Episode 19: "Get Rid of My Android Phone?!?"

AKA: Why I Keep Saying "I Told You So…"


Writing about technology — including all of its benefits and shortcomings — requires time to deeply investigate and a willingness to dig for facts that can be corroborated. Even with all of the time that I invest, I still make mistakes and get some things wrong. When my subscribers and readers point out my mistakes, I say “thank you” because I’m truly grateful. Some of you know about solutions or workarounds that I’ve not seen, despite being in the tech world for over 25 years. It’s always been this way but it bears repeating: I’m learning about technology just as much as you do when I write these pieces, so I’m really glad to learn from my readers.

Sometimes, however, the feedback I get isn’t always… er: “positive”. And of all the fact-based claims I’ve made, the one that causes the most grief for my readers is this one right here:

The Apple iOS/AppStore ecosystem is — by far — safer and more secure than the Android/Google Play ecosystem. 

Never mind that the above statement is true: some people clearly don’t like hearing it, especially - ahem - Android users. Look, I get it. It’s not news that anyone who has committed to the Google ecosystem wants to hear. That might be why “Androiders” (I just made that term up, do you like it?!) express their disappointment, stubbornness, anger or impatience when I make this claim. In practical terms, I’m told things like:

  • “If you’re really careful and know how it works, then Android is great!”

  • “You’re just an Apple fanboy!”

  • “Android is more flexible, configurable, and powerful than iOS!”

To these claims, I say:

  • Not everyone is really careful!

  • I do love Apple, but not to the point that I’d embrace them if they didn’t make easy-to-use and reasonably safe software and hardware!

  • Being flexible and configurable doesn’t make something safe!

Today, once again, the news supports my claim. New data released reveals that over 335 million installs of over 170 malicious apps have been tracked on Google Play, the company’s Android store platform. 335 million downloads. Go ahead, let that number sink in. 





Sorry, I’m not ready to write more words, yet, friends. That’s because you still need to be thinking about how ridiculously big that number is. 335 million. That’s a huge, freaking number. Huge. But you know what’s an even bigger number than that? 500 million. This month — September 2019 — it was also revealed that there were 500 million installs of six different, malicious apps from the Google Play store. Those installs included four VPN apps and two selfie apps.

Sweet Jesus, that’s a lot of downloads.

Does that mean Apple’s AppStore is perfect? No, it doesn’t. Apple and all companies have to regularly police their distribution platforms. Apple’s missed that mark a few times.

  • In this instance, while nothing malicious was found, the possibility of something malicious happening was noted.

  • In this instance, 39 apps - all popular in China - were discovered to have a critical flaw that, in cases, could be used to copy data from your iOS device including usernames/passwords if those had been previously copied by you.

  • And in this instance, researchers from the Georgia Institute of Technology uploaded a proof-of-concept app into the AppStore that showcases HOW a malicious hacker could sneak an app past Apple’s app police.

But friends, it’s not the same. These are rare instances compared to what’s happening on the Android platform. I’m sorry, really. But I mentioned this in my Medium article — How to Set Up a Secure Phone — back in May of 2019 and the facts really bear repeating: 

Apple’s iOS is — by far — safer than either Microsoft’s Windows or Google’s Android. These results have been confirmed by others. Repeatedly. And then again. And then again.

This month’s news is yet another example of how poorly the Android/Google ecosystem is faring against malicious code, malicious apps, and the malicious hackers who take advantage of Google’s open system to hurt unsuspecting users. Apple’s ecosystem is, like it or not, safer. At least it is at the present time.

Back in 2017, one notable security expert — Mikko Hypponen — stated that Android “remains a haven for cybercriminals”. In the same article, he also stated that Windows mobile was a better choice than iOS because, in essence, so few people used it. Turns out, Microsoft agreed with him 100%: earlier this year, they announced they’re ending support for Windows mobile and will no longer update it.

You can hate me, you can be upset by the facts, and you can tell me that my pointing it out makes you feel like you’ve been duped into using an ecosystem that doesn’t protect its users. I get that. And you’d be right to feel and think those things.

But at the end of the day, you can’t reasonably debate me on this because the facts support Apple being a safer ecosystem. Is it a “walled garden” as some call it? Yes. It is. Does Apple charge a premium for its hardware? Yes, they do.

