with bogus legal claims. It also shows how they tried to get him in trouble with his university by framing it as him using their resources (which he didn't do) for copyright infringement (which didn't happen, it is open source) [Reddit](https://archive.ph/fhGQT)
- Archive of Copperhead CEO trying to get Ian Carroll (well known security researcher) fired for sending a single Direct Message to @CopperheadOS on Twitter with a middle finger emoji. He was able to DM them because they stole the account from the open source project and they hadn't unfollowed him [Archive](https://archive.is/k6Xxg)
- STATEMENT OF DEFENCE AND COUNTERCLAIM against Copperhead in their bogus lawsuit aimed at intimidating GrapheneOS and draining our time, energy and money. We're also filing a federal lawsuit against Copperhead over their fraudulent copyright claims and may take further action [PDF](https://grapheneos.org/legal/Micay_%20Copperhead_%20Statement%20of%20Defendant%20and%20Counterclaim.pdf)
- Archive of Copperhead's early threats, ultimatums and false claims against the open source project. They threatened @yegortimoshenko for archiving it and attempted to get it taken down with a bogus DMCA. Be aware it's full of false claims. Compare the false narratives back then to their claims now [GitHub](https://github.com/yegortimoshenko/copperhead-takeover/)
- Help spreading CopperheadOS scam [Twitter](https://archive.is/vPNem)
- History of GrapheneOS [Website](https://grapheneos.org/#history)
## Linux Phones (like Purism)
- Madaidan's Insecurities - Linux Phones [Blog](https://madaidans-insecurities.github.io/linux-phones.html)
- Linux in general is quite bad for security [Reddit](https://archive.ph/pEUKF)
- Librem firmware and hardware is not open source [Reddit](https://archive.ph/v3Z6M)
- Librem security theater [Reddit](https://archive.ph/fvgeZ)
- Linux phones are not automatically secure [Blog](https://tuxphones.com/linux-mobile-devices-are-not-inherently-secure/)