Follow

"Can I fully control my Android phone?": No, you can't.

– in our tests, AFWall+ leaked DNS queries of all apps on the device (including blocked apps), making it easy to determine apps installed on the phone
– updating Android doesn't imply that firmware vulnerabilities get fixed
– apps from F-Droid/Play Store etc. can still leak personal data as shown in our /e/ article
– besides, your proprietary baseband processor, GPS, sensors etc. remain out of control

@infosechandbook I'd like to know more about the Pla Store/F-Droid issue, could you link to me than article, please?

Thank you 😊

@captainepoch

Examples are in this section:

infosec-handbook.eu/blog/e-fou

Some apps do not use HTTPS while others send information about your device to the internet.

The solution: Monitor the complete traffic of your device (including HTTPS/DNS etc.) and check it for personal data and security aspects.

@infosechandbook Alright, that's a very good analysis of the /e/ Android ROM, thank you for your work 😀

@infosechandbook @captainepoch if you find privacy issues with apps distributed via @fdroidorg you should report them!

We happily verify your findings and add appropriate Anti-Feature warnings to our store listings.

gitlab.com/fdroid/fdroiddata

@uniq @captainepoch @fdroidorg

In general, we privately report all security-related findings before posting anything in public.

If the contacted party decides to do nothing, we write about findings on infosec-handbook.eu since oftentimes people's security is at risk.

The same is true for privacy-related findings, however, this isn't the main focus of our blog.

@infosechandbook

And you should consider that the app can be aware if the network connection is using wifi or cellular data. It could leak only using cellular data connectivity to avoid router analysis like you do.

What's your point of view on this?

@tuxicoman

As mentioned in an earlier toot, you can't fully control your Android (or any) phone. Thus, it's very hard to collect all traffic of a mobile device.

@infosechandbook WTF. Is there any way around this? Is this true under all conditions?

@hrthu

Answer (1/2):

– AFWall+: As soon as we allow Android system apps to connect to the internet and open an arbitrary, blocked app, the OS sends/receives DNS packets for the blocked app.

This is the expected behavior since DNS is normally handled by the OS, not by the application (apart from DNS-over-HTTPS). However, this leaks the presence of the app on the device, and may be counter-intuitive.

@hrthu

Answer (2/2):

– Android updates: Normally, the vendor provides fixes for firmware. It is unknown which LOS ROMs contain such fixes.

– Apps: You must monitor your apps to learn about any communication with Google.

– Proprietary chips: You can't do anything about it (except professional reverse engineering). The only solution would be a 100% open hardware device and continuous monitoring of the complete traffic.

@infosechandbook @hrthu

Dns issue: any app on android can anyway query the whole list of other

@infosechandbook @hrthu …installed apps. So does not seem a new issue then.

@infosechandbook @hrthu @rugk and snoop snitch is a nice app you can use to analyse your system update status

@rugk @hrthu

Regarding SnoopSnitch:
We used version 2.0.8 to identify the patch level of /e/ in March 2019. Obviously, SnoopSnitch 2.0.8 doesn't check for patch levels newer than October 2018.

Today, we tested version 2.0.9, and there are also no checks for patch levels after October 2018.

@rugk @hrthu

The point here is that your DNS provider learns about apps installed on your phone if the queries are somewhat unique. For example, it is very easy to identify messaging apps by looking at DNS queries.

Some may think that they can hide their apps for network-level parties by blocking the apps using AFWall+, however, the DNS traffic remains unaffected.

This is seemingly not so nice if you have to use public WiFi, or cellular networks, and can't control your DNS resolver.

@infosechandbook @rugk @hrthu ahh okay, then i misunderstood this. Thanks for the explanation.

What about blocking app network access with built-in Android settings however? (You can block for WiFi and for all networks.)

@rugk @hrthu

Can you give examples and the Android version? We also tried NetGuard, blocked everything, and observed the same behavior.

@infosechandbook
just dont allow internet connection for the system, DNS leak fixed
Why does the system need internet? It doesnt need
@hrthu

@infosechandbook As the whole thread started with AFWall+ – why not use the very same, add a custom script, and enforce a trusted DNS server? That should then make those "DNS leaks" mostly irrelevant (and by "trusted" I e.g. mean trustworthy, no logging etc. DigitalCourage comes to mind.

Still not perfect, but certainly better, right? Though we cannot achieve the impossible, we can aim for it (and get closer).

Sign in to participate in the conversation
Mastodon

mastodon.at is a microblogging site that federates with most instances on the Fediverse.