Oct 11, 2014

Hardening Android (3 of ??)

Alternate title:  Let's check the windows

Thanks for coming back! If you are new to the show, please backtrack a bit and read the Hardening Intro and Hardening Android episodes 1 and 2 before moving further in.


In the last episode we explored the entryway into the Nexus 7 and the configurable options we encountered, and began to understand the interface and navigation. Today we're going to explore the system's Settings app and see what can be done. This understanding will enable us to plan our next steps toward a more attack-resistant and quieter system.

For those who are getting excited about locking more stuff down, I have a little bad news.  Today won't involve any Reducing or Restricting.  We need to have a clearer understanding of the impact to be sure we don't eliminate any features we might want to have enabled before we go flipping any more switches.


Why don't we want to do any hardening at this point? We've been doing some so far. There are 2 reasons, one of which we haven't really talked about yet.
  1. These feature controls were placed in a specific location by the manufacturer and are not directly on our path. Similar to the Google Settings, which we did explore because we had some experience with their apps, these features are more likely to have an impact beyond the featured apps that Google has specifically deployed for our use. We need a strong understanding of them so we can troubleshoot any problems down the road as we add apps on top of our hardened platform.
  2. The second is an extension of the first but more relevant given our scientific approach to hardening. Because these settings are likely to have a more global impact, we need a better mechanism to identify and understand the behavior changes any modification will have.

On with the tour

When I first open up the Settings app I see a long page of options to explore.

Hmm... Wi-Fi can only be turned on and off? Is that all? Let's try that Hold action again. It works and I see a list of wireless networks. There are those 3 dots again. Hmm... That smells like a feature so let's touch it. Ahah! A menu appears giving me options to Scan, enter my WPS Pin, something called Wi-Fi Direct, Advanced and Help. Well, I'm not usually the type to read the manual so let's start with Advanced first. Here are the items I see, with their options.
  • Network notification with a check box that is marked. It says Notify me when open networks are available. Touch and hold does nothing but turn it off or on.
  • Keep Wi-Fi on during sleep. It is set to Always. Touch and hold gives me options to Never do this or do it only when plugged in. Interesting, a power saving option there. Thanks Google!! Now I can also consider Reducing my resource utilization to save my money and the environment.
  • Scanning always available – Let Google's location service and other apps scan for networks, even when Wi-Fi is off. Good, it is disabled just like I told it to earlier. Touch and hold again only turns it on/off.
  • Install certificates – This is interesting because now I know where to go to install an identity cert so I can see inside any SSL traffic coming out of this device using Charles Proxy.
  • Wi-Fi optimization – Minimize battery usage when Wi-Fi is on. Another option with only on/off and a means to reduce my cost and impact on the environment. Go Google!!
  • MAC address – Touch and hold does nothing, but now I know what to look for on the network at Layer 2.
  • IP address – Both IPv4 and IPv6. More info for monitoring the output. Yipee!!

So let's go back. How exactly do I do that? Ahh... let's use that curved arrow. Nice! Back to the list of wireless addresses. Let's see what happens when I touch and hold the one I registered earlier. Options to Forget Network or Modify Network. Interesting. Let's see what I can modify. Ok, the usual stuff. Wi-Fi password, Proxy, how I get my IP address. Good to know 'cause now I know I can set up the Proxy for Charles. Let's go back and see what happens if I touch and hold one of the others. Only Connect to Network. Onward...

Next I see Bluetooth with an off/on switch and it's off by default. That's good. Hold shows me where a list of devices would show up and the 3 dots give me Rename, Visibility timeout, Show Received Files and Help. Good to know.


Speeding up the process


So by now I think you get the idea and my fingers are getting tired so the rest of this will be quick pointers to the controls most interesting in terms of our goal of a hardened device using the three R's. 

The following are all within the Settings app with indentations indicating a sub-view or option.
  • Data Usage > 3 dots
    • Auto-sync data – This is turned on. Wonder what that syncs. Will have to investigate later.
    • Mobile hotspots – Can restrict apps from using certain networks with a prompt to decide whether apps will use them. Will have to try this out someday.
    • More
      • Airplane mode – To turn off all wireless activity
      • NFC (Near Field Communication) – Defaults to On.
      • VPN – Can configure VPNs here. An always on feature which is nice. Several options.
    • Sounds – Several noises the thing routinely makes that can be disabled.
    • Display
      • Brightness – Turn down the power utilization when not needed to reduce power cost and extend the battery life.
      • Sleep – Timing to activate the screen lock
      • Font size – Can increase the font size to reduce the impact on older eyes and extend the life of one's body parts.
    • Storage – Can jump to where you can research how certain types of data objects are using the storage space.
      • Cached data – Can clear all cached data.
      • 3 dots > USB computer connection – Can switch whether your computer will see the device as MTP or PTP for file transfer to your computer.
    • Battery – Can see how much charge is left and what apps are using the power most. Might come in handy to find busy background processes that could be malicious.
    • Apps > Downloaded – See all the apps you have downloaded. Tap on them gives you several controls.
      • Force Stop – Kills the process until next reboot or you tap on the icon.
      • Uninstall updates – Back out to factory setting (for default apps only)
      • Disable – Turn off the app completely, even after reboot.
      • Clear data – Reset all the settings and delete all data created since the app was installed.
      • Clear cache – Clear the temporary storage used by the app to keep state information.
      • Launch by Default (with Clear Defaults option) – Shows the apps that will activate this app for certain types of events.
      • Permissions – Shows what the app can access or do on the device.
    • Users – Can create new users that are hidden and/or allow only a limited profile.
    • Users > settings button (becomes Application and Content Restrictions) – Can turn apps on/off for the restricted user.
      • Settings > settings button – Allows/disallows location settings.
    • Location – On/Off button that controls the location data (does it really?)
      • Recent location requests – Can see what apps are using the location?
      • Google Location Reporting – When this is activated it points to the Google Settings where I can Turn off Location History and Location Reporting. (Can it really do this?)
    • Security (now we're talking!)
      • Screen lock – Set type of password control (Slide, Face Unlock, Pattern, PIN, Password). We could probably spend days checking this out but I'll have to save this for another time.
      • Automatically lock – Controls how soon after sleep mode the thing locks.
      • Power button instantly locks – on/off
      • Enable widgets – On/off – off by default. Wonder what this does.
      • Owner Info – Can put a message in such as “Do not touch!!”
      • Encrypt tablet – Yeehaw!! Off by default. Only works with PIN or password. WHAA?!! Allows use of 4 digit PIN??
      • Make Passwords Visible – Determines whether you see the character you last entered for a second while you enter it. On by default.
      • Device administrators > Android Device Manager – Allows control by this to enable it to lock or erase a lost device. Turning it on allows Google Play services to erase all the data, change the screen-unlock password and lock the screen. Wonder how one would activate that feature?
      • Unknown sources – Allow installation of apps from stores other than the Play Store, potentially untrusted stores. Disabled by default.
      • Verify Apps – Disallow or warn before installation of apps known or suspected to be bad. Enabled by default.
      • Storage type – Says hardware backed but can't change this. I'm guessing it has something to do with SD Cards. Since the Nexus 7 is sealed there is no way to add any additional storage except through a USB converter.
      • Trusted Credentials and Security > Install from storage – Use for management of certificates.
      • Trusted Credentials > System – Location of trusted CA certs.
        • User – Location of manually installed user certs.
      • Clear credentials – Used for deleting credentials.
    • Language and Input
      • Language > Spell Checker – Does this use on-line resources or local?
      • Keyboard & Input Methods
        • Google Keyboard
          • Settings button – Sound on keypress – Another place to control the noise output of the device.
          • Personalized Suggestions – Captures information about your typing from the Google apps and services – Where does this get stored? Sent?
          • Improve Google Keyboard – Sends usage statistics to Google – Default is on.
          • Send feedback – Can send logs to Google about the keyboard.
      • Voice Search > Bluetooth headset – Records audio if a Bluetooth headset is attached. Off by default.
    • Backup & Reset
      • Back up my data – Covers app data, WiFi passwords and other settings to Google servers. We saw this before. It is still disabled.
      • Backup account – Controls the userID used for backups.
      • Automatic restore – Controls automatic restore of backed up settings and data when reinstalling an application.
      • Factory data reset – Erases all data on tablet – Hmmm... Does it wipe or just delete?
    • Accounts > Google
      • My email – Can manage synchronization of App Data, Calendar, Contacts, Drive, Gmail, Google Photos, Google Play Books, Google Play Movies & TV, Google Play Music, Google Play Newsstand, Keep, People details, Sound Search for Google Play (what is this?)
        • 3 dots
          • Sync now – Kicks off sync manually
          • Remove account – Deletes the account entirely from the system.
      • Search > This is Google Now and it is off as I'd requested.
        • Tablet search – Controls where it looks for info – Wonder where it keeps all this info and how often it pulls it?
        • Accounts & Privacy
          • Google Account – Can designate the account or completely sign out.
          • Commute sharing
            • Choose who can see your location using Google+ - It tries to make me log into Google+ when I open this so I assume I can only set using those I've already friended in Google+ if I want. Wonder if it shares with everyone if I don't set someone?
            • Let them see your commute updates – This is off by default.
          • Google location settings – Already discussed this.
          • Web History – Already discussed this, except they warn that not having it on could affect Google Now, smarter search results, etc.
          • Manage Web History – Gives me control of my history so I can pause, delete or remove individual items.
          • Personal results – I'm guessing this helps Google know me better so they provide the results I am most likely to choose.
          • SafeSearch filter – I'm guessing this is to check to make sure I don't go where Google thinks it is dangerous on the Internet. It is turned off by default.
          • Contact recognition – Lets Google Now store my device's contacts to understand who you're trying to reach. Now wait a minute. Why do they need to store what they already have? 2nd copy? Different algorithms?
          • Search engine storage – Storage scheduled for deletion – Enables me to clear storage – Good to know so I can get back space if I need to.
    • Date & Time > Automatic date & time – Use network provided time – On by default.
    • Accessibility
      • Talkback – A feature that tells you what you just did. “P A S S W D”
      • Large text – Makes the text large so I (and the bad guy nearby) can see what I type.
      • Speak passwords – Default is off
    • Printing – Can install, enable and disable print services
    • About – Touch Build Number 7 times and get to Developer mode
    • Developer options
      • Desktop backup password – Allows setting or change of the password used to encrypt my backup file.
      • Enable Bluetooth HCI snoop log – Off by default. Says it will capture all Bluetooth HCI packets. Will have to look into this one.
      • Process stats > Click on one of the apps – Allows for force stop, shows some usage info (e.g. RAM, run time) and related services
      • Developer options
        • Debugging
          • USB debugging – enables connection via USB to control with adb commands.
          • Revoke USB debugging authorizations – Ahh...interesting. So this means somehow I have to authorize the debug connection.
          • Power menu bug reports – Gives me an option to take a bug report as part of the power up?
          • Select debug app – Not sure what this means but definitely need to investigate to see if it can help me understand the internals of the OS or apps.
          • Verify apps over USB – On by default. Checks apps installed through the debug connection for harmful “behavior”. Interesting...
          • Wireless display certification – Off by default – Display what?
      • Input > Show touches – Off by default. Will probably light up where I touch the screen so would make seeing the keys I press easier to spot.
      • Monitoring > Show CPU Usage – off by default – This could help with monitoring for strange behavior to aid in Responding.
      • Apps > Background process limit – A configurable limit on how many apps can be started in the background.

WOW! That was a lot of useful stuff to find. Amazing that it was most of the settings available too.

Now that we have these features identified we can start to consider their impact and usefulness for the three R's.  Before we do that we also have to have a sense of the impact any changes to these might have on the system and future use cases.  So next we'll have to figure out what we can see from the outside and figure out how to look deeper under the covers so we can understand the behavior of these features and the change when we disable one.
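One way to see what a single switch actually changes is to snapshot the device's settings before and after flipping it and diff the two. The sketch below is an added example, not part of the original series; it assumes the snapshots were collected with `adb shell settings list <namespace>` (on builds that support it) under a `[namespace]` header, and both the sample data and the mapping from settings keys to tour items are constructed for illustration.

```python
# Added example, not from the original post. Snapshot layout is an assumption:
# a "[namespace]" header followed by the key=value lines that
# `adb shell settings list <namespace>` prints on builds that support it.

# Hypothetical watch list: settings keys assumed to back controls from the tour.
WATCHED = {
    "global/adb_enabled": "USB debugging",
    "global/install_non_market_apps": "Unknown sources",
    "global/package_verifier_enable": "Verify Apps",
    "global/verifier_verify_adb_installs": "Verify apps over USB",
    "global/wifi_scan_always_enabled": "Scanning always available",
    "secure/backup_enabled": "Back up my data",
    "system/show_password": "Make Passwords Visible",
}

def parse_snapshot(text):
    """Turn a snapshot into {"namespace/key": value}."""
    settings, ns = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            ns = line[1:-1]
        elif ns and "=" in line:
            key, value = line.split("=", 1)  # a value may itself contain '='
            settings[f"{ns}/{key}"] = value
    return settings

def diff_snapshots(before, after):
    """List (key, old, new, tour_label) for each added, removed or changed key."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            changes.append((key, old, new, WATCHED.get(key)))
    return changes

# Constructed sample data: before and after switching on USB debugging.
BEFORE = "[global]\nadb_enabled=0\npackage_verifier_enable=1\n[system]\nshow_password=1\n"
AFTER = ("[global]\nadb_enabled=1\ndevelopment_settings_enabled=1\n"
         "package_verifier_enable=1\n[system]\nshow_password=1\n")

if __name__ == "__main__":
    for key, old, new, label in diff_snapshots(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        flag = f"  <- {label}" if label else "  <- not on the watch list, investigate"
        print(f"{key}: {old!r} -> {new!r}{flag}")
```

Any key that changes without being on the watch list is a side effect of the switch that was flipped, which is the kind of wider impact worth understanding before disabling a feature.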

See you soon...