And you know what, folks: I’m happy to pay a little more to support a company that puts privacy first. That’s because I use my column on Medium and my technology newsletter to advocate for only one thing, really: safe, private, and secure computing. Pretty much everything I write is based around helping others — and myself! — achieve that goal.

So to my valued and passionate Androiders who subscribe to my newsletter, please forgive me for pointing out the obvious:

If you use an Android phone and you’d like an easy way to increase your security, your privacy and to reduce your risk of hacking: switch to using an Apple iOS device.

You might not like to hear the truth. But it’s still the truth. And for those who need enterprise-grade security, it turns out that Blackberry’s KEY2 phone is very highly rated. That’s because, even though the device runs on Android, it comes with features and services that Google and Android don’t provide by default including two years of security patches from both Google and Blackberry. Nice job, Blackberry. And here I thought your brand was dead.

However, as the writer concludes, if you don’t want that level of security, then the next best bet is…

…an iPhone. 😂

And that’s a wrap for today’s episode, everyone. Thank you again, for reading and being a subscriber. Let me know your thoughts in the comments section or by email.

As always… surf safe.

Click here for my guide on how to choose a privacy-focused VPN.
If you’re looking to set up a VERY secure iPhone, click here.
For a super cool way to NOT give your personal email address to everyone, click here.
Click here for a crash course on how to keep your devices updated.

Episode 18: Stop. Giving. Away. Your. Data.

How Websites Seek to Capture Your Data and What You Can Do To Counter

Hi folks and welcome to Episode #18. If it looks like I skipped a number, I didn’t. :) Our paid subscribers got to read Episode #17, something that my free subscribers didn’t get in email and don’t have access to via the TechTalk archives. Episode #17 is about the safe methods to use when upgrading/updating the software on your smartphones, tablets, computers or connected devices. To gain access to all of my posts via email and via the TechTalk archives, consider clicking this button right here. For the cost of one Starbucks latte per month, you can help support quality technology writing and (even better) make yourself safer online.

The Background

This episode is all about the traps — usually hiding in plain sight — that tech companies use to help us part with more of our privacy and security than we should. We often overlook these seemingly benign requests, so let’s learn how to better identify them so that we can start saying “No!” when we see these requests, OK?

Let’s jump right in…

The “Give Us Your Phone Number” Method

Websites — especially “free” social media and networking sites — rely on generating their profit by selling your data to advertisers. It’s a very lucrative business, something I talked about at length in Episode 15. That episode was focused on how the Google ecosystem works. I also talked about this concept in Episode 17, which detailed how the beanie-wearing CEO of Twitter had his own Twitter account hijacked.

What It Looks Like

Companies have gotten very clever at selling you on why they need access to your phone number. Here are two of the more common reasons provided: security & notifications…

There! Do you see? If you just give us your cellphone number then we can “keep your account secure” or “reset your password easily”.

How It Works

When you willingly give any website your actual cellphone number, the company owning that website now has extra capabilities and data about you that they don’t need and shouldn’t have:

  • The ability to message or call you. If a company has your phone number, then it’s only a matter of time before they use it.

  • The ability to target ads to you based on your area code. If your cellphone area code is 212, then either you live in New York City or you once did. That information is important to companies who wish to advertise to you.

  • The knowledge of which company provides your cellphone service. If you give a website your cellphone number, that website can identify your cell service provider. If I know that, I’m one step closer to attempting to SIM-swap your account. This is the same trick that malicious hackers used in August of 2019 to take control of the Twitter account of the CEO of Twitter, Jack Dorsey.

  • Access to any public information linked to your number. Ever enter your cellphone number into Google, Yahoo, Bing, SmartPage or DuckDuckGo? It’s worth seeing just how much information is available about you all because you’ve willingly given your cellphone number to a website or other company.

If that sounds like it’s a lot of extra power and data that you’d rather not wish others to have: friend, I don’t blame you. Fortunately, there’s something we can do about it.

The Actual Truth

The truth is that you can reset your password and have a VERY secure account without giving any company or website your personal cellphone number. There is no company on the planet that needs your personal cellphone number to maintain your security or safety. Literally: none. Therefore, there’s no need to willingly provide that information to any company. Literally: none.

