Mission Possible: Securing and liberating Android 4.4
This is an incomplete and probably also out-of-date article written in mid-2015
Introduction
As already stated, I think the "Mission Impossible" article is still great and probably the most complete tutorial, so I won't rephrase the article but instead list the things which are either outdated or missing from my point of view. There are some things I disagree with, so I'll try to explain why I chose another route. Actually, these are the things I would have liked to read 1-2 weeks ago, so I hope it will be useful.
Choosing the right ROM
TL;DR = Unless you have a device which is supported by Replicant, choose OmniROM. If there isn't already an OmniROM build for your device, try to make one - it might still be easier than securing CyanogenMod. If all fails, use CyanogenMod (or look for other ROMs).
In 2014, CyanogenMod was probably still the best choice, although it was already becoming clear that this wouldn't last long. In 2015, if you use CyanogenMod while aiming for a fully OpenSource ROM, you have to actively work against it (e.g. removing Google Analytics and other proprietary parts). This doesn't seem likely to change in the future, given that the CM developers founded a company (Cyanogen Inc.), started to commercialize the project and currently have a partnership with Microsoft. So in 2015, CM no longer seems to be a good base, and I would generally recommend OmniROM instead of CM (if it is already available for your device). OmniROM is AOSP-based, community-driven and aims to be a fully OpenSource ROM - it's basically a reaction to the commercialization of CM. OmniROM also has a much more advanced built-in tool for handling app permissions and comes with some developer tools which might be handy.
The developer of the free-cyangn project, which removes Google Analytics from CM (and also substitutes some other proprietary bindings), switched to OmniROM, too, but he is still maintaining the free-cyangn code.
The Replicant project is currently based on CM, but is also thinking about using OmniROM as a base in the future. I think it would actually make a lot of sense to see those projects merged together, given that they both aim to be fully OpenSource.
Google Apps
TL;DR = Don't use Google Apps.
I would strike the "Google Apps" part completely, even if it is marked as optional. I think it would be better to write a part about why you should not install Google Apps. It should state that:
- they are proprietary apps, and
- they have root access on your device.
- This is especially bad from the European point of view, where AFAIK there are no laws which could protect you from the NSA doing whatever it wants on your device.
Even when you're not using (and never started) apps like News&Weather, Google Maps, etc., they all still try to connect to various Google servers. Disabling backups in the Settings won't prevent the Backup Transport Service from connecting to Google, and so on. When using AFWall+ with notifications configured, you'll permanently see popup messages even without doing anything (and, of course, even without geolocation being enabled).
Of course, it's possible to disable access to nearly everything, like the author of the MI article did - which is a lot of hassle - but if you succeed, you're actually not getting a secure device, but only a secure snapshot. There will be updates for Google Apps, and you will have to adjust. So, when installing Google Apps you are actually leaving the "Mission Possible" route and are back at "Mission Impossible".
Installation
Preparing the Installation
- When downloading F-Droid from your desktop, you can (and should) verify the checksum with GPG.
- I think it's better to place the APK in the Android filesystem while you're still in recovery mode after flashing the ROM, so you have F-Droid as a verified and bundled system app and don't need to allow ADB access or tick "[ ] Enable installation from untrusted sources" in the Android settings after the first boot. This may be just a personal choice, but I think it's better because a) it's easier to script (in the end, we want to have a script which automates all steps, right?), and b) you avoid the risk of forgetting to disallow/untick any options in the Settings (you are a human after all).
- When downloading TWRP and OmniROM, also download the MD5 checksums. Transfer the MD5 checksum file to the Android device as well, since TWRP will use it to verify the transferred image.
gpg --recv-keys DD5DCE7A
gpg --verify org.fdroid.fdroid_910.apk.asc org.fdroid.fdroid_910.apk
Superuser: OmniROM doesn't come with a bundled Superuser app, so you will have to provide your own. Unfortunately I didn't try whether it's possible to simply install the one from F-Droid after the first boot; I downloaded and flashed it manually.
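As an added example (not code from the original article), a small shell function that checks a downloaded TWRP or OmniROM image against its MD5 file before it is pushed to the device. It assumes GNU coreutils md5sum and an MD5 file in the common "<hex>  <filename>" format; the file names are made up.

```shell
# Added example, not from the original article: verify a downloaded image
# against its MD5 file before "adb push". Assumes GNU coreutils md5sum and a
# sum file in the usual "<hex>  <filename>" format (both are assumptions).
verify_md5() {
    image="$1"      # local copy of the image, e.g. omni.zip (made-up name)
    sumfile="$2"    # its checksum file, e.g. omni.zip.md5sum (made-up name)
    [ -f "$image" ] && [ -f "$sumfile" ] || { echo "missing file" >&2; return 1; }
    # first field of the sum file is the hash, second is the file name it was made for
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    listed=$(awk 'NR==1 {print $2}' "$sumfile")
    listed=${listed#\*}                     # strip the "*" binary-mode marker, if any
    case "$expected" in
        ""|*[!0-9a-f]*) echo "sum file does not start with a hex digest" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "digest is not 32 hex chars (MD5)" >&2; return 1; }
    # refuse a checksum that was published for a differently named file
    if [ -n "$listed" ] && [ "$listed" != "$(basename "$image")" ]; then
        echo "sum file is for '$listed', not '$(basename "$image")'" >&2
        return 1
    fi
    actual=$(md5sum "$image" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    echo "$image: MD5 OK"
}
```

MD5 only catches a corrupted download or transfer; it says nothing about who published the image, which is why the GPG-verified checksums wished for at the end of the article matter.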
Flashing
After flashing TWRP, reboot into it. Use ADB to push your ROM (and the ROM checksum) and flash it with TWRP. Don't reboot now; but if you ever reboot manually from TWRP, you might be asked whether you want to install SuperSU - do not confirm. You want to use "Superuser" instead, which is OpenSource.
Remove Components
I recommend removing any shipped APKs which you don't need or want, which are proprietary, unsafe to use or hurt your privacy. They are located in either /system/app/ or /system/priv-app/. While still in recovery mode, you can simply use "adb pull /path/to/apk" to make a backup and "adb shell rm /path/to/apk" to remove them. Packages I removed on both CM and OmniROM:
- Email (AOSP Email Client): no one seems to develop or maintain this anymore. Google wants you to install Google Apps and use the GMail client, so they are no longer interested in it. The same is true for Samsung and other companies; everyone seems to ship their own mail solution instead of developing the AOSP Email Client. K9-Mail is better anyway, so it doesn't hurt.
- Browser (AOSP Browser): basically the same as the AOSP Email Client. Google wants you to install Google Apps and use Google Chrome, and so on. It is a bad idea anyway to use a browser whose updates are only shipped with OS updates. Users are regularly advised to install another browser from the app store just for security reasons, and so do we.
- Apollo Music Player: not really sure about this, but I never used it, so it had to go. Do this with every package you don't want.
- SoundRecorder: same as Apollo - I don't need it and removed the microphone anyway.
Sample code (only works for APKs located in /system/app/):
for app in Email Browser Apollo SoundRecorder ; do
    echo "removing $app"
    adb pull /system/app/${app}.apk "${app}.apk" && adb shell "rm -f /system/app/${app}.apk"
done
CyanogenMod
Packages I removed on CyanogenMod (or: why you shouldn't use CM):
- CMAccount: I didn't have a CM account (and didn't want one), but regardless it connected to various servers in the USA.
- CMUpdater: I configured CM to only check for updates manually, and I felt quite disrespected when it tried to connect to various servers anyway, so I decided to go the "really manually updating" way.
- LockClock ("cLock"): as far as I understand, this is the Clock+Weather widget, which I never used. I used DashClockWidget instead, but regardless LockClock made connections to different servers. To be fair: maybe this would have stopped if I had activated it once and configured it not to poll for weather data etc. - I don't know.
There are probably many more packages which I would have removed, but after I realised that the CM developers had also integrated Google Analytics, it became clear that CM is a "Mission Impossible" of its own. If you have to use CM, it's probably best to start with the free-cyangn tool, which substitutes the built-in Google Analytics with NoAnalytics. I did not; I switched to OmniROM. Note that the developer of free-cyangn also switched to OmniROM, so he is not developing it further, but he is still maintaining it.
OmniROM
Packages I removed on OmniROM:
- OpenDelta (OmniROM Updater): I don't really recommend removing this, but there was no option to only check for updates manually, and I wanted to start off with an empty firewall log (and prepare for Germany's upcoming data retention).
- QuickSearchBox: it connected to Google even without doing anything, so I wanted to eliminate it. Again, this is a personal choice - you might want a search box widget on your home screen, I don't.
- Since I'm using a WiFi-only tablet and don't plan to phone with it: VoiceDialer, TeleService, TelephonyProvider, CellBroadcastReceiver.
Add Components
Now it's time to add some stuff - at least the F-Droid package, which should be placed in /system/priv-app/ so that it is a "privileged system app" and you therefore won't need to tick "Allow installation from untrusted sources". Other packages should be fine in /system/app/. I found it handy to also push other data, like some configuration files from a prior Android installation, or a text file with the password for my WiFi hotspot, so it's possible to copy & paste it from within Android.
So, basically it goes like this:
adb shell mount /system # should be already mounted
adb push org.fdroid.fdroid_910.apk /system/priv-app/
adb push dev.ukanth.ufirewall_171.apk /system/app/
adb shell mount /sdcard # should be already mounted, too
adb push wifi.txt /sdcard/ # password for WiFi
adb push settings.k9s /sdcard/ # K9-Mail configuration file from prior installation
adb push black.png /sdcard/ # I didn't want to install an app for setting a solid black wallpaper
clients3.google.com -> localhost
Every time you connect to a WiFi hotspot, http://clients3.google.com/generate_204 will be polled (see line 64 and line 376 of https://android.googlesource.com/platform/frameworks/base/+/android-4.4.4_r2.0.1/core/java/android/net/CaptivePortalTracker.java ). Quick'n'dirty workaround:
adb shell "echo '127.0.0.1 clients3.google.com' >> /system/etc/hosts"
2.android.pool.ntp.org -> localhost
It doesn't matter whether you disable NTP in the system settings or not - 2.android.pool.ntp.org will be queried (see line 1045 of https://android.googlesource.com/platform/frameworks/base/+/android-4.4.4_r2.0.1/core/res/res/values/config.xml ). Quick'n'dirty workaround:
adb shell "echo '127.0.0.1 2.android.pool.ntp.org' >> /system/etc/hosts"
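As an added example (not code from the original article), the same two hosts-file redirects done idempotently: the "echo ... >> /system/etc/hosts" one-liners above add a duplicate line every time they are re-run, so this version edits a local copy and appends only when the name is not already redirected. The function names and the pull/edit/push flow are assumptions of this example.

```shell
# Added example, not from the original article: idempotent hosts-file overrides
# for the redirects described above. Works on a local copy of the file, which
# is pulled from and pushed back to the device while it sits in recovery with
# /system mounted read-write (function names and flow are this example's own).
add_host_override() {
    hosts="$1"      # local copy, e.g. from: adb pull /system/etc/hosts ./hosts
    name="$2"       # host name to redirect, e.g. clients3.google.com
    case "$name" in
        ""|*[!A-Za-z0-9.-]*) echo "refusing odd host name '$name'" >&2; return 1 ;;
    esac
    if host_overridden "$hosts" "$name"; then
        echo "$name: already redirected"
        return 0
    fi
    printf '127.0.0.1 %s\n' "$name" >> "$hosts"
    echo "$name: redirected to localhost"
}

# returns 0 if an existing line already maps $name to 127.0.0.1
host_overridden() {
    hosts="$1"; name="$2"
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')   # escape dots for the regex
    grep -qE "^[[:space:]]*127\.0\.0\.1[[:space:]]+$pat([[:space:]]|$)" "$hosts"
}

# number of override lines for $name; used to confirm that re-runs add nothing
override_count() {
    hosts="$1"; name="$2"
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')
    grep -cE "^[[:space:]]*127\.0\.0\.1[[:space:]]+$pat([[:space:]]|$)" "$hosts" || true
}

# typical sequence from recovery mode:
#   adb pull /system/etc/hosts ./hosts
#   add_host_override ./hosts clients3.google.com
#   add_host_override ./hosts 2.android.pool.ntp.org
#   adb push ./hosts /system/etc/hosts
```

Expect the captive-portal check itself to fail once clients3.google.com points to localhost, so Android may report WiFi networks as needing a sign-in.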
First Boot
I guess it's possible to configure the following steps via CLI even before the first boot, but for now I'm just documenting them:
- Launcher / Home Screen Settings: adjust to your personal preference: "Show Search Bar", "Enable hotword recognition" (and other Hotword options)
- Android Settings: FIXME (and also have a look at the MI Article)
Recommended Software
Office
K9-Mail + OpenKeyChain
K9-Mail shouldn't need further explanation. I recommend OpenKeychain instead of APG, because the development of APG has stalled; the last APG updates only pulled code from OpenKeychain.
Tasks
An app for managing tasks. If you want to sync your tasks via CalDAV with DAVDroid, you have to install this first.
DAVDroid
Use DAVDroid to sync Contacts, Calendar and Tasks (see above) with your own server via CalDAV.
Flym
A nice RSS feed reader with offline support. It's possible to configure a proxy, too. So if you are using "Automated Refresh", think about using Tor as a proxy, since speed won't matter in this case.
Fennec (Firefox Mobile)
To be honest, I can't recommend Firefox any longer. I'm listing it here because it's better to have a browser which gets security updates regularly (in contrast to the AOSP Browser), but with regard to privacy, Firefox/Fennec deserves a "Mission Impossible" article of its own. Fennec seems to regularly send pings to Google, for whatever reason. The following steps could not stop Fennec from trying to send data packets to Google:
- Preferences -> Customize -> Home -> [ ] Show site suggestions
- Preferences -> Customize -> Search -> [ ] Show search suggestions
- Preferences -> Privacy -> [x] Do not track
- about:config:
  - browser.safebrowsing.enabled = false
  - geo.enabled = false
  - privacy.trackingprotection.enabled = true (https://support.mozilla.org/en-US/kb/tracking-protection-firefox)
  - network.dns.disablePrefetch = true
  - network.prefetch-next = false
Note: Fennec tried to send data packets to Google even without doing anything, right after its first start, without typing anything in the URL bar and without tapping anything. Changing the default search engine from Google to Wikipedia also didn't make a difference. Worse: these "pings" are still attempted when Fennec is in the background while using another app, so you need to explicitly close Fennec to stop them. At some point, I allowed internet access for Fennec so it could get updates (or whatever it wants from Google), hoping that after that it would stop sending packets to Google. It didn't help; I firewalled Fennec again, and the next day there were hundreds of blocked packets from Fennec to Google in the firewall log.
TODO: why are packets being sent to port 4882 at the local gateway / router?
Backups
I disagree with the "Backups" part in the MI article, mainly for two reasons:
- It is perfectly fine to make backups from the recovery mode. No need to allow adb access from a running Android OS, so there is also no need to remember to disallow it after the backup has been run.
- Backing up from recovery mode makes sure that you get a consistent backup - there are no open apps or files.
Of course, when backing up via recovery mode, you'll have to use a cable - but on the other hand you don't have to configure your firewall and ADB for wireless usage (and disable it afterwards), so wireless backups IMHO aren't convenient anyway.
FIXME this needs to be verified
TODO
Configuring
- unknown components (pacprocessor?)
Things I'd like to see in 2016:
- GPG-verified checksums for TWRP
- GPG-verified checksums for OmniROM
- A simple script which downloads TWRP, OmniROM (for a given device), F-Droid, optionally also AFWall+ and Superuser (not everyone should need them), and verifies the checksums for all of them. Since it's all about trust, it would be great if this could be reviewed and signed off by an organisation like the FSFE. In a perfect world this shouldn't be needed, but I really lost a lot of time trying to find the correct GPG keys for F-Droid, trying to validate whether twrp.me is really the official website for TWRP (all wiki entries about TWRP I found pointed to another URL which was not reachable anymore) and so on.
- Another simple script which flashes TWRP+OmniROM in fastboot mode, boots into recovery, pushes F-Droid & friends as system apps with adb, and removes unwanted system apps (of course, it could make a backup of those with "adb pull", too) - then just "adb reboot".
- An updated "Mission Impossible" article which is only half the size because you can use those scripts.
- OmniROM as a base for the Replicant project, or even both projects merged together, since they both aim for a fully OpenSource ROM.
- A tablet and/or a phone with OpenHardware! All goals listed above are actually really easy to achieve, but the choice of the right hardware is still pretty much "Mission Impossible".