Lately I had been researching on how to further secure Android against Exploits, Malware, and Privacy issues. Some, if not most, of this guide is for the more paranoid users but I believe it is usefull information for everyone. I will try to keep it as easy to follow as possible.
Part 1 - ADB & Root:
What is ADB:
ADB (A.K.A the Android Debug Bridge) is a tool used by developers to allow access to an android device via a computer. The program consists of a server (ADBD) which lives on the phone/tablet and the client (ADB) which lives on the computer. This allows dev's to quickly access logs and install applications over a command shell.
The Threat:
While ADB is usefull if it is left on an attacker can use it to gain access to the device and dump logs, bypass the lock screen, root the device, steal credentails and more. One such attack is Kos' P2P-ADB. This framework allows an attack to bypass most (if not all) security if ADB is enabled on the device.
The Solution:
The easiest solution is to simply disable Degbuging. The setting is disabled by default but most custom roms have it enabled. To disable (on ICS/JB) it go to:
Ensure Android debugging is unchecked.
For the more paranoid:
Adb actually relies on the ADBD binary. On most AOSP roms the binary is stored in /sbin/adbd if you change the permissions to 000 it can no longer execute and can't be used at all. One way to achieve this is by using this init.d script:
Save the code to a file called 99secure and place it in /etc/init.d/ If your rom supports init.d the script will execute on boot and remove the adbd permissions so it can't run.
What is root/superuser:
The root user has full access to the system and can perform almost any task. Most custom ROMs ship with root enabled.
The problem:
Running with root enabled is inherently insecure. If a malicous app is allowed to run with root permisions it has full access to the system and can do what ever it wants (delete information, steal passwords, keylog, activate the camera, etc.)
The Solution:
If you are running a CyanogenMod Rom you can disable root by going to:
Alternatively you can change the permisions of the "su" binary to 000 with:
Part 2 - Bluetooth:
Bluetooth is a great technology that allows close range (~30m) wireless comunication between devices such as headsets and speaker phones.
The Problem:
Bluetooth is a wide open whole for an attacker to gain access to your device. There are multiple exploits against bluetooth (such as bluejacking). While most aren't widely used bluetooth should be disabled when not in use.
The Solution:
Disable bluetooth via the settings app:
Alternatively you can disable the bluetooth service/daemon:
and even the bluetooth device (this was done on a Galaxy Nexus running CM10 JB):
After that is done bluetooth can no longer be turned on by accident or a malicous attacker (provided they don't have root).
Part 3 - NFC:
What is NFC:
As per Wikipedia
The Problem:
This year at defcon NFC was shown to be vulnerable to attack (http://forum.xda-developers.com/show....php?t=1832186). Another example is the recent Samsung Exploit which can be executed by NFC tags as well.
The Solution:
NFC can be disabled by:
Alternatively you can disable the NFC Device:
Part 4 - Network Attacks:
Just like a computer android is succeptable to attacks over the network. Bellow is a init.d script that will harden the TCP/IP stack:
Android also runs IPTables ( A firewall). You can change this by script or a nice GUI tool calledDroid Wall
Part 5 - Removing unneeded applications:
These commands will remove some applications that aren't needed and may have internet access. The bottom ones are kept for root only:
There may be more you want to remove like ssh.
I personally removed "Packet Management" as well to prevent installing apps over USB:
Part 6 - Removing APK's:
You can also remove unneeded APK's by:
I removed these apps:
What apps you can and can't remove
Part 7 - Misc:
Personally I don't use the playstore/Google Framework as it sends back WAY to much info for me to trust it. I also reccomend using Full Device Encryption and a secure Kernel such as FuguMod.
Alot of the information I got is from this Sans guide
I will be posting more as I look into other security options
Let me know if I missed anything and please hit thanks if I helped at all.
Bellow is the init.d script I am using (modified from the Sans guide) ** ONLY TESTED ON A GSM GALAXY NEXUS ***:
Part 1 - ADB & Root:
What is ADB:
ADB (A.K.A the Android Debug Bridge) is a tool used by developers to allow access to an android device via a computer. The program consists of a server (ADBD) which lives on the phone/tablet and the client (ADB) which lives on the computer. This allows dev's to quickly access logs and install applications over a command shell.
The Threat:
While ADB is usefull if it is left on an attacker can use it to gain access to the device and dump logs, bypass the lock screen, root the device, steal credentails and more. One such attack is Kos' P2P-ADB. This framework allows an attack to bypass most (if not all) security if ADB is enabled on the device.
The Solution:
The easiest solution is to simply disable Degbuging. The setting is disabled by default but most custom roms have it enabled. To disable (on ICS/JB) it go to:
Code:
Settings ---> Developer Options ---> Android Debugging
For the more paranoid:
Adb actually relies on the ADBD binary. On most AOSP roms the binary is stored in /sbin/adbd if you change the permissions to 000 it can no longer execute and can't be used at all. One way to achieve this is by using this init.d script:
Code:
# Disable the adbd daemon
mount -o rw,remount -t rootfs rootfs /
chmod 000 /sbin/adbd
mount -o ro,remount -t rootfs rootfs /
mount -o ro,remount /system
What is root/superuser:
Quote:
The superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator, admin or supervisor. In some cases the actual name is not significant, rather an authorization flag in the user's profile determines if administrative functions can be performed.
The problem:
Running with root enabled is inherently insecure. If a malicous app is allowed to run with root permisions it has full access to the system and can do what ever it wants (delete information, steal passwords, keylog, activate the camera, etc.)
