Android security trade-offs: Rooting “Rooting” has been part of the Android ecosystem pretty much since its creation. Within the context of this blog post, I define rooting as a method to disable standard sandboxing mechanisms for particular processes, which is a superset of Nick Kralevich’s earlier definition because many posts mix up the intentional, user-driven root access with exploitation of vulnerabilities. In this post I mean granting select apps and their processes the “root” privilege, which entitles them to ignore access control mechanisms on the system and kernel levels.
Android security trade-offs The Android ecosystem is highly diverse, complex, and has many different stakeholders typically not visible in the limelight. Consequently, making decisions about features in the platform itself — what we call AOSP (Android Open Source Project) — is hard, and often in surprising ways. Over a year and a half ago, I came to Google as the new Director of Android Platform Security. Even though my research group had been working on Android security for over 7 years, many of those complexities were completely new to me.
Why Tor allows to anonymize Internet traffic through onion routing, typically via 3 separate hops. At INS, we run one of the fastest Tor exit nodes in Austria, and provide statistical data on its usage. For more details, please check those project websites.
On my personal home network, I use Tor - among other reasons - to test various devices such as mobile phones, tablets, etc. with apps I do not necessarily trust, “smart home” / IoT style devices, or wearables.
Disclaimer This web page is written primarily in English, but uses German words originating from the Austrian law. There seems to be little point in artificially translating these terms when they are special definitions of a law written in German. I have tried to explain the terms when I first use them - if something is unclear, feel free to send me an email.
Introduction Since the beginning of 2000, the Austrian government has begun introducing its digital signature scheme in form for the so called “Bürgerkarte”.
Creating X.509 certificates programmatically in Java My probem statement was simple: create a X.509 certificate with only a few fields being configurable, sign it with an already existing CA private key/certificate combination, and write the new certificate in PKCS12 format. Then it became complicated: I needed to it with Java, on a PDA.
I spent about 2 days to get this seemingly simple task to work, so I thought it might be good to share my findings in the hope that they will serve others with similar problems.
How to set up an OpenWRT router/gateway as an IPsec/L2TP gateway for Andoid and iPhone clients The only “reasonable” (that is, not counting PPTP due to its known security issues) VPN protocol supported by default on non-rooted / non-jailbroken Android / iPhone phones as clients is the combination of IPsec and L2TP. Most probably, this was chosen due to its out-of-the-box support by newer Windows clients and MacOS/X as well.
Introduction After (again) suffering under KMail’s recent sluggishness when dealing with my email spool and general Eclipse slowness when run with many plugins (such as the excellent Android ADT or the still-to-mature Scala plugin), I decided that the best update for my Lenovo Thinkpad X201s laptop would be a solid state disk (SSD). Some preliminary web article research yielded the Crucial C300 256GB as one candidate with near top-level performance and reasonable pricing.
USB sticks become increasingly common to carry around. When one keeps confidential data on such an USB medium, it should be protected against loss (and it should also be possible to use it for transferring files to and from an untrusted machine, just for convenience). An encrypted container that is usable under Windows XP, (Vista, ) Windows 7, and Linux as a virtual drive is a good way to do that.
Introduction After some work on getting the Austrian Bürgerkarte to work under Linux, I have now decided to acquire some know-how about using more general smart cards under Linux. After some quick research, the Aladdin smart cards seem to be supported fairly well, so I ordered a bunch of different types. This page details how to make them work (my principal systems are running Debian or Ubuntu, but most should be applicable to any Linux distribution).
Howto create a Debian chroot on an Android phone (HTC Desire and Motorola Milestone) This page will grow once I have everything running, but this is a starting point:http://www.android-hilfe.de/anleitungen-fuer-motorola-milestone/26870-ho…
[HTC Desire, unbranded, European version]: Flashed (pre-rooted and with busybox included) firmware from http://android.modaco.com/content/htc-desire-desire-modaco-com/315108/04…, taking file 2.09.405.8-update-bravo-stock-rooted-busybox-withradio-signed.zip On a Debian squeeze (amd64, but with i386 it will be similar) box: sudo apt-get install debchroot qemu-user Download qemu-arm-static from http://packages.
