Introduction
I have not seen much talk about security in XDA, and not at all on Neo Section.
SO here's just one informative link talking about using and developing apps and security risks involved
http://www.technologyreview.com/computing/25921/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, get your credit card info(should you do such things on phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app only to have risks. Most people use Windows so they should know that it is OP systems bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself is having very non-foolproof security system. All apps on unrooted phone are in sandbox. That's no security measure at all. It doesn't limit app from stealing your private info at all, it only cant delete the whole ROM. That's just idiotic security system, for it is the only thing beside encrypting shut off phone on 3.0 and 4.0. So that means Android on it's own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and it's Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Exporer has root access, that means it has root access to whole Android. To remove unnecessary risks, this app's root access should be limited to only most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is Apparmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is obvious vulnerability, but it is at least known one. Let's look at possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On market it does not list permission to "Unique Device ID"(IMEI for GSM and MEID; ESN for CDMA) for free nor for paid version.
That means the author of BB has left the code from free version in paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the add and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's a latent code, with no benefit to user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on net and also where you are physically. GPS is just one way to find you, police for example have scanners to locate your devices physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risks of your home being marked as the next dungeon to be looted by some raiders, I mean criminals(or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by trojan/hacker is random. Yet the threat would not exist without apps having so flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos ". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in aquarium or hamsters in cage( "Look at that dork!", "You're one ugly m...f...er","ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?" "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by hacker on background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Devide ID
4. Cell Tower Name.
That's a lot of needless permissions for flashlight, these are there just to track you the app user and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux have such security holes then why do you want your Android have them?! You don't want, that's the point and these apps would not be so popular if people would really know and care about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
The most important thing is to read the permissions before installing.
If you had read the article I linked. Those permissions don't matter anything really if stuff developers use doesn't reveal what it does, or developer itself doesn't disclose what the app does.
We can safely say that those permissions asked are just to make ordinary users of Android think that all is under their control.
I use Privacy Blocker app and it keeps finding app permissions that are not listed. Even that app doesn't find those permissions which Cyanogenmod permission manager shows. And I've sanitized all my apps, still I find my phone connecting to some odd servers while using certain paid and seemingly legit apps. I even found shapshots from front camera made by some app... and I am checking all permissions I can, even for those not listed.
What seems harmless but could reveal your IP address and potentially other data about you is... advertisements used by apps.
Ads can be far more than just a little annoyance that slows your device. Any file, picture loaded from some location in internet can be used to locate you.
I had a problem of getting phone call bills for calls lasting 10 to 20 secs that I never made after using a slew of market apps, flashlights, fun stuff, etc.
I paid two months for such calls trying to find out which app did it and still don't know which one it was. Skype(phone app has fake IP of Holland but actual connection goes to Moscow... oh come one what is this? Why such hiding? Like anyone would trust their phone's Skype connection stream through Moscow... no thank you! Then wonder still if the phone gets so slow and Skype call quality is so bad even over wifi while Windows Skype does just fine?), Brighest flashlight, some photo editors, and slew of other garbage I've already forgotten about cause I don't use any of it anymore.
First post updated
How about the new 4.3 update..in includes some security and privacy control..will this thing prevent you had mentioned?
Is there any way to reactivate this post? maybe start working on a security enhanced android ROM? I'm agree, Security does matter!
Hi.
I recently came across some chinese / asian websites which kang / modify and release a diversity of roms.
I'm not specifying sources / which roms are, this is a general announcement to be careful with what we download & flash into our devices, and why ?
I flashed in order to test some of these roms (not the sense 5 kang tho), since I work in network security, I had noticed on our firewall logs when my mobile connected through the wifi, a bunch of UDP requests / DNS queries to russian websites. This can be used to botnets, DoS, even malware / spam propagation (a diversity of not cool stuff, basically).
A colegue of mine which also has a 'droid had once an app which sent repeatedly ICMP requests in "not random" but specific hours / intervals, he asked me to test his rom which he downloaded and flashed from "another" website, and I confirmed the suspicious behavior. There was established connections to foreigner addresses through a diversity of protocols, data being sent / received and at times, a udp flood directed to specific addresses. This is bad, my friends.
We don't know what these roms have inside, what's their mechanism besides the standard transparent operations which most of us are familiar with, and they could be very well used to do illegal things which I guaranty we don't want to be part of.
