Encrypted Call And Text From WhisperSystems

Whispersystems has released two Android apps that allow for encryption of all calls and texts with any other device running the apps.

RedPhone allows for encrypted calls using SRTP and ZRTP between you and other phones running RedPhone. Setup is simple and use of the app is seamless. All calls are VOIP, and the encryption documentation can be found here:

https://github.com/WhisperSystems/RedPhone/wiki/Encryption-Protocols

The other app, TextSecure, allows for both asymmetric encryption between you and those who also run the app as well as local encryption of text messages. You can even set a timeout so that your messages are locked after X minutes/ hours – a very handy feature.

In light of recent disclosures about US wiretapping, PRISM and otherwise, you may want to seriously consider trying these out.

https://github.com/WhisperSystems/TextSecure/wiki/Protocol

You can download both of these apps off of the play store:
https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone

https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms

Android 4.2 Is Out – How’s The Security?

Android 4.1 introduced multiple security improvements, such as implementing proper ASLR with PIE and fixing numerous information leaks. It seems that 4.2 is all about security, really pushing Android up a few notches.

 

  • Application verification — Users can choose to enable “Verify Apps” and have applications screened by an application verifier, prior to installation. App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.
  • More control of premium SMS — Android will provide a notification if an application attempts to send SMS to a short code that uses premium services which might cause additional charges. The user can choose whether to allow the application to send the message or block it.
  • Always-on VPN — VPN can be configured so that applications will not have access to the network until a VPN connection is established. This prevents applications from sending data across other networks.
  • Certificate Pinning — The libcore SSL implementation now supports certificate pinning. Pinned domains will receive a certificate validation failure if the certificate does not chain to a set of expected certificates. This protects against possible compromise of Certificate Authorities.
  • Improved display of Android permissions — Permissions have been organized into groups that are more easily understood by users. During review of the permissions, the user can click on the permission to see more detailed information about the permission.
  • installd hardening — The installd daemon does not run as the root user, reducing potential attack surface for root privilege escalation.
  • init script hardening — init scripts now apply O_NOFOLLOW semantics to prevent symlink related attacks.
  • FORTIFY_SOURCE — Android now implements FORTIFY_SOURCE. This is used by system libraries and applications to prevent memory corruption.
  • ContentProvider default configuration — Applications which target API level 17 will have “export” set to “false” by default for each ContentProvider, reducing default attack surface for applications.
  • Cryptography — Modified the default implementations of SecureRandom and Cipher.RSA to use OpenSSL. Added SSLSocket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1
  • Security Fixes — Upgraded open source libraries with security fixes include WebKit, libpng, OpenSSL, and LibXML. Android 4.2 also includes fixes for Android-specific vulnerabilities. Information about these vulnerabilities has been provided to Open Handset Alliance members and fixes are available in Android Open Source Project. To improve security, some devices with earlier versions of Android may also include these fixes.

The really key security features here are the application verification and the premium SMS warnings. The majority of Android malware out there redirects you to Premium SMS services, which will charge you per-text, easy money for criminals. This should prevent most of those infections.

The OS is also, overall, more difficult to exploit. Most infections are due to social engineering and not exploitation, but for those looking to store sensitive information on their phones (hopefully after encrypting them) this should help keep that information safe.

Source:

https://developer.android.com/about/versions/jelly-bean.html

Avast Mobile AntiVirus – A Mobile AntiVirus That Isn’t Completely Crap

So as you may or may not know Android has attracted a lot of attention from the antivirus industry, there are now at least a dozen antivirus apps. What you probably didn’t know is that the capabilities afforded applications on Android really didn’t allow any of those antivirus programs to work at all, they could keep a local database of hashes and that’s it. File analysis was not possible.

So for the most part they were all crap and they were trying to scare as many people into installing them as possible even though they did nothing (and in the beginning they did worse than nothing).

I haven’t bothered keeping up because seeing article after article of “Android malware explosion!” hyping a situation that doesn’t exist was pretty depressing. But I’d heard that Avast included some features that required root and that definitely got me interested.

Avast on the desktop is alright. If I were into that sort of thing I’d probably pick it, Panda Cloud, or Microsoft Security Essentials. But I’m not so I don’t.

On mobile though it has quite a few features that make it worthwhile. The antivirus component itself may not be on par with desktop versions but I don’t really care about that anyways.