What to Do

Start thinking of yourself as a spy. No: I’m not joking. I want you to classify yourself! Never give out your actual cellphone number to anyone: websites, banks, the PTA, government organizations, co-workers or, obviously, strangers. Instead, if you absolutely MUST provide a phone number on certain occasions, only provide those individuals or companies with a secondary phone number. You can obtain one of those for free from either of these providers:

  • Google Voice works on all computers and Chromebooks, and on any mobile device running iOS or Android. The service is easy to use, integrates seamlessly into Google’s ecosystem, and offers some of the same powerful features that Google pioneered, including a powerful search engine and effective spam filtering for your phone calls.

  • Pinger Textfree is 100 percent free and available for iOS, Android, and over the web on any computer. The free version is funded by ads that display in various parts of the app when you’re texting and calling. There is, of course, a paid version without ads ($2.99/month) or with a reserved number ($4.99/month), but honestly, why bother for a burner number? Texting is totally free, but placing calls will cost you credits.

“But, David,” you ask, “If I’m using a Google product, won’t they just harvest more data from me?”. Good question. Yes, they will. But again, you’re only giving out your secondary phone number to non-essential companies or people. You can still provide your actual cell phone number to those who are in your “inner circle” of trust. What Google captures with the other calls is, essentially, secondary information, not your most trusted data.

The “Just Use Facebook” or “Just Use Google” Method

Some websites offer “convenience” instead of security. There’s nothing wrong with that if the website is upfront with you about it, but most aren’t. To me, “security” means taking responsibility for guarding your log-in information: your username & password.

What It Looks Like

As a “convenience”, many websites offer you the ability to log into their systems using your Facebook or Google Account to sign in. Here are two examples:

How It Works

While it’s a convenience to not have to remember another user name and password, it’s also a liability. Giving Facebook & Google permission to log us into other websites opens all of us to a variety of consequences & trade-offs:

  • Giving Facebook & Google more information about you, in general. Remember, social media websites collect as much data about you as you allow them to. That’s their business. Giving them permission to log you into various websites provides them with much more data about who you are.

  • Giving Facebook & Google more information about you, in specific. We all have stories and information about ourselves that we guard more carefully. For example, are you a recovering alcoholic? Do you belong to a MeetUp group for recovering alcoholics? If you log into the MeetUp website using Facebook or Google, are you 100% sure about which data you’re sharing with those companies?

  • Facebook & Google can target you more specifically. With the extra data you willingly provide, Google and Facebook can then target you with even more precise ads for products, political issues & political candidates. Those ads have proven to create a more divisive political atmosphere and, in some cases, allowed foreign governments to influence our last major election cycle.

  • You open yourself to security vulnerabilities. If the websites you log in to hand off the security of your account to Facebook & Google, then those social media companies are now responsible for safeguarding your data. Only, they don’t. Facebook, in particular, is fucking awful at keeping their site secure. Last year, a study associated with Princeton's Center for Information Technology Policy found many security vulnerabilities with the Facebook login mechanism. Those security vulnerabilities can allow for malicious websites or hackers to capture even more additional information about you.

“The researchers found that sometimes when users grant permission for a website to access their Facebook profile, third-party trackers embedded on the site are getting that data, too. That can include a user's name, email address, age, birthday, and other information, depending on what info the original site requested to access.” — from the WIRED article on the same study.

Oh, and that doesn’t also count the 30 million Facebook users who had their account info compromised due to a security breach.

The Actual Truth

There is no reason that you need to use Facebook or Google to log in to non-Facebook or non-Google websites. Literally: none. Doing so means that you are willingly providing those companies with extra information about you that they don’t need. Don’t help them.

What To Do

Instead of logging in with social media accounts, use a well-respected, well-reviewed password manager. If possible, choose an application that’s built entirely on “open source” software, so named because its source code is open for anyone — anyone!! — to view. The security community considers open-source software to be safer than traditional, commercial software precisely because anyone can see it and suggest code improvements.