Flashing a rom, connecting through 3G or Wifi, and then our mobile is now part of a botnet which participates without our knowledge on such illegal operations is just one of the things that could happen. Phishing is also very possible - in other hand, a lot of things are possible without our knowledge and consent. We don't want this do we ?
The last Rom which I have experienced this, the link was removed and is no longer online. So i'm not pointing URL's / Rom names because this is something that each one of us has to be careful about.
Fortunately we have ways to detect / avoid / remove and make sure our device is used only for us and does only what we "tell" it to do.
We can use this thread to report such roms (since they're not published on xda, we can only warn each other and be aware) and applications that have malicious content.
I'll also be updating this thread with methods, applications for android to detect malware / suspicious activities (I'm not going into depth like using a sniffer or protocol / packet analyzer (although we can) I'll try to keep as simple as possible.
Suggestions, reports are very welcome and should be reported here. We can use this thread to protect our droids and help each other making our devices secure.
This post has the intention of protecting ourselfs, but privacy tips / applications are also welcome. Be careful tho, would be ironic to suggest an app to protect user privacy and in the end the app itself sends private data to GodKnowsWhere.
To be continued / Updated Soon.
List of Applications to monitor / analyze traffic:
Netstat Professional - Allows you to see what connections your android has established. Allows whois info, Real time IP / Port and status information (pretty much like netstat -an), and what service is running / port information.
Wi.cap. Network Sniffer - Much like a network protocol analyzer / network sniffer. This neat app allows you to see what connections are estabilished / protocol / status / analyze packets. If there's a connection estabilished - it will be listed. [Root needed]
Shark for Root - Traffic sniffer for 3G & Wifi (supports FroYo tethered mode too). Records traffic which later you can open with WireShark. To preview you can use Shark Reader.
List of Applications fo scan for malware.
Coming Soon...
Procedures to discover / analyze / report malware / suspicious behaviours and such.
Coming Soon...
Post reserved for procedures which will include:
- Common Sense
- How a malware works (the term malware is used to include viruses, trojans, custom scripts and apps.
- What to look for / suspicious behavior which you should pay attention to (also included in Common Sense).
- Basic tools to detect / analyze / remove malware.
More to come.
Sent from my HTC Z710e using xda premium
Generally, i suggest to use ROMs from XDA only, except for CM/MIUI official website. The risk is real! Thanks to @MidnightDevil for his help and his time
I suggest to read this thread to all the users!
XxXPachaXxX said:
Generally, i suggest to use ROMs from XDA only, except for CM/MIUI official website. The risk is real! Thanks to @MidnightDevil for his help and his time
I suggest to read this thread to all the users!
Click to expand...
Click to collapse
Thank you for your support
If anyone has suggestions / knowledge about this sort of matter please share
There's a LOT of info that I tend to post on this thread in a way to educate / share knowledge with everyone.
Trusting the developers and sources is the first step for prevention. Be careful with dodgy websites and roms which you don't know about.
Scanning the rom zip file with a virus scanner is useless in this matter.
Unknown Rom
The threat is over when a secure rom is installed (after using a none xda rom) ??
MidnightDevil said:
Thank you for your support
If anyone has suggestions / knowledge about this sort of matter please share
There's a LOT of info that I tend to post on this thread in a way to educate / share knowledge with everyone.
Trusting the developers and sources is the first step for prevention. Be careful with dodgy websites and roms which you don't know about.
Scanning the rom zip file with a virus scanner is useless in this matter.
Click to expand...
Click to collapse
phearell said:
The threat is over when a secure rom is installed (after using a none xda rom) ??
Click to expand...
Click to collapse
So far there isn't malware which persists after full wipe. Can't speak of the contents of the sdcard tho. But usually yes. But then you have the apk's which can contain malicious code and so forth...
Those apps are usually banned from the PlayStore, but there's a short window between published / report / removed from Store which users can download it.
Unless I didn't understood your post
MidnightDevil said:
So far there isn't malware which persists after full wipe. Can't speak of the contents of the sdcard tho. But usually yes. But then you have the apk's which can contain malicious code and so forth...
Those apps are usually banned from the PlayStore, but there's a short window between published / report / removed from Store which users can download it.
