This is continuing on the Art of Hardening and Hardening Android episode 1.
Before we can begin to Reduce, Restrict or Respond we need to understand the environment. So let's "walk the grounds". Note: I'm going to intentionally do this without too much more than the skills and techniques described above. I don't want to take anyone's word for what I'm looking at beyond the trust I have built in using the tools above over the span of 17+ years and a reasonable grasp of the English language so I can interpret the intent of the developers and designers of the device. As I go I will keep the features I activate to a minimum with the thought that if Google gives me a choice, it's probably because it isn't critical to a base image that is functional for at least some needs.
I start with a clean install, turn the thing on and see "Welcome". (Didn't all those hardening guides and auditors say you shouldn't say "Welcome" since it suggests that access is authorized?) Well I suppose that's OK since it is mine but will have to take a note about this. That won't fly well with the auditors if it isn't compensated somehow.
I'm getting prompted to pick a language. I select English and continue and am prompted to log onto a wireless network and there is no feature to allow me to bypass this.
After I log in it asks me if I "Got Google?" Yes or No? So I must have to get an email address. I log in with an old one but not my personal or work one. After entering my password it prompts me to accept the Terms and Conditions and Privacy Policy for Google, Chrome and Google Play. (Hmm... Wonder what would happen if I entered the wrong password? Will have to check that out later.) I select Ok and it starts signing me in. (Hmm... Wonder what it's doing that takes so long?)
Ok now we're getting somewhere. It asks me if I want to Upgrade to Google+. I can stream stuff, automatically backup my photos and do video calling and messaging. Since we're going for a hardened situation let's leave this off for now. Next I get prompted for Google Services. Do I want to:
- Use the Backup and Restore feature? Hold up a minute, they need to copy my Wi-fi password? Backups are good but do I want Google having my Wi-fi password? Nope, there has to be a better way.
- Location - Let Apps better determine your location? Nope. Not yet sure why that helps me so let's leave it off for now.
- Location - For improved accuracy and "other purposes" (?!) scan for Wi-Fi networks, even when Wi-fi is OFF(!?!) That would seem to be telling a lot of people where I am so not yet. But we'll keep track of this one as it could be useful for finding new restaurants.
- Keep me up to date with news and offers from Google Play? Hmm...let me figure out what I'm going to do with this thing first and what it does for me before I decide whether I need more mail to sift through.
At this point I have disabled everything except the initial registration with my email. I am doing pretty good and Google seems to be very sensitive to my personal choice. Excellent.
Next is a slide called Entertainment where I can set up Google Wallet to buy stuff. That's a nice feature since Google keeps the card in their network and not on this device but they want me to set it up through this device? Not yet. I want to know more about whether this thing is vulnerable before I enter my personal info into it.
Next it wants me to enter my name and it pulls my name from my Google account. Well I've learned from using PCs that the info you enter to name yourself to the computer can get picked up by some software and websites without my knowledge. So I follow my usual habit of naming this for the tool it is. Steves Droid.
Aha... Setup is complete. Some nifty guidance here on how to use a library. Don't need that yet so let's Remove it. How? Ahh.. OK, just hold, drag up and it removes it from the screen. (Wonder if that really uninstalled it or not?) So I have a Google search bar at the top and a bunch of icons across the bottom. Most look pretty explainable and there is the Google Play shopping bag. Let's go check this out. Whoa, what's that going on in the top right?! Touching the top right doesn't do anything so I drag down. Aha. It is updating stuff. Some need approval. This is a base build, why would it need approval? So I touch that and it opens Play Store and I see all kinds of Downloading going on. So I slide up to scroll down. Nothing seems to be asking for me to do anything. Odd.
Wait a sec. There is a lot of Google stuff here but why is this HP Print Service Plugin there? I thought this was supposed to be the naked-est Android platform available? So I touch on it. There is no remove or uninstall feature. Interesting. So Google must think of it as necessary. I could imagine it would cause a lot of support calls if people couldn't print and HP is a market leader in the space so that sort of explains it. But I don't need it. We'll have to see about this later.
Hmm, going back one page I now see that everything is updated but I have an "Update All" button to consider. Wonder what that means. Right below it are 4 apps that say "Update". I'm guessing these are the ones it needs me to approve. Let's see what the first one is about.
Google. I touch it and I have buttons for Open and Update. Odd. Why wouldn't Google just update this automatically? Let's Open it first and see what it does. Ahh... Google Now. Well I don't usually use this, I already turned location services off and I have a search bar so we'll leave this config for later. I jump back to the Play Store and click Update for that. Wow!! This thing needs a ton of permissions?
Again, why does Google ask me for this? They already got me to sign over my data. This seems like a gate I don't need to go through so I'll skip this for now.
Going back I see Google Calendar, Google Talkback and the HP Print Service Plugin. They probably want more permissions too so I'll skip this for now too.
Wonder what else I can do here. There in the top left is what looks like a title bar that says "My Apps", a magnifying glass like I saw for the Google Search bar on the top right, and the navigation buttons at the bottom. Is that all I can do here? We'll see later. I want to find the real controls. So I click the home button.
I'm looking at these icons across the bottom and all of them make sense except the circle with the dots. So I click it to see what happens. (There can be a lot of this exploring in security. That's why I love my job!) Now we're getting somewhere. It tells me I can add an app to the Home Screen by touch and hold. Neat. OK. Aha! This looks like all the apps available. There are two that really interest me at this point since they suggest global feature controls. Google Settings and Settings.
