Advertisement
Custom software developers/ programmers in India
Can customize existing open source ecommerce, crm, cms, mailing list scripts. Expert PHP perl developers/ programmers.
Weekly Edition
Return to the Security page
| |||||||||||||
Guardian: Better privacy and security for AndroidWith more and more of our "computing" happening on mobile devices instead of on traditional computers, securing these devices has become important. Unfortunately, most mobile platforms, including Android, are a step backward when it comes to security, privacy, and anonymity: by default, the user's files on an Android smartphone are not encrypted, instant messaging communication can be sniffed, and web browsing is not anonymous. One project that wants to do something about this — focusing on Android — is The Guardian Project. The project describes its aim on its home page: The Guardian Project aims to create easy to use apps, open-source firmware MODs, and customized, commercial mobile phones that can be used and deployed around the world, by any person looking to protect their communications and personal data from unjust intrusion and monitoring.
This is a fairly extensive vision. For now, the Guardian project is in its first phase: enhancing existing applications and developing new secure applications. But the ultimate aim is to customize Android on even lower levels to create a secure mass-market consumer smartphone solution, based on CyanogenMod, a popular alternative Android firmware. This requires enhancements to or replacements for the Android Application Framework, as well as adding new libraries and core security services. The kernel, Android runtime, and Dalvik virtual machine will also have to be secured, and the project is even considering securing or removing hardware drivers. However, until the project is able to create their own Android firmware, the developers recommend using CyanogenMod. Transparent proxying through Tor![[Orbot]](/images/2011/orbot-sm.png)
To be able to browse the web, chat, and email without being monitored, Guardian has developed the Orbot application, which brings the power of Tor to Android and is actually the official port of Tor to Android. When first started, Orbot shows a wizard explaining what the user can do with it. If the device is rooted and the firmware is updated to an iptables-capable ROM such as CyanogenMod, Orbot can transparently proxy all web traffic on port 80 (HTTP) and 443 (HTTPS) and all DNS requests, so nothing else has to be configured. The built-in browser, Firefox Mobile, and applications like Gmail, YouTube, and Google Maps use standard web traffic so are routed through Tor transparently. The wizard also allows the user to select individual applications to route their traffic through Tor. If you don't want to root your Android device, you can only route an application's traffic through Tor if it supports an HTTP or SOCKS proxy. Orbot runs an HTTP proxy on localhost:8118 and a SOCKS 4/5 proxy on localhost:9050. For instant messaging, the Beem application (a Jabber client) supports this, as does Gibberbot. For web browsing there's the Firefox Mobile add-on ProxyMob which exposes settings for HTTP, SOCKS and SSL proxies and is configured by default to use with Orbot. For users that are still on an Android 1.x device, there's the Orweb browser. After the Orbot wizard is completed, the user can activate Tor by pressing the grey button, which turns to green when the Tor connection is set up correctly. Orbot's settings offer a lot of options, such as automatically starting Orbot when the Android device boots, using a Tor bridge to connect to the Tor network, relaying, and enabling hidden services on the Tor network. Concerned users can always confirm that they're browsing via Tor by visiting the web page check.torproject.org. End-to-end encryption![[Gibberbot]](/images/2011/gibberbot-sm.png)
While the Guardian developers previously recommended the Beem project to offer anonymous instant messaging through Tor, they are now developing their own Jabber instant messenger as a replacement for the Google Talk application: Gibberbot. It's still an alpha release and the developers warn that there are still bugs and potentially even security flaws, but the release seems promising. Gibberbot is based on code from the Google Talk IM application, but with support for Tor (via Orbot) and end-to-end encryption (using the Off-the-Record OTR4J library). The OTR protocol not only encrypts instant messages, but also attests that your correspondents are who you think they are. Moreover, the messages a user sends do not have digital signatures that can be traced to the user afterward, even though during a conversation, the correspondent is assured that the messages are coming from the user without any modification. Another nice feature is that no previous conversation is compromised if the user's private key is lost. Of course, to be able to chat securely with Gibberbot, a correspondent should be using an OTR-compatible chat client, such as Gibberbot on a smartphone, Pidgin or Adium with the OTR plugin on a computer. The Guardian project recommends some third-party applications, which all offer encryption. The first one is the email client K-9 Mail, which supports OpenPGP encryption using Android Privacy Guard. The project also recommends two projects developed by Whisper Systems, the company of security researcher Moxie Marlinspike: RedPhone, which offers end-to-end VoIP encryption using ZRTP (at the moment it's US-only), and TextSecure, which allows users to send and store SMS messages using an encryption protocol based on OTR but designed with space efficiency in mind. Both Whisper Systems applications only work if both parties use the same