Changes between Version 19 and Version 20 of doc/HardeningAndroid

Timestamp:
Jul 23, 2014, 11:41:47 PM
Author:
patcon
Comment:

Fix headers. Move TOC to PageOutline.

  • doc/HardeningAndroid

    v19 v20  
    1 //This article was originally [https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy posted to the Tor blog]. For a change history prior to migration to the wiki, please see the [#Changes Changes] section. (Subsequent changes will be tracked on this article's [https://trac.torproject.org/projects/tor/wiki/doc/HardeningAndroid?action=history History] page.)//
     1[[PageOutline]]
     2
     3''This article was originally [https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy posted to the Tor blog]. For a change history prior to migration to the wiki, please see the [#Changes Changes] section. (Subsequent changes will be tracked on this article's [https://trac.torproject.org/projects/tor/wiki/doc/HardeningAndroid?action=history History] page.)''
     4
     5= Hardening Android for Security and Privacy =
    26
    37= Executive Summary =
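Review bot: the new title heading on line 5 is level 1, the same level as the unchanged `= Executive Summary =` on line 7 and as the section headings this change promotes (for example `= Hardware Selection =`), so `[[PageOutline]]` will list the title as a sibling of the sections rather than as their parent. Either keep the title as the only level-1 heading and leave the sections at level 2 (demoting `= Executive Summary =` to `== Executive Summary ==` instead of promoting everything else), or drop the title heading, since Trac already displays the page name.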
     
    2529It is our hope that this work can be replicated and eventually fully automated, given a good UI, and rolled into a single ROM or ROM addon package for ease of use. Ultimately, there is no reason why this system could not become a full fledged off the shelf product, given proper hardware support and good UI for the more technical bits.
    2630
    27 The remainder of this document is divided into the following sections:
    28 
    29 [[TOC(inline, noheading)]]
    30 
    31 == Hardware Selection ==
     31= Hardware Selection =
    3232
    3333If you truly wish to secure your mobile device from remote compromise, it is necessary to carefully select your hardware. First and foremost, it is [http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone absolutely essential] that the carrier's baseband firmware is completely isolated from the rest of the platform. Because your cell phone baseband does not authenticate the network (in part to allow roaming), any random hacker with [http://www.openbts.org/ their own cell network] can exploit these backdoors and use them to install malware on your device.
     
    4343In this way, you achieve true baseband isolation, with no risk of [http://news.cnet.com/2100-1029-6140191.html audio] or [http://www.globalresearch.ca/new-hi-tech-police-surveillance-the-stingray-cell-phone-spying-device/5331165 network] surveillance, [https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf baseband exploits], or [https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor provider backdoors]. Effectively, this cell modem is just another untrusted router in a long, long chain of untrustworthy Internet infrastructure.
    4444
    45 == Installation and Setup ==
     45= Installation and Setup =
    4646
    4747We will focus on the installation of Cyanogenmod 11 using Team Win Recovery Project, both to give this HOWTO some shelf life, and because Cyanogenmod 11 features full SELinux support (Dear NSA: What happened to you guys? You used to be cool. Well, some of you. Some of the time. Maybe. [http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331 Or maybe not]).
     
    4949The use of Google Apps and Google Play services is not recommended due to security issues with Google Play. However, we do provide workarounds for mitigating those issues, if Google Play is required for your use case.
    5050
    51 === ROM and Core App Installation ===
     51== ROM and Core App Installation ==
    5252
    5353With the 2013 Google Nexus 7 tablet, installation is fairly straight-forward. In fact, it is actually possible to install and use the device before associating it with a Google Account in any way. This is a desirable property, because by default, the otherwise mandatory initial setup process of the stock Google ROM sends your device MAC address directly to Google and links it to your Google account (all without using Tor, of course).
     
    104104**VERY IMPORTANT:** Whenever you finish using adb, **always remember** to disable //USB Debugging// and restore //Root Access// to //Apps only//. While Android 4.2+ ROMs now prompt you to authorize an RSA key fingerprint before allowing a debugging connection (thus mitigating adb exploit tools that bypass screen lock and can install root apps), you still risk additional vulnerability surface by leaving debugging enabled.
    105105
    106 === Initial Configuration ===
     106== Initial Configuration ==
    107107
    108108After the base packages are installed, go into the Settings app, and make the following changes:
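Review bot: the unchanged line 104 still uses the WikiCreole forms `**VERY IMPORTANT:**` and `//USB Debugging//`, while line 3 of this change converts the same `//...//` italics to `''...''`. Both forms render in Trac, but if the intent is consistent markup, the `//` and `**` occurrences on lines 104 and 367 should get the same treatment as line 3; otherwise the rewrite of line 3 is not needed.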
     
    171171Watch for typos! That command does not ask you to re-type that password for confirmation.
    172172
    173 === Disabling Invasive Apps and Services ===
     173== Disabling Invasive Apps and Services ==
    174174
    175175Before you configure the Firewall or enable the network, you likely want to disable at least a subset of the following built-in apps and services, by using //Settings -> Apps -> All//, and then clicking on each app and hitting the //Disable// button:
     
    192192* TalkBack
    193193
    194 === Tor and Firewall configuration === #Firewall
     194== Tor and Firewall configuration == #Firewall
    195195
    196196Ok, now let's install the firewall and tor support scripts. Go back into ''Settings -> Developer Options'' and enable ''USB Debugging'' and change ''Root Access'' to ''Apps and ADB''. Then, unzip the [https://people.torproject.org/~mikeperry/android-hardening/android-firewall.zip android-firewall.zip] on your laptop, and run the [https://people.torproject.org/~mikeperry/android-hardening/android-firewall/install-firewall.sh installation script]:
     
    249249You are now ready to enable Wifi and network access on your device. For vulnerability surface reduction, you may want to use the ''Advanced Options -> Static IP'' to manually enter an IP address for your device to avoid using dhclient. You do not need a DNS server, and can safely set it to 127.0.0.1.
    250250
    251 == Google Apps Setup ==
     251= Google Apps Setup =
    252252
    253253If you installed the Google Apps zip, you need to do a few things now to set it up, and to further harden your device. If you opted out of Google Apps, you can skip to the [#Software next section].
    254254
    255 ===  Initializing Google Play ===
     255==  Initializing Google Play ==
    256256
    257257The first time you use Google Play, you will need to enable four apps in Droidwall: ''"Google Account Manager, Google Play Services..."'', ''"Settings, Dev Tools, Fused Location..."'', ''"Gmail"'', and ''"Google Play"'' itself.
     
    261261After you log in for the first time, you should be able to disable the ''"Google Account Manager, Google Play Services..."'', ''"Gmail"'', and the ''"Settings..."'' apps in Droidwall, but your authentication tokens in Google Play may expire periodically. If this happens, you should only need to temporarily enable the ''"Google Account Manager, Google Play Services..."'' app in Droidwall to obtain new ones.
    262262
    263 === Mitigating the Google Play Backdoors ===
     263== Mitigating the Google Play Backdoors ==
    264264
    265265If you do choose to use Google Play, you need to be very careful about how you allow it to access the network. In addition to the risks associated with using a proprietary App Store that can send you targeted malware-infected packages based on your Google Account, it has at least two major user experience flaws:
     
    273273For the second issue, you can install the [https://play.google.com/store/apps/details?id=com.iu.seccheck SecCheck] utility, to monitor your apps for changes in permissions during a device upgrade.
    274274
    275 === Disabling Google Cloud Messaging ===
     275== Disabling Google Cloud Messaging ==
    276276
    277277If you have installed the Google Apps zip, you have also enabled a feature called [https://en.wikipedia.org/wiki/Google_Cloud_Messaging Google Cloud Messaging].
     
    285285If you would like to test your ability to control Google Cloud Messaging, there are two apps in the Google Play store than can help with this. [https://play.google.com/store/apps/details?id=com.iapplize.gcm.test GCM Test] allows for simple send and receive pings through GCM. [https://play.google.com/store/apps/details?id=com.firstrowria.pushnotificationtester Push Notification Tester] will allow you to test registration and asynchronous GCM notification.
    286286
    287 == Recommended Privacy and Auditing Software == #Software
     287= Recommended Privacy and Auditing Software = #Software
    288288
    289289Ok, so now that we have locked down our Android device, now for the fun bit: secure communications!
     
    348348    Intent Intercept allows you to inspect and extract [https://stackoverflow.com/questions/6578051/what-is-intent-in-android Android Intent] content without allowing it to get forwarded to an actual app. This is useful for monitoring how apps attempt to communicate with eachother, though be aware it only covers one of the [https://developer.android.com/training/articles/security-tips.html#IPC mechanisms of inter-app communication] in Android.
    349349
    350 == Backing up Your Device Without Google ==
     350= Backing up Your Device Without Google =
    351351
    352352Now that your device is fully configured and installed, you probably want to know how to back it up without sending all of your private information directly to Google. While the Team Win Recovery Project will back up all of your system settings and apps (even if your device is encrypted), it currently does not back up the contents of your virtualized `/sdcard`. Remembering to do a couple adb pulls of key directories can save you a lot of heartache should you suffer some kind of data loss or hardware failure (or simply drop your tablet on a bridge while in a rush to catch a train).
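Review bot: while this region is being touched, "eachother" on line 348 should be "each other".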
     
    367367**VERY IMPORTANT:** Don't forget to disable //USB Debugging//, as well as the Droidwall adb exemption when you are done with the backup!
    368368
    369 == Removing the Built-in Microphone == #MicrophoneRemoval
     369= Removing the Built-in Microphone = #MicrophoneRemoval
    370370
    371371If you would really like to ensure that your device cannot listen to you even if it is exploited, it turns out it is very straight-forward to remove the built-in microphone in the Nexus 7. There is only one mic on the 2013 model, and it is located just below the volume buttons (the tiny hole).
     
    379379**Pro-Tip:** Before you go too crazy and start ripping out the cameras too, remember that you can cover the cameras with a sticker or tape when not in use. I have found that regular old black electrical tape applies seamlessly, is non-obvious to casual onlookers, and is easy to remove without smudging or gunking up the lenses. Better still, it can be removed and reapplied many times without losing its adhesive.
    380380
    381 == Removing Baseband Remnants == #BasebandRemoval
     381= Removing Baseband Remnants = #BasebandRemoval
    382382
    383383There is one more semi-hardware mod you may want to make, though.
     
    411411}}}
    412412
    413 == Future Work ==
     413= Future Work =
    414414
    415415In addition to streamlining the contents of this post into a single additional Cyanogenmod installation zip or alternative ROM, the following problems remain unsolved.
    416416
    417 === Better Usability ===
     417== Better Usability ==
    418418
    419419While arguably very secure, this system is obviously nowhere near usable. Here are some potential improvements to the user interface, based on a brainstorming session I had with another interested developer.
     
    429429A similar UI could be added to LinPhone. Because the actual voice and video transport for LinPhone does not use Tor, it is possible for an adversary to learn your SIP ID or phone number, and then call you just for the purposes of learning your IP. Because we handle call setup over Tor, we can prevent LinPhone from performing any UDP activity, or divulging your IP to the calling party prior to user approval of the call. Ideally, we would also want to inform the user of the fact that incoming calls can be used to obtain information about them, at least prior to accepting their first call from an unknown party.
    430430
    431 === Find Hardware with Actual Isolated Basebands ===
     431== Find Hardware with Actual Isolated Basebands ==
    432432
    433433Related to usability, it would be nice if we could have a serious community effort to audit the baseband isolation properties of existing cell phones, so we all don't have to carry around these ridiculous battery packs and sketch-ass wifi bridges. There is no engineering reason why this prototype could not be just as secure if it were a single piece of hardware. We just need to find the right hardware.
     
    435435A [https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy#comment-55372 random commenter claimed that the Galaxy Nexus] might actually have exactly the type of baseband isolation we want, but the comment was from memory, and based on software reverse engineering efforts that were not publicly documented. We need to do better than this.
    436436
    437 === Bug Bounty Program ===
     437== Bug Bounty Program ==
    438438
    439439If there is sufficient interest in this prototype, and/or if it gets transformed into a usable addon package or ROM, we may consider running a bug bounty program where we accept donations to a dedicated Bitcoin address, and award the contents of that wallet to anyone who discovers a Tor proxy bypass issue or remote code execution vulnerability in any of the network-enabled apps mentioned in this post (except for the Browser app, which does not receive security updates).
    440440
    441 === Port Tor Browser to Android ===
     441== Port Tor Browser to Android ==
    442442
    443443The Guardian Project is undertaking [https://github.com/guardianproject/orfox a port of Tor Browser to Android] as part of their [https://dev.guardianproject.info/projects/google-summer-of-code/wiki/Orfox_-_Firefox-based_Privacy_Enhanced_Browser/1 OrFox project]. This will greatly improve the privacy of your web browsing experience on the Android device over both Firefox and Chrome. We look forward to helping them in any way we can with this effort.
    444444
    445 === WiFi MAC Address Randomization ===
     445== WiFi MAC Address Randomization ==
    446446
    447447It is actually possible to randomize the WiFi MAC address on the Google Nexus 7. The closed-source root app [https://play.google.com/store/apps/details?id=com.jworksbr.macspoofer Mac Spoofer] is able to modify the device MAC address using Qualcomm-specific methods in such a way that the entire Android OS becomes convinced that this is your actual MAC.
     
    453453Obviously, an Open Source F-Droid app that properly resets (and automatically randomizes) the MAC every time the WiFi interface is brought up is badly needed.
    454454
    455 === Disable Probes for Configured Wifi Networks ===
     455== Disable Probes for Configured Wifi Networks ==
    456456
    457457The Android OS currently probes for all of your configured WiFi networks while looking for open wifi to connect to. Configured networks should not be probed for explictly unless activity for their BSSID is seen. The xda-developers forum has a [http://forum.xda-developers.com/showthread.php?t=2683858 limited fix to change scanning behavior], but [http://forum.xda-developers.com/showpost.php?s=5172139ce1f8c5a99e3ef4bfa471042a&p=51268001&postcount=4 users report] that it does not disable the active probing behavior for any "hidden" networks that you have configured.
    458458
    459 === Recovery ROM Password Protection ===
     459== Recovery ROM Password Protection ==
    460460
    461461An unlocked recovery ROM is a huge vulnerability surface for Android. While disk encryption protects your applications and data, it does not protect many key system binaries and boot programs. With physical access, it is possible to modify these binaries through your recovery ROM.
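Review bot: "explictly" on line 457 should read "explicitly".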
     
    465465It may also be possible to [https://android.stackexchange.com/questions/36830/whats-the-security-implication-of-having-an-unlocked-boot-loader restore your bootloader lock] as an alternative, but then you lose the ability to make backups of your system using Team Win.
    466466
    467 === Disk Encryption via TPM or Clever Hacks ===
     467== Disk Encryption via TPM or Clever Hacks ==
    468468
    469469Unfortunately, even disk encryption and a secure recovery firmware is not enough to fully defend against an adversary with an extended period of physical access to your device.
     
    473473It may also be possible to mitigate these attacks by placing key material in SRAM memory locations that will be overwritten as part of the [http://rhombus-tech.net/allwinner_a10/a10_boot_process/ ARM boot process]. If these physical memory locations are stable (and for ARM systems that use the SoC SRAM to boot, they will be), rebooting the device to extract key material will always end up overwriting it. Similar ARM CPU-based encryption defenses have also been [http://www1.informatik.uni-erlangen.de/filepool/projects/armored/armored.paper.pdf explored in the research literature].
    474474
    475 === Download and Build Process Integrity ===
     475== Download and Build Process Integrity ==
    476476
    477477Beyond the download integrity issues mentioned above, better build security is also [https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise deeply needed] by all of these projects. A [http://gitian.org/ Gitian descriptor] that is capable of building Cyanogenmod and arbitrary F-Droid packages in a reproducible fashion is one way to go about [https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details achieving this property].
    478478
    479 === Removing Binary Blobs ===
     479== Removing Binary Blobs ==
    480480
    481481If you read the [http://wiki.cyanogenmod.org/w/Build_for_flo Cyanogenmod build instructions] closely, you can see that it requires extracting the binary blobs from some random phone, and shipping them out. This is the case with most ROMs. In fact, only the [https://en.wikipedia.org/wiki/Replicant_%28operating_system%29 Replicant Project] seems concerned with this practice, but regrettably they do not support any wifi-only devices. This is rather unfortunate, because no matter what they do with the Android OS on existing cell-enabled devices, they will always be stuck with a closed source, backdoored baseband that has direct access to the microphone, if not the RAM and the entire Android OS.
     
    483483Kudos to them for [http://redmine.replicant.us/projects/replicant/wiki/SamsungGalaxyBackdoor finding one of the backdoors] though, at least.
    484484
    485 == Changes since initial posting == #Changes
     485= Changes since initial posting = #Changes
    486486
    4874871. Updated phttps://people.torproject.org/~mikeperry/android-hardening/android-firewall.zip firewall scripts] to fix [https://code.google.com/p/droidwall/issues/detail?id=260 Droidwall permissions vulnerability].
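Review bot: the link on line 487 is malformed: `Updated phttps://people.torproject.org/~mikeperry/android-hardening/android-firewall.zip firewall scripts]` has a stray `p` and is missing the opening `[`, so Trac will render the bare URL followed by a literal `]` instead of a link. It should read `Updated [https://people.torproject.org/~mikeperry/android-hardening/android-firewall.zip firewall scripts]`.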