- Table of contents
- Usage Notes
- Enabling root access
- Device Encryption
- Browser and webview: freedom and security issues
- Camera app
- Barcode scanning
- Video playback
- Terminal emulator
General-purpose usage notes and tips can be found on this page.
The website also provides recommendations and general advice.
Enabling root access¶
To allow root access, open the Developer options in the settings. There, press Root access. In the pop-up menu, select either Apps only, ADB only or Apps and ADB, depending on how you want to restrict root access. See ADB for more information about root access with ADB.
- On Replicant 6.0, the encryption scheme is specific to Android. Because of that if the device is broken, even if you have the passphrase, it's more complicated to recover the data.
- Replicant doesn't have protections against Evil maid attacks
While that Android feature is called "Device encryption", it doesn't encrypt everything.
For instance, on a Galaxy SIII, enabling "Device encryption" only encrypts the USERDATA partition.
As the encrypted partitions have to be opened, and that the user need to type a password, code has to run to prompt user for the password and open the encrypted partition. That code cannot come from within the encrypted partition.
This is why "full disk encryption" or "device encryption" schemes often have parts that are unencrypted.
Setting a device encryption password separate from the lockscreen password¶
By default on Android, the encryption password is the same as the lockscreen password. As users tend to use a simple PIN, password or pattern for the lockscreen, the encryption can be easily circumvented with a brute-force attack.Replicant allows to set an encryption password that is not tied to the lockscreen:
- Encrypt your device (In the settings: Security -> Encrypt phone)
- After the phone has rebooted and the encryption is set up, select Change encryption password in the Security menu of the settings
- Choose a strong passphrase. You will only have to enter this passphrase once when the device boots. There is a section below that elaborates more on how to choose a strong passphrase.
- Reboot the device and verify that the encryption works properly by entering the previously chosen passphrase
If a separate encryption password is in place and a PIN or password is set for the lockscreen, another security measure is active: After five unsuccessful attempts to unlock the screen, the device is rebooted and the attacker is faced with the much stronger encryption passphrase. This makes brute-force attacks on the lockscreen much harder.
Choosing a strong passphrase¶
As Android uses cryptsetup, most or all the Cryptsetup FAQ also apply to Replicant as well.
That FAQ has a Security Aspects section where it details the cost of breaking a passphrase in a table like this one:
|Passphrase entropy||Cost to break|
|50 bit||EUR/USD 600k|
|55 bit||EUR/USD 20M|
|70 bit||EUR/USD 600B|
|75 bit||EUR/USD 20T|
Be sure to look at the FAQ for potentially more up to date figures and the details that goes with them.
As for calculating the passphrase entropy, tools like keepassxc (which is available in Parabola) have a password generator that is able to calculate the entropy. At the time of writing, in keepassxc, this can be found in
Real example of a bad password¶For instance if we use
Replicantas a password is a very bad idea for several reasons:
- Casual attackers knowing that the device is running Replicant and can simply try various variations on Replicant by hand. They'll most probably find it.
- Attackers can easily copy the encrypted partition and try entries from dictionaries, it will probably find it very fast too.
- Slightly more sophisticated attackers probably have optimized dictionaries that try variations on common words with accurate statistical models. It will probably find it very fast too.
- Even with brute-force it's way too easy to find: It's too short and not enough random. Using Keepasxc to calculate the entropy gives us 15.32 bits of entropy. That's about 20452 tries in average (1/2 * 2^(bits of entropy in passphrase, according to the cryptsetup FAQ). So even with a slow computer that only does 1 try per second, we only spend 5h40 to find it.
- Do not set the default keyboard (LatinIME) as a non-system app if you use encryption: it will prevent you from entering the password to open the encrypted storage.
Browser and webview: freedom and security issues¶
Prevent usage of the embedded webview in apps¶
Use two web browsers¶
**Note: The recommendation above to use the Lightning browser needs to be reviewed because it hasn't been updated in over two years
Use a Gecko-based web browser¶
Gecko-based web browsers (such as IceCatMobile and Orfox) don't use WebView, and therefore don't have the security issues associated with WebView. However, Gecko-based web browsers require enabling llvmpipe.
Backups can be made using oandbackup or
If you created a backup of system applications before switching from the factory image or a different Android distribution to Replicant or before an upgrade to a new major release (e.g. from Replicant 4.2 to Replicant 6.0), restoring this backup will cause issues. The installation pages require a factory reset in these cases because the data is incompatible, so a backup of the data is incompatible as well.
SMS and contacts apps usually provide ways to export contacts and messages. Using these means to backup and restore the data will likely be successful and won't result in misbehaving apps.
- If the front camera on your device requires a non-free firmware, selecting the front camera will crash the app and you will not be able to use the app unless you delete the data of the app:
- In the settings under Personal, select Apps
- There will be two apps named Camera. Select the second one that has a camera as icon.
- Press Storage
- Select Clear Data and confirm the dialog
You should now be able to use the camera again.
- If the camera app freezes when you take a picture, press the shutter button a second time. This should restart the camera in the background and take the picture.
- If your device needs a non-free firmware for hardware media encoding/decoding, video recording will not work.
Viewing videos in the gallery or in the browser is not possible. See #1539 for background information.
Only the VLC app is known to be able to play videos on Replicant. Make sure to disable hardware acceleration in the settings to prevent crashes.
Replicant 6.0 includes a minimal terminal app, but it is not accessible by default. To make the app visible in the launcher, open the Developer options in the settings. In the Debugging section, enable Local terminal. A more feature-complete terminal emulator is available from F-Droid: https://f-droid.org/repository/browse/?fdfilter=terminal&fdid=jackpal.androidterm.