Hardening [tested @ Replicant 4.2]
Added by My Self almost 10 years ago
basic hardening
- prevent "shoulder surfing" attacks
- uncheck: Settings -> Security -> make passwords visible [_]
(this make password entries looks like °°°° instead of switching them digit per digit into dots like °°°s) - and of course, don't let anybody standing around you and reading your password entries "over your shoulder"
(this is really important. Please watch out and hide your device as good as you can from other eyes than your own)
- uncheck: Settings -> Security -> make passwords visible [_]
- protect Superuser
- Settings -> Superuser -> Menu -> Settings -> PIN Protection
(this prevent people with allowed physical access to you device from using or adding apps with root rights) - Be aware of: Settings -> Superuser -> Menu -> Settings -> Declare Permission [_]
(for sure, this point will be deprecated in the future, like done already here: http://su.chainfire.eu/#updates-permission
this means that if you enable this option, some root apps without this declaration will be rejected automatically from Superuser)
- Settings -> Superuser -> Menu -> Settings -> PIN Protection
- Enable screen lock
- Settings -> Security -> Screen lock
and choose:- PIN (if using this, please use more than just 4 digits)
- Password (IMHO the better choice)
- (Pattern is per se insecure and don't work for device encryption)
- (Slide finally isn't a security mechanism)
- Settings -> Security -> Screen lock
- Encrypt your device
- Settings -> Security -> Encrypt phone
(this encrypt your /data folder and your /storage/{sdcard0} folder, which is a symlink to a virtual sdcard that lies under /data
used cipher mode: aes-cbc-essiv:sha256 with 128-bit keys; source: http://isyou.info/jowua/papers/jowua-v5n1-4.pdf) - change encryption password, the easiest way to do this is over an open source apps like (Cryptfs Password):
https://f-droid.org/repository/browse/?fdfilter=cryptfs&fdid=org.nick.cryptfs.passwdmanager
keep in mind, that for example this app, need your Superuser "Declare Permission" to be unchecked.
(Response of the app developer in this context: https://github.com/nelenkov/cryptfs-password-manager/issues/6)
- Settings -> Security -> Encrypt phone
- disable ADB (in the meantime you don't use it; or you probably don't need it at all)
- uncheck: Settings -> Developer Options -> Android debugging [_]
(this prevent "P2P-ADB" attacks like shown here: https://www.youtube.com/watch?v=OmDwl50usZg)
- uncheck: Settings -> Developer Options -> Android debugging [_]
advanced hardening
- use a firewall
- for example the following open source app (AFWall+):
https://f-droid.org/repository/browse/?fdfilter=afwall&fdid=dev.ukanth.ufirewall - inside that app, check: Menu -> Preferences -> IPv6 Support [X]
(AFAIK basic IPv6 supported is present since Android 2.1. Since Android 4.0 IPv6 is also enabled for 3G Networks by default.
So if your Router and/or ISP supports IPv6, you'll get an IPv6 address automatically and should definitely include this point) - also check: Menu -> Preferences -> Fix Startup Data Leak [X]
(this prevent data leaks at boot, before the firewall service is started) - personally, I'm working with "White list" mode, which only allows manually selected apps to have network access (in and out)
if you want to do this, too and want to use NTP (automatic time adjustment over internet), you should enable this two points:- (NTP) - Internet time service = of course ;-)
- (root) - applications running as root = in my tests, NTP only worked if the UDP-packets sent to my DNS server(s) with root rights were not be blocked; while the "why" is a really good question, I sadly don't know the answer :-/
- for example the following open source app (AFWall+):
- enable Pricacy Guard by default
- check: Settings -> Security -> Privacy Guard -> Enable by default [X]
(to activate the Privacy Guard setting for every new installed app automatically; of course you can disable it per app afterward;
you should keep in mind, that apps which need access to your contacts, calendar or GPS should be disabled inside the Privacy Guard) - check: Settings -> Security -> Privacy Guard -> Menu -> Show built-in-apps [X]