application. Developers, developers, developersThese applications are the most visible deliverable of the Guardian project, but the developers are also building libraries, tools, and source code for other developers, so that they are able to add security-oriented features more easily to their own Android applications. For instance, there's the Orlib library that's a drop-in replacement for Android's standard Socket and HTTPClient libraries, adding Tor support to any application because it uses the HTTP and SOCKS proxies that Orbot offers. With respect to encryption, Guardian offers SQLCipher, an extension to the SQLite database that provides transparent 256 bit AES encryption of database files. Developers that want to better protect the privacy of their users, can use SQLCipher instead of Android's default SQLite library to encrypt their database files. The Guardian developers are also working on a port of LUKS (Linux Unified Key Setup) to Android. The README emphasizes that it's still alpha software and should be "used with a grain of paranoid salt" with an explanation of why it's so hard to use LUKS on Android: While the LUKS project itself has been put through the paces on Linux desktops and servers, we are still determining the right conditions for its secure use on Android. With the many combinations of closed hardware, proprietary basebands, multitudes of kernels, firmwares and other mods, it is fairly impossible to guarantee security for any user. That said, we feel this effort is a useful public step forward in providing an increased level of protection for file storage, and exploring the limits of what we can provide as after-market software developers building open-source tools.
The Guardian developers are also collaborating with the human rights organization WITNESS to develop a secure camera application named Camera Obscura. They aim to support some common scenarios for activists, such as an easy way to remove all traces of any captured images when the phone is compromised and automatically blurring the faces of people in the background when recording a video interview of a spokesperson at a protest. There are also collaborations with the developers of the personal firewall DroidWall and with the developers of DroidTracker, an application that shares your location with your friends or colleagues. Other features that the Guardian project is working on are a remote data wipe and better physical access control. All code developed in the Guardian project can be found on GitHub. Paranoid AndroidsThe Guardian project is not the only one to secure Android phones. Apart from the ones we already mentioned because Guardian is collaborating with them or recommending them, there's also WhisperCore, a custom Android ROM created by Whisper Systems. By default, WhisperCore encrypts the phone's entire data partition, and it can optionally encrypt the phone's SD card as well. WhisperCore is closed source software (but free for individual use) and is in an early beta phase. Currently it only supports the Google Nexus One and Nexus S phones. One of the components of WhisperCore is WhisperMonitor, a personal firewall for Android users. When enabled, it intercepts all outbound network traffic and asks the user whether the application is allowed to connect to a specific server/port combination. This way, WhisperMonitor determines egress filter rules for the firewall, giving the user complete control over what each application is able to send over the network. It also provides an interface to modify or update rules defined per application, as well as a complete connection history of all applications. Of course there are many other small tools, each of them helping in its own domain to secure Android. For instance, the SSH Tunnel application offers an easy-to-use interface to create an SSH tunnel to the user's server in order to use an encrypted channel on an untrusted network. On a rooted phone, the application can even set up system-wide tunneling. Much work to doWhile the Guardian project and other projects to make Android more secure are still in their infancy, many of their applications are already usable for more technically-inclined people. However, if you look at the use cases they're aiming for, it's clear that there's still much work to do to create a privacy-enhanced mobile phone operating system that is consumer-ready. The core developer team is small, but they are eager to collaborate with partner organizations and they have opportunities for internships and jobs. If you're a security-conscious developer who wants to make a difference, the Guardian project is definitely a project to consider joining. But even if you don't have any developer skills, you could help by joining the project as an alpha tester. (Log in to post comments)
Guardian: Better privacy and security for Android Posted May 12, 2011 5:26 UTC (Thu) by bronson (subscriber, #4806) [Link]
Very impressive! The need is very real but it sounds like a huge amount of work... Who's funding or driving this project? Where do the developers developers developers come from?
Guardian: Better privacy and security for Android Posted May 12, 2011 15:17 UTC (Thu) by felixfix (subscriber, #242) [Link]
I'm more curious about long term survivability. In addition to wondering if phone makers will try to prevent users from loading projects like this, how well will it adapt to future platforms? Cell phones have a notoriously short consumer life; a lot of people upgrade every time their two year contracts run out, and would upgrade more often if they weren't locked in for two years. Does it take so much effort to port to new phones that the useful life is only half the phone's life?
I suppose the chances of Google merging this back into their mainstream are pretty low ...