What interests me the most is the Firewall and the AntiTheft. Being able to control internet access on a per-app basis is a great way to restrict them. If you do it on a whitelist basis you can make life harder for an attacker.

The AntiTheft is also nice – it hides itself in the app drawer and allows you to remote lock the device or get its GPS coordinates. It’s similar to WheresMyDroid but with more features such as being able to wipe the entire SD card (requires root) or force the GPS to turn on and send the signal (requires root) among others.

There’s a Web Guard (similar to the desktop version), which I’ve yet to try out but I haven’t noticed any impact on browsing speed so either it’s not doing anything or it’s doing it quickly.

Avast! Mobile also includes what they call Privacy Advisor, which creates an aggregate list of the permissions apps have been assigned on the system. This was actually really useful – I had no idea that Angry Birds had requested the permission to track my location (among other things).

In short, Avast Mobile is a nice security program for Android and the firewall as well as other root features are what make it so.

What I’d like to see is a permission removal system. The example of Angry Birds is appropriate – Angry Birds has a permission that allows it to track my location. I can throw birds at pig houses all day without that permission, I’d like to take it away. This is possible with root and I’d love to see that implemented in Avast!.

I Do Really Like Android

I’m not going to say Android is the most secure OS, I’m not going to say Android is more secure than iOS, and I’m not going to say Android is even secure at all. Maybe it is and maybe it isn’t, that’s not the issue.

I just want to say that the model of having every application forced to declare specific rights is one I can get behind. I the user get to see exactly what this application is going to do when I install it and the operating system is limiting programs. It’s great.

Yes, malware can just declare more rights and I’m just a user so I’ll get tricked eventually. But it’s serious progress. It’s not some BS with ‘Admin’ and ‘User’ groups where when a program says it wants Admin it could have completely legit reasons and then my computer is under some hackers control.

I just like that it tries to force least privilege on everything. It has its issues in the implementation but it at least looks good when you squint.

Securing My Verizon Galaxy Nexus

So I got an Android phone and I think it’s only fair to write up a few things to secure it.

1) I Rooted My Phone

Rooting your phone and unlocking the bootloader doesn’t actually make it more secure. You take your security out of the hardware and you rely on the kernel instead. That’s actually really crappy, but it’s necessary for almost everything else you’ll want.

2) Custom ROM

I’m running a custom operating system on my device. It’s Android, it’s just not the Android that came with it. Specifically the Verizon Galaxy Nexus (as of 07/27/2012) comes with Ice Cream Sandwich (ICS). ICS is the first Android OS to incorporate Address Space Layout Randomization (ASLR) but the ASLR is really weak and preliminary. Jelly Bean, Android 4.1, has full ASLR with Position Independent Executables, hardening against information leaks, full RELRO support for most of the OS, and it’s basically just a whole lot better on the ASLR front.

So moving to Jelly Bean is recommended.

3) Passwords / PIN/ Face Unlock

In terms of security it goes (greatest to least) Password -> PIN -> Face Unlock. Anyone with a Facebook picture of you or some photograph can access your phone if it uses Face Unlock. The feature is really cool and I’d love it if it paired with voice recognition or something (this way the attacker needs your face, your voice, and the phrase) but right now it’s nothing special. PINs are too short, useless against anyone but a friend who wants to mess with you. Passwords are pretty much where it’s at – you’re limited to 16 characters but that’s more than enough.

If you’re not using encryption it actually doesn’t really matter that much – they can get in anyways. But still, always good to go for a password.

4) Encryption Of Home

Android now allows you to encrypt the entire data partition with 128bit AES. I have personally opted out of this function as it’s kind of a pain in the ass – flashing ROMs with it isn’t easy. If I weren’t rooting and doing all this stuff I’d encrypt but for now it’s not worth it.

5) Disabling NFC

NFC allows your Android device to connect to others in short range and transfer information. It’s not good for security. It’s come up multiple times as a potential attack vector and I have no use for it myself.

Settings -> More… -> NFC

Uncheck the box.

If you don’t use it then… don’t use it. There’s no reason to leave it on.

6) Where’s My Droid

This is less of a security app and more of a “oh shit I lost my phone” app. Where’s My Droid is a free app that allows you to send key phrases via text to your phone and have it either ring or send you back a GPS coordinate. It also has a web interface that allows you to get details on the whereabouts of the phone.

If you use Where’s My Droid I highly suggest you make use of the “whitelist” and set it so only a few phones can send the message.