Unless I didn't understood your post
Click to expand...
Click to collapse
AFAIK google also scan apps installed on the device. When installing a 3rd party app (not via Google Play), you get a prompt to allow google to scan it anyway for malicious content.
Also, there are a couple of anti-virus apps available from well known companies such Avast for android, and also from AVG.
I never really tried those, but they might help protecting your device. However I doubt if they scan system apps/services, for in most cases they are supposed to be safe (from the OEM itself).
It is well known that the biggest security hole is the user. So the best thing to do is to keep away from unknown ROMs/sources.
astar26 said:
AFAIK google also scan apps installed on the device. When installing a 3rd party app (not via Google Play), you get a prompt to allow google to scan it anyway for malicious content.
Also, there are a couple of anti-virus apps available from well known companies such Avast for android, and also from AVG.
I never really tried those, but they might help protecting your device. However I doubt if they scan system apps/services, for in most cases they are supposed to be safe (from the OEM itself).
It is well known that the biggest security hole is the user. So the best thing to do is to keep away from unknown ROMs/sources.
Click to expand...
Click to collapse
No doubt the biggest flaw usually comes from the end user.
But answering your statemente about anti viruses.
Usually anti viruses (specially in portable devices) act base upon a database of known signatures and suspicious behavior. They provide no protection against a custom developed script or code with a work-around for this behavior. Basically - avoids behaving like a malware.
A code is considered malicious when acts upon suspicious behavior (for example, on windows - when an app registers itself on registry autorun / startup folders / tries to load a file on temp directory / temporary internet files, hooks itself into a process / uses a windows process to deliver it's payload faking a signature, etc etc). Knowing this, any custom app / script that avoids suspicious behavior / does not have a present signature on a AV database and a few more details - all doors are "open" and is a highway to hell.
Google scan engine uses the same mechanism, in fact, I'm not even sure if it has any sort of protection against suspicious behavior as it only executes upon apk install.
Believe me, the biggest flaw is the user as the best protection is also a well educated user. It's a matter of knowing what can do and what should avoid. Fear or suspicion is an important thing these days, as they prevent us from making mistakes as installing an app from a dodgy site. We should know better.
MidnightDevil said:
No doubt the biggest flaw usually comes from the end user.
But answering your statemente about anti viruses.
Usually anti viruses (specially in portable devices) act base upon a database of known signatures and suspicious behavior. They provide no protection against a custom developed script or code with a work-around for this behavior. Basically - avoids behaving like a malware.
A code is considered malicious when acts upon suspicious behavior (for example, on windows - when an app registers itself on registry autorun / startup folders / tries to load a file on temp directory / temporary internet files, hooks itself into a process / uses a windows process to deliver it's payload faking a signature, etc etc). Knowing this, any custom app / script that avoids suspicious behavior / does not have a present signature on a AV database and a few more details - all doors are "open" and is a highway to hell.
Google scan engine uses the same mechanism, in fact, I'm not even sure if it has any sort of protection against suspicious behavior as it only executes upon apk install.
Believe me, the biggest flaw is the user as the best protection is also a well educated user. It's a matter of knowing what can do and what should avoid. Fear or suspicion is an important thing these days, as they prevent us from making mistakes as installing an app from a dodgy site. We should know better.
Click to expand...
Click to collapse
I just remembered of an app called "Who is tracking" (was featured on the portal a while ago), that also scans system files (bloatware) and tells you which app tracks you. tried using it a while ago, but didn'y really try to understand it, and it seems to have changed since. will try it myself.
Agreed with Patcha, unless you 100% trust the source (CM/MIUI are well known and if they did something untrustworthy a massive ****storm would ensue) then I would stick to ROM's posted on XDA (though frankly I avoid MIUI out of moral principle #SouceCodeMuch?). Anything untrustworthy that is posted on XDA is picked up very quickly and dealt with effectively.
More to come from me on this, I need to organize what I want to say so it doesn't sound like a mad persons ramblings
Edit: A thing to look out for in google play store is the permissions, READ THEM, read what they mean, read what permissions the app requests and if you don't know why an app needs that permission or if it looks dodgy (like the permission to send sms messages without the user knowing) then for God's sake don't use the app util you've found out what the app needs that permission for (quick google search or email to the developer). Don't just blindly agree to all the permissions without reading them.