(to list all available apps inside the Privacy Guard. You should definitely test the functions you need of the enabled apps)
- check: Settings -> Security -> Privacy Guard -> Enable by default [X]
- Network settings modifications (over Terminal Emulator app, switched to su)
you should set the following values on every boot, because they will be set back to default at the next boot,
(to do this, I've made a little flashable zip with an init.d script inside to run at every boot: hardening_v0.1.zip):- prevent "DoubleDirect" vulnerability
sysctl -w net.ipv4.conf.all.accept_redirects=0 # disable all IPv4 ICMP redirect messages
sysctl -w net.ipv4.conf.default.accept_redirects=0 # disable all IPv4 ICMP redirect messages on all new interfaces
sysctl -w net.ipv6.conf.all.accept_redirects=0 # disable all IPv6 ICMP redirected packets
sysctl -w net.ipv6.conf.default.accept_redirects=0 # disable all IPv6 ICMP redirect messages on all new interfaces - prevent "SYN flood" attacks
sysctl -w net.ipv4.conf.all.rp_filter=1 # do source validation by reversed path (RFC1812) on all interfaces
sysctl -w net.ipv4.conf.default.rp_filter=1 # do source validation by reversed path (RFC1812) on all new interfaces - disable router functionalities
sysctl -w net.ipv4.conf.all.send_redirects=0 # disables acceptance of all IPv4 ICMP redirected packets on all interfaces
sysctl -w net.ipv4.conf.default.send_redirects=0 # disables acceptance of all IPv4 ICMP redirected packets on all new interfaces
sysctl -w net.ipv4.conf.all.secure_redirects=0 # disables acceptance of secure ICMP redirected packets on all interfaces
sysctl -w net.ipv4.conf.default.secure_redirects=0 # disables acceptance of secure ICMP redirected packets on all new interfaces
sysctl -w net.ipv4.conf.default.accept_source_route=0 # disable source routing on all new interfaces; drop packets with SRR option - miscellaneous
sysctl -w net.ipv4.tcp_no_metrics_save=1 # TCP will not cache metrics on closing connections
sysctl -w net.ipv4.icmp_echo_ignore_all=1 # the kernel will ignore all ICMP ECHO requests sent to it - enable "IPv6 privacy extensions" (RFC3041)
sysctl -w net.ipv6.conf.all.use_tempaddr=2 # enable Privacy Extensions and prefer temporary addresses over public addresses
sysctl -w net.ipv6.conf.default.use_tempaddr=2 # enable Privacy Extensions and prefer temporary addresses over public addresses
note to the value: "net.ipv4.icmp_echo_ignore_all". Usually this point is bad for debugging network stuff on your target device.
In te past, this point was known as some kind of security feature, but IMHO, today this is more an urban legend. Becaus this point is set back fast with the following Terminal Emulator command, I've decided to leave it enabled in my init.d script:- echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
or - sysctl -w net.ipv4.icmp_echo_ignore_all=0
- echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
- prevent "DoubleDirect" vulnerability
paranoid hardening
- prevent "privilege escalation" attacks
- removing SUID bits from binaries
you can change the file permissions over the Terminal Emulator app, switched to su (UNTESTED!):
mount -o remount, -rw /system/bin
chmod 0755 /system/bin/ping
chmod 0750 /system/bin/netcfg
chmod 0750 /system/bin/run-as
mount -o remount, -ro /system/bin
mount -o remount, -rw /system/xbin
chmod 0755 /system/xbin/librank
chmod 0755 /system/xbin/procmem
chmod 0755 /system/xbin/procrank
mount -o remount, -ro /system/xbin
or just use my (TESTED!) flashable zip (which also includes the "network settings modifications" from above) named paranoid_hardening_v0.1.zip
- removing SUID bits from binaries
fallback note
Don't be afraid; if you want to set the changes back to default (behavior), just "install" the Replicant .zip file (over CWM Recovery) again.
Over this way you don't lose any personal data or settings you made - even on encrypted devices.
disclaimer
Please don't make me responsible for any damage on your device. I've researched and tested very carefully, but if you want to try this at home, please do it at your own risk.