With Kubuntu Intrepid 8.10, I can delightedly say that installing Linux in form of a Debian variant - my kernel/operating system of choice for most tasks - on a new Dell Latitude XT went flawlessly and got most of its hardware to work out-of-the-box. The remaining adaptations that I did on my system are mentioned here.
Note: I couldn’t get Kubuntu Hardy 8.04 in its AMD64 version to install - the kernel wouldn’t find its installation CD with the Latitude XT attached to its Mediabase.
To get an encrypted home directory under Debian Linux, only a few steps are necessary. The performance hit for the encryption is, at least for current processors and normal (i.e. slow compared to all other PC components) harddisks, negligible. This howto describes the necessary configuration options for automatically mounting the encrypted volume at login and unmounting it again afterwards. First of all, you need the following packages to be installed on your Debian system (or on other distributions, but I don’t know the package names for them):
Here is another small thing to make working with Linux more convenient: auto-mounting of hotplug-able devices. This is again specific to Debian GNU/Linux, but might be applicable to other distributions with only slight changes. Quite a few of the following steps have been taken from Ubuntu - well done folks!
The whole auto-mounting described here is based upon hald, a daemon that monitors the system’s hardware.
Update: As of 2010, none of this is typically required.
Imagine the following setting: there is some (possibly 802.11a/b/g wireless) network, which can range from a single access point to a complete backbone network of access points working together via WDS, or even a wired network infrastructure. This (W)LAN should serve two purposes:
act as an open “hotspot” type network where users do not need any special client configuration to use it (other than maybe a username/password combination or some prepaid account) simultaneously allow registered/special users to use it for purposes that are not open to the first public group These are usually seen as two different use cases, and both are already in extensive use.
I, as many others, have been bitten by Cyrus’ strictness when it comes to RFC-compliant email headers. Although it cost me about a full day, I still appreciate that Cyrus interpretes the RFC strictly and thus forces email to be syntactically correct. It may not strictly adhere to the “be liberal in what you accept” approach, but this way is less likely to cause problems later (with IMAP clients, indexing, searching, etc.
USB sticks are really useful. Not only for transferring files between computers, but also also rescue media, or more generally, to boot from. However, making a USB stick bootable can turn out to be tricky. This small howto describes the tricks that I discovered over the last years. The following commands assume the necessary package to be installed under Linux. It has been tested with Debian GNU/Linux sid (unstable as of 2006-06-26) with packages mbr (1.
I’ve documented my current selection of smart phones and their respective features, advantages, and disadvantages elsewhere. The Nokia N900 does many things right (in my point of view), but is missing one crucial component by default: SyncML synchronization to HTTP servers. Fortunately, being largely open source, other developers have already taken care of this issue by porting the SyncEvolution package over to Maemo (the Debian-based Linux distribution running on the Nokia N900).
This is just a quick page describing what works on my notebook under Linux and (sometimes) how I got it working :-) It is no longer up-to-date, but might still be of use to somebody. Since about a year, I now work with an IBM/Lenovo Thinkpad T42p.
I would not have been able to set all that up without the help of many other webpages like this one. Therefore I want to give a short summary on the infos I have gathered, especially trimmed for the Gericom Phantom notebook (which is IMHO a very nice one).
Howto use Debian GNU/Linux on a Thinkpad T42p Many of the hints on this page have actually been collected from similar pages scattered over the web; the Thinkpad series of notebooks already has strong support for running Linux on them and a wealth of information is available. Thanks to all other web authors who provided their experiences that helped me in setting up my machine as it is now. However, a few bits and pieces in here are mine, so it might be helpful to others if I share them.
Using the SpeedTouch 330 ADSL USB modem with kernel 2.4 The SpeedTouch 330 USB ADSL modem is becoming quite popular, because a lot of ISPs now give it to customers for free. Therefore, I felt obliged to include out-of-the-box support for it in Gibraltar. For kernels >= 2.6.10, it has now become very simple to use it under Linux with the new kernel driver. One just needs to obtain the matching firmware file from Alcatel/Thomson, extract the two parts of it (boot code and firmware code), install it in the correct directory (e.