Oct 4, 2014

Hardening Android (1 of ??)

Alternate Title: They're coming to take you away haha?
So let's begin the experiment.

I propose to take us through the three R's of hardening while also demonstrating the scientific approach to hardening instead of simply relying on someone else's suggestions. My intent is to show you how hardening by someone else's standards can lead to unexpected and potentially undiscovered impacts while a scientific approach will lead you more efficiently to a workable platform.

DISCLAIMER: This workable platform may still have unknown risks, so I want to state firmly that use of this process and guide is at your own risk; I express no fitness of the end result and accept no liability in providing you these suggestions. You should always question the work of others and consider several opinions before making your stance against the threats eager to take the things you (and they) consider valuable.

Legal Environment

Before we start tearing into the technology to see what happens, it is important to note that legal expectations exist around “access”, “authorization”, “reverse-engineering” and “alteration” that need to be considered to avoid potential transfer of liability under warranty, deviation from intended use, breach of copyright and unauthorized use.

To prevent undesired impact, the owner of any device and the user of any service must take precautions: understand the legal context surrounding both their use of a solution and any alteration of the default service, and have a clear sense of “appropriate use” as defined in the terms of service.

This is the first step of “Reduce”. The technology isn't the only place to find vulnerabilities. You have to look at the context and “process” around the device to assure the conditions match your risk tolerance (or, where you are the expert delivering a solution for the technology, the owner's).

In this experiment I will be using a Nexus 7 2012 version (aka v1) which I purchased prior to the deadline described in the DMCA ruling. That ruling changed the classification of tablets and made “circumvention of computer programs on mobile phones to enable interoperability of non-vendor approved software applications (often referred to as “jailbreaking”)” legal for phones but not for “tablets”. However, further review of Google's terms of service (April 14, 2014 version) suggests that use of the Services (inclusive of Products) is only misuse if you “access them using a method other than the interface and the instructions we provide.” Since Google provides a way to install bootable images and provides access to software that allows superuser control of the Android platform, I feel pretty safe that I am in bounds of both the DMCA and the terms of service (and others seem to agree). This is especially important since I will be demonstrating things that could be considered incriminating under a “reasonable” understanding of the intended uses of the device.

To extend on that “intended” uses of the solution point, I want to touch on a few techniques I will use to ensure my written intent is clearly spelled out, for the sake of educating both my security and legally defined peers (I encourage you to read the article linked under intended again to understand why I say this, and to share it with your friends and family to raise their awareness).

Again, with the intent of educating my peers, I will be using the following techniques in this experiment:
A final area to consider is the legal aspect of privacy policies, since we are talking about devices that are marketed more for personal use and less for potential shared use. Given the benefit of measurement (early and often) to marketers, sales and manufacturers of products and services, it is common for clauses to grant rights to collect and use information. Often these follow a best practice or industry standard, but there is no clear requirement that is standard across all nations and municipalities. The result is a company privacy policy that is a high-level document generalizing away a lot of the deeper meaning, rather than stating plainly that they will make your data available to marketers specifically so they can target sales. This might not be what you really want, but often the only opportunity you have to avoid this information sharing is an opt-out process that is potentially nothing more than the option to cease using the service. Another area where these policies gloss over the possibilities is in saying they "secured your information". Since there is no clear standard defining what negligence looks like, it is difficult for the common customer to bring suit, so businesses decide to do the minimum to avoid class-action lawsuits or news-driven remediation while purchasing insurance to avoid the cost of passing liability for credit monitoring to the customer.

To illustrate the point above, consider the following quotes from Google's terms of service and privacy policy.

From the same Terms of Service referenced above:

Your Content in our Services

Some of our Services allow you to upload, submit, store, send or receive content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.

From Google's Privacy Policy (March 31, 2014):

Information we share

We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances applies:

  • With your consent
    We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

By agreeing to use the service you have to agree to both the Privacy Policy and the Terms of Service. Since the Terms of Service broadly allow sharing and use, and the Privacy Policy is peppered with "examples" instead of specifics, there is plenty of room to drive a truck through the intended meaning, which again is defined by the "reasonable" and average person in our community.

As for security, I will just reference the section, highlight the key points and let you decide if that is really enough. A question to ask yourself: where are all the tools and techniques I'm proposing to use to harden the Android device covered?

Information security

We work hard to protect Google and our users from unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:

  • We encrypt many of our services using SSL.
  • We offer you two step verification when you access your Google Account, and a Safe Browsing feature in Google Chrome.
  • We review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
  • We restrict access to personal information to Google employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

The lesson learned on this point, to come back to the earlier point on the difference between the past and today, is that not only can the companies you give information to hear you yelling at your wife/kids/neighbor, they also record it so it can potentially be used against you. So it is critical that you be clear on the policies you agree to and take all available steps to maintain your identity across the systems it can pass through. No one else cares to do this for you, as you are one in millions of pennies or dollars they want to make, and you can always "stop using our Services at any time".

Note: The above references Google's privacy policy, but I am not singling them out as a unique offender. Review a few privacy policies to see if you agree that this is a widespread issue or not.

To close the legal discussion, it may help some to consider the actions I am about to take as “Research”: since I am using the scientific method to assess the reality, form conclusions and test hypotheses, it could be considered research. Unfortunately, in the security field, Research has become a broad and confusing term, so I'm going to label what I'm doing as not Research. I'm just telling a story about using the scientific method along the lines of Nullius in verba and Quis custodiet ipsos custodes. Take it as you will.

More to come soon...Hardening Android 2 - Opening the door.