In my opinion, the best open-source password manager available is Bitwarden. It’s 100% free, and available for every major operating system and browser. After using LastPass for nearly a decade, I’ve been using Bitwarden for the past three months on my computer and smartphone and I like how well it works in most (but not all) cases, compared to LastPass. Grab it and use it to manage all of your user names and passwords so you don’t have to rely on your brain or on Facebook to do it for you.

To Consider

At their most recent keynote address, Apple announced that they, too, would be offering a simplified, convenient log-on button to help consumers. It’s called, simply “ Sign-in with Apple” and it will look like this:

Apple’s claiming to be putting both convenience and privacy forward for consumers with their offering saying that they won’t track what apps you're using or where you have accounts. Developers (and supposedly Apple) do not see any of your data that you don't agree to provide and the company is making it very easy to hide your personal email address so others won’t have access to it:

Sounds like an interesting option. In fact, it’s worth watching the Wall Street Journal video below for a deeper dive on how Facebook, Google, & Apple’s system will work:

If Apple has done its work correctly — and the long-term reviews are yet to be seen — consumers will get a convenient login but with deeper security and privacy than either Google or Faceturd can provide. For me, that’s worth exploring. To see how the process works on iOS 13, MacRumors has an excellent write-up (with pictures!!) to help make things nice ‘n easy.

Until Apple’s new system is proven to be a game-changer, I’ll share what I use:

My Favorite Email Tool

I spoke at length about these folks back in Episode #3. The company is called 33mail and they offer unlimited, free, customizable email addresses. Even better, their system and interface is simple and has helped me to nearly halt spam instantly. In fact, after using their free plan for months, I decided to sign up for the company's premium service for $1/month. It was worth it. That tier provided me with: no advertisements in forwarded emails, use of my own customized domain, and a higher monthly data cap so I could send/receive more emails using their system. Here’s how it works…

Not bad for a free service. Not bad at all…

And… that’s a wrap for today’s episode, my friends. Thank you all, once again, for reading and for being a subscriber. Let me know your thoughts in the comments section or by email.

As always… surf safe.


Episode 16: How To Prevent Your Twitter Account From Being Hacked

Avoid What Happened to the Beanie-Wearing CEO of Twitter

Happy Autumn, everyone. I hope everyone had a peaceful and relaxing Summer. After taking a much-needed Summer break with my family, I’m back with more updates, info, and useful tips. I’m looking forward to diving into more fun topics with you. Please leave comments and questions. We’ll start this new season with something plucked from the headlines.

The Background

Jack Dorsey is the beanie-wearing CEO of Twitter and Square. In 2016, Dorsey’s personal Twitter account “@jack” was hacked by “OurMine”. OurMine - a hacking collective or, perhaps, just one teenager - had already hacked the accounts of both Facebook’s and Google’s CEO before compromising Jack’s Twitter account. When OurMine took control of @jack, they tweeted something simple but obvious:

“Testing your security”

Of course, that was three years ago, so the folks at Twitter have had plenty of time to patch any weak links on their platform and with any associated systems that feed into Twitter. They’ve also, obviously, had plenty of time to make whatever changes they needed to protect their CEO’s highly-visible Twitter account and, by extension, the accounts of every other Twitter user.

Alas, that’s not how this ridiculous story ends.

The Latest

Last month, on August 30th, Jack Dorsey’s Twitter account was hacked once again, this time by a hacking collective called the “Chuckle Squad”. Once the @jack account was under their control, the hackers tweeted/retweeted some truly offensive messages:

For 18 minutes, the offensive tweets remained visible to the public. Then, Twitter security teams removed them. About 90 minutes after the hack was discovered, the Twitter Communications team tweeted to their boss that his @jack account was secure.

If you consider the 2016 hacking episode — and I most certainly do — then a 90 minute response time to fix a hacked account that was previously compromised is about three years too slow.

The Method

What makes the hack even more embarrassing is the method the hackers employed to “pwn” Jack’s Twitter feed. Pwning his account — hacker speak for “owning” or “taking control of” — was carried out by leveraging one of the lowest-tech solutions around: text messaging.

