Wednesday, March 26 2014
Monday, March 03 2014
A few weeks ago I upgraded from a Galaxy Nexus to a Nexus 5. I therefore took the chance
and investigated lightweight and practical device hardening tools.
I didn't have anything specific in mind I just wanted to improve my overall situation.
Here is what I came up with.
File system encryption, of course, using the build-in functionality of Android.
To improve the security and usability I use Cyrptfs Password to
have a separate passphrase for the file system encryption and the screen lock. This tool requires root.
Encrypted SMS and messaging using TextSecure. The application
is very user friendly and a nice replacement for Google Hangout.
I started using SSHTunnel and ProxyDroid
to secure network traffic while traveling. In combination both tools provide the ability to tunnel all network traffic of your device through any box you have a SSH access on.
Both apps require root.
I'm trying out Pry-fi a Wifi privacy tool.
This category is a little hard to describe. I was looking for an app to vet APK, but without using any AV software. I found Checksum,
this app calculates a checksum for each APK and compares it with a global repository that is feed with checksums from other users.
I further using my own tool TelStop to inspect TEL Uri to determine if the contain MMI codes.
If I was using an older Android device I would also install: ReKey to patch Master Key and X-Ray to
scan for vulnerabilities.
Many of the hardening apps I use require root access. Rooting is a tricky business and you should only do it if you know what you are getting into.
If you want to encrypt and root, first root then encrypt. Rooting a Nexus device is straightforward, unlock the bootloader, install su + superSU.
One thing todo is install a recovery image that can handle encrypted file systems like TWRP. A decent guide is posted here.
You should also consider re-locking your bootloader after rooting, see What's the security implication of having an unlocked boot loader?.
This is a lot of work and pretty painful when installing firmware patches, but you likely don't want to run around with a unlocked bootloader.
All together I'm pretty happy with this limited set of security applications. If you think I'm missing something important please let me know.
InfoSecSouthWest April 4-6 Austin Texas. jduck: Android Security Research and Testing at Scale. Thomas Wang: Breaking through the bottleneck: Mobile malware is outbreak spreading like wildfire.
TextSecure: secure and easy to use text (SMS) for Android (and soon iOS)
I'm not really into advertising for stuff here but the recent update of
TextSecure made a gigantic impression on me. The application works well, is uber user friendly, and looks just great.
They further added IM like functionality (using IP rather then SMS), see here: The New TextSecure: Privacy Beyond SMS. Further there is the possibility to run your own
server for TextSecure IP backend, see here.
I switched to TextSecure for a number of reasons: transparent encrypted SMS, super usable application (I can finally stop using the Hangout app - worst thing so far on my Nexus 5), TextSecure source code is available, and did I mention that the UI looks really great? All in all this is good quality security software that even looks better then the less secure competitors, YES!
WebViews and Security on Android
The security (insecurity) of WebView lately got a lot of attention.