Hardening [tested @ Replicant 4.2]

Added by My Self almost 3 years ago

basic hardening

  • prevent "shoulder surfing" attacks
    • uncheck: Settings -> Security -> make passwords visible [_]
      (this makes password entries look like °°°° instead of showing each character briefly before it turns into a dot, like °°°s)
    • and of course, don't let anybody stand around you and read your password entries "over your shoulder"
      (this is really important. Please watch out and hide your device as well as you can from eyes other than your own)
  • protect Superuser
    • Settings -> Superuser -> Menu -> Settings -> PIN Protection
      (this prevents people with allowed physical access to your device from using or adding apps with root rights)
    • Be aware of: Settings -> Superuser -> Menu -> Settings -> Declare Permission [_]
      (for sure, this point will be deprecated in the future, as has already been done here: http://su.chainfire.eu/#updates-permission
      this means that if you enable this option, some root apps without this declaration will automatically be rejected by Superuser)
  • Enable screen lock
    • Settings -> Security -> Screen lock
      and choose:
      • PIN (if using this, please use more than just 4 digits)
      • Password (IMHO the better choice)
      • (Pattern is per se insecure and doesn't work for device encryption)
      • (Slide, finally, isn't a security mechanism)
  • disable ADB (while you aren't using it; or you probably don't need it at all)

advanced hardening

  • use a firewall
    • for example the following open source app (AFWall+):
      https://f-droid.org/repository/browse/?fdfilter=afwall&fdid=dev.ukanth.ufirewall
    • inside that app, check: Menu -> Preferences -> IPv6 Support [X]
      (AFAIK basic IPv6 support has been present since Android 2.1. Since Android 4.0 IPv6 is also enabled for 3G networks by default.
      So if your router and/or ISP supports IPv6, you'll get an IPv6 address automatically and should definitely include this point)
    • also check: Menu -> Preferences -> Fix Startup Data Leak [X]
      (this prevents data leaks at boot, before the firewall service is started)
    • personally, I'm working in "White list" mode, which only allows manually selected apps to have network access (in and out)
      if you want to do this too and want to use NTP (automatic time adjustment over the internet), you should enable these two points:
      • (NTP) - Internet time service = of course ;-)
      • (root) - applications running as root = in my tests, NTP only worked if the UDP packets sent to my DNS server(s) with root rights were not blocked; why that is so is a really good question, and sadly I don't know the answer :-/
  • enable Privacy Guard by default
    • check: Settings -> Security -> Privacy Guard -> Enable by default [X]
      (to activate the Privacy Guard setting for every newly installed app automatically; of course you can disable it per app afterwards;
      you should keep in mind that apps which need access to your contacts, calendar or GPS should be disabled inside the Privacy Guard)
    • check: Settings -> Security -> Privacy Guard -> Menu -> Show built-in apps [X]
      (to list all available apps inside the Privacy Guard. You should definitely test the functions you need in the enabled apps)
  • Network settings modifications (over the Terminal Emulator app, switched to su)
    you should set the following values on every boot, because they will be reset to default at the next boot
    (to do this, I've made a little flashable zip with an init.d script inside that runs at every boot: hardening_v0.1.zip):
    • prevent "DoubleDirect" vulnerability
      sysctl -w net.ipv4.conf.all.accept_redirects=0 # do not accept IPv4 ICMP redirect messages on any interface
      sysctl -w net.ipv4.conf.default.accept_redirects=0 # do not accept IPv4 ICMP redirect messages on new interfaces
      sysctl -w net.ipv6.conf.all.accept_redirects=0 # do not accept IPv6 ICMP redirect messages on any interface
      sysctl -w net.ipv6.conf.default.accept_redirects=0 # do not accept IPv6 ICMP redirect messages on new interfaces
    • prevent "SYN flood" attacks
      sysctl -w net.ipv4.conf.all.rp_filter=1 # strict reverse path filtering (RFC 1812) on all interfaces: drop packets whose source address is not reachable via the interface they arrived on
      sysctl -w net.ipv4.conf.default.rp_filter=1 # the same reverse path filtering on all new interfaces
    • disable router functionalities
      sysctl -w net.ipv4.conf.all.send_redirects=0 # do not SEND IPv4 ICMP redirects on any interface (only routers should do that)
      sysctl -w net.ipv4.conf.default.send_redirects=0 # do not SEND IPv4 ICMP redirects on new interfaces
      sysctl -w net.ipv4.conf.all.secure_redirects=0 # only matters while accept_redirects=1: 0 would accept redirects from any host, 1 only from listed default gateways; harmless here solely because accept_redirects is already 0
      sysctl -w net.ipv4.conf.default.secure_redirects=0 # the same on all new interfaces
      sysctl -w net.ipv4.conf.all.accept_source_route=0 # disable source routing on all interfaces; drop packets with the SRR option
      sysctl -w net.ipv4.conf.default.accept_source_route=0 # disable source routing on all new interfaces; drop packets with the SRR option
    • miscellaneous
      sysctl -w net.ipv4.tcp_no_metrics_save=1 # TCP will not cache metrics on closing connections
      sysctl -w net.ipv4.icmp_echo_ignore_all=1 # the kernel will ignore all ICMP ECHO requests sent to it
    • enable "IPv6 privacy extensions" (RFC3041)
      sysctl -w net.ipv6.conf.all.use_tempaddr=2 # enable Privacy Extensions and prefer temporary addresses over public addresses
      sysctl -w net.ipv6.conf.default.use_tempaddr=2 # enable Privacy Extensions and prefer temporary addresses over public addresses
      note on the value "net.ipv4.icmp_echo_ignore_all": usually this point is bad for debugging network stuff on your target device.
      In the past, this point was known as some kind of security feature, but IMHO, today this is more of an urban legend. Because this point can be reverted quickly with the following Terminal Emulator command, I've decided to leave it enabled in my init.d script:
      • echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
        or
      • sysctl -w net.ipv4.icmp_echo_ignore_all=0

paranoid hardening

  • prevent "privilege escalation" attacks
    • removing SUID bits from binaries
      you can change the file permissions over the Terminal Emulator app, switched to su (UNTESTED!):
      mount -o remount,rw /system # /system is the mount point; /system/bin and /system/xbin are ordinary directories on it
      chmod 0755 /system/bin/ping
      chmod 0750 /system/bin/netcfg
      chmod 0750 /system/bin/run-as # run-as needs its setuid bit to switch to an app's UID; "adb shell run-as <package>" stops working without it
      chmod 0755 /system/xbin/librank
      chmod 0755 /system/xbin/procmem
      chmod 0755 /system/xbin/procrank
      mount -o remount,ro /system
      or just use my (TESTED!) flashable zip (which also includes the "network settings modifications" from above) named paranoid_hardening_v0.1.zip

fallback note
Don't be afraid; if you want to set the changes back to default (behavior), just "install" the Replicant .zip file (over CWM Recovery) again.
This way you don't lose any personal data or settings you've made - even on encrypted devices.

disclaimer
Please don't hold me responsible for any damage to your device. I've researched and tested very carefully, but if you want to try this at home, please do it at your own risk.

Any suggestions or comments are appreciated!
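The network settings above are applied by hand in the post and by the author's hardening_v0.1.zip, whose init.d script is not reproduced on this page. What follows is an added example written for this page (not the author's script and not part of Replicant): a stand-alone init.d-style script that writes the same values through /proc/sys at boot and then reads them back, so a wrong or unsupported key shows up instead of silently staying at its default. Assumptions: an init.d-capable ROM that runs /system/etc/init.d scripts as root (the file name 42hardening is taken from the changelog reply further down), a POSIX shell, and a kernel with IPv6 (keys that do not exist are skipped). It deliberately differs from the post in two places, both marked in the code: it sets net.ipv4.conf.all.accept_source_route as well as the "default" entry, and it sets secure_redirects to 1 rather than 0, because 0 is the permissive value and only looks harmless in the post because accept_redirects is already 0.

```sh
#!/system/bin/sh
# Added example for this thread, not the author's hardening_v0.1.zip: apply the sysctl hardening
# through /proc/sys at boot and read every value back. Assumes an init.d-capable ROM running this
# as root (e.g. as /system/etc/init.d/42hardening) and a POSIX shell; no busybox "sysctl" needed.

PROC_SYS=${PROC_SYS:-/proc/sys}   # overridable so apply/verify can be exercised on a scratch tree as non-root

# Desired values: one "path value # comment" per line, path relative to /proc/sys.
hardening_sysctls() {
  cat <<'EOF'
net/ipv4/conf/all/accept_redirects        0  # DoubleDirect: do not accept ICMP redirects
net/ipv4/conf/default/accept_redirects    0
net/ipv6/conf/all/accept_redirects        0
net/ipv6/conf/default/accept_redirects    0
net/ipv4/conf/all/rp_filter               1  # strict reverse path filtering (RFC 1812, anti-spoofing)
net/ipv4/conf/default/rp_filter           1
net/ipv4/conf/all/send_redirects          0  # this device is not a router: never send redirects
net/ipv4/conf/default/send_redirects      0
net/ipv4/conf/all/secure_redirects        1  # 1, not 0 as in the post: 0 would accept redirects from any host if accept_redirects were ever re-enabled
net/ipv4/conf/default/secure_redirects    1
net/ipv4/conf/all/accept_source_route     0  # drop source-routed packets (the post only sets the "default" entry)
net/ipv4/conf/default/accept_source_route 0
net/ipv4/tcp_no_metrics_save              1  # do not cache TCP metrics of closed connections
net/ipv4/icmp_echo_ignore_all             1  # as in the post; revert with: echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
net/ipv6/conf/all/use_tempaddr            2  # IPv6 privacy extensions (RFC 3041/4941), prefer temporary addresses
net/ipv6/conf/default/use_tempaddr        2
EOF
}

# Return 0 if the file holds exactly the expected value, 1 otherwise (/proc/sys is readable without root).
check_value() {
  [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]
}

# Write every value; keys the kernel does not have (e.g. no IPv6) are skipped, not fatal.
apply_all() {
  hardening_sysctls | while read -r key val _comment; do
    p=$PROC_SYS/$key
    [ -e "$p" ] || continue
    printf '%s\n' "$val" > "$p" || printf 'apply failed: %s\n' "$key" >&2
  done
}

# Read everything back: one line per key, return 1 if any value is wrong.
verify_all() {
  bad=0
  while read -r key val _comment; do
    p=$PROC_SYS/$key
    [ -e "$p" ] || continue
    if check_value "$p" "$val"; then
      printf 'ok   %s = %s\n' "$key" "$val"
    else
      printf 'BAD  %s = %s (want %s)\n' "$key" "$(cat "$p")" "$val"
      bad=1
    fi
  done <<EOF
$(hardening_sysctls)
EOF
  return $bad
}

case "${1:-}" in
  check) verify_all ;;
  apply) apply_all; verify_all ;;
  "")    # no argument is how init.d (run-parts) invokes us on the device; do nothing elsewhere
         if [ -f /system/build.prop ] && [ "$(id -u)" = 0 ]; then apply_all; verify_all; fi ;;
esac
```

Save it as /system/etc/init.d/42hardening with mode 755 on a rw-remounted /system, reboot, and run `sh /system/etc/init.d/42hardening check` from a root shell to confirm every line reads "ok"; `apply` sets the values immediately without a reboot. The PROC_SYS variable only exists so the apply and verify logic can be tried against a scratch directory as an unprivileged user before touching the device.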


Replies (9)

Changelog - Added by My Self almost 3 years ago

A startup script will be created under: /system/etc/init.d/42hardening

Changelog

v0.1 (initial release)
  • basic [hardening]
    • prevent "DoubleDirect" vulnerability
    • prevent "SYN flood" attacks
    • disable router functionalities
    • disable ping reply (may be unwanted for debugging reasons)
    • enable "IPv6 privacy extensions"
  • paranoid [paranoid hardening]
    • prevent "privilege escalation" attacks (one-time executed, over updater-script inside the flashable zip)
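The chmod list in the paranoid section above clears the bits of a handful of known names. Before flashing a zip that changes permissions system-wide, a practitioner would first want to see what is actually setuid/setgid on the device and exactly what will change. The script below is an added example for this page (not the author's paranoid_hardening zip and not Replicant's code): it lists setuid/setgid files under a root directory, reports the ones that are not on an allow list, and optionally clears their bits while leaving the rwx bits alone. Assumptions: a `find` that supports `-perm` and a `chmod` that accepts symbolic modes, i.e. busybox on the device (the Android 4.2 toolbox versions do not), a root shell, and /system remounted read-write before `fix`. The allow list is your choice; the usage below keeps /system/bin/run-as, which needs its setuid bit for `adb shell run-as`.

```sh
#!/system/bin/sh
# Added example for this thread, not the author's paranoid_hardening zip: audit setuid/setgid
# files below $ROOT, report the ones not on an allow list, and optionally clear their bits.
# Assumes busybox find/chmod (symbolic modes) on the device; run as root with /system mounted rw.

ROOT=${ROOT:-/system}   # overridable so the logic can be exercised on a scratch directory

# Print every regular file under $ROOT carrying the setuid (4000) or setgid (2000) bit, sorted.
list_suid() {
  find "$ROOT" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# $1: space-separated allow list of paths that may keep their bits (e.g. "/system/bin/run-as").
# Prints the setuid/setgid files that are NOT allowed; empty output means nothing unexpected.
unexpected_suid() {
  list_suid | while read -r f; do
    case " $1 " in
      *" $f "*) ;;                 # on the allow list: keep it
      *) printf '%s\n' "$f" ;;    # unexpected: report it
    esac
  done
}

# Read paths on stdin and clear their setuid and setgid bits, leaving the rwx bits unchanged.
drop_suid() {
  while read -r f; do
    [ -f "$f" ] || continue
    chmod u-s,g-s "$f" && printf 'cleared: %s\n' "$f"
  done
}

case "${1:-}" in
  list)  list_suid ;;
  check) unexpected_suid "${2:-}" ;;
  fix)   unexpected_suid "${2:-}" | drop_suid ;;
esac
```

Usage from a root shell: `sh suid-audit.sh list` shows everything that is setuid/setgid under /system; `sh suid-audit.sh check "/system/bin/run-as"` shows what `fix` would touch; `sh suid-audit.sh fix "/system/bin/run-as"` clears the bits on those files after `mount -o remount,rw /system`. Running `list` again afterwards is the check that the change took effect.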

RE: Hardening [tested @ Replicant 4.2] - Added by Pep tide over 2 years ago

If you install F-Droid as a system app (default on Replicant) you can disable installing apps from unknown sources. F-Droid will then use its system permissions to manage apps, using com.android.defcontainer (DefaultContainerService.apk) internally.

When you install/upgrade/uninstall apps, you are interfacing with com.android.packageinstaller (PackageInstaller.apk), a handler to open .apk files and display UI dialogs.

Removing com.android.packageinstaller will allow F-Droid to manage apps, but even with unknown sources enabled, you won't be able to install/upgrade/remove apps without using ADB.

You can also remove com.android.defcontainer if you don't need to use F-Droid.

See http://wiki.cyanogenmod.org/w/Barebones

RE: Hardening [tested @ Replicant 4.2] - Added by Pep tide over 2 years ago

If you used an external SD card, formatting it as ext4 (default is exfat) will give you support for permissions on the file system (as well as other features like symlinks), so apps can be restricted to only read/write to their own storage folders.

RE: Hardening [tested @ Replicant 4.2] - Added by My Self about 2 years ago

A little update with 3 points I would like to add here:
  • There is a setting under: Settings -> Developer options -> Protect SD card, which could be interesting for you.
    If this point is enabled, apps must request permission to read data from external storage (SD card).
    But beware: some apps may not work until they're updated by their developer. So only try this point if you want to.
  • A cool app has hit the F-Droid store: https://f-droid.org/repository/browse/?fdid=cz.eutopia.snooperstopper
    With this tool you can restrict the pattern/PIN/password entry of your encrypted device to a specified number of tries, before the device reboots and asks for the stronger encryption password (instead of the unlock one), which can also be changed with this app to a different/stronger one.
  • Last but not least, I've made a little overview of Replicant's system apps: what they do, what permissions they need, and which ones are optionally safe to remove. The overview is attached as a PDF file here: https://redmine.replicant.us/boards/9/topics/10875?r=10929#message-10929

RE: Hardening [tested @ Replicant 4.2] - Added by christina d almost 2 years ago

My Self, would you recommend Orbot to pass all connections through Tor?

RE: Hardening [tested @ Replicant 4.2] - Added by My Self almost 2 years ago

> My Self, would you recommend Orbot to pass all connections through Tor?

While I'm not sure why I in particular could give a dedicated answer to that, my first counter-question would be: why not?

But IMHO it depends on what you're doing with your device. If you're using Facebook, online banking and such things, it's possibly not the best idea to pass really all connections through Tor, because you're deanonymizing yourself by using services which identify you with your real identity.
Also, if you have registered with your real name at the email provider you're possibly using, and/or send/receive unencrypted emails, I would also exclude the mailing app etc.

So, if you just want to hide your browser search requests, for example, I would enable Tor for the browser(s) only. Please keep in mind that your browser configuration spreads its fingerprint to the sites you visit, as discussed here: http://redmine.replicant.us/boards/39/topics/9093
I personally would prefer Lightning Browser instead of the stock browser, because:

As a Tor alternative you could also use (or wait until it's available on F-Droid) VPN services like: https://bitmask.net/en

Hope that helps in any way.

RE: Hardening [tested @ Replicant 4.2] - Added by My Self almost 2 years ago

+1 reason to encrypt your device:
75% of Android devices can be remotely unlocked by Google
http://betanews.com/2015/11/23/google-can-remotely-reset-your-android-passcode/

[UPDATE]
To be fair, Google's statement added: https://plus.google.com/+AdrianLudwig/posts/JFPXLnV3M2f

RE: Hardening [tested @ Replicant 4.2] - Added by Steve iphone over 1 year ago

Hey folks, I'm Steve and new here.
First I want to thank you for this awesome project :)

I've got a question about the hardening script (.zip).
I don't know how to run any scripts on the system at boot; can someone tell me what to do?

Until now I've been typing every command in the terminal manually after each reboot.

RE: Hardening [tested @ Replicant 4.2] - Added by My Self over 1 year ago

Hi Steve, and sorry for the delayed response.

Hope this post (section "2.") will help you: http://redmine.replicant.us/boards/39/topics/10575?r=10665#message-10665
