Basically I want my Android phone to stop responding to ping requests.
I tried searching but I found no solution to this matter.
Has anyone done this? What's the easiest solution to permanently prevent the phone from responding to ping requests?
My phone is rooted and running 2.1 if that helps.
You can use iptables:
iptables -A INPUT -p icmp -j REJECT
Thanks for the reply!
This works great until I restart my phone.
What would be the best way to store this setting permanently?
I tried searching for an iptables config file but I couldn't find any.
iptables has no config file, you need to run a script with all the rules.
In the market you can find Autostart (root) to run a script at boot.
I downloaded Autostart and then ran the following commands:
Code:
su
mkdir /data/opt
echo "iptables -A INPUT -p icmp -j REJECT" > /data/opt/autostart.sh
Then I rebooted, pressed "Allow Always" for Autostart and rebooted once more.
Still I can ping my phone. Did I do anything wrong? Any more suggestions?
Check the rules with 'iptables -L -nv'
If nothing, try with the full path to iptables in the script (/system/xbin/iptables) and 'chmod 755 /data/opt/autostart.sh'
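An added example (not code from the thread) that pulls the replies together into one boot script for Autostart: it calls iptables by full path and can be re-run without stacking duplicate rules. It goes beyond the thread in two ways: it matches only ICMP echo-request, so other ICMP such as fragmentation-needed messages still arrives, and it uses DROP instead of REJECT so no ICMP error is sent back. The `IPTABLES` variable name is an assumption of this sketch.

```shell
#!/system/bin/sh
# Added example: boot-time rule for Autostart (root), saved as /data/opt/autostart.sh
# and made executable with chmod 755 as suggested in the thread.
# Assumption: iptables lives at /system/xbin/iptables (the path given in the thread);
# IPTABLES is a variable name invented for this sketch.
IPTABLES="${IPTABLES:-/system/xbin/iptables}"

# Rule specification shared by the delete and append calls.
# Only echo-request (ping) is matched; all other ICMP types keep working.
RULE="INPUT -p icmp --icmp-type echo-request -j DROP"

# Remove every existing copy of the rule, then add exactly one.
# -D fails as soon as no copy is left, which ends the loop.
ensure_ping_drop() {
    n=0
    while "$IPTABLES" -D $RULE 2>/dev/null; do
        n=$((n + 1))
        [ "$n" -ge 50 ] && break   # safety stop in case -D never fails
    done
    "$IPTABLES" -A $RULE
}

# Apply at boot only if the binary is really there; otherwise say so,
# which is the failure the thread ran into with the bare command name.
if [ -x "$IPTABLES" ]; then
    ensure_ping_drop
else
    echo "iptables not found at $IPTABLES" >&2
fi
```

After a reboot, `iptables -L -nv` should list exactly one DROP rule for ICMP in the INPUT chain.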
I've been messing around with my Dev Magic and found a site for the G1 with some stuff to try:
http://gettinthru.blogspot.com/2009/04/mods-for-tmobile-g1-at-your-own-risk.html
In there, some of the things suggested use the linux command "cp" to copy files from/to the SD card. Problem is, I can't see it listed. Here is the listing of commands in /system/bin:
system_server
mediaserver
app_process
surfaceflinger
dalvikvm
dexopt
rild
wlan_loader
sdutil
service
netcfg
dumpsys
hcid
dd
cmp
df
date
cat
bugreport
chmod
chown
wpa_supplicant
wpa_cli
wipe
watchprops
vmstat
umount
top
vold
sync
stop
start
smd
sleep
setprop
setconsole
sendevent
schedtop
set_grp_id
route
rmmod
rmdir
renice
rm
reboot
radiooptions
ps
qemud
printenv
notify
netstat
mv
mount
mkdosfs
lsmod
mkdir
ls
log
ln
ioctl
kill
installd
iftop
insmod
ifconfig
id
hd
htclogkernel
getevent
getprop
flash_image
dvz
dmesg
dumpcrash
dhcpcd
debug_tool
toolbox
dumpstate
servicemanager
hciattach
logcat
sdptool
dbus-daemon
gzip
showlease
sh
schedtest
ping
logwrapper
iptables
linker
debuggerd
dosfsck
gdbserver
pm
svc
input
am
ime
monkey
akmd
As you can see, no cp. Any suggestions like a .apk of the command to push over to it?
Cheers
You can use dd to copy files as long as you don't have busybox (on the Dream "all" the rooted images come with busybox)...
However you can use busybox from a non-rooted device by copying it to the folder "sqlite_stmt_journals" as it has both exec/write rights...
Seem to be sorted now...
I found that I can install Busybox like the G1 owners have as standard:
http://www.androidfanatic.com/cms/community-forums.html?func=view&id=228&catid=9
Followed the guide and have cp and loads of stuff to play with now.
Cheers for your responses.
No problem... Won't take long before custom images are put together that include busybox as the magic now can also be rooted like the dream.
the "rootme" rom i provide in my rooting procedure has busybox installed, as well as apps2sd
the easiest way to replace the "cp" command is using "cat"
cat "sourcefile" > "targetfile"
if you need to copy more files, create a small script with a "for" loop.
Tom
So I've been tinkering with my Droid X on Cricket for the last two months. Got the FlyX rom on it. I was able to flash it right after I got it and everything works...except for MMS, which has been flaky. I have probably flashed this phone at least 10 times now and I can always get everything working except for MMS. I have the same problem with my fiancée's Droid 2 as well.
After going through APN's, PRL's, triple-checking all settings in QPST and CDMA WS, checking my account w/Cricket, etc. etc. it seems I finally narrowed it down to an autostart.sh issue.
I could be wrong but here's what happens - when I use the autostart.sh in Token's zip my MMS works perfectly every single time, the 3G icon is there but I have no internet or market or app data. When I use the autostart.sh from Whiterabbit's site then all data works perfectly except MMS.
I tried creating my own autostart.sh, incorporating parts of Token's along with the static IP from Whiterabbit but that resulted in no data and no MMS.
Here's the two files. First, the autostart.sh from Whiterabbit's site:
#!/system/bin/sh
export PATH="$PATH:/system/bin"
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -A OUTPUT -o ppp0 -p 6 ! -d 10.132.25.254 -j REDIRECT --to-port 1025
u2nl 10.132.25.254 8080 127.0.0.1 1025 >/dev/null 2>&1 &
sh -c "sleep 5;kill `ps|grep nk.bla.android.autostart|grep -v grep|awk '{print $2}'`" &
exit 0
And here's the autostart.sh from Token's zip:
#!/system/bin/sh
export PROXYHOST=wap.mycricket.com
export PROXYPORT=8080
#you shouldn't have to edit anything below this line
export PATH="$PATH:/system/bin"
until netcfg|grep -v DOWN|awk '{print $1}'|grep -v wlan|grep -v lo >/dev/null 2>&1 ; do sleep 1 ; done
export INTERFACE=`netcfg|grep -v DOWN|awk '{print $1}'|grep -v wlan|grep -v lo`
export PROXYIP=`ping -c 1 $PROXYHOST|grep PING|cut -d\) -f1|cut -d\( -f2`
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -A OUTPUT -o $INTERFACE -p tcp -d 10/8 -j ACCEPT
iptables -t nat -A OUTPUT -o $INTERFACE -p tcp -d 172.16/12 -j ACCEPT
iptables -t nat -A OUTPUT -o $INTERFACE -p tcp -d 192.168/16 -j ACCEPT
iptables -t nat -A OUTPUT -o $INTERFACE -p tcp -j REDIRECT --to-port 1025
u2nl $PROXYIP $PROXYPORT 127.0.0.1 1025 >/dev/null 2>&1 &
sh -c "sleep 5;kill `ps|grep nk.bla.android.autostart|grep -v grep|awk '{print $2}'`" >/dev/null 2>&1 &
exit 0
It is insanely frustrating to be so close to a fully functional phone. Clearly I don't know enough to be able to create a good autostart.sh file. Any suggestions?
Bump....
Should I post this in the Droid X forum?
Finally managed to create an autostart.sh file that works for me as well as my fiancee's Droid 2. PM me if anyone needs it.
Sent from my DROIDX using XDA App
Droid X Cricket MMS not working
I've been having the same problem. I'm on the android $55 plan so that my wife gets faster speed. I'm using this link below but not using the ROMS. What other settings did you use to get it working? What plan are you on and what speed are you getting?
http://forum.xda-developers.com/showthread.php?t=881883
I just saw I had a bunch of PM's from people...I figured I would get notified via email about that, but I guess I should check that.
Sorry to anyone who's been waiting a while for this autostart file, but here it is. Just remove the .zip at the end of the file name. By the way, ever since I created this autostart file my MMS worked great until about a week ago, and then it stopped working on my Droid X and Droid 2 on the same day. Some other cricket users were having the same issue but I think we've got that fixed now.
I switched both phones to the $55 Android plan and made a couple quick changes which I posted here: http://forum.xda-developers.com/showthread.php?t=1010880&page=4
Obviously using the $55 Android plan I am no longer using autostart.sh and u2nl. If you want to try this, you don't have to flash a new ROM...just do the ##PROGRAM and APN settings.
autostart.sh
Will you please send me the autostart file that you created? This is to get the mms working on the Droid X? I am having a hard time with this and is very frustrating. And may I ask what you do with the autostart file? I downloaded the program but however it does not appear in my app list, I think it is saved somewhere on my sd card......Would you mind giving me a brief explanation on how this app and this file is supposed to work or what I am supposed to do with them? my email is [email protected]. thank you so much.
-amanda
Flashed DX, now no data at all!, Reflashing help...
Hello-
I'm pretty good with electronics, I had a guy remotely flash my and my hubby's Droid X, everything was fine, my data went out a week ago, his is still fine. I lost the instructions the guy gave me to flash it, I still have the files on my computer, can anyone tell me how to use the files??? (Like a step by step guide)
Here are the Files I have on my computer:
TCPCom6 Setup
A folder called: Root22 and Files, with these files in it...
1. adb
2. Adbwinapi
3. Adbwinusbapi
4. Apps
5. DoRoot
I also have anycut on my phone already with APNS, but did those over and nothing.
I myself haven't done this before, but if I have instructions on these files then maybe, also I still have voice and wifi, but text and data are gone.
Don't know what to do, it's driving me crazy!!
Thanks in Advance!
I've searched the Forums but couldn't find anything interesting which could solve my problem. I've installed Ubuntu on my Device and now I'd like to get my WiFi working. I have made the wpa_supplicant.conf file and pasted it in /etc/wpa_supplicant.
Now when I run
sudo wpa_supplicant -i eth0 -D wext -c /etc/wpa_supplicant/wpa_supplicant.conf
It says:
Could not read interface eth0 flags: No such device.
Also, when I try to connect to an open network, typing:
sudo ifconfig eth0 down
The result is the same.
So what does
"Could not read interface eth0 flags: No such device."
mean and how can I get into the internet?
Thank You, I hope You can help me
maybe it's not 'eth0'.
type:
sudo ifconfig -a
to see all interfaces.
Ok, I'm going to give it a try, thank You!
Now is the problem, that I have to open the WICD Manager, but I haven't got it installed... How do i get it now? Without internet?
Hi guys,
I want to use my PC running on Ubuntu 12.04 64Bit to access the internet.
Usually in Windows i use the HTC tool.
my phone is not rooted.
thanks for help
??
39 views, 0 reply !!!!
Coz maybe the ones who viewed the thread didn't know a solution hence not answered
Maybe someone who uses Ubuntu would know...
Most of us use Windows...
Sent from a Desire S waiting for Kernel 3. WAKE UP HTC!!!!
if u hv HTC sense on ur device, just tick the INTERNET PASS THROUGH option from the notification tab
and the system will do the rest
cheers
check out screenshot below
thanks for your replies
lynxnoon : yes I've tried to do that, it will be connected to the PC but without internet connection.
ensure the adapters (esp the wired) are updated online and then try again.
Also ensure there is pass through connection on ur fone and then try to browse with the in-built browser.
If all these still don't work then u have to find out if the internet service provider allows tethering or the modem u r using.
cheers
When I connect my phone and choose internet passthrough, the phone chooses ip address in the 192.168.99.0/24. If yours creates a different subnet you will have to change below accordingly.
I hope this solves your problem.
Edit /etc/rc.local (sudo nano /etc/rc.local) and add the following:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null
iptables -P FORWARD ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE -s 192.168.99.0/24
iptables -A FORWARD -i eth0 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i usb0 -o eth0 -j ACCEPT
#forward all dns queries from usb0 to google's dns server
iptables -t nat -I PREROUTING -i usb0 -p udp --dport 53 -j DNAT --to 8.8.8.8
then at terminal type:
sudo /etc/rc.local
that will get you connectivity, but it will be short lived because htc is stupid and will disconnect if it doesn't detect the winblows htc software crap.
So you will need to fake it out. Turns out the phone is listening for htc software on port 6000 for 00 02 00 00 hex.
first you have to find the ip address of your phone (if arp doesn't work or you get command not found, you probably need to sudo arp):
phoneip=$(arp -n | grep usb0 | awk 'BEGIN {FS=" "} {print $1}')
then you tell the phone that htc software is listening:
echo -n -e "\x00\x02\x00\x00" | nc $phoneip 6000 > /dev/null
To make that automagic each time use a script. Call it htcfaker or whatever:
#!/bin/bash
# Announce the "HTC software" to the phone every time it (re)appears on usb0
while :; do
    phoneip=$(arp -n | grep usb0 | awk 'BEGIN {FS=" "} {print $1}')
    # wait until the phone shows up in the ARP table
    while [ -z "$phoneip" ]; do
        sleep 15
        phoneip=$(arp -n | grep usb0 | awk 'BEGIN {FS=" "} {print $1}')
    done
    echo -n -e "\x00\x02\x00\x00" | nc "$phoneip" 6000 > /dev/null
    # wait until the phone disappears again before starting over
    while [ "$phoneip" != "" ]; do
        sleep 15
        phoneip=$(arp -n | grep usb0 | awk 'BEGIN {FS=" "} {print $1}')
    done
done
Then in your startup applications, point to that script.
Hope it helps!
I'm using unrooted HTC Sensation XE and Ubuntu 12.04 64-Bits, with these scripts Internet Pass Through works beautifully!:laugh::good:
Did anyone experience the problem that this stopped working after a day or so?
When I plug into the phone now it just won't give an IPv4 address, therefore there's nothing to re-route through the pc?
Mine still working without any problem after 2 months. I can only suggest you to check 2 things:
Ensure your /etc/rc.local file is not changed due to any Ubuntu update
You have to run the "htcfaker" script in Terminal before plugging in your phone. Do not close this Terminal until you want to disconnect.
iptables table 'nat' not found while running sudo /etc/rc.local script
I have updated /etc/rc.local file but I'm getting the error below, what needs to be done? I'm a newbie to Linux, nevertheless tried to look into many forums but couldn't get it resolved.. Please help !!
Code:
[email protected]:~$ sudo /etc/rc.local
[sudo] password for anvyal:
iptables v1.4.18: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Please let me know if any other info needs to be provided. Thanks in advance for your help !!
Please check the following line in your /etc/rc.local:
iptables -A POSTROUTING -t nat -j MASQUERADE -s 192.168.99.0/24
You have to change the IP subnet (highlighted in red font above) to match your phone's IP address. If your phone use 192.168.1.2 for example, then you'll have to change the IP subnet to 192.168.1.0/24.
To find your phone's IP address, first connect your phone to your PC in USB Tethering mode. Then on your PC side open a Terminal and issue the command "arp" (without the quotes) which shall give you the IP address of your phone.
Good luck!:laugh:
Script update required for recent phones?
This script didn't work for me on my M8 - the Sync hex data seems to have grown, and just passing the \x00\x02\x00\x00 string caused the pass through to immediately disconnect with failure message "Either you do not have the latest version of HTC Sync Manager installed, or another phone is already using Internet pass-through on your PC".
Changing the line in the script as below fixes it:
Code:
echo -n -e "\x00\x02\x00\x00" | nc $phoneip 6000 > /dev/null
Code:
echo -n -e "\x00\x02\x00\x00\x00\x03\x00\x00\x00\x05\x00\x00" | nc $phoneip 6000 > /dev/null
I got this from vc0528.tumblr.com/post/71168788542/simulate-htc-sync-manager-via-usb-on-linux-os, which also has the alternative Perl script, which works a treat too:
Code:
#!/usr/bin/perl
use IO::Socket::INET;
#6000/tcp open X11
# wait until the phone shows up on usb0 in the ARP table
do{
open IN,"/proc/net/arp"; @arp=<IN>; close IN;
@d=grep ! /00:00:00:00:00:00/,grep /0x2.*usb0/,@arp;
} until($d[0]);
# keep only the IP address (first column) of the matching entry
$_=$d[0]; s/\ .*//; chomp; print "sock:\t$_\n";
my $sock = IO::Socket::INET->new(PeerAddr => $_ , PeerPort => 6000, Type=>SOCK_STREAM, Proto=>"tcp") or die "Can not create socket $@\n";
print $sock "\x00\x02\x00\x00";
print $sock "\x00\x03\x00\x00";
print $sock "\x00\x05\x00\x00";
close $sock;
Finally, if it helps anyone, I was wanting to set up a wifi range extender and so my IPtables was:
Code:
-A FORWARD -i wlan1 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i usb0 -o wlan1 -j ACCEPT
Lately I had been researching how to further secure Android against Exploits, Malware, and Privacy issues. Some, if not most, of this guide is for the more paranoid users but I believe it is useful information for everyone. I will try to keep it as easy to follow as possible.
Part 1 - ADB & Root:
What is ADB:
ADB (A.K.A the Android Debug Bridge) is a tool used by developers to allow access to an android device via a computer. The program consists of a server (ADBD) which lives on the phone/tablet and the client (ADB) which lives on the computer. This allows dev's to quickly access logs and install applications over a command shell.
The Threat:
While ADB is useful, if it is left on an attacker can use it to gain access to the device and dump logs, bypass the lock screen, root the device, steal credentials and more. One such attack is Kos' P2P-ADB. This framework allows an attack to bypass most (if not all) security if ADB is enabled on the device.
The Solution:
The easiest solution is to simply disable Debugging. The setting is disabled by default but most custom roms have it enabled. To disable it (on ICS/JB) go to:
Code:
Settings ---> Developer Options ---> Android Debugging
Ensure Android debugging is unchecked.
For the more paranoid:
Adb actually relies on the ADBD binary. On most AOSP roms the binary is stored in /sbin/adbd if you change the permissions to 000 it can no longer execute and can't be used at all. One way to achieve this is by using this init.d script:
Code:
# Disable the adbd daemon
mount -o rw,remount -t rootfs rootfs /
chmod 000 /sbin/adbd
mount -o ro,remount -t rootfs rootfs /
mount -o ro,remount /system
Save the code to a file called 99secure and place it in /etc/init.d/ If your rom supports init.d the script will execute on boot and remove the adbd permissions so it can't run.
What is root/superuser:
The superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator, admin or supervisor. In some cases the actual name is not significant, rather an authorization flag in the user's profile determines if administrative functions can be performed.
The root user has full access to the system and can perform almost any task. Most custom ROMs ship with root enabled.
The problem:
Running with root enabled is inherently insecure. If a malicious app is allowed to run with root permissions it has full access to the system and can do whatever it wants (delete information, steal passwords, keylog, activate the camera, etc.)
The Solution:
If you are running a CyanogenMod Rom you can disable root by going to:
Code:
Settings ---> Developer Options ---> Root Access ---> Disabled
Alternatively you can change the permissions of the "su" binary to 000 with:
Code:
mount -o rw,remount /system
chmod 000 /system/xbin/su
mount -o ro,remount /system
Part 2 - Bluetooth:
Bluetooth is a great technology that allows close range (~30m) wireless communication between devices such as headsets and speaker phones.
The Problem:
Bluetooth is a wide open hole for an attacker to gain access to your device. There are multiple exploits against bluetooth (such as bluejacking). While most aren't widely used, bluetooth should be disabled when not in use.
The Solution:
Disable bluetooth via the settings app:
Code:
Settings ---> Bluetooth ---> Off
Alternatively you can disable the bluetooth service/daemon:
Code:
mount -o rw,remount /system
chmod 000 /system/bin/bluetoothd
mount -o ro,remount /system
and even the bluetooth device (this was done on a Galaxy Nexus running CM10 JB):
Code:
mount -o rw,remount /system
chmod 000 /dev/ttyO1
mount -o ro,remount /system
After that is done bluetooth can no longer be turned on by accident or a malicious attacker (provided they don't have root).
Part 3 - NFC:
What is NFC:
Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres. Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi.[1] Communication is also possible between an NFC device and an unpowered NFC chip, called a "tag".[2]
NFC standards cover communications protocols and data exchange formats, and are based on existing radio-frequency identification (RFID) standards including ISO/IEC 14443 and FeliCa.[3] The standards include ISO/IEC 18092[4] and those defined by the NFC Forum, which was founded in 2004 by Nokia, Philips and Sony, and now has more than 160 members. The Forum also promotes NFC and certifies device compliance.[5]
As per Wikipedia
The Problem:
This year at defcon NFC was shown to be vulnerable to attack (http://forum.xda-developers.com/showthread.php?t=1832186). Another example is the recent Samsung Exploit which can be executed by NFC tags as well.
The Solution:
NFC can be disabled by:
Code:
Settings ---> Wireless & Networks ---> NFC
Alternatively you can disable the NFC Device:
Code:
mount -o rw,remount /system
chmod 000 /dev/ttyO3
mount -o ro,remount /system
Part 4 - Network Attacks:
Just like a computer, android is susceptible to attacks over the network. Below is an init.d script that will harden the TCP/IP stack:
Code:
# hardening TCP/IP stack for IPV4
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 #ICMP broadcast
sysctl -w net.ipv4.conf.all.accept_redirects=0 # ICMP redirects ipv4
sysctl -w net.ipv6.conf.all.accept_redirects=0 #ICMP redirects ipv6
sysctl -w net.ipv4.conf.all.send_redirects=0 # ICMP redirects
sysctl -w net.ipv4.conf.all.accept_source_route=0 #source routing disable
sysctl -w net.ipv4.conf.all.forwarding=0 #Forwarding traffic
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.all.log_martians=1 #filter martians
sysctl -w net.ipv4.tcp_max_syn_backlog=1280 # TCP syn half-opened
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.tcp_syncookies=1
Android also runs IPTables (a firewall). You can change this by script or a nice GUI tool called Droid Wall
Part 5 - Removing unneeded applications:
These commands will remove some applications that aren't needed and may have internet access. The bottom ones are kept for root only:
Code:
rm -f /system/xbin/irssi
rm -f /system/xbin/nano
rm -f /system/xbin/nc
rm -f /system/xbin/telnet
rm -f /system/xbin/telnetd
rm -f /system/xbin/opcontrol
chmod 740 /system/xbin/rsync
chmod 740 /system/xbin/strace
chmod 000 /system/bin/bluetoothd
chmod 750 /system/bin/iptables
chmod 750 /system/bin/ping
There may be more you want to remove like ssh.
I personally removed "Packet Management" as well to prevent installing apps over USB:
Code:
# disable the Packet Management binary
chmod 000 /system/bin/pm
Part 6 - Removing APK's:
You can also remove unneeded APK's by:
Code:
mount -o rw,remount /system
rm -r /system/app/[apk name here]
mount -o ro,remount /system
I removed these apps:
Bluetooth.apk
NFC.apk
Development.apk
DrmProvider.apk (You may not want to do this if you use the playstore)
Email.apk ( I use K-9 instead)
Exchange.apk (I don't need it you may)
PackageInstaller.apk ( Used to install apps. Don't remove if you want to install apps).
What apps you can and can't remove
Part 7 - Misc:
Personally I don't use the playstore/Google Framework as it sends back WAY too much info for me to trust it. I also recommend using Full Device Encryption and a secure Kernel such as FuguMod.
A lot of the information I got is from this Sans guide
I will be posting more as I look into other security options
Let me know if I missed anything and please hit thanks if I helped at all.
Below is the init.d script I am using (modified from the Sans guide) ** ONLY TESTED ON A GSM GALAXY NEXUS ***:
Code:
#!/system/bin/sh
# Customize some parameters and lockout the SO
# July 2011
mount -o rw,remount /system
# Disable Bluetooth
chmod 000 /dev/ttyO1
#Disable NFC
chmod 000 /dev/ttyO3
# hardening TCP/IP stack for IPV4/IPV6
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 #ICMP broadcast
sysctl -w net.ipv4.conf.all.accept_redirects=0 # ICMP redirects ipv4
sysctl -w net.ipv6.conf.all.accept_redirects=0 #ICMP redirects ipv6
sysctl -w net.ipv4.conf.all.send_redirects=0 # ICMP redirects
sysctl -w net.ipv4.conf.all.accept_source_route=0 #source routing disable
sysctl -w net.ipv4.conf.all.forwarding=0 #Forwarding traffic
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.all.log_martians=1 #filter martians
sysctl -w net.ipv4.tcp_max_syn_backlog=1280 # TCP syn half-opened
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.tcp_syncookies=1
# Removing/ disabling unnecessary binaries. Some of them have access to Internet
rm -f /system/xbin/irssi
rm -f /system/xbin/nano
rm -f /system/xbin/nc
rm -f /system/xbin/telnet
rm -f /system/xbin/telnetd
rm -f /system/xbin/opcontrol
chmod 740 /system/xbin/rsync
chmod 740 /system/xbin/strace
chmod 000 /system/bin/bluetoothd
chmod 750 /system/bin/iptables
chmod 750 /system/bin/ping
## This is the last step of the hardening
# do a backup before
# disable the Packet Management binary
chmod 000 /system/bin/pm
# Disable the adbd daemon
mount -o rw,remount -t rootfs rootfs /
chmod 000 /sbin/adbd
mount -o ro,remount -t rootfs rootfs /
mount -o ro,remount /system
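An added example, not part of the original post or the Sans guide: a read-only audit that checks whether the settings from Part 4 and the init.d script above actually took effect after boot. The `ROOT` prefix, the `--audit` switch and the function and variable names are assumptions of this sketch, and it needs the same busybox tools (`tr`, `cat`) the script itself relies on.

```shell
#!/system/bin/sh
# Added example: read-only audit of the hardening applied by the init.d script.
# ROOT is an assumption of this sketch: a path prefix so the checks can run
# against a copied or constructed tree; pass "" to audit the live device.

# Expected values, taken from the sysctl lines in the post.
EXPECTED_SYSCTLS="
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_max_syn_backlog=1280
net.ipv4.ip_forward=0
net.ipv4.tcp_syncookies=1
"
# Binaries the post sets to mode 000 (must not be executable any more).
DISABLED_BINARIES="/sbin/adbd /system/bin/pm /system/bin/bluetoothd"
# Binaries the post deletes (must be absent).
REMOVED_BINARIES="/system/xbin/nc /system/xbin/telnet /system/xbin/telnetd"

# Print one line per deviation, set FAILURES to their count,
# and return 0 only when nothing deviates.
audit_hardening() {
    ROOT="$1"
    FAILURES=0
    for entry in $EXPECTED_SYSCTLS; do
        key="${entry%%=*}"
        want="${entry#*=}"
        # sysctl key a.b.c maps to the file /proc/sys/a/b/c
        file="$ROOT/proc/sys/$(echo "$key" | tr . /)"
        if [ ! -r "$file" ]; then
            echo "MISSING $key (no $file)"
            FAILURES=$((FAILURES + 1))
            continue
        fi
        have="$(cat "$file")"
        if [ "$have" != "$want" ]; then
            echo "FAIL    $key = $have, expected $want"
            FAILURES=$((FAILURES + 1))
        fi
    done
    for bin in $DISABLED_BINARIES; do
        if [ -x "$ROOT$bin" ]; then
            echo "FAIL    $bin is still executable"
            FAILURES=$((FAILURES + 1))
        fi
    done
    for bin in $REMOVED_BINARIES; do
        if [ -e "$ROOT$bin" ]; then
            echo "FAIL    $bin is still present"
            FAILURES=$((FAILURES + 1))
        fi
    done
    [ "$FAILURES" -eq 0 ]
}

# Run against the live device with: sh <this file> --audit
if [ "${1:-}" = "--audit" ]; then
    audit_hardening "${2:-}"
fi
```

A non-zero count after a reboot usually means the ROM did not run the init.d script or a later service reset the value.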
Hardening android
How can I harden android to block certain web site or filtering the prono sites?
Have you made any further progress with locking down your phone? I switched from iPhone to android and I can't help but feel that the iPhone was more secure. A lot of my concern is that on Android I notice that even with a pin lock sometimes apps run on top of it and if you have a lock screen it sometimes seems to circumvent pin codes altogether. Is the security of the phone now based on how secure the lock screen is?
As for your mods, It seems like most, if not all, of these mods require root access. Are you suggesting it is more secure to root your device and perform these mods than to leave it stock?
Also, how vulnerable is it to have a phone with an unlocked bootloader and a custom recovery? Doesn't that make it easier for someone with physical access to compromise your phone? I understand you can enable encryption which only encrypts the data partition but what about if the phone is already started up? Is there a way to harden it from physical attack other than disabling ADB?
Thank you
Josh
Check out my other threads for more information and tweaks like secdroid. As far as iOS goes its pitiful for security I work in computer forensics and the iPhone is the easiest phone to pull data off of. If you want security and or encryption stick android. iOS encryption is defeated by simply turning the phone on ( it loads the keys automatically from hardware). If you need more help please pm as I can reply quicker there!
Sent from my Nexus 4 using xda premium
Check out Secdroid. The thread is still here somewhere or go straight to Google Play...
Sent from my Nexus 10 using xda app-developers app
Tor has a comprehensive how-to
Tor has a comprehensive how-to @ their blog called "mission-impossible-hardening-android-security-and-privacy"