In Android, the IP-based data layer is end-to-end encrypted, but the same is not true for voice and SMS traffic on telephone networks. Its encryption remains under the control of the operator, without any type of control by the user, who cannot know if the data is encrypted or not.

This enables another possible attack, when a device like StingRay makes the mobile believe that the network does not support encryption, so that it switches to an unencrypted connection, thus potentially being intercepted.


I have not found this option either in Android 14 G stock or in graphene.

    Icecube Cellular network encryption doesn't prevent surveillance. Carrier-based calls and texts are fundamentally insecure. They pass through your carrier and other carriers as plain text. The network connection having authenticated encryption only aims to secure the connection to a fundamentally insecure federated network. On top of that, cellular encryption is known to be insecure and disabling the null cipher doesn't change that it can be broken. Even 4G and 5G encryption is thoroughly broken with basic things not done properly.

    Even apps without end-to-end encryption almost all use transport encryption which at least means only their servers can see messages and metadata. Use end-to-end encryption whenever possible, but transport encryption is enough to mitigate this and nearly everything has transport encryption now. Apps without at least TLS with WebPKI authentication for transport are increasingly uncommon. Carrier-based texts and calls won't be secure even if you have only 4G or 5G enabled (we plan to extend our 4G only option to 5G) and if there was a way to disable the worst ciphers, etc. It's still not secure encryption and it's still only able to secure the initial connection to an insecure federated network. That doesn't really accomplish much.

    Thanks for the explanation, I see that the best way to make voice calls is using Signal, or even Conversations (OMEMO), instead of VoLTE.
    I am surprised that many companies or banks continue to use SMS as a two-step verification method instead of Yubikeys or similar.


      Icecube I am surprised that many companies or banks continue to use SMS as a two-step verification method instead of Yubikeys or similar.

      I'm not sure why you find that so surprising? SMS 2FA is much easier and convenient for businesses. They'd rather spend more money elsewhere compared to implementing proper 2FA, an app for customers to use that is routinely up-to-date, etc.


        I thought that if small email companies can afford to implement a system like YubiKey (FIDO2), where the client generates much less profit, a bank could take it on without reducing its profits too much. I think even an OTP (G Authenticator) used on a mobile phone is better than an SMS.