4.3 security hotspot - Security Discussion

When using an S4 (SELinux enforcing) as a hotspot, is there any risk that a malicious webserver operator can access the device using the carrier-assigned (dynamic) IP address? If the IP is port scanned, is the scan of the device's ports, the ports on the PC connected to it, or the carrier's server?
What type of protections (on the WAN side) should be in place to properly secure an S4 with 4.3 for use as a hotspot so the device itself can't be compromised? (Assuming no 3rd-party apps are installed.) I assume device encryption would not help this situation because the device has to be decrypted to run the hotspot. It's unclear whether Samsung Knox 1.0 could provide anything useful, and I think they force packets through Lookout so it slows the connection.
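For the WAN-side question above, here is an added example (not from the thread or any of its posters) of the kind of inbound filtering a root firewall such as AFWall+ can apply on the phone: unsolicited connections arriving on the carrier address are dropped before they reach the phone or a tethered PC, while the phone's and the clients' own outbound traffic keeps working. The interface names rmnet0 (mobile data) and wlan0 (hotspot) are assumptions; check them on the device.

```shell
#!/bin/sh
# Added example: WAN-side hardening for an Android hotspot, written as an
# iptables script of the sort AFWall+ runs as root. Assumptions: mobile data
# is rmnet0 and the hotspot is wlan0 (verify with `ip link` on the device).
# IPT defaults to a dry run that only prints the rules; set IPT=iptables on
# a rooted device to apply them.
IPT="${IPT:-echo iptables}"
WAN=rmnet0
LAN=wlan0

hotspot_wan_rules() {
    # Phone itself: keep replies to connections it opened, drop every
    # unsolicited inbound connection that arrives on the carrier IP, so a
    # port scan of that address sees nothing listening.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN" -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -i "$WAN" -j DROP

    # Tethered clients: only connections they initiate may cross to the WAN;
    # nothing new coming from the WAN is ever forwarded to the PC.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -j DROP

    # Hide clients behind the carrier-assigned address (Android's tethering
    # code adds an equivalent rule; it is repeated here to keep the set complete).
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

hotspot_wan_rules
```

Whether a scan of the carrier address ever reaches the phone at all depends on the carrier: behind carrier-grade NAT (the private address plus proxy scheme mentioned in one of the related threads) it does not, and these rules only matter when the phone holds a routable address.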

Related

How to open ports?

Hello,
I installed Debian on the JF 1.5 I'm running on my phone, then I installed (in Debian, of course) OpenSSH Server.
Now, when the phone is connected to my LAN via Wi-Fi, I can SSH to its IP address even from my PC and log in to Debian, like on a real computer.
I'd like to open inbound connections to port 22 on Android, to allow me to connect with SSH also when it's on the 3G network, using the IP that was assigned by the mobile carrier. How can I do it?
Thanks in advance!
I don't think opening a port on the phone does anything.
The blocking is on your operator's network. They have firewalls too.
Maybe my operator doesn't? I'm using Tre (Italy). What can I do to test it?
Up Up, please
But most mobile operators use a private address + proxy scheme. How could you bypass that? (Even if the client is also in the same mobile network, your carrier is very likely to implement subnet isolation for security reasons.)

[Q] Cisco IronPort blocks internet access for all apps – help?

Hi,
Here’s my situation – at my office they use Cisco IronPort to monitor and filter all internet requests. A transparent proxy is used on the network switches to direct port 80 traffic to the IronPort server. Initially only the browser on my phone would work as that is the only app that passes the correct authentication. All other apps fail to reach the internet. But the IronPort server can be configured to pass through a type of device if it can be identified. Using the IP address of my phone to filter the traffic logs, it seems that some apps pass “Windows Phone OS” in the data packets. And by adding “Windows Phone OS” to the IronPort exception list, those apps now work. But most apps still don’t work because they don’t include any windows phone identifier in the data packets. Can anyone provide any additional info on this subject or a possible solution?
Thanks.
bump... any ideas... anyone?
Use cellular data instead of your corporate network?
Use apps that use the new socket APIs, or connect to HTTP servers running on a port other than 80?
Complain to your IT people (commoditization of IT being what it is, I'm actually surprised by this restriction)?
See if you can get them using proxy authentication instead of packet inspection for authentication purposes (WP7 supports proxy authentication on WiFi)?
Find a job with an IT infrastructure that doesn't suck?

[Q] Is there a way to enable android hotspot without tethering

Hello all,
I am looking for a way to run my android as a wireless router (not as an access point or a tether).
I am putting together a distributed app with components running on multiple devices. It works fine when I have the Wi-Fi enabled on my android and I have a wi-fi router to connect to, but I need to run this where I won't necessarily have the wi-fi router available.
Basically, I want to run a private network using my android as both my core app, and as a wifi-router/dhcp server, without allowing devices that connect to my android to have access to the internet through my device.
I've seen many apps and threads that all cover how to use the built-in access point, or how to configure the device as a hotspot, but these all discuss tethering and how to get past the limits (or snooping) of your provider and not how to set up a private network.
Is there a way, or an existing app that will allow me to set up a private network as I describe? If not, is there something I can do within my server code to enable the Access Point and disable Tethering at the same time?
Thanks in Advance
F.F.

[Q] Any way to lock down to SSH/VPN traffic only?

I want to set my Mum's new tablet so that it can only access the Internet via the SSH server running on her Buffalo router (with Tomato firmware).
I've got the server working and accessible remotely and so far the only app I've found that has a Global Proxy setting to redirect everything via the SSH server is SSHTunnel, although I gather that it's not totally reliable when connections drop/change and I can't expect my Mum to cope with monitoring it and re-enabling it manually. When it's disabled, all traffic will just go over local connection unencrypted so that's a concern.
Ideally there'd be some way to setup the SSH settings at a system level, with no way to disable them and force all the traffic go out like this but I'm not sure if there is any way to achieve this.
The other part is setting a firewall (AFWall+ or Android Firewall seem to be the main ones) to only allow traffic via the SSH server. I'm not sure what whitelist rules would be required for this. For example, SSHTunnel connects to the server at x.x.x.x:x, so I presume I'd need a rule to allow connections to this address and this port (I had a quick play with the Avast firewall, which only allows creating custom rules for IP or port, so I'd need two rules with that, and it doesn't allow entering the DynDNS name, only an IP address, so that's no good).
Then SSHTunnel has a Local Port (1984) and a remote address/port (127.0.0.1:3128), so I presume I'd need rules to allow all of those as well (I'm not sure which of these need to be incoming/outgoing or both). Then there's the question of whether I need to allow other ports like DNS (53) and so on, or if that all goes over the SSH tunnel and doesn't require setting allow rules specifically.
It might be that a VPN server would be more suitable for what I'm trying to achieve than an SSH server, and I think the Tomato firmware on the router has that facility (or if the version currently flashed doesn't, there's probably another version I could flash that does), so if that's the case, I'd appreciate advice on locking it down that way instead. Android has built-in VPN support, so it might be possible to use that, but it depends on whether it will auto-connect and stay connected all the time or if it requires user intervention, and I'll still need to set up firewall rules to prevent data being sent without the VPN in case it does get disabled.
Another issue is whether these firewall rules will prevent the device even being able to connect to any public Wi-Fi points before redirecting the traffic via the SSH/VPN server, which would obviously be no good.
OK, maybe there's another way
I was thinking of setting up a VPN on a Raspberry Pi installed at my parents' house, as they have reasonable broadband speeds, something like 100/10MB. Is there any way that I could set up my Mum's tablet so that it passes everything through the VPN whether at home or away, so that she doesn't have to worry about toggling the VPN or firewall?
I can point it to the No-IP domain name I've set up, but then I think every request would go out onto the Internet (albeit encrypted) before coming back in to the VPN, which would then have to go out again to retrieve whatever webpage, etc. is being requested, which would obviously be stupid. If I point it to the LAN IP of 192.168.1.66, that will avoid doing that when at home but won't work when away.
So, any ideas?
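The whitelist the post is reasoning about can be written as an egress "kill switch" in iptables; the following is an added example (not from the thread, its poster, or the AFWall+ or SSHTunnel projects) that allows only the SSH server and loopback, so that nothing leaves in the clear while the tunnel app is off. SERVER_IP and SERVER_PORT are placeholders standing in for the x.x.x.x:x the post does not give; 1984 and 127.0.0.1:3128 are the ports named in the post.

```shell
#!/bin/sh
# Added example: egress kill switch for a tablet that must only talk through
# an SSH tunnel, as a root iptables script (e.g. an AFWall+ custom script).
# Assumptions: SERVER_IP/SERVER_PORT are placeholders for the router's public
# address and SSH port (203.0.113.10 is a TEST-NET-3 documentation address).
# IPT defaults to a dry run that only prints the rules; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
SERVER_IP="${SERVER_IP:-203.0.113.10}"
SERVER_PORT="${SERVER_PORT:-22}"

tunnel_only_rules() {
    # Loopback carries both SSHTunnel's local port 1984 and the 127.0.0.1:3128
    # proxy endpoint, so one rule per direction on lo covers them.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections the tablet opened, i.e. the SSH session itself.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only new outbound connection permitted: the SSH server, pinned by IP.
    $IPT -A OUTPUT -p tcp -d "$SERVER_IP" --dport "$SERVER_PORT" -j ACCEPT
    # DHCP so the tablet can still obtain an address on any Wi-Fi network.
    $IPT -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
    # Everything else (plain HTTP, DNS, app traffic) is refused rather than
    # leaking when the tunnel drops; captive-portal login pages will fail too.
    $IPT -A OUTPUT -j REJECT
    $IPT -A INPUT  -j DROP
}

tunnel_only_rules
```

Because the server is pinned by IP, no port 53 rule is needed; if the DynDNS name must be resolved before the tunnel is up, that one lookup needs a UDP 53 allow rule and is sent in the clear.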

Blocking offensive online content connected via mobile data

Hi,
At my home I use OpenDNS and a Netgear R7000 router with custom word filters. While I managed to block pornographic material from all devices connected to the router, I am unable to filter the mobile data. The OpenDNS settings work when the Android device is connected to the Wi-Fi and not using its own data. I have tried using apps like Net Nanny; however, those apps only force the users to use their own browser, which is fine most of the time when the user is browsing the internet. It will not work if the phone is tethered to the PC utilising its own mobile data. Simply by tethering the phone via USB or Wi-Fi and using its own data, a user can download a tunnelling app, install it on the PC and use the tunnel browser and browse like normal. I do not think my mobile phone provider has an OpenDNS option.
I think there are two methods to go about this:
1. Either disable the USB and Wi-Fi tethering option for the device (the device cannot be used as a tethering device, which is OK most of the time, until the tethering function is really needed), or
2. Forcing the mobile data through the OpenDNS port with the help of some sort of app/setting which is password protected.
Password protecting an app/setting is possible, I think, as Avast AV has an option to lock an app. I am not sure if I can create a Tasker (app) profile that detects/knows the phone is in the house and disables the tethering function. Any ideas? I do not want to resort to removing the data plan, as communication is done via WhatsApp, email etc.
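Option 2 above, forcing DNS through OpenDNS on mobile data, can be done on a rooted phone with iptables DNAT rules that rewrite every port 53 query, whether from the phone itself or from a tethered PC. This is an added example (not from the thread or the poster); the tethering interface names wlan0 and rndis0 are assumptions, and the resolver defaults to OpenDNS's 208.67.222.222.

```shell
#!/bin/sh
# Added example: redirect all DNS leaving the phone to OpenDNS with iptables
# DNAT, run as root (e.g. from an AFWall+ custom script). Assumptions: Wi-Fi
# and USB tethering interfaces are wlan0 and rndis0 (check `ip link`), and
# the resolver is OpenDNS's public 208.67.222.222.
# IPT defaults to a dry run that only prints the rules; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
DNS="${DNS:-208.67.222.222}"

force_dns_rules() {
    for proto in udp tcp; do
        # Queries the phone itself generates: rewrite in the nat OUTPUT chain.
        $IPT -t nat -A OUTPUT -p "$proto" --dport 53 -j DNAT --to-destination "$DNS:53"
        # Queries from tethered clients: rewrite in PREROUTING, before the
        # packet is forwarded out over mobile data, so a PC that sets its own
        # resolver still ends up at OpenDNS.
        for dev in wlan0 rndis0; do
            $IPT -t nat -A PREROUTING -i "$dev" -p "$proto" --dport 53 \
                -j DNAT --to-destination "$DNS:53"
        done
    done
    # Limitation: only plain port 53 is caught. A tunnelling app on the PC
    # carries its DNS inside the tunnel, which is exactly the bypass the post
    # describes, so DNAT complements, rather than replaces, option 1.
}

force_dns_rules
```

OpenDNS applies dashboard filters per registered network address, so on mobile data the phone's changing carrier IP also needs to be kept registered for the custom filters to take effect.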
