"Can I fully control my Android phone?": No, you can't.
– in our tests, AFWall+ leaked DNS queries of all apps on the device (including blocked apps), making it easy to determine apps installed on the phone
– updating Android doesn't imply that firmware vulnerabilities get fixed
– apps from F-Droid/Play Store etc. can still leak personal data as shown in our /e/ article
– besides, your proprietary baseband processor, GPS, sensors etc. remain out of control
@infosechandbook I'd like to know more about the Play Store/F-Droid issue, could you link me to that article, please?
Thank you 😊
Examples are in this section:
Some apps do not use HTTPS while others send information about your device to the internet.
The solution: Monitor the complete traffic of your device (including HTTPS/DNS etc.) and check it for personal data and security aspects.
@infosechandbook Alright, that's a very good analysis of the /e/ Android ROM, thank you for your work 😀
In general, we privately report all security-related findings before posting anything in public.
If the contacted party decides to do nothing, we write about findings on infosec-handbook.eu since oftentimes people's security is at risk.
The same is true for privacy-related findings, however, this isn't the main focus of our blog.
And you should consider that the app can be aware if the network connection is using wifi or cellular data. It could leak only using cellular data connectivity to avoid router analysis like you do.
What's your point of view on this?
As mentioned in an earlier toot, you can't fully control your Android (or any) phone. Thus, it's very hard to collect all traffic of a mobile device.
@infosechandbook WTF. Is there any way around this? Is this true under all conditions?
– AFWall+: As soon as we allow Android system apps to connect to the internet and open an arbitrary, blocked app, the OS sends/receives DNS packets for the blocked app.
This is the expected behavior since DNS is normally handled by the OS, not by the application (apart from DNS-over-HTTPS). However, this leaks the presence of the app on the device, and may be counter-intuitive.
– Android updates: Normally, the vendor provides fixes for firmware. It is unknown which LOS ROMs contain such fixes.
– Apps: You must monitor your apps to learn about any communication with Google.
– Proprietary chips: You can't do anything about it (except professional reverse engineering). The only solution would be a 100% open hardware device and continuous monitoring of the complete traffic.
The point here is that your DNS provider learns about apps installed on your phone if the queries are somewhat unique. For example, it is very easy to identify messaging apps by looking at DNS queries.
Some may think that they can hide their apps from network-level parties by blocking the apps using AFWall+, however, the DNS traffic remains unaffected.
This is seemingly not so nice if you have to use public WiFi, or cellular networks, and can't control your DNS resolver.
@infosechandbook As the whole thread started with AFWall+ – why not use the very same, add a custom script, and enforce a trusted DNS server? That should then make those "DNS leaks" mostly irrelevant (and by "trusted" I e.g. mean trustworthy, no logging etc.). DigitalCourage comes to mind.
Still not perfect, but certainly better, right? Though we cannot achieve the impossible, we can aim for it (and get closer).
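The custom-script idea from the last post, sketched as an added example that is not part of the original thread and not AFWall+'s own code: it redirects all outgoing plain DNS (UDP and TCP port 53) to one resolver. Assumptions: AFWall+ provides `$IPTABLES` to custom scripts, `192.0.2.53` is a placeholder documentation address to be replaced with your chosen resolver, and the function names are hypothetical.

```shell
# AFWall+ custom script sketch: force plain DNS to a single trusted resolver.
# 192.0.2.53 is a documentation placeholder, not a real resolver.
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
# Assumption: AFWall+ sets $IPTABLES for custom scripts. Anywhere else,
# fall back to a dry run that only prints the rules it would apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Return 0 only for a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# DNAT every locally generated packet to port 53 towards the resolver.
enforce_dns() {
  is_ipv4 "$1" || { echo "invalid resolver address: $1" >&2; return 1; }
  for proto in udp tcp; do
    # Remove an earlier copy first so re-applying the script does not
    # stack duplicate rules; a missing rule is not an error.
    $IPTABLES -t nat -D OUTPUT -p "$proto" --dport 53 \
      -j DNAT --to-destination "$1:53" 2>/dev/null || true
    $IPTABLES -t nat -I OUTPUT -p "$proto" --dport 53 \
      -j DNAT --to-destination "$1:53" || return 1
  done
}

enforce_dns "$DNS_SERVER"
```

These IPv4 rules do not touch IPv6 DNS, DNS-over-TLS or DNS-over-HTTPS. The chosen resolver still sees every query, so this changes who learns about the apps, not whether the queries are sent.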