Experience Report on the Challenges and Opportunities in Securing Smartphones Against Zero-Click Attacks

TL;DR

This paper shares practical experiences and insights on designing and evaluating a sandboxed ecosystem to defend smartphones from zero-click attacks exploiting chat app vulnerabilities, highlighting key challenges and lessons learned.

Contribution

It introduces a security design that isolates chat applications in a sandboxed environment to mitigate zero-click attack risks, based on real-world implementation and evaluation.

Findings

Sandboxed ecosystem reduces attack surface

Performance and usability challenges identified

Fundamental security gaps remain unaddressed

Abstract

Zero-click attacks require no user interaction and typically exploit zero-day (i.e., unpatched) vulnerabilities in instant chat applications (such as WhatsApp and iMessage) to gain root access to the victim's smartphone and exfiltrate sensitive data. In this paper, we report our experiences in attempting to secure smartphones against zero-click attacks. We approached the problem by first enumerating several properties we believed were necessary to prevent zero-click attacks against smartphones. Then, we created a security design that satisfies all the identified properties, and attempted to build it using off-the-shelf components. Our key idea was to shift the attack surface from the user's smartphone to a sandboxed virtual smartphone ecosystem where each chat application runs in isolation. Our performance and usability evaluations of the system we built highlighted several shortcomings and the fundamental challenges in securing modern smartphones against zero-click attacks. In this experience report, we discuss the lessons we learned, and share insights on the missing components necessary to achieve foolproof security against zero-click attacks for modern mobile devices.