These permissions are declared by the developer in the Android_manifest.xml file and pulled from there when publishing the app on play store. As far as I am aware, there is no way to fool this system - you can't edit the visible permissions through the developer panel of play store, only by editing the manifest - I have a developer account on play store so this I am 100% sure on.
Yup, very true. Something I forgot to mention earlier and is VERY important.
Always check the permissions and what for the permissions are used. Some good developers write what for they need the permissions. Some things are obvious, others not so quite.
Also reading the comments of an app helps as well. More experienced users tend to write a more complete review and sometimes they draw the attention to things that sometimes other users miss. About permissions or anything else.
Any user can write a review, so if you find something important, you can also write in the review. Just make sure you don't underrate an app because of a doubt
Usually developers also have their contact email in case of doubts, it can be used to to bring some things to light.
Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
SecUpwN said:
Ladies and Gentlemen,
I am opening this discussion in order to not only receive some high-quality answers on the following questions, but also to learn what everyone does in order to ensure security and integrity of Apps on their phones (especially when working in environments where attacks are likely or possible due to intersting files on the phone or similar).
Here is my question: Let's suppose a phone is ROOTED, is locked with a Pattern, is updated daily, has TitaniumBackup installed, runs Trust as well as an Antivirus App and on top of that, installed Apps are monitored in a regular basis through TitaniumBackup. Is it even possible for law enforcements or hackers to install malware? If so, what would be necessary for them to do so? Physical access? Malformed Apps with matching signature? Other types of attacks (encouraging @He3556 the owner of Smartphone Attack Vector to chime in)?
Second question (hope @jcase can answer this): What would be the best way of preventing attacks of afforementioned groups and alike? What do YOU personally do?
Click to expand...
Click to collapse
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
jcase said:
Pe rooted, with common rooted apps installed? Would be easy to compromise that phone, as you have already done it for them.
Use a stock firmware, chose a vendor with a recent history of good security (Samsung, nexus, motorola in that order imo), keep it up to date, reduce the number of apps you run, don't root it. Disabled usb debugging.
Click to expand...
Click to collapse
Thanks for answering. So that means, in short words, buy a phone and only update official stuff. How boring, I wouldn't be here on XDA then! But I get your point. I'm especially interested in the question of detection. If such agencies have installed anything that would leak data (and I'm sure it's fairly easy to do for them), how would they hide that specific App from the list of TitaniumBackup? Also, how would they trick the Trust Even Logger created by @Dark3n to not show any installation?
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
There is growing so called "Zero-Day-Exploit" Industry, with names like vupen or FinFisher , the one who are working for the German Gov. but also for countries like Saudia Arabia and Iran. They know how to find exploits, nobody knows about (zero-day) and program trojans for all kinds of platforms. So antivirus software can't help here. And it is easy to bypass security if you know one of the bugs - and we know there are many of them in firmware, operating systems, plugins, frameworks and so on... Beside this "white" marked there is also a grey and black marked. So if you need to track your woman or steal information from other companies, you will find somebody with a tool for that, i suppose.
You would need a "Intrusion Detection Software" - sorry but this won't work for Smartphones, because there is a lot of calculation, data and energy needed - you find this special hardware in big data centers.
Do not root and do not install Apps you don't really need is still a good advice, specially when people don't know so much about all this.
Another way to sneak in is to compromise the users pc, that is (maybe) connected to the phone sometimes (work with iphone sync but also with android to change DNS and get SMS with e-tan's - you will find more info it in the media)
Or if you have the "power" you can can use the cloud services (iOS, Google, Windows or other 3rd party services) to steal user data (sms, pictures, GPS history...) or just let it sync the malware to the phone. So you don't have to break in directly.
What would be the best way of preventing attacks of afforementioned groups and alike?
Click to expand...
Click to collapse
tomorrow i will have time, there are to many possibilities
Thanks for clarifying, @He3556!
Now I know that phones in general are hard to lock down for such agencies. Time to quote myself:
SecUpwN said:
Most importantly though, is there some way of detecting such installations or manipulations afterwards?
Click to expand...