Again, from the Twitter Communications team:

If you’re wondering how that’s even possible, here’s the rub: Twitter asks you to link a phone number to your account. This is done, supposedly, both to verify your account and to enable a security feature known as 2-step verification. However, this “security” feature also opens an awful vulnerability:

Sending a text message to “40404” from the phone number connected to your Twitter account allows you to tweet from that connected account without needing to sign in to your Twitter account using a username and password. This is made possible by Cloudhopper, a company that Twitter purchased in 2010.

This means that the most recent hack of Jack Dorsey’s Twitter account was, in fact, accomplished by leveraging the technology from another company which is also owned by Twitter.

#FacePalm 🤦

The Confirmation

To confirm this for myself, I went ahead and tried texting to 40404 from the phone number connected to my Twitter account. And when I did (screengrab at left), you’ll never guess what happened on my Twitter account (screengrab at right)…

So… if someone picks up your phone and simply texts a message to 40404, then that message goes live to everyone who follows you on Twitter. Oh, well: so much for security… and for your reputation.

The Prevention

There are three steps to prevent what happened to the beanie-wearing CEO of Twitter from happening to you: removing phone numbers from your Twitter account(s), locking your cellphone SIM card with a unique password, and removing your cell phone number from any critical internet account you own.

Let’s break down each of these:

Removing Your Phone Numbers From Twitter

  1. To find where Twitter keeps the phone number linked to your account, click this link on your desktop/laptop computer: https://twitter.com/settings/phone. You’ll see the following page. Click the “Delete phone number” button which I’ve highlighted:

  2. Now, click the red “Delete” button in the pop-up window as shown:

  3. Congratulations! You’ve now prevented what happened to the CEO of Twitter from happening to you. You’ll get an email confirmation like this one, reminding you that you can always change your mind. Worth noting: do not change your mind. There is no reason to ever link your phone to your Twitter account.

Lockdown Your Cellphone SIM

The deeper reason that the beanie-wearing CEO of Twitter had his Twitter handle hijacked was through a long-standing hack known as SIM swapping. Here’s how it works: malicious hackers start by collecting any relevant, public information about you including name, address, phone number, email, last four digits of your social security number, etc. Then, posing as you, they call the mobile carrier that controls your cellphone contract and attempt to convince them to port your mobile number to a new provider or new number.

That process, it turns out, is VERY easy to do.

However, you can change that by locking your SIM or account with additional passwords. It's simple to do and will prevent SIM swapping from occurring on your accounts. Here are the pages and links offered by each of the four, main American providers:

  1. AT&T offers a mostly easy-to-follow breakdown at this link: https://www.att.com/esupport/article.html#!/wireless/KM1051397

  2. Verizon offers their guide at this link but they only allow a 4-digit password: https://www.verizonwireless.com/support/account-pin-faqs/

  3. T-Mobile describes its process in the screengrab below or at this link: https://www.t-mobile.com/customers/secure. I’d recommend using a longer, 15-digit password if possible.

  4. Sprint has its info at this link:

If you’re a reader from another country, please: either go online to your carrier’s website to learn how to do this or — gulp — call them up to get help in locking your SIM or account down with this second layer of protection.

Remove Your Mobile Phone Number From ALL Online Accounts

The only reason to connect a phone number to ANY of your online accounts is to allow for a process known as “2-step verification”, which guards against malicious hackers. It does this by texting a constantly-rotating number to your cellphone and then prompting for that number on the website in question. The process is designed so that even if hackers gain access to your usernames/passwords, they’d then also need access to your cell phone (which isn’t likely) to log in to any of your critical accounts.

If you currently use 2-step verification, please do one of the following:

  1. Get a free Google Voice number and substitute that new number in place of your actual cellphone number on any online account where you’re using two-step verification.

  2. Switch to a process called “two-factor” or “multi-factor” authentication. This requires an amazing and free app called Authy. It’s more complicated and takes more time to implement, but it’s safer and more flexible than 2-step-verification. I’ve outlined the process on a piece I wrote here.

But please: take one of these steps before you continue. That way you’ll avoid losing any previously-established security measures.

While I can’t provide a tutorial on how to remove your actual cellphone number from every single web account, here are a few of the top choices to check. In general, take the time to check all of your social media accounts (FB, Twitter, IG, LinkedIn, etc.), communication accounts (Google, Skype, Yahoo, Microsoft, Slack, etc.), shopping accounts (Amazon, eBay, PayPal, Walmart, etc.), banking accounts, and utility accounts (Gas, Water, Trash, Cable, Netflix, etc.) to ensure that your personal cell phone number is NOT listed on any website.

