Wednesday, March 26 2014
A few weeks ago I upgraded from a Galaxy Nexus to a Nexus 5. I therefore took the chance
to investigate lightweight and practical device hardening tools.
I didn't have anything specific in mind; I just wanted to improve my overall situation.
Here is what I came up with.
File system encryption, of course, using the built-in functionality of Android.
To improve the security and usability I use Cryptfs Password to
have a separate passphrase for the file system encryption and the screen lock. This tool requires root.
Encrypted SMS and messaging using TextSecure. The application
is very user-friendly and a nice replacement for Google Hangouts.
I started using SSHTunnel and ProxyDroid
to secure network traffic while traveling. In combination, the two tools let you tunnel all of your device's network traffic through any box you have SSH access to.
Both apps require root.
I'm trying out Pry-Fi, a Wi-Fi privacy tool.
This category is a little hard to describe. I was looking for an app to vet APKs, but without using any AV software. I found Checksum;
this app calculates a checksum for each APK and compares it with a global repository that is fed with checksums from other users.
I also use my own tool TelStop to inspect tel: URIs to determine if they contain MMI codes.
If I was using an older Android device I would also install: ReKey to patch Master Key and X-Ray to
scan for vulnerabilities.
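The kind of tel: URI check mentioned above can be sketched as follows. This is an added Python example, not TelStop's code (the post does not show its implementation); the function names and the "starts with * or #, ends with #" shape test are assumptions made for illustration, and the sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# Visual separators a dialer drops before dialing (RFC 3966).
SEPARATORS = re.compile(r"[\s\-.()]")
# Assumed heuristic for an MMI/USSD string: starts with * or #,
# contains only dial-pad characters, and ends with #.
MMI_SHAPE = re.compile(r"[*#][0-9*#]*#")


def classify_tel_uri(uri: str) -> str:
    """Return 'not-tel', 'mmi', 'suspicious' or 'number' for a URI."""
    scheme, colon, rest = uri.strip().partition(":")
    if not colon or scheme.lower() != "tel":
        return "not-tel"
    # Percent-decode first: %2A is '*' and %23 is '#', so an encoded
    # code must be judged in the form the dialer would receive.
    dial = SEPARATORS.sub("", unquote(rest))
    # RFC 3966 parameters such as ;ext= follow the first ';'.
    head = dial.split(";", 1)[0]
    if MMI_SHAPE.fullmatch(head):
        return "mmi"
    if "*" in dial or "#" in dial:
        # Dial-pad control characters mixed into an ordinary number.
        return "suspicious"
    return "number"


def flagged(uris):
    """Return the URIs that should not be handed to the dialer unreviewed."""
    return [u for u in uris if classify_tel_uri(u) in ("mmi", "suspicious")]


# Constructed sample input. *#06# is the standard code that shows the IMEI.
SAMPLES = [
    "tel:+1-555-0100;ext=12",
    "tel:*%2306%23",
    "tel:*#06#",
    "tel:5550100%2C%2C12%23",
    "https://example.com/#top",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{classify_tel_uri(uri):10} {uri}")
```

The percent-decoding step matters because a code can arrive as %2A and %23 rather than as literal * and # characters.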
Many of the hardening apps I use require root access. Rooting is a tricky business and you should only do it if you know what you are getting into.
If you want to encrypt and root, first root then encrypt. Rooting a Nexus device is straightforward: unlock the bootloader, install su + SuperSU.
One thing to do is install a recovery image that can handle encrypted file systems, like TWRP. A decent guide is posted here.
You should also consider re-locking your bootloader after rooting, see What's the security implication of having an unlocked boot loader?.
This is a lot of work and pretty painful when installing firmware patches, but you likely don't want to run around with an unlocked bootloader.
Altogether, I'm pretty happy with this limited set of security applications. If you think I'm missing something important, please let me know.