Click to collapse
Hey @He3556, if you've been following security news the past weeks, this topic here is becoming more relevant with each revelation. Since the trojan-coding company FinFisher has highly likely been hacked and some cool whisteblowers are publishing very sensitve data like price lists and handbooks on their Twitter account GammaGroupPR, more details of their secret software FinSpy Mobile is being revealed. And this is exactly the type of software that I am talking about here in this thread. I want to know how users can protect themselves from crap like that. According to the video that has been leaked, It is being installed through a fake update, or even through messages via E-Mail to "please" install this "very important update":
And just to make everyone more curious, FinSpy Mobile has been leaked on Twitter! It obviously works for all operating systems, including Android, Blackberry, Windows Mobile, and Symbian. Another trophy is source code of FinFly Web, which found its way the code hosting platform GitHub. It is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks. FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules. Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software. Regarding FinSpy Mobile and similar software: How would law enforcements possibly attack a cautious member of XDA (or any other site)? I mean, people that have been in the field of flashing new ROMs, updating their firmware and recovery themselves, not installing strange APKs sent via E-Mail and controlling installed Apps through TitaniumBackup should be somewhat immune to such type of attacks, right?
It appears to me as if their software might work for the general masses, but highly-likely not on people like @jcase or other Android security-gurus. Since I linked you, I'd be very happy if you could expand on that a little. I am sure such companies might even have the possibility of messing with the baseband of a target phone through only knowing the phone number of a target. But I am really curious what their "standard procedure" is if they face a target with thorough Android knowledge, maybe even a security-enthusiastic Android developer. Wouldn't their only option be to manually manipulate the handset?
There are two methods to keep away all kinds of trojan and malware...
1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
He3556 said:
There are two methods to keep away all kinds of trojan and malware...
1. use a SIM with data connections only: There are SIM cards on the marked you can use in a USB Stick for Notebooks or tablets.
You won't have a cell phone number and can't receive SMS. You won't be able to use the circuit switched (GSM & UMTS-cs) part of your cell phone. For communication you have to use a VoIP provider - with Secure SIP and SRTP.
Click to expand...
Click to collapse
I know this works, but the only guy who is so insane and is already doing that is probably @InvaderX.
Honestly, what's the purpose of a phone if I can't receive SMS and call anyone without internet connection?
He3556 said:
2. Web browser, Apps, e-mail client and all other connection must be use VPN.
But there is one more stepp to take.
The virtualization of all services and Apps you are using. This works like Team Viewer on a PC. The App is running on a cloud server while you only see the desktop of the remote controlled application. This technique is already used when you want to use flash with iOS device (photon, cloudbrowse, puffin and so on..)
More details about this you can find here: http://itwatch.info/Products/ReCAppS
But i am sure there are more projects about this out there...
Click to expand...
Click to collapse
Better yet: Living under a rock should solve all these problems. Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month? From the things you mentioned as for protection, I highly doubt that I'll move that way. And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher. But talking about this makes me wonder: It seems as if the probability is high that most of the time they are selling a fake update to the target. Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed
Click to expand...
Click to collapse
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brain storm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
- My favorite plan yet, making a popular app themselves that they know you will try
It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution... There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
edit2: More specific answers to your questions.
You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
SecUpwN said:
Seriously though, can such law enforcement agencies silently update stuff on my phone (possibly baseband) that goes unnoticed even when using TitaniumBackup and flashing a fresh ROM every month?
Click to expand...
Click to collapse
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
SecUpwN said:
And no matter how hard I try, the bad guys (or, to put it in the wording of those companies: the agencies that are "protecting our freedom") will likely always find a way in - even if that means tapping the phone through listining in on my calls or deploying an IMSI-Catcher.
Click to expand...
Click to collapse
This is the thing, with enough resources, there is always a way.
SecUpwN said:
It seems as if the probability is high that most of the time they are selling a fake update to the target.
Click to expand...
Click to collapse
Exactly disguising as something legit is the cheapest way, "trojan horse".
SecUpwN said:
Is there a convenient way of knowing that stuff like FinSpy Mobile has been installed, where such agencies can't possibly tinker with any records of what was happening on the phone? I especially check the Trust - Event Logger by @Dark3n very often. Could they change such records? Is there a better App to warn about unauthorizes access or (hidden) App installation?
Click to expand...
Click to collapse
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Whoa, this has to be the longest answer I've received since registering here. Huge thanks! Grab a coffee..
