How to protect data from unauthorized access on Android?

Exidous

The only one in price range was a Pixel 4a with a tiny haircrack in the plastic frame at the edge; came from a reseller. Probably no warranty issues since Pixel phones can easily be reverted to stock.
Ah, I got a 4a as well. On this side of the pond they sell gimped Pixels as well - if it's from a carrier (cheaper) rather than Google (full MSRP, but unlockable), it has an un-unlockable bootloader. I lucked out/accidentally cracked whatever idiotic code they use to block unlocking the bootloader on my carrier version. ...my cheapness transcends my paranoia and I wanted to pay no more than ~$100 for the absurdly overpowered corporate spying devices we apparently need to use to place phone calls these days. Thanks? Walmart.
I've no idea why only Pixel phones support changing the root of trust and relocking the bootloader into yellow state. Other phones will just go red state when locking with custom OS.
Money is why. Google pays (a bare minimum of) homage to the software license they are supposed to be bound to and permit you to kind of sort of modify Android (on only their flagship hardware, full price bullshit).

Everyone except Google that's selling Android devices has negligible financial incentive to permit end-user modification. Frankly, Google doesn't exactly have a 'financial' incentive to do it, I suspect it's more inertia, and a way to pay lip service to the supposedly open source software base they're supposedly built on.

Everyone except Google that's selling Android devices either makes no modifications (investing a minimum in software development) or makes modifications for their own user data resale business, which would be at minimum impeded by a custom ROM. Today, those non-Google Android phones that have unlockable bootloaders are more frequently accidents. And when users aren't supposed to unlock in the first place, why would there be a need to support relocking?

In the old days there was a not-insignificant enthusiast customer segment, who would prefer the phones that eased (let alone permitted) custom ROM installation. That's not a big enough slice of the pie anymore, from the perspective of smartphone manufacturers.

While I'm ranting, the entire smartphone market has become, to my eyes, economically deranged. A basic phone should be less than $100 and have, at most, a four inch screen. Instead, the market seems to demand to pay hundreds of dollars for something that will unerringly spy on them and can't even fit in a pocket. It's absurd.

I'm glad you're aware of the $5 wrench. It keeps us grounded while seeking grand security solutions.
 

genistopitauniverfrocrami

A basic phone should be less than $100 and have, at most, a four inch screen. Instead, the market seems to demand to pay hundreds of dollars for something that will unerringly spy on them and can't even fit in a pocket. It's absurd.
Agreed, especially considering the overreliance on mobile. Like now I'm considering switching banks because their only options are to use insecure SMS OTP or their bank app. Screen wise though, some people might still prefer larger ones (e.g. for poorer eyesight).

Indeed, not only have they figured out how to sell phones for that much, but also hardware that essentially expires after six years. (In comparison, a base RPi and 4 inch display costs about $80 and is mainlined. Though granted, those are just the main costs.)

But while I was researching what I'd do on this phone, there was significant discussion of GrapheneOS
So you had a Pixel 4a before finding out about GrapheneOS? How lucky... albeit in 'end-of-life' support now. At least it has good custom ROM support.
 

Exidous

So you had a Pixel 4a before finding out about GrapheneOS? How lucky... albeit in 'end-of-life' support now. At least it has good custom ROM support.
No, last fall when I finally dragged myself to replace my last phone (OG Pixel), I started reading up on custom rom availability on the sorts of devices that were in my price tolerance. When I took the Black Friday deal for my current phone, I had already read up on the 4a. At purchase, I thought I had a high likelihood of being stuck with stock because it was a carrier model (disabled bootloader unlock), but if I got lucky when it carrier unlocked (thanks FTC merger agreement) after 60 days and also bootloader unlock I was expecting to use one of the xda custom roms.

I don't recall my exact reason for instead picking LineageOS when I indeed got lucky, but it may have had something to do with reading about GrapheneOS and feeling security-guilty about going with a random rom and installing Gapps.

So perhaps I salved my guilt a little by going with LineageOS and installing Gapps (over its whining).
 

genistopitauniverfrocrami

No, last fall when I finally dragged myself to replace my last phone (OG Pixel), I started reading up on custom rom availability on the sorts of devices that were in my price tolerance. When I took the Black Friday deal for my current phone, I had already read up on the 4a. At purchase, I thought I had a high likelihood of being stuck with stock because it was a carrier model (disabled bootloader unlock), but if I got lucky when it carrier unlocked (thanks FTC merger agreement) after 60 days and also bootloader unlock I was expecting to use one of the xda custom roms.

I don't recall my exact reason for instead picking LineageOS when I indeed got lucky, but it may have had something to do with reading about GrapheneOS and feeling security-guilty about going with a random rom and installing Gapps.

So perhaps I salved my guilt a little by going with LineageOS and installing Gapps (over its whining).
Thanks for sharing, it sounds like you researched your options thoroughly. LineageOS is definitely a solid choice offering stability and community support.

I find it interesting how custom ROMs can lead people to become more aware of security and privacy. I started as a Google apps fan too, using LineageOS/CyanogenMod, but discovering microG and its free mission changed my perspective.

Considering our focus on Android security, have you explored the features of LineageOS or your Pixel Phone? For instance, the encryption feature of Android or perhaps Android Verified Boot with custom keys?
Post automatically merged:

@KleinesSinchen It's great to see your interest in Android security and exploring options like GrapheneOS. I hope my earlier comment that GrapheneOS "should take care of it" doesn’t discourage you from continuing the discussion.

Also, my question about what you used before smartphones was more about understanding how you managed without the modern reliance on communication and other apps. Your insights on that could be interesting.
 

4d1xlaan

for what it's worth, Pixel 4a has a bypass for secure element throttling which allows for bruteforcing of unlock pin, which will never be patched. this affects 2nd through 5th gen Pixels

graphene will eventually add 2fa pin for fingerprint unlock, which would allow you to use a long passphrase for first unlock and fingerprint + pin for regular use, but who knows if the end of life models will even get that update

(also lineage is a complete waste of a pixel, and a massive downgrade in security, but w/e you do you)

https://discuss.grapheneos.org/d/12...s-their-capabilities-and-how-grapheneos-fares
 

KleinesSinchen

OP
more about understanding how you managed without the modern reliance on communication and other apps
That's an easy one. When I still had social contacts in real life I told people to contact me via E-mail. Take it or leave it.
As for forcing everyday life activity indirectly to smartphone usage: That's going to be a political rant, which will go into my blog. Started writing today. Don't know when it will be finished. Will take time.

This thread brought more than I dared to hope in my dreams.

From looking quickly through GrapheneOS in the last few days it does look convincing. I've yet to understand how it makes use of different keys (different user accounts) and how to make sure to unload encryption keys of specially protected profiles. For now I've only used one profile.

Biggest obvious problem is the attack surface offered by USB data connection. Despite Android defaulting to not expose data and only activating MTP after unlocking and manually selecting it, a phone still reports normally when plugging it into a PC. With journalctl -f this becomes obvious. The phone exposing itself voluntarily to the PC might also expose vulnerabilities.

Sentry solves that, but I still have the problem it disables Seedvault. No idea if this is
a) A bug in Sentry on supported devices or
b) A bug in Seedvault or
c) Intended behavior of Android when installing a device owner software.

The commercial solutions in this regard offer way more options not needed and not wanted on a private device (remote access, surveillance, disabling app installation…). Sentry just diverts from the intended use of device owner app to allow enforcing very few things: Disable USB data and disable safe boot. Funny enough my tablet now says it is owned by my organization and I shall contact my administrator for further information. :rofl2: So for further information I have to contact myself?

If anybody got an unused stock device with Google services installed it would be nice if they would install Sentry as device owner, enter Google account afterwards (doesn't work the other way round – there must not be any accounts on the phone before setting a device owner app) and look if the Google (Drive) app backup gets disabled/removed.


XRY and Cellebrite and similar are one reason that got me into thinking about data security on mobile devices. A really sad approach that "the good guys" decided to abuse security holes "for protecting us from criminals and make prosecution possible." With rhetoric tricks anybody opposing these practices is associated with criminal activity themselves ("Do you have something to hide?" "Are you on the side of [very bad criminals]").
But don't you ever sell these tools to bad guys (Finfisher) that's totally not okay.

My private data is just that: Private. Do I have something to hide? Normally one would answer: "I don't think so.", but in the end you never know. After listening to an audio drama I searched the Wikipedia as the movie "Dirty Harry" was mentioned on that CD. After reading about the movie, I continued reading about the second leading role of that movie. With that I mean his oversized revolver. Without precautions like TOR/VPN and full disk encryption this would provide evidence I'm interested in firearms, maybe make somebody assume I want to get a powerful gun (or already did).
It is a trivial example how something simple and innocent can be suspicious when thinking like law enforcement, especially when law enforcement becomes questionable itself like it is the case right now. Such information in search history can be a puzzle piece when you are suspected of a crime… while being innocent.

You never know what your computers might reveal. So yes, I got something to hide – without being a criminal.

Back to the technical topic. I've not the faintest idea how these forensic tools achieve becoming able to bruteforce anything. They must somehow have some kind of access just by plugging it in. This is why I want to disable USB data connection altogether like mentioned above.

graphene will eventually add 2fa pin for fingerprint unlock, which would allow you to use a long passphrase for first unlock and fingerprint + pin for regular use
Why is that not default since day one of fingerprint readers!? That would finally make these things useful!
Fingerprint sensors are resistant against shoulder surfing and PINs are resistant against pushing your finger against the phone. In current implementations fingerprint is a convenience and not a security feature.
 
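What the host log mentioned in the post above reveals, as an added example that is not part of the original post: a parser for the kernel's USB enumeration messages that lists which identifiers each plugged-in device disclosed. The log lines, IDs and serial are constructed placeholders, and the function names are this example's own.

```python
import re

# Constructed sample of `journalctl -k` output: a phone plugged in while
# locked, then an unrelated mouse. All values are made-up placeholders.
SAMPLE_LOG = """\
Jun 01 10:15:02 host kernel: usb 1-3: new high-speed USB device number 7 using xhci_hcd
Jun 01 10:15:02 host kernel: usb 1-3: New USB device found, idVendor=18d1, idProduct=4ee1, bcdDevice= 4.40
Jun 01 10:15:02 host kernel: usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 01 10:15:02 host kernel: usb 1-3: Product: Pixel 4a
Jun 01 10:15:02 host kernel: usb 1-3: Manufacturer: Google
Jun 01 10:15:02 host kernel: usb 1-3: SerialNumber: EXAMPLE0SERIAL
Jun 01 10:15:40 host kernel: usb 1-3: USB disconnect, device number 7
Jun 01 10:16:10 host kernel: usb 1-4: new full-speed USB device number 8 using xhci_hcd
Jun 01 10:16:10 host kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
Jun 01 10:16:10 host kernel: usb 1-4: Product: USB Optical Mouse
"""

LINE = re.compile(r"kernel: usb (?P<port>[\d.-]+): (?P<msg>.*)$")
FOUND = re.compile(
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
STRING = re.compile(r"^(?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")


def parse_enumerations(log_text):
    """Return one dict per enumeration event: port, vid, pid, string descriptors."""
    events = []
    current = {}  # bus port -> event still being assembled
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        port, msg = m["port"], m["msg"]
        found = FOUND.search(msg)
        if found:
            event = {"port": port, "vid": found["vid"], "pid": found["pid"]}
            current[port] = event
            events.append(event)
            continue
        string = STRING.match(msg)
        if string and port in current:
            current[port][string["key"]] = string["val"]
        elif "USB disconnect" in msg:
            current.pop(port, None)  # later lines on this port are a new device
    return events


def disclosed_identifiers(event):
    """String descriptors the device handed to the host during enumeration."""
    keys = ("Manufacturer", "Product", "SerialNumber")
    return sorted(k for k in keys if k in event)


if __name__ == "__main__":
    for ev in parse_enumerations(SAMPLE_LOG):
        print(ev["port"], ev["vid"] + ":" + ev["pid"], disclosed_identifiers(ev))
```

Feeding it real `journalctl -k` output before and after applying a USB-data restriction is a quick way to check whether the phone still enumerates at all.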

Exidous

From looking quickly through GrapheneOS in the last few days it does look convincing. I've yet to understand how it makes use of different keys (different user accounts) and how to make sure to unload encryption keys of specially protected profiles. For now I've only used one profile.

I like Shelter https://f-droid.org/en/packages/net.typeblog.shelter/, from your perspective as a baby blanket. It sounds like it similarly uses the built in Android (work) profiles function to sort-of sandbox apps. Maybe there's more discussion associated with that functionality as in that app? I don't know if GrapheneOS significantly altered the implementation of Android's profiles or if it's just utilizing them for functionality ala Shelter.
 

4d1xlaan

I like Shelter https://f-droid.org/en/packages/net.typeblog.shelter/, from your perspective as a baby blanket. It sounds like it similarly uses the built in Android (work) profiles function to sort-of sandbox apps. Maybe there's more discussion associated with that functionality as in that app? I don't know if GrapheneOS significantly altered the implementation of Android's profiles or if it's just utilizing them for functionality ala Shelter.
the separation/sandboxing between a work profile and the user profile is not nearly as strong as using two separate profiles

for instance, work profile uses the same encryption as owner profile, while secondary profiles can be closed to put their data at rest

work profile can read some info from owner profile as well

https://discuss.grapheneos.org/d/605-apps-in-owner-profile-detect-play-services-in-work-profile/2

https://discuss.grapheneos.org/d/115-work-profile-vs-user-profile/4
 

KleinesSinchen

the separation/sandboxing between a work profile and the user profile is not nearly as strong as using two separate profiles
Pretty obvious. As so often a tradeoff between security and convenience. Shelter being able to freeze apps (saves battery!) and providing second app instances on one user is a nice thing beyond any security considerations.

It does make sense to use at least one additional profile on GrapheneOS: Because the session of additional users can be ended opposed to user 0 → unload encryption key and reach "before first unlock" condition for secondary profiles. I've never noticed the importance of before first unlock compared to after first unlock before.
I have to confess that I solely rely on emergency power off for protecting master keys in RAM on desktop computers. Quickly grabbing RAM and cooling it down hoping to receive the master key sounds absurd and gets harder the more dense and more quick RAM becomes. Even with 1990s technology this wasn't reliable enough for having the (in)famous Stop 'n' Swop feature to be actually used in Banjo-Kazooie (and swapping an N64 cart is a whole lot easier and quicker than opening a desktop PC, cooling and removing RAM).
Direct memory access is/was possible with Firewire and there might be other possibilities.

All in all, reading about this topic for two weeks now brings me to one conclusion: GrapheneOS is pretty much the only alternative if you are very serious with Android security!
*Sigh* Maybe Pixel 8 series drops price a bit when the 9 series is released.
=========



About Device Owner apps: They are not exactly intended to be a security addition for private users, but for enforcing company rules. Protecting someone else's interests instead of your own. Android Device Policy Control as offered by commercial solutions with remote administration, remote surveillance and whatnot is the opposite of securing your data (though it may make sense for corporate owned devices – given that the remote administration tool itself doesn't contain exploitable security holes).

A pretty young app named OwnDroid looks interesting (and can remove itself if desired). Unfortunately the documentation beyond a short readme file is only in Chinese for now. The app itself has already been translated to English. Readme mentions Google's Test Device Policy Control (Test DPC) App. Have not fully tested the latter yet because it looks more complex.

An independent code audit would be a prerequisite before trusting and giving any app the Device Owner role, THE most powerful and dangerous role available not counting root access. This promising app reminds me of the local Group Policy object in Windows. Just like local Group Policies you can lock/unlock certain functions for yourself, as opposed to AD domain controlled group policies enforced by the admin.

Many possible user restrictions are pointless, like disabling screen brightness control. Seriously? What for would the admin prevent a user from adjusting screen backlight?

I can see a few of these being useful (toggling the options to "on" position enforces a restriction). Example screenshots:
1.png 2.png 3.png
Freezing network configuration, disallowing Bluetooth (sharing) and USB data connection could prevent opportunistic quick copies if your attention isn't at 100%.

Sadly these DPC restricting options can be (and probably already are) abused by colorful, shitty parental control software (bundled with 100 tracking modules connected to the vendor); software for those bad people who want to solve sociological problems, problems of upbringing kids, with technological methods. The only things missing for parental controls are a separate-from-app login (parent PIN) and automatic conditions to enforce the DPC restrictions (WiFi 1 hour a day, not in the evening…)


OwnDroid also explains why Seedvault backup died the moment Sentry was installed. It seems installing any Device Owner app disables the backup service by default – this would probably also be true for the Google Drive backup on stock ROMs. But here the service can be reactivated. In this page (System manager → Options) toggling to "on" position actually turns on a feature and not a restriction.
4.png
 
