Mobile Device Security
"Security" here is intended is keeping the data safe from unauthorized access, coping or transmission.
Threats to security
- Physical theft / lack of custody
- Malware in the Hardware / Firmware (that you bought)
- Malware in the Operating System (that you, the mobile provider or the manufacturer loaded)
- Malware and/or inappropriate permissions in the Software (apps) (that you installed)
When I first owned a mobile/PDA you paid for the device and in return you possesed the device and the manufacturer no longer posessed it or exterted any control over it. It was yours, under your control. It did your bidding.
That is no longer the case. Along with Smart TVs (I have one, during lockdown I started similar research on it) when you purchase a mobile phone now that is not the transaction, it is the beginning of a revenue stream for Google / Apple whomever can exfiltrate data.
There are advantages (automatic upgrades) and disadvantages (Apple slowing devices down, apps that "steal"data) - it comes down fundamentally to dishonesty and the fact that cheap(er) devices mean we are the product.
Physical theft / lack of custody
Encryption at rest does help if you can prevent access without a power cycle. Possibly the best attitude is that an sensitive data should simply not be on a mobile device and that which there is should be encrypted.
Probably access control / biometrics should be considered here, but I'm not doing that.
Targeting devices for physical theft one at a time is difficult and I'm not that interesting!
Malware in the Hardware
It's really hard to find someone to have discourse with about this. I have some understanding of this and to my mind whilst there could be malware in the firmware it's only ability to egress data is the same communication channel contemplated below (Operating System). So whilst I have no way of "looking" at the firmware I beleive my mechanism WOULD catch someting that tried to "call home".
This Bloomberg article is evidence that my mechanism to verify the OS could capture anything suspicious in the hardware /firmware.
Malware in the Operating System
An Android phone with gapps installed is simply too noisy, so the method I'm using to start and form a base line is LineageOS 16 / Android 9 with SU without a GSM SIM added to a wireless SID on an isolated VLAN to capture all traffic.
I've kept these 2 captures (taken on 2 different reboots) to ensure that both a sufficiently similar to find any anomalies.
Analysing those captures (times are relative times in Wireshark)
- 0-1.13s : DHCP and IPv6 set up
- 1.16s : RFC7858 attempt (I do not run DNS over TCP - see the IP4 and IP6 TCP RST packets at around 1.3s and I prevent forwarding these ports because I want the data of DNS look ups)
- 1.2s : Some DNS lookups
- ipv4only.arpa - explaination
- www.google.com - my research
- connectivitycheck.gstatic.com - explaination
- time.android.com -there is an NTP exchange at around 1.35s
- At 1.5s there is a lookup for xtrapath2.izatcloud.net, this led me to CVE-2016-5341, but as is evident from the next https exchange this is now encrypted. More informatino here
- 1.56s download.lineageos.org - UpdatesCheckReceiver.java
If you do open the packet captures you'll notice some lookups that are not covered. These are for my email accounts and are as a result of K9mail that I had already installed before doing the test.
The remaining traffic is DHCP / IPv6 and ARP. None of it suspicious.
Malware and bad permissions in Apps
Many apps are provided free of charge. Developers do have a right to a quid pro quo. That creates a disparity. An app may be provided by
- an altruistic dev, it's free there is no catch (my Follow Me app)
- someone who makes the effort for add revene or (3) there may be telemetary / data egress. It's not always clear what the quid pro quo is.
A balance view on the "If You're Not Paying, You're The Product" view
Installing only from trusted (signed) sources isn't a solution. Malware can be signed - intentionally by a bad action or unintentionally by a author who has inadvertently included it from a library. An author should be trusting by establishing their intent/motivation and workflow, this isn't always possible.
Checking app permissions, specifically on newer Andorid versions help, but some apps (say a softphone) legitimately have access to contacts and the internet, but then might exgress the contacts in accordance with the permissions but not inline with the oweners intent.
How to check what's going on when the device is set up?
Checking Network Access
I compared traffic captures of the GS5 contemplated here with a "stock" LG V20 over (the same) 1 hr period. Neither was interacted with during that time. The capture for the LG V20 was 250KB whilst for the GS5 is was 3KB
The V20 extrapolates to 6MB/day of background data sync.
Encryption makes it impossible to examine content so I resorted to DNS lookups block RFC7858 (I need plain text), install a local caching NS and block all other1 port 53 access.
The V20 is a burner phone with little to no pesonal data. My further analysis here is limited to the name lookups I've found the GS5 making.
- safebrowsing.googleapis.com
- tzurl.org
- leanplum.com
./data/data/org.mozilla.firefox/shared_prefs/__leanplum__.xml
./data/data/org.mozilla.firefox/databases/__leanplum.db
./data/data/org.mozilla.firefox/databases/__leanplum.db-wal
./data/data/org.mozilla.firefox/databases/__leanplum.db-shm
https://support.mozilla.org/en-US/kb/how-do-you-use-leanplum-firefox - shavar.services.mozilla.com
- clients4.google.com
I'm confortable that my GS5 as set up when this analysis was done is not harbouring any malware.
1 Ensure ALL DNS is logged. I noicted that my LG WebOS Netflix app was looking up names directly using the Google 8.8.8.8 server (not what I supplied it via DHCP)