Smartphone Hardening

A smartphone like the Samsung Galaxy S4, bought only a few years ago, will most probably still run Android 4.4.x "KitKat" (or 5.0.x if it was upgraded), because that is where Samsung's official updates for it stopped. New devices are still sold for ~150€ running Android 5.x "Lollipop", which is nearly as old. I already flashed CyanogenMod 11 back then to have more control over the device along w/ root access, which enabled me to configure netfilter and install VPN S/W.

But if you follow the Android OS version history it becomes immediately clear that, as the ppl at LineageOS state, 7 out of 10 phones run an outdated operating system. Fixing this is a matter of upgrading your device, and that is what I just did; it involved testing lots of different ROMs and Android versions, which I'm going to skip in this post.

The steps to upgrade an S4 LTE (official release date May 2013) from 4.4.x to a fairly current, rooted 8.1 "Oreo" are as follows, reduced to the minimum and excluding all the time spent on testing and research:

Step 1: Use heimdall to flash the TWRP recovery onto the device. This can simply be done from the command line after you put the phone into Download Mode (hold Volume Down + Home + Power while turning the phone on, then confirm the warning screen with Volume Up). Make sure the recovery.img is the TWRP build for your exact model (e.g. ks01lte for the GT-I9506, not jflte for the GT-I9505), since a recovery built for another variant may fail to boot:

sudo heimdall flash --verbose --RECOVERY recovery.img

Step 2: Use heimdall to flash a newer stock firmware package, which contains an updated kernel and the phone/modem (baseband) firmware. I prefer the GUI for this step, as it gives a far better overview of what we are doing.

This is not as hard as it looks: after you have downloaded the .tar file, extract it to a temp folder and check which files it contains. Then use heimdall to download the device's partition information table (PIT). Next, select the PIT file, hit the "Add" button and, for each partition, select the file from the extracted .tar that belongs to it, tick "No Reboot" and "Resume", and finally hit the start button. Two caveats: the PIT must come from the very device you are flashing (never reuse one from another model), and never flash a bootloader older than the one already installed, since Samsung's rollback protection can refuse it or leave the device unable to boot.

Step 3: Flash the new ROM onto the device via TWRP. Start the device by holding Volume Up + Home + Power to enter recovery mode. From there, flash the relevant files in the right order (after comparing their checksums with the ones published alongside the downloads), which in my case were:

lineage-15.1-20180915-UNOFFICIAL-ks01ltexx.zip d3213c4895e2565ee3a7f3dd0d47aedcbe9f621eb8f89f9c51351d92573ae5dd
addonsu-15.1-arm-signed.zip  b5cc465abb3d9b7ad0177e74693e1bbd085775fd38808f640be537e8dcd1a3e8
open_gapps-arm-8.1-nano-20181013.zip  e544ad0aea8702d73f2b2451e42c83cb96157881ce7879dcdea11e2bb4835718
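As an added example (not the post's own code), here is the checksum comparison from Step 3 as a small POSIX shell script: it verifies each ZIP in the list above against its published SHA-256 sum and copies the files to the SD card only if all of them match, so a corrupt or swapped download never reaches TWRP. The file names and sums are the ones listed above; ROM_DIR and SDCARD are assumptions for this example. Keep in mind that a sum taken from the same page as the download only protects against transfer corruption or a mixed-up file, not against a compromised download site.

```shell
#!/bin/sh
# Added example, not part of the original post.

ROM_DIR="${ROM_DIR:-$HOME/roms/ks01ltexx}"      # assumed: where the ZIPs were downloaded to
SDCARD="${SDCARD:-/media/$USER/SDCARD}"         # assumed: mount point of the phone's SD card

# Manifest in sha256sum(1) format: "<sha256>  <filename>", top to bottom
# is also the order in which the ZIPs get flashed in TWRP.
write_manifest() {
  cat > "$1" <<'EOF'
d3213c4895e2565ee3a7f3dd0d47aedcbe9f621eb8f89f9c51351d92573ae5dd  lineage-15.1-20180915-UNOFFICIAL-ks01ltexx.zip
b5cc465abb3d9b7ad0177e74693e1bbd085775fd38808f640be537e8dcd1a3e8  addonsu-15.1-arm-signed.zip
e544ad0aea8702d73f2b2451e42c83cb96157881ce7879dcdea11e2bb4835718  open_gapps-arm-8.1-nano-20181013.zip
EOF
}

# verify_manifest MANIFEST DIR
# Returns 0 only if every file listed in MANIFEST exists in DIR and its
# SHA-256 matches; prints one line per file so a mismatch is visible.
verify_manifest() {
  manifest=$1; dir=$2; rc=0
  while read -r expected name; do
    [ -n "$name" ] || continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name"; rc=1; continue
    fi
    actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "BAD      $name (expected $expected, got $actual)"; rc=1
    fi
  done < "$manifest"
  return $rc
}

# stage_zips MANIFEST DIR DEST
# Copies the ZIPs to DEST (the SD card) only after all sums have matched.
stage_zips() {
  verify_manifest "$1" "$2" || { echo "refusing to stage: checksum failure" >&2; return 1; }
  while read -r sum name; do
    if [ -n "$name" ]; then
      cp "$2/$name" "$3/"
    fi
  done < "$1"
}

# Usage:
#   write_manifest /tmp/ks01ltexx.sha256
#   stage_zips /tmp/ks01ltexx.sha256 "$ROM_DIR" "$SDCARD"
```

If you want to script Step 2 as well, the GUI's "Download PIT" button has the command-line equivalent heimdall download-pit --output <file>, and the resulting file is then passed to heimdall flash --pit <file>.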

It appears to me that it is easily possible, and even using only freely available S/W, to update all those horribly insecure smartphones out there, and it is far easier to achieve than back in the day. So I ask myself: why is there no public service, offered by the shop you bought your phone at, that enables non-technical ppl to get this done and eradicates that bad thing called planned obsolescence?

Addendum: Upgraded from stock Android 6.0 to LineageOS 15.1 / Android 8.1 on an SM-T585 tablet (2016) as well (search for "sm-t585" or "gtaxllte" for the relevant TWRP and LineageOS images):

sudo heimdall flash --verbose --RECOVERY recovery.img
Initialising connection...
Detecting device...
      Manufacturer: "SAMSUNG"
           Product: "Gadget Serial"
...
100%
RECOVERY upload successful
Ending session...
Rebooting device...
Releasing device interface...

Interesting to note that this time the device itself does not really get identified (the product string is only the generic "Gadget Serial" name of the USB serial gadget). Last but not least: do not forget to create, and redundantly store, backups of the device(s) when finished w/ configuration et al.

Addendum 2: Doing the same for an S4 mini LTE a.k.a. GT-I9195I a.k.a. serranovelte (official release date June 2015) running stock Android 4.4.4. TWRP is already flashed; it is important to note that heimdall v1.4.2, as for the two previous devices, has to be built from source to really work:

git clone https://gitlab.com/BenjaminDobell/Heimdall.git
cd Heimdall
cmake . && make && sudo make install

Install the dependencies that cmake complains about (the libusb-1.0 development headers, zlib, and the Qt5 development packages for the GUI), after which it builds w/o error and flashes the device successfully. Flashing the LineageOS 15.1 image is then only a matter of copying the ZIP to the SD card or a USB-OTG drive and booting the device into recovery.

(images: GT-i9506)

If you buy a smartphone or a tablet (which is basically the same thing) nowadays and start using it, you are sending out tons of data about what you type, where you are, etc., while most of the time being unable to block, control or even notice any of these transfers. At the same time, this vastly contributes to turning you into a uniquely identifiable individual, transparent to industry, commerce, or whoever else might be interested, 1984-style.

A quick way to take a peek at what data your Android device is sending to whom is to put it on your local wireless network and monitor all of its traffic where it passes the router (e.g. with tcpdump and the BPF filter "host 10.10.23.42", 10.10.23.42 being the phone's address). Expect most of it to be TLS, so what you learn is mainly which hosts the device talks to, how often and how much, not the content.
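An added example, not from the original post: with the phone's traffic captured on the router as tcpdump -i wlan0 -nn -l host 10.10.23.42, the following shell function reduces the capture to the list of destination host:port pairs the phone sent packets to, most frequent first, which is the fastest way to see which servers an idle device phones home to. The interface name, the address 10.10.23.42 and the lines in sample_capture are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post.

# tally_destinations PHONE_IP
# Reads `tcpdump -nn` text output on stdin and prints one line per
# destination host:port the phone sent packets to, most frequent first.
# Only IPv4 lines whose source is the phone are counted; replies and
# traffic from other hosts on the LAN are ignored.
tally_destinations() {
  awk -v phone="$1" '
    # $3 is "src.port" (or just "src" for ICMP), $5 is "dst.port:" (or "dst:").
    $2 == "IP" && ($3 == phone || index($3, phone ".") == 1) {
      dst = $5; sub(/:$/, "", dst)
      n = split(dst, a, ".")
      host = a[1] "." a[2] "." a[3] "." a[4]
      port = (n >= 5) ? a[5] : "-"      # "-" for ICMP and other portless traffic
      count[host ":" port]++
    }
    END { for (k in count) printf "%6d %s\n", count[k], k }
  ' | sort -rn
}

# Constructed sample of what tcpdump -nn prints on the router: the start of
# a TLS connection to one server, one mDNS packet, one ping, plus a reply
# and a packet from another LAN host that must not be counted.
sample_capture() {
  cat <<'EOF'
12:00:01.000001 IP 10.10.23.42.41234 > 172.217.16.14.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 172.217.16.14.443 > 10.10.23.42.41234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000003 IP 10.10.23.42.41234 > 172.217.16.14.443: Flags [.], ack 1, win 1024, length 0
12:00:01.000004 IP 10.10.23.42.41234 > 172.217.16.14.443: Flags [P.], seq 1:200, ack 1, win 1024, length 199
12:00:02.000001 IP 10.10.23.42.5353 > 224.0.0.251.5353: UDP, length 80
12:00:03.000001 IP 10.10.23.42 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:04.000001 IP 10.10.23.7.51000 > 93.184.216.34.443: Flags [S], seq 9, win 65535, length 0
EOF
}

# Live use on the router (interface name assumed):
#   tcpdump -i wlan0 -nn -l host 10.10.23.42 | tally_destinations 10.10.23.42
# Offline demo on the constructed sample:
#   sample_capture | tally_destinations 10.10.23.42
```

Run it for a few minutes with the screen off and every app closed; whatever still shows up in the list is traffic you did not ask for, and the host:port pairs are what you feed into the firewall rules afterwards.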

To get out of this unacceptable situation, you are free to root your phone and install a custom operating system (or rather a modification of stock Android). The steps I took to turn my device into a rather acceptable (and not-bugging-me) device were, amongst others:

  • Flash ClockworkMod Recovery
  • Optional: create a backup of the (mostly) stock firmware
  • Flash CyanogenMod 11
  • Install (some of) the Google Apps
  • Create a backup of the CM11 firmware (repeat this after "milestones")
  • Save all the backups on at least one different storage medium
  • Disable everything you do not need (NFC, Bluetooth, autosync features, ...)

When it comes to COMSEC/OPSEC, you have quite a few options. In general, it is better to use F-Droid than Google Play.

  • Advanced Task Killer
  • OpenVPN
  • APG (together w/ K-9 Mail, and only via VPN)
  • AFWall+
  • ChatSecure (Jabber + OTR)
  • HTTPS Everywhere for Android/Firefox
  • TextSecure
  • ownCloud (as in YOU OWN that cloud)
  • Think twice before installing an app
  • Store sensitive data GPG-encrypted

Always try to use servers that you, or friends/ppl you trust, own, control and monitor (e.g. VPN, mail, cloud/hosting, etc.), so that you have an additional layer of security.

A message to the ppl behind CyanogenMod: thank you, I have been running your customized Android O/S successfully for many years on:

  • Google G1
  • HTC Desire
  • Samsung Galaxy S3 LTE
  • Samsung Galaxy S4 LTE+