Any suggestions or comments are appreciated!¶
Replies (9)
Changelog - Added by My Self almost 10 years ago
A startup script will be created under: /system/etc/init.d/42hardening
Changelog
v0.1 (initial release)- basic [hardening]
- prevent "DoubleDirect" vulnerability
- prevent "SYN flood" attacks
- disable router functionalities
- disable ping reply (may by unwanted for debugging reasons)
- enable "IPv6 privacy extensions"
- paranoid [paranoid hardening]
- prevent "privilege escalation" attacks (one-time executed, over updater-script inside the flashable zip)
RE: Hardening [tested @ Replicant 4.2] - Added by Pep tide over 9 years ago
If you install F-Droid as a system app (default on Replicant) you can disable installing apps from unknown sources. F-Droid will then use its system permissions to manage apps, using com.android.defcontainer
(DefaultContainerService.apk
) internally.
When you install/upgrade/uninstall apps, you are interfacing with com.android.packageinstaller
(PackageInstaller.apk
), a handler to open .apk files and display UI dialogs.
Removing com.android.packageinstaller
will allow F-Droid to manage apps, but even with unknown sources enabled, you won't be able install/upgrade/remove apps without using ADB.
You can also remove com.android.defcontainer
if you don't need to use F-Droid.
RE: Hardening [tested @ Replicant 4.2] - Added by Pep tide over 9 years ago
If you used an external SD card, formatting it as ext4 (default is exfat) will give you support for permissions on the file system (as well as other features like symlinks), so apps can be restricted to only read/write to their own storage folders.
RE: Hardening [tested @ Replicant 4.2] - Added by My Self about 9 years ago
- There is a setting under: Settings -> Developer options -> Protect SD card, which could be interesting for you.
If this point is enabled, apps must request permissions to read data from external storage (SD card).
But beware: some apps may not work until they'll be updated by their developer. Just if you want to try this point. - A cool app hits the F-Droid store: https://f-droid.org/repository/browse/?fdid=cz.eutopia.snooperstopper
With this tool you could restrict the pattern/PIN/password entry of your encrypted device to a specified number of tries, before the device reboots and ask for the stronger encryption password (instead of the unlock one), which could also be modified with this app to a different/stronger one. - Last but not least, I've made a little overview about Replicant's system apps. What they do, what permissions they need, and which one is optionally safe to remove. The overview is attached as a PDF file here: https://redmine.replicant.us/boards/9/topics/10875?r=10929#message-10929
RE: Hardening [tested @ Replicant 4.2] - Added by christina d about 9 years ago
My Self, would you recommend Orbot to pass all connections through Tor?
RE: Hardening [tested @ Replicant 4.2] - Added by My Self about 9 years ago
My Self, would you recommend Orbot to pass all connections through Tor?
While I'm not sure, why especially me could give a dedicated answer for that, my first counter question would be: why not?
But IMHO it depends on what you're doing with your device. If you're using facebook, online banking and such things, it's possibly not the best idea to pass really all connections through TOR, because you deanonymizing yourself by using services which identifies you with your real identity.
Also if you have registered yourself with your real name to the email provider you possibly using, and/or send/receive unencrypted emails, I would also exclude the mailing app etc.
I personally would prefer Lightning Browser instead of the stock browser, because:
- http://redmine.replicant.us/boards/9/topics/10875?r=10887#message-10887
- it have a simple option to use Orbot, if installed (Settings -> General Settings -> HTTP Proxy -> Orbot).
As a TOR alternative you could also use, (or wait until it's available on f-droid) VPN-services like: https://bitmask.net/en
Hope that helps in any way.
RE: Hardening [tested @ Replicant 4.2] - Added by My Self almost 9 years ago
+1 reason to encrypt your device:
75% of Android devices can be remotely unlocked by Google
http://betanews.com/2015/11/23/google-can-remotely-reset-your-android-passcode/
[UPDATE]
To be fair, Google's statement added: https://plus.google.com/+AdrianLudwig/posts/JFPXLnV3M2f
RE: Hardening [tested @ Replicant 4.2] - Added by Steve iphone over 8 years ago
Hey folks I'm Steve and new here.
First i will thank you, for this awesome project :)
I've got a question about the hardening script (.zip).
I dont know, how to boot any scripts on the system, someone can tell me what to do?
Until now i've been typed every command on terminal manualy after reboot.
RE: Hardening [tested @ Replicant 4.2] - Added by My Self over 8 years ago
Hi Steve, and sorry for the delayed response.
Hope this post (section "2.") will help you: http://redmine.replicant.us/boards/39/topics/10575?r=10665#message-10665