Experience Report on the Challenges and Opportunities in Securing Smartphones Against Zero-Click Attacks

Zero-click attacks require no user interaction and typically exploit zero-day (i.e., unpatched) vulnerabilities in instant chat applications (such as WhatsApp and iMessage) to gain root access to the victim's smartphone and exfiltrate sensitive data. In this paper, we report our experiences in attempting to secure smartphones against zero-click attacks. We approached the problem by first enumerating several properties we believed were necessary to prevent zero-click attacks against smartphones. Then, we created a security design that satisfies all the identified properties, and attempted to build it using off-the-shelf components. Our key idea was to shift the attack surface from the user's smartphone to a sandboxed virtual smartphone ecosystem where each chat application runs in isolation. Our performance and usability evaluations of the system we built highlighted several shortcomings and the fundamental challenges in securing modern smartphones against zero-click attacks. In this experience report, we discuss the lessons we learned, and share insights on the missing components necessary to achieve foolproof security against zero-click attacks for modern mobile devices.