Dark3n said:
Trust is not a security app!
If an attacker has root, you can just alter the database of apps like Trust, which would be the easiest way.
There are probably also ways to alter the system so it does not broadcast certain events(which is how Trust monitors most things).
It is just not build to withstand such attacks.
Click to expand...
Click to collapse
Ok, fair. Will keep it anyhow.
Dark3n said:
Maybe? But there are much easier ways if it is not desired to target specific persons.
I'll brain storm a bit for you:
I would divide the attack vectors into those that work with root and those that don't.
Click to expand...
Click to collapse
Just to mention it here: An awesome site to see which attack vectors and vulnerabilities exist is Smartphone Attack Vektor by @He3556.
Dark3n said:
Without root apps can still do plenty of malicious actions, including tracking your position or uploading all files on your sdcard (INTERNET;SDCARD;LOCATION permissions) etc.
If an attacker gains root permission he could install rootkits, modify existing apps, inject malicious code into dex files of installed apps etc.
Basicly do what the hell he wants.
Click to expand...
Click to collapse
Ok, I get the point. Also like @jcase already pointed out: If we root, we pwn ourselves. And if we don't, too.
Dark3n said:
While not using a rooted device would certainly make it more difficult to do malicious things, it's doesn't prevent it.
A normal app you install could still root your phone through vulnerabilities. It works the same way apps such as TowelRoot or ZergRush root your phone.
Downloading new apps that request root is also very dangerous ofc, once you pressed "grant", it's too late, anything could have been done. So be wary when trying out new root apps of devs you don't know/trust?
Click to expand...
Click to collapse
I only install trusted Applications.
Dark3n said:
Abusing trust in existing apps is probably the biggest danger.
The most obvious danger here is downloading apps you usually trust but from unknown sources.
Sure there could be signature issues when updating over your current app, but what if you don't have it installed? I could also think about a few ways to inject malicious code without altering the signature (did not try, just a thought, might be impossible).
The issue is that you probably wouldn't even notice, as the compromised app retains it's original functionality.
Click to expand...
Click to collapse
Guess if I use the F-Droid Store I should be pretty safe, right? But don't worry, I don't rely on it - as for me, smartphones are huge bugs with touchscreens. That is why I also built a phone signal blocking pouch for myself and friends. Further good recommendations can be found on the bottom of my GitHub.
Dark3n said:
Want a botnet?
Inject malicious code into a popular root up that is paid, crack it and upload it somewhere.
While this more dangerous (or worth for an attacker) with root apps, it's still viable for non root apps, just pick one that already aquires many permissions.
It's way too easy, people constantly underestimate the danger of this. It's not all about piracy it's bad, it's a barn door sized security hole.
Click to expand...
Click to collapse
Actually, no. I already have two or three. Or maybe even four?
Dark3n said:
A bit more difficult variant would be abusing known security holes in existing apps that can be root or nonroot apps, such as modifying files the other apps uses, such that it executes your malicious code for you, so some type of code injection. First thought would be looking for root apps that use scripts or binary files and then check the permissions on those files to see whether they are writeable.
Now those are all ways to target a broad mass of users.
Click to expand...
Click to collapse
Good to know we've come to an end here. Reading all this makes me want to throw my phone out of the window.
Dark3n said:
If a single user is the target, it would be more difficult, but there are still plenty of options:
- MITM attacks at public hotspots,
Click to expand...
Click to collapse
I DON'T use public hotspots. Why? Because you can be almost certain that stuff will be logged and analyzed once you use that. Over here in my town, we've got a HUGE Apple Store. And guess what - FREE WIFI for everyone! Yeyyy... not.
- Pressuring developers of apps you use. What dev wouldn't implement a security hole into an app of his, if a guy in a black suit comes up and points a gun to his head? Well that escalated quickly... But with "secret courts" and all the **** that happens secretly sanctioned or is just done by some agencies because they are above the law, is it really such an impossible scenario? The ends justify the means? Do they?
You are right, threats against family, friends and relatives are a no-go. If I remember correctly, something similar had happened to my beloved XDA developer @idcrisis who invented CrossBreeder. He left development of his toolset because starnge things occured in his life which he linked to his development. Shortly after leaving his project, he proposed a new license: The Aware License. Hope this guy is still living a happy life, though. Added to the above security-issues: Trust NOONE! How come? Well, just read this stunning story I discovered yesterday where a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet adn surfing cat videos. ^^
Dark3n said:
- My favorite plan yet, making a popular app themselves that they know you will try
Click to expand...
