Android Hardening

First Disclaimers

  • Proprietary vs Open Source Code - While Open Source Code is not necessarily more secure than proprietary code, one thing is clear: You as a user can't know whether proprietary code is secure, because unless you sign a Non-Disclosure Agreement, all you can do is to trust the promises of the developer/manufacturer. In addition, proprietary code is obsolete the moment the manufacturer abandons it: open source code can at least be updated by volunteers afterwards.
  • Driver Backdoors - Unfortunately, most ARM devices use proprietary drivers which not only hold the system back from updated Linux kernels, but also could hide backdoors within.
  • ARM Trustzone - Even without a baseband, this piece of proprietary system inside every modern ARM smartphone can be a threat.
  • Hardware Backdoors - If a high level hostile actor (a government or a corporation) gets direct hardware access to your device through various means, don't expect your protections to hold up for long.

This is why you should avoid smartphones entirely if you are under scrutiny from a powerful targeted threat, from a government to even a wealthy corporation or hacking group.

Before you start

The first step is to understand what sort of targeted threats you might face, before you figure out what kinds of vulnerabilities to patch. Targeted threats are actors who are specifically threatening you and your data directly. They do not necessarily encompass random attacks, though in the case of cryptocurrency they might as well be the same. These are questions that can help narrow down what you need.

  • Are you trying to generate encryption keys or secure large amounts of cryptocurrency? - Securing cryptocurrency and (to a lesser extent) GPG/SSH or other private keys is the most important legitimate use case that demands the utmost paranoia. You are your own bank and security guard in this case: however, there are ways to do this with the utmost security.
    • Use hardware smart card systems to store your private keys and cryptocurrency (Yubikey, OpenPGP Card, Fidesmo). With these, just like a phone SIM card, the private keys never exit the card, so no private key exists on the computer to steal. Input comes in, encrypted output goes out. For cryptocurrency, the Trezor and Ledger work as cryptocurrency wallets on the same principle: especially look for wallets with hardware buttons that you can press for confirmation.
    • Make sure while you are generating keys, do not connect to the internet and do not have the swap partition active. You best bet is to use a minimal liveCD/liveUSB system that runs only in RAM, such as Lubuntu or Ledger's airgapped key generator.
    • The way random numbers are generated is also important. Pseudorandom numbers could possibly have mathematical backdoors involved which could make encryption ineffective from the actor who discovers such exploits. Thus, ensure that your random number generator is not encumbered with such security problems, by getting randomness from dice, mouse movement, or environmental detectors (radiation is most useful).
  • Are you under direct threat from foreign governments or foreign actors? - Get assistance and support from your country of citizenship immediately, and if possible, use devices that they trust with security clearance. Even Windows and other proprietary systems may sometimes be acceptable in this case, since direct clients get direct input into the source code. If no support is given, follow the next step instead.
  • Are you under direct threat from your own government or people in power? Avoid all electronics as much as possible. Watch out for any cameras or microphones nearby. Especially do not use a smartphone or even a cellphone with a baseband, since these can be exploited to read the data on your phone.
    • Your best bet is to get a ThinkPad X60 (super cheap on eBay), software flash it to Libreboot, and use TAILs or Trisquel to communicate using Onion Networks like Tor or i2p only.
  • Are you in China? Buy a iPhone (64-bit 5 or newer still updated by Apple), since it has the most compatibility despite providing the most privacy options relevant to protecting a Chinese citizen/resident. Apple consistently refuses to provide its own government access to backdoors, and it would not be allowed by US agencies to directly provide it to China of all countries. (though you should still be wary of zero day exploits) For example, all uses of microphone, location, and other permissions of privacy importance require user consent before they are accessed. Although many Chinese apps demand all permissions or stop functioning, such as WeChat, you might as well not use them in that case.
    • Signal Private Messenger works fine to and from China.
    • Avoid any Chinese-designed Androids entirely. They often come built in with invasive apps, some of which may have backdoors for the government. Even if you install a custom ROM, backdoors could exist at the hardware level.

Service Provider Leaks

Although the day-to-day probability of having your own home network hit is low (unless you explicitly or inadvertently allow them in), the probability of attackers breaking into large service providers that could leak your data and grab data from your devices at the highest level is unfortunately significant.

Although tech focused companies like Google, Amazon, and Facebook tend to have very competent security systems, government, corporate, and financial systems are unlikely to be as focused on security and can be very vulnerable to data leaks. The recent leaks of Target credit cards, US Government background checks, the Ashley Madison leak, and Equifax credit report data have been especially damaging to implicated users out of no fault of their own.

There often isn't much that you yourself can do to stay outside of these databases and services, other than not use them. Sometimes it isn't even legitimately possible to avoid becoming part of a database, such as in the case of Credit Reports in the US, which are often checked just to get a job or a car, especially as they act as surrogates for a US National ID. Legislation must be made to force non-compliant businesses to abide by good security practice, or allow users to opt out, since otherwise there is little incentive for a non-tech focused company to do so.

  • Freeze your credit history. One powerful method in the case of credit history is to freeze your credit report so that it is not accessible unless you consent to it. Many states in the US allow credit history to be frozen at will for free: unfortunately, other states allow them to charge a $10 fee, but even then the benefits may outweigh the costs. You can then unfreeze anytime at will when a major credit event is coming up, such as a new credit card, job application, new loan, etc: then just freeze back again.

Random Acts of Hacking

If none of the above apply to you, you're still at threat of random attack events, whereby an attacker from anywhere on the internet obtains or hijacks your machine, identity, or accounts after achieving an exploit in your network, device, or service provider.

Devices to Use

There are three levels of classification that we abide by for information, as inspired by US Government information protocols.

  • Top Secret - Grave danger to your person, your livelihood, or that of your friends and family.
    • Public/private keypairs - HTTPS certificates, SSH/GPG signing and authentication keys, cryptocurrency wallets
  • Secret - Possibility of harm to your person, your livelihood, or that of your friends and family. Generally, information that the government knows (such as financial information) is considered Secret rather than Top Secret.
    • Your location, your address.
    • Account passwords.
  • Confidential - Embarassment, deanonymization, or possible risks to your person, your livelihood, or that of your friends and family.
    • Contact information, usernames
    • Unfortunately, if your personal data has been publicly leaked online, consider it only confidential.

Due to the prior possibility of backdoors, you should not consider smartphones to be suitable for Top Secret information. If you have no other choice (such as an emergency situation), try to mitigate your risks by sharing data only through means and services your adversary might not have or be able to compromise in time.

Top Secret

  • Devices: Open Source Hardware only: Libreboot laptops, Beagleboard, Raspberry Pi without VGA Blob.
    • No smartphones are allowed. The proprietary baseband and unlocked bootloader could have unlimited access to your RAM and your storage.
    • They're not going to be the best devices ever, and maybe not even the ones you use each day, but at least they're something you can trust.
  • Operating Systems: G. Reproducible builds if at all possible.
  • Networking: Onion Networks, i2p or Tor (hidden services only!!!)

Secret

  • Chat: Encrypted chat and email.
  • Networking: HTTPS encryption

Confidential

  • Chat: Normal chat and email.
  • Networking: HTTPS encryption