The Solution:
If you are running a CyanogenMod Rom you can disable root by going to:
Code:
Settings ---> Developer Options ---> Root Access ---> Disabled
Code:
mount -o rw,remount /system
chmod 000 /system/xbin/su
mount -o ro,remount /system
Part 2 - Bluetooth:
Bluetooth is a great technology that allows close range (~30m) wireless comunication between devices such as headsets and speaker phones.
The Problem:
Bluetooth is a wide open whole for an attacker to gain access to your device. There are multiple exploits against bluetooth (such as bluejacking). While most aren't widely used bluetooth should be disabled when not in use.
The Solution:
Disable bluetooth via the settings app:
Code:
Settings ---> Bluetooth ---> Off
Code:
mount -o rw,remount /system
chmod 000 /system/bin/bluetoothd
mount -o ro,remount /system
Code:
mount -o rw,remount /system
chmod 000 /dev/ttyO1
mount -o rw,remount /system
Part 3 - NFC:
What is NFC:
Quote:
Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres. Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a "tag".[2]
NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance.[5]
NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance.[5]
The Problem:
This year at defcon NFC was shown to be vulnerable to attack (http://forum.xda-developers.com/show....php?t=1832186). Another example is the recent Samsung Exploit which can be executed by NFC tags as well.
The Solution:
NFC can be disabled by:
Code:
Settings --- > Wireless & Networks ---> NFC
Alternatively you can disable the NFC Device:
Code:
mount -o rw,remount /system
chmod 000 /dev/ttyO3
mount -o rw,remount /system
Just like a computer android is succeptable to attacks over the network. Bellow is a init.d script that will harden the TCP/IP stack:
Code:
# hardening TCP/IP stack for IPV4
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 #ICMP broadcast
sysctl -w net.ipv4.conf.all.accept_redirects=0 # ICMP redirects ipv4
sysctl -w net.ipv6.conf.all.accept_redirects=0 #ICMP redirects ipv6
sysctl -w net.ipv4.conf.all.send_redirects=0 # ICMP redirects
sysctl -w net.ipv4.conf.all.accept_source_route=0 #source routing disable
sysctl -w net.ipv4.conf.all.forwarding=0 #Forwarding traffic
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.all.log_martians=1 #filter martians
sysctl -w net.ipv4.tcp_max_syn_backlog=1280 # TCP syn half-opened
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.tcp_syncookies=1
Part 5 - Removing unneeded applications:
These commands will remove some applications that aren't needed and may have internet access. The bottom ones are kept for root only:
Code:
rm -f /system/xbin/irsii
rm -f /system/xbin/nano
rm -f /system/xbin/nc
rm -f /system/xbin/telnet
rm -f /system/xbin/telnetd
rm -f /system/xbin/opcontrol
chmod 740 /system/xbin/rsync
chmod 740 /system/xbin/strace
chmod 000 /system/bin/bluetoothd
chmod 750 /system/bin/iptables
chmod 750 /system/bin/ping]
I personally removed "Packet Management" as well to prevent installing apps over USB:
Code:
# disable the Packet Management binary
chmod 000 /system/bin/pm
Part 6 - Removing APK's:
You can also remove unneeded APK's by:
Code:
mount -o rw,remount /system
rm -r /system/app/[apk name here]
mount -o ro,remount /system
Quote:
Bluetooth.apk
NFC.apk
Development.apk
DrmProvider.apk (You may not want to do this if you use the playstore)
Email.apk ( I use K-9 instead)
Exchange.apk (I don't need it you may)
PackageInstaller.apk ( Used to install apps. Don't remove if you want to install apps).
NFC.apk
Development.apk
DrmProvider.apk (You may not want to do this if you use the playstore)
Email.apk ( I use K-9 instead)
Exchange.apk (I don't need it you may)
PackageInstaller.apk ( Used to install apps. Don't remove if you want to install apps).
What apps you can and can't remove
Part 7 - Misc:
Personally I don't use the playstore/Google Framework as it sends back WAY to much info for me to trust it. I also reccomend using Full Device Encryption and a secure Kernel such as FuguMod.
Alot of the information I got is from this Sans guide
I will be posting more as I look into other security options
Let me know if I missed anything and please hit thanks if I helped at all.
Bellow is the init.d script I am using (modified from the Sans guide) ** ONLY TESTED ON A GSM GALAXY NEXUS ***:
Code:
#!/system/bin/sh
# Customize some parameters and lockout the SO
# July 2011
mount -o rw,remount /system
# Disable Bluetooth
chmod 000 /dev/ttyO1
#Disable NFC
chmod 000 /dev/ttyO3
# hardening TCP/IP stack for IPV4/IPV6
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 #ICMP broadcast
sysctl -w net.ipv4.conf.all.accept_redirects=0 # ICMP redirects ipv4
sysctl -w net.ipv6.conf.all.accept_redirects=0 #ICMP redirects ipv6
sysctl -w net.ipv4.conf.all.send_redirects=0 # ICMP redirects
sysctl -w net.ipv4.conf.all.accept_source_route=0 #source routing disable
sysctl -w net.ipv4.conf.all.forwarding=0 #Forwarding traffic
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.all.log_martians=1 #filter martians
sysctl -w net.ipv4.tcp_max_syn_backlog=1280 # TCP syn half-opened
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.tcp_syncookies=1
# Removing/ disabling unnecessary binaries. Some of them have access to Internet
rm -f /system/xbin/irsii
rm -f /system/xbin/nano
rm -f /system/xbin/nc
rm -f /system/xbin/telnet
rm -f /system/xbin/telnetd
No comments:
Post a Comment