Click to collapse
I don't quite get what you meanb by that. Please clarify, it sounds interesting.
Dark3n said:
It is usually never impossible, just a matter of resources and whether its unfeasible to spend so many resources on that goal.
Click to expand...
Click to collapse
The way I see it: The only thing that we have no real access to, is the baseband. I am sure that these are full of backdoors and switches for agencies that they just need to trigger - just like the Samsung Galaxy Backdoor discovered by Replicant.
Dark3n said:
edit: So the best course of action? Don't install anything you don't trust. Don't trust the manufactor either? Install a custom ROM, but as those often use binary blobs for certain parts of the software, it's not really a 100% solution...
Click to expand...
Click to collapse
Nope, I don't trust the manufacturer either. And I am SICK of bloatware! hence, I am a happy user of AOKP since several years - but regarding the binary blobs, I would certainly love to try out Replicant (sadly not yet available for the HTC One).
Dark3n said:
There could also be compromising hardware built in, but now I'm really climing up the tinfoil tree, but as recents new story suggest that the NSA is intercepting hardware packets from manufactors such as cisco to modify them, what's really impossible?
Click to expand...
Click to collapse
Nothing is impossible, everything can be done. A wise man once said: Everything you can imagine, will happen.
Dark3n said:
TL;DR Best course of action that is feasible to adhere to is probably to just not install stuff one doesn't know or trust.
Click to expand...
Click to collapse
Good advice, I already do follow that one. As already said, if I were a spy company, I'd just team up with manufacturers of basebands..
Dark3n said:
You might be able to monitor files changes on an a system level, but if your attacker gains highlevel priviledges, what keeps him from changing the monitoring system?
Click to expand...
Click to collapse
Highly-likely nothing. I already know that there is not much I can do to prevent them to get in, but at least I do want to detect them - and having such a detection mechanism raises the bar in disguising their actions even further - and who knows, maybe they're not interested anymore then?
Dark3n said:
How does TiBu help prevent such injection? Flashing a new ROM would probably undo such changes, but what prevents "them" from just doing it again.
Click to expand...
Click to collapse
Not much.
Dark3n said:
This is the thing, with enough resources, there is always a way.
Exactly disguising as something legit is the cheapest way, "trojan horse".
Click to expand...
Click to collapse
Absolutely right. But what I am really curious of: How do people from the security-community really protect their phones? Do you have friends that are using their phones to just communicate via VPN and VOIP, not sending SMS and never calling people? Perfect place for @InvaderX to chime in, he told me before to really do a combination of that approach.
Dark3n said:
I don't know any surefire way to detect this. The issue is that with enough priviledges (which can be gained without authorization, zero day exploits are worth a lot money to "agencies" as well as criminal organisations, though I'm no longer sure where the difference is), you can just clean up your track of malicious behavior.
Click to expand...
Click to collapse
Sigh.. mobile phones are a total threat to humanity, I get it..
At least I am not the only one paranoid about this kind of thing. LOL
lostangelintx said:
At least I am not the only one paranoid about this kind of thing. LOL
Click to expand...
Click to collapse
It doesn't have much to do with "Paranoia". The very reason you started to care about this, is because phones are in fact very insecure devices - most people just don't realize or care about it. Another very interesting thread I found lately: Android Security for Conscious Mind.
a tool against 0-day exploits
don't freak out to early - this tool is only for windows desktops.
But at least it shows how it could work for mobile devices, too.
It is called Enhanced Mitigation Experience Toolkit (EMET 5.0) ...is a utility that helps prevent vulnerabilities in software from being successfully exploited.
These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform.
SSL/TLS certificate pinning - This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).
Ok, they do not guarantee 100% security - but who could? Even this software comes from Microsoft, it's still a good solution and closes the gap between anti-virus, firewall and keeping your software updated.
Here is a test from 2010 (EMET 2.0) http://www.rationallyparanoid.com/articles/emet-testing.html
And one of 2014 http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/
Does anybody know a APP for Android, iOS, WP8 or BB?
