...stuff I do and things I like...

Wednesday, March 26 2014

Android Hardening Tools

A few weeks ago I upgraded from a Galaxy Nexus to a Nexus 5. I therefore took the chance and investigated lightweight and practical device hardening tools. I didn't have anything specific in mind; I just wanted to improve my overall situation. Here is what I came up with.

Basics:
    File system encryption, of course, using the built-in functionality of Android. To improve the security and usability I use Cryptfs Password to have a separate passphrase for the file system encryption and the screen lock. This tool requires root.

    Encrypted SMS and messaging using TextSecure. The application is very user friendly and a nice replacement for Google Hangout.

Network:
    I started using SSHTunnel and ProxyDroid to secure network traffic while traveling. In combination, both tools provide the ability to tunnel all network traffic of your device through any box you have SSH access on. Both apps require root.

    I'm trying out Pry-fi, a Wifi privacy tool.

App Security:
    This category is a little hard to describe. I was looking for an app to vet APKs, but without using any AV software. I found Checksum; this app calculates a checksum for each APK and compares it with a global repository that is fed with checksums from other users.

    I am also using my own tool TelStop to inspect TEL URIs to determine if they contain MMI codes.

    If I was using an older Android device I would also install: ReKey to patch Master Key and X-Ray to scan for vulnerabilities.
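
One way to do the kind of TEL URI check described for TelStop above, as an added Python example; it is not TelStop's code and not part of the original post. The rule that an MMI code starts with `*` or `#` and ends with `#`, the function name `classify_tel_uri` and the sample URIs are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Visual separators a dialer ignores (RFC 3966 allows "-", ".", "(" and ")").
_SEPARATORS = re.compile(r"[\s\-.()]")
# Assumed heuristic: an MMI/USSD string begins with '*' or '#' and ends with '#'.
_MMI = re.compile(r"^[*#][0-9*#]*#$")
_PLAIN_NUMBER = re.compile(r"^\+?[0-9]+$")

# Constructed sample links, as they might appear in a web page or QR code.
SAMPLES = [
    "tel:+1-201-555-0123",
    "tel:*%2306%23",          # percent-encoded *#06# (shows the IMEI)
    "TEL:%252A%252306%2523",  # the same code, encoded twice
    "tel:0123456789#",
    "https://example.org/",
]


def classify_tel_uri(uri: str) -> str:
    """Return 'not-tel', 'number', 'mmi' or 'suspicious' for a URI string."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return "not-tel"
    # Drop RFC 3966 parameters such as ";ext=12" or ";phone-context=...".
    subscriber = rest.split(";", 1)[0]
    # Decode repeatedly so "%2523" cannot hide a '#' behind two layers.
    for _ in range(3):
        decoded = unquote(subscriber)
        if decoded == subscriber:
            break
        subscriber = decoded
    dial = _SEPARATORS.sub("", subscriber)
    if _MMI.match(dial):
        return "mmi"
    if _PLAIN_NUMBER.match(dial):
        return "number"
    # Code characters in an odd position, leftover encoding, or empty input.
    return "suspicious"


if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_tel_uri(link):10} {link}")
```

Anything classified as `mmi` or `suspicious` would be shown to the user for confirmation instead of being handed straight to the dialer.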

Rooting:
    Many of the hardening apps I use require root access. Rooting is a tricky business and you should only do it if you know what you are getting into. If you want to encrypt and root, first root then encrypt. Rooting a Nexus device is straightforward: unlock the bootloader, install su + superSU. One thing to do is install a recovery image that can handle encrypted file systems like TWRP. A decent guide is posted here.

    You should also consider re-locking your bootloader after rooting, see What's the security implication of having an unlocked boot loader?. This is a lot of work and pretty painful when installing firmware patches, but you likely don't want to run around with an unlocked bootloader.


All together I'm pretty happy with this limited set of security applications. If you think I'm missing something important please let me know.

Monday, March 03 2014

Mobile Security News Update March 2014

Conferences
    InfoSecSouthWest April 4-6 Austin Texas. jduck: Android Security Research and Testing at Scale. Thomas Wang: Breaking through the bottleneck: Mobile malware is outbreak spreading like wildfire.


CFPs
TextSecure: secure and easy to use text (SMS) for Android (and soon iOS)
    I'm not really into advertising for stuff here but the recent update of TextSecure made a gigantic impression on me. The application works well, is uber user friendly, and looks just great. They further added IM like functionality (using IP rather than SMS), see here: The New TextSecure: Privacy Beyond SMS. Further there is the possibility to run your own server for the TextSecure IP backend, see here.

    I switched to TextSecure for a number of reasons: transparent encrypted SMS, super usable application (I can finally stop using the Hangout app - worst thing so far on my Nexus 5), TextSecure source code is available, and did I mention that the UI looks really great? All in all this is good quality security software that even looks better than the less secure competitors, YES!


WebViews and Security on Android
    The security (insecurity) of WebView lately got a lot of attention. There has been some early academic work such as A View to A Kill: WebView Exploitation by Matthias Neugschwandtner et al. Then there was Dave Hartley's blog post on ad-network security. Most recently Joshua 'jduck' Drake wrote a very detailed blog post about the WebView addJavaScriptInterface Saga. All in all the WebView story is not over for sure as WebViews are a widely used framework feature of Android. I'll keep following this issue for sure.

Links