On 12/05/2016 11:44 PM, Rick Moen wrote:
> Hey, Bill (Broadley), I wonder if you've seen this useful page from the
> Tor folks about doing the best one can with Android security:
> https://blog.torproject.org/blog/mission-improbable-hardening-android-security-and-privacy
>
Ha, looking at your link and found:

    Because the download integrity for all of these packages is abysmal ....

Couldn't agree more.

Looks pretty promising to me. Hugely complicated, but making progress. Seems like f-droid is the wrong approach. Would be nice to have copperhead OS, then something automated like:

* launch container/sandbox without rw to /system
* use google play to download APKs and verify signatures.
* save downloaded APK to /tmp
* shutdown container
* have copperhead install and verify the APKs (after checking they won't overwrite copperhead APKs)

That way no google play services, and no way for google to change any copperhead files.

For most, installing signal via:

    Download the apk.
    Unzip the apk with unzip org.thoughtcrime.securesms.apk
    Verify that the signing key is the official key with keytool -printcert -file META-INF/CERT.RSA
    You should see a line with SHA256: 29:F3:4E:5F:27:F2:11:B4:24:BC:5B:F9:D6:71:62:C0 EA:FB:A2:DA:35:AF:35:C1:64:16:FC:44:62:76:BA:26
    Make sure that fingerprint matches (the space was added for formatting).
    Verify that the contents of that APK are properly signed by that cert with: jarsigner -verify org.thoughtcrime.securesms.apk.
    You should see jar verified printed out.

is *WAY* too complicated. The update process sounds pretty painful as well.

Kinda surprised they are trying to sign the entire /system; seems like they should just build a dependency tree and check the signatures of the dependency tree. RHEL does similar: grub tests the kernel signature, the kernel checks the module signatures, and then hands control over to user space.

For similar reasons Apple and Google are moving from whole disk encryption to per-file encryption. Entire immutable images are just too inflexible. After all, what good is whole disk encryption if your device is booted and unlocked close to 24/7 anyways?
Not to mention, who wants their phone to reboot at night to upgrade security and not be able to receive calls/texts/email/notifications/podcast downloads etc. until the user signs in?

With all that said, copperhead sounds awesome and a significant security upgrade. Good stuff.

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
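The manual APK check the post walks through (unzip, keytool -printcert, fingerprint comparison, jarsigner -verify), scripted as an added example; this is not code from the original post, from Signal or from Copperhead. It assumes a JDK providing keytool and jarsigner plus unzip on PATH, and allows for the signer file being named something other than META-INF/CERT.RSA.

```shell
#!/bin/sh
# Added example (not from the original post): automates the manual APK
# verification steps quoted above. Assumes keytool, jarsigner and unzip.

# Compare two SHA256 fingerprints ignoring colons, spaces and case, so a
# fingerprint pasted with a formatting space still matches keytool output.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ': \n' | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr -d ': \n' | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Pull the SHA256 line out of keytool -printcert for a signer file.
signer_sha256() {
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# verify_apk <apk> <expected sha256 fingerprint>; exit status 0 on success.
verify_apk() {
    apk=$1; expected=$2
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    # Only META-INF is needed; the signer file is usually CERT.RSA but
    # other names and key types (DSA, EC) also occur (assumption).
    unzip -q -o "$apk" 'META-INF/*' -d "$work" || { echo "unzip failed" >&2; return 1; }
    cert=$(ls "$work"/META-INF/*.RSA "$work"/META-INF/*.DSA "$work"/META-INF/*.EC 2>/dev/null | head -n 1)
    [ -n "$cert" ] || { echo "no signer certificate in APK" >&2; return 1; }
    actual=$(signer_sha256 "$cert")
    fingerprint_matches "$actual" "$expected" || {
        echo "fingerprint mismatch: got $actual" >&2; return 1; }
    # jarsigner only checks the v1 (JAR) signature; APKs with v2+ signing
    # need apksigner from the Android build-tools for a full check.
    jarsigner -verify "$apk" | grep -q 'jar verified' || {
        echo "jarsigner did not report 'jar verified'" >&2; return 1; }
    echo "OK: $apk signed by $actual"
}

# Usage: ./verify_apk.sh org.thoughtcrime.securesms.apk <expected fingerprint>
if [ -n "${1:-}" ]; then
    verify_apk "$1" "${2:-}"
fi
```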