Google Settings takes me to a list of topics.
I think by now you get the point of what I'm doing so I'm just going to tell you what I found most interesting here.
- Connected Apps - a host name called sfg.google.com that says it can access my Calendar. I try to Disconnect and it said I couldn't. Then why did it give me the option?
- Game Profile - Nice, it's hidden out of the box and everything is unchecked except level up Notifications. That makes me feel good cause my kids might use this someday.
- Location is On? I thought I said No!? Let's turn that off.
- Search and Now is off. Oh good. That's off by default. That explains some of why they were asking me for a bunch more permissions. I'll have to look into this later but for now we'll leave it off.
- Ads - An Opt Out feature? Nice. Let's Opt out as this probably shares something about me to tailor the ads and we have the option. Interesting. And I can reset my advertising ID? I have the opportunity to reset my Google identity? Nice! I can be reborn!! I'll have to remember that one.
- Android Device Manager - Allow remote lock and erase? That might be good, but it's enabled by default so that means something somewhere could possibly activate this. Will disable this one for now till I know more. Let's take a note: How would they do that?
- Drive-enabled apps - That would be Google Drive, Google's cloud storage feature. It says to update over WiFi only and no other options. Well, this is only WiFi so it's not like changing this is going to do anything but it makes me think "What apps are drive enabled and how can I tell?" I don't necessarily want all my stuff stored up in Google's network yet. Another to file away in the possible Restrict bucket for later.
- Account History - Good stuff. The Search History is paused. Let's see what this Google Location History option does. Interesting. Several things grayed out because the Location History is disabled. Will have to turn that on sometime and see what I can do. What is that pen symbol? Ahh. It takes me to my Google history on Google's site. I've been here before. I know I can review and delete history and stuff. For the sake of cleanliness I delete everything since the beginning of time from my history.
- And what are those 3 vertical dots in the top corner that I keep seeing? Help and Feedback. OK. Will have to remember to look for those dots again.
Next we'll go to Settings. (Always have to explore the settings. After you've had root or admin, you can't resist investigating the control points...) What do I see? Wow. That's a lot of stuff to look at.
Let's take a break though and recap what I've found and addressed or not placed in the Reduce, Restrict and Respond buckets.
- I have to log in to a WiFi network before I can do anything on the system. This is probably for registration but I'll have to investigate further to see what information it provides to Google and if there is an opportunity to Reduce that information sharing.
- A valid Google email account is required to access the device and Google's services (which I'm not yet sure) but I need to experiment to see whether I will be Restricted from accessing the device without a valid email address.
- My name is collected from my Google email account registration but I could change it and did to Reduce the possibility that someone can pull my real name from the default system features.
- I had an option to setup Google+ to backup all my photos and get some other features that I didn't want yet so I declined to Reduce the active features and Restrict access to my photos. May want to revisit this later as a backup option for the Respond bucket.
- I had an option to enable a Backup and Restore feature but it was going to record my Wi-fi password. I don't like the idea of sharing passwords with anyone so I disabled this feature to Reduce the features and Restrict access but I leave myself open without a backup solution so I won't be able to Respond to get my data back if something goes bad. Maybe this is why Google provides so many options to store data outside the device? Certainly would keep the footprint small but it also gives them access to my data so there is a trade-off discussion to be had.
- I had an option to enable Location features to enable apps to know where I am. Definitely Restricted this one until I see a clearer benefit as that leaks my location in space and time over time which is really no one's business unless I am willing to share.
- I disabled a feature to allow my Wi-fi to scan for networks even when I actively disable Wi-fi, again for the sake of preventing others from identifying me by my wireless broadcasting. That broadcasting includes the MAC address that so far I haven't found a way to change. So this unique identifier points to me personally via the purchase and is thus personal information I would rather not share until there is a clear benefit to me.
- I Restricted the right for Google to send me announcements to Reduce the amount of information I receive. By eliminating these I will know that any emails that look like Google Announcements are very likely Phishing attempts and will delete the email instead of taking the bait. I will have to see how this affects my ability to Respond later since I need to be aware of when security fixes are available.
- I Restricted the device's access to my Google Wallet because I'm not ready to trust this thing to have authority to purchase products in my name.
- I learned how to Reduce the information on my home screen by removing the Library widget but I don't know if it really removed it from the system or just the home screen.
- I learned about the automatic updating of the apps that are native on the device so that seems to take care of some of the Respond goals there. Unfortunately some wanted additional access to my device which I Restricted until I see a clear use case that fits my goals.
- I found an HP app installed. This is clearly not a Google product and I did not see a way to Reduce or Restrict that (yet).
- I found some interesting settings that appear to be specific to the Google services and found a few things to Reduce and Restrict. The most notable is some remote access feature that could be used to destroy my data and find me (Restricted), the location service which was on even though I had declined earlier (Reduced), automated Ad generation with an Opt-out feature (Reduced), a feature to control whether the Cellular network would be used for Drive enabled apps but no feature to disable it and a means to block storage of my history (which was already Reduced) where I found things recorded (Responded by deleting). Will have to look at that later to see what apps may want to store history.
- I found the tablet's settings folder with lots of features to explore but I've run out of time so I'm closing this entry for the day.
More to come...