Instead, if you must use a phone number - and there are very few websites that actually require this - just use your new Google Voice number instead. In fact, unless a trusted friend or family member needs it: stop giving out your actual cell phone number at all. Instead, ONLY give out your Google Voice number. From this point forward, no one gets access to your cellphone number: not never, not no how.

Removing Your Cellphone Number from Google

  1. On your computer, sign in to your account and then click on this link: https://myaccount.google.com/phone?utm_source=google-account&utm_medium=web. Here you’ll see any phone numbers you’ve connected to your Google account.

  2. If you see your actual cellphone number, click once on it.

  3. Then click the three dots icon to reveal the hidden menu, allowing you to remove your cellphone number. Click remove as shown here:

  4. You’ll be asked to confirm your choice. Click the “REMOVE NUMBER” link as shown here and your cellphone number is now removed from Google.

Removing Your Cellphone from Facebook

  1. On your computer, sign in to your Facebook account.

  2. Click this link: https://www.facebook.com/settings?tab=mobile&section=phones&view

  3. All of your associated phone numbers are listed at the top of the next page. If you see your cellphone number, click the “Remove” link as shown here:

  4. A new window pops up asking you to confirm your choice. Do so by clicking the “Remove Number” button as shown here:

  5. You’ve now removed your cellphone number from Facebook.

Removing Your Cellphone from Amazon

  1. From your computer, sign in to your account and then click this link: https://www.amazon.com/gp/css/homepage.html.

  2. Click on the “Login & security” box as shown here:

  3. The next window shows your name, email, and phone numbers if you have them. If you see your cellphone number, click the Edit box as shown here:

  4. Please note: clicking Edit only allows you to change any phone number you have associated with your Amazon account, not delete it. Here, then, is where you’d substitute a Google Voice number (or any secondary, non-cellphone number) in its place. When you enter that new number, you’ll be asked to verify it by receiving a text with a one-time password and entering the number in question.

  5. Pro-tip #1: because Amazon doesn’t allow you to delete your phone number, call those suckers on the phone. I did and the process took about 10min of my time. The customer service number in the United States is: (888) 280-4331. When prompted, say “account security” to the voice-activated smart operator and you’ll get routed to the right individual.

  6. Pro-tip #2: (593) 966-4545 isn’t my number. It’s a made-up number. I write a security newsletter and blog: you didn’t actually think I’d be sharing my actual phone number, did you?

The Lessons Learned

I’d say there are three lessons here to consider.

Lesson #1: Keep and Use Different Sets of Personal Data

I keep and use different sets of phone numbers, mailing addresses, and email addresses. So should you. We’ve been conditioned to hand out our actual, private data to anyone who asks: websites, doctor’s offices, utility companies, government agencies and new people who we’ve only just met at work or while socializing. This isn’t the way to operate in a deeply inter-connected digital world. Instead, we should treat our direct contact information as gold that’s only shared with the most trusted of individuals and never on any website. I call this process “Classifying Yourself” because (a) it sounds sexy to act like a spy and (b) it’s actually kinda fun.

Lesson #2: When in Doubt, Don’t Share Data

If you sign up for a website and it asks you for your phone number or email, don’t provide it. In most cases, it’s not necessary. In fact, I’d avoid giving out information to anyone at any time for ANY reason whenever possible. In the rare cases when you MUST provide personal information, only provide your secondary set.

Lesson #3: Switch to Using Multi-factor Authentication

If you’re not already doing so, start using multi-factor authentication on all of your critical accounts. If you’re currently using 2-step verification, switch to using multi-factor authentication.

And…. that’s a wrap for today’s episode, everyone. Thank you, once again, for reading and for being a subscriber. Please let me know your thoughts in the comments section or by email.

As always… surf safe.


What do you folks want to learn about...?

Give it to me, straight: what topics or challenges in the world of tech would you like me to explain? Nothing is too far-fetched to suggest. I’ll grab a few suggestions and run with them!