Guardian: Better privacy and security for Android Posted May 12, 2011 19:12 UTC (Thu) by njs (guest, #40338) [Link]
I think it depends which of the many pieces of tech described here we're talking about :-).
Many of them are just applications, so no reason they wouldn't keep working on future devices, so long as Android itself survives.
Some of the more intrusive pieces seem plausibly usable upstream -- IIUC, iPhones support whole disk encryption as a standard feature, no reason Google wouldn't want to do the same. OTOH, that doesn't mean that they'd want to merge any particular third-party implementation. On an analogous note, CyanogenMod includes a patch to add an "incognito browsing" mode to the standard Android browser. I'm sure Google would be happy to add this *feature* to Android -- they already ship it in Chrome -- but I think there's no way they're going to use CyanogenMod's implementation, which is based on going around and adding 'if (!privateBrowsing) {...}' around all the places they could find where data is stored to disk. I'm not convinced the CM developers even understood what the correct behavior for this mode is, and if they do, then I still wouldn't trust an implementation like that to work reliably.
Guardian: Better privacy and security for Android Posted May 24, 2011 12:13 UTC (Tue) by robbe (guest, #16131) [Link]
> IIUC, iPhones support whole disk encryption as a standard feature,
Last I checked iOS only allows applications to store some (all) their data encrypted. As they have to specifically request it (maybe even with a hard-to-use API), many applications will not do it.
Guardian: Better privacy and security for Android Posted May 24, 2011 16:08 UTC (Tue) by njs (guest, #40338) [Link]
Huh, a cursory google suggests that you're right, and that's still true.
Though I guess this makes some sense -- if you have the phone turned on but locked in your pocket, then the disk itself needs to be accessible (because the OS is running), but you would like the actually sensitive data to be encrypted with a key that you can throw away when the phone locks.
Guardian: Better privacy and security for Android Posted May 16, 2011 0:38 UTC (Mon) by jtc (subscriber, #6246) [Link]
"Who's funding or driving this project?"
This appears to be answered, at least partially, on their Partners and Funding page:
Guardian: Better privacy and security for Android Posted May 12, 2011 16:28 UTC (Thu) by RogerOdle (subscriber, #60791) [Link]
"are a step backward when it comes to security, privacy, and anonymity: by default, the user's files on an Android smartphone are not encrypted, instant messaging communication can be sniffed, and web browsing is not anonymous."
Just so we don't cause widespread panic. This is not a step backward but a step forward. All major operating system in use operate in this unsafe way in their default configurations. Even encrypted hard drives for laptops tends to be the exception rather than the rule. This is because speed sells. Most end users believe their systems are secure up until the moment their system displays a security violation message.
If all systems were encrypted then the public would be conditioned to accept that level of performance. Only some clever people out there would sell acceleration kits for these platforms that remove the encryption.
Mobile devices have an advantage here in that the end user does not expect the level of performance that the laptop or desktop systems have. So if these are slowed down by security measures then the user may not notice or care. But young people will care if they can't play the latest video game because the files can not be read from the file system at a fast enough rate.
It would be better if security sensitive data would be stored in a separate device or partition from main storage. Encryption works worst when the contents contain repetitive patterns as you may find in media files that contain frames of data. Encryption works best when the contents of the encrypted material are not known. You should use encryption sparingly by only encrypting what is important.
Be smart with your mobile devices and always assume that they are insecure and can not be secured. Do not rely on encryption for security. Do not use your cell phone to make Internet purchases when you can do the same thing with your desktop computer.
Guardian: Better privacy and security for Android Posted May 16, 2011 12:51 UTC (Mon) by cesarb (subscriber, #6266) [Link]
> Encryption works worst when the contents contain repetitive patterns as you may find in media files that contain frames of data.
If the encryption system you are using is vulnerable to known plaintext or repetitive patterns, it is not a good encryption system.
Guardian: Better privacy and security for Android Posted May 16, 2011 18:31 UTC (Mon) by dlang (✭ supporter ✭, #313) [Link]
not to mention the fact that almost all media files are compressed, specifically to remove the repetitive patterns.
and most encryption software compresses the data to be encrypted as well
Guardian: Better privacy and security for Android Posted May 24, 2011 12:10 UTC (Tue) by robbe (guest, #16131) [Link]
I think RogerOdle was referring to the framing given by the container format, which has high regularity. Of course this applies as well to your soopersekrit.odt office document. Known plaintext is a fact of life, even choosen plaintext attacks are to be expected in this context.
Full-disk encryption does not usually compress.
Encrypting only "valuable" data is not a good solution IMO.
|
|||||||||||||