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
I trust neither the ODMs, nor the custom roms. However I KNOW the average custom rom is just as if not MORE vulnerable than current stock roms, add su into the mix and it is without a doubt more vulnerable. Show me a custom rom dev that claims he ships a secure firmware, and I'll show you someone ignorant of the facts. Ask most of them what CTS is, and they will look at you like you are referencing 18th century medical terms.
That is my stance. In regards to root making a device more vulnerable, I can back that statement time and time again. From key compromises of the superuser apps, to vulnerabilities in the app, to vulns in the su binaries, to vulns in apps that typical make su requests, to stupid users who will grant it to anyone. Having any access point to "root" makes turning a small vuln to a complete compromise relatively easy.
E:V:A said:
Just a small side note:
In regard to device security vs. rooting.
There are essentially 2 schools of thought. On the one side we have those who believe we should trust the device manufacturers experience and knowledge to keep malware out of AOS, and you phone from spilling your data when stolen, which also means keeping users from rooting their devices, simply because they know security better, than the average user. (I think @jcase may be one of those, but he'd have to answer for himself.) On the other hand we have people like me, who firmly believe that the best way to keep your device secure is by being rooted, since we cannot trust anyone, especially large companies who scream "TRUST US". For us, we own the device and everything it does, and that your phone should not be able to send a single photon of radiation, without your permission. Then at least we have the choice to provide our own security by Firewalls, open source baseband, and encrypted phone calls etc. So no, this is not part of the majority of phone owners. But we think it should be. So who's right? Well, we're both right of course. What we need is to be able to make this choice at the time of purchase, and independent of the device you like. To be able to choose if you have a fully open device that you can secure on your own or if you like one that is claimed as secure, but you will never be able to check or control on your own. But unfortunately, this is not possible in most circumstances.
Click to expand...
Click to collapse
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Reading all this, it makes me wonder if the antivirus apps help at all..
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Click to expand...
Click to collapse
Let's put it this way.
In 6 years of heavy 24/7 PC use, my anti-virus have prevented me from a "possible" remote exploit exactly once, while having annoyed me with lengthy uninterruptible scans and ignoring my ignore settings about a 1000 times, due to adware and various other false positives. Then only god knows how many different countries governments are already present in my PC. Go figure. And yes, I have tweaked every possible setting and tried multiple well know AV's.
Forget AV's and get a good FW and with a well tuned host file, and well tuned common sense.
E:V:A said:
@jcase : So I think we agree on that what you say, but from another perspective, we can ask ourselves whether or not a stupid user with root, can possibly endanger a smart user with root? I think this is not generally possible, apart from some automated DDOS attack, which would ultimately originate from a smart user with root, using the stupid user as a transport.
To what extent should ODM's be able to decide who is a smart root user and stupid root user? (And regardless their decision, why should we believe them?) There may not be an answer here, but the discussion is interesting also from a political point of view. How much should the "government" be responsible for a certain individual's action, regardless of their intelligence? Personally I think they're not, and should only provide security to prevent individuals from directly hurting each other, and not preventing them from hurting themselves, if they choose to do so.
Click to expand...
Click to collapse
Really, I dont want to do this again, this conversation.
Most stupid people don't realize they are stupid, they assume they are smart. (We are all stupid in some regards).
I think I could endanger a user from root, pretty sure I can either screw the phone up, or possibly catch it on fire. If it had a sim in it, and was on the network I am certain I could make them regret ever rooting their device.
Here is a question, how many of you understand how these unlocks/exploits work?
I sometimes leave messages hidden in mine, and have only had ONE person reply to the hidden message, out of 100,000s of runs. People don't even know what they are running to gain root, let alone any idea what these "rom devs" do.
Open source is the answer right? Everyone can read the code, and everyone does! Thats why no backdoors or vulns have ever been in open source projects. Every open source project gets a line by line audit by a team of security professionals.</sarcasm>
I'll join back in when someone shows me a custom rom/open device that has the same or better security precautions taken by leading ODMs. Until then, it is generally just as easy or (generally) easier to abuse and exploit one of these custom roms floating around.
stefeman said:
Reading all this, it makes me wonder if the antivirus apps help at all..
Click to expand...
Click to collapse
Won't help a lick for anything originating from a government.