Gh0ster

How To: Securely Harden Android Device

Feb 28th, 2015
  1. ________.__ _______ __
  2. / _____/| |__ \ _ \ _______/ |_ ___________
  3. / \ ___| | \/ /_\ \ / ___/\ __\/ __ \_ __ \
  4. \ \_\ \ Y \ \_/ \\___ \ | | \ ___/| | \/
  5. \______ /___| /\_____ /____ > |__| \___ >__|
  6. \/ \/ \/ \/ \/
  7.  
  8.  
  9. .::Android Security Hardening::.
  10. =================================
  11.  
  12. /This guide was created to help you to securely configure your Android device to stop spying and eavesdropping from various companies and government agencies. I hope this guide helps you along the path to becoming truly Anonymous. Enjoy!
  13.  
  14.  
  15. .::[Rooting]::.
  16. =================
  17.  
  18. /It is strongly suggested that you root your device ASAP because it lets you do plenty of awesome things, like modifying system files, installing pirated apps, running any other mobile OS [like CyanogenMod], running root privilege apps, spoofing IMEI, ESN and MEID IDs and much more.
  19.  
  20. /To root your device you will need the device's system drivers and a pre-made root kit. There are plenty of ways to root your Android. I suggest you head over to http://forum.xda-developers.com.
  21.  
  22.  
  23. .::[Security Hardening]::.
  24. ============================
  25.  
  26. /First, you need to enable Developer Options on your device if you haven't done so already. To do this, go to:
  27. -> Settings -> About Device -> Tap Build Number or Kernel Version OR Baseband Version. It's different for every Android OS.
  28.  
  29. Settings -> Lock Screen -> Pattern/PIN -> ON
  30. Settings -> Security -> Device Encryption -> ON
  31. Settings -> Security -> SD Card Encryption -> ON
  32. Settings -> Security -> Unknown Sources -> OFF
  33. Settings -> Security -> Passwords Visible -> OFF
  34. Settings -> Desktop Backup Password -> ON
  35. Settings -> Security -> Password -> USB Debugging -> OFF
  36. Settings -> Developer Options -> Do Not Keep Activities -> ON
  37. Settings -> Developer Options -> Limit Background Processes -> At Most 2 Processes
  38. Settings -> My Device -> Power Saving Mode -> ON
  39. Settings -> My Device -> Voice Control -> OFF
  40. Settings -> Accessibility -> Google Subtitles [CC] -> OFF
  41. Settings -> Accessibility -> Samsung Subtitles [CC] -> OFF
  42. Settings -> Date and Time -> Automatic Date and Time -> OFF
  43.  
  44.  
  45. .::[Network Hardening]::.
  46. ===========================
  47.  
  48. /Make sure you set the following. They prevent location tracking and Bluetooth MITM attacks, and spoof your location in apps.
  49.  
  50. Settings -> Connections -> Bluetooth -> OFF
  51. Settings -> Connections -> NFC -> OFF
  52. Settings -> Connections -> S Beam -> OFF
  53. Settings -> Connections -> Nearby Devices -> OFF
  54. Settings -> Connections -> Screen Mirroring -> OFF
  55. Settings -> Connections -> Tethering and Mobile Hotspot -> OFF
  56. Settings -> Accounts & Sync -> OFF
  57. Settings -> Location Services -> OFF
  58. Settings -> My Device -> Smart Screen -> OFF
  59. Settings -> Developer Options -> Allow Mock Locations -> ON
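Several toggles in the Security Hardening and Network Hardening lists above have a backing system setting, so they can be checked from a shell instead of by eye. The script below is an added example, not part of the original guide: it compares `settings get` output with the values the guide asks for. The keys are AOSP setting names assumed to apply to your build, and `sample_get` is constructed data so the script also runs off-device.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Columns: namespace  key  value-the-guide-asks-for  checklist-item
# Key names are AOSP Settings constants (assumed to match your build);
# the namespace of some keys moved between Android releases.
CHECKS='secure install_non_market_apps 0 Unknown Sources -> OFF
system show_password 0 Passwords Visible -> OFF
global adb_enabled 0 USB Debugging -> OFF
global always_finish_activities 1 Do Not Keep Activities -> ON
global auto_time 0 Automatic Date and Time -> OFF
global bluetooth_on 0 Bluetooth -> OFF
secure mock_location 1 Allow Mock Locations -> ON'

# Live getter: needs the Android `settings` tool (root terminal on the device).
device_get() { settings get "$1" "$2"; }

# Constructed sample standing in for a device that is only partly configured.
sample_get() {
    case "$1/$2" in
        secure/install_non_market_apps)  echo 1 ;;
        system/show_password)            echo 0 ;;
        global/adb_enabled)              echo 1 ;;
        global/always_finish_activities) echo 1 ;;
        global/auto_time)                echo 0 ;;
        global/bluetooth_on)             echo 0 ;;
        *)                               echo null ;;  # unset keys read as "null"
    esac
}

# audit GETTER: print one line per checklist item; the exit status is the
# number of items that differ from the guide (0 means all match).
audit() {
    fails=0
    while read -r ns key want item; do
        got=$("$1" "$ns" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $item"
        else
            echo "DIFF  $item ($ns/$key=$got, guide wants $want)"
            fails=$((fails + 1))
        fi
    done <<EOF
$CHECKS
EOF
    return "$fails"
}

# Pass device_get as the first argument on a real device.
audit "${1:-sample_get}" || echo "$? item(s) differ from the guide"
```

Toggles with no stable setting key (vendor menus such as S Beam or Smart Screen) still have to be checked in the Settings UI.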
  60.  
  61. /It is highly recommended that you run a VPN service on your device, as it will guarantee anonymous communication. You can configure VPN access by adding its certificates to the root [/] filesystem of the device, on either internal storage or the SD card. If your device does not have VPN configuration, you can use the OpenVPN apps to do this.
  62.  
  63.  
  64. .::[Applications]::.
  65. =====================
  66.  
  67. /These applications will need to be configured after installation.
  68.  
  69. /The ones marked with "**" are essential for privacy and security. Also note that some apps listed here MUST be configured! I added a "Configuration" section under the apps that need it.
  70.  
  71.  
  72. **SuperSU
  73. Download: https://play.google.com/store/apps/details?id=eu.chainfire.supersu&hl=en
  74. Description: SuperSU allows for advanced management of Superuser access rights for all the apps on your device that need root. SuperSU has been built from the ground up to counter a number of problems with other Superuser access management tools.
  75.  
  76. **DroidWall
  77. Download: https://code.google.com/p/droidwall/
  78. Description: Blocks all incoming and outgoing packets from your apps.
  79. Configuration: Be sure to disable all system applications and other applications that may eat up your network bandwidth speed.
  80. Enable Root Browser, RomToolBox, Wireless Tether, DroidWall, Busy Box, SuperSU and any other relevant Application.
  81.  
  82. **Root Explorer
  83. Download: https://code.google.com/p/p500/downloads/detail?name=Root%20Explorer%20%282.19%29.apk
  84. Description: Accesses your device's root system files.
  85.  
  86. **OpenVPN
  87. Link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn
  88. Description: OpenVPN is a client software to connect to an OpenVPN server and not a free VPN software.
  89.  
  90. **OpenVPN Installer
  91. Download: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn.installer
  92. Description: OpenVPN Installer will try to install OpenVPN [2.1.1] in /system/xbin or /system/bin. Your mileage might vary depending on your device.
  93.  
  94. **OpenVPN Settings
  95. Download: https://play.google.com/store/apps/details?id=de.schaeuffelhut.android.openvpn
  96. Description: UI similar to Wi-Fi settings; Restart tunnel when connectivity changes [e.g. from wifi to 3G]; Start on boot; Passphrase; DNS; Script-Security; Write and View Log File; Open Source [GPLv3].
  97.  
  98. **OpenVPN Connect
  99. Download: https://play.google.com/store/apps/details?id=net.openvpn.openvpn
  100. Description: OpenVPN Connect is the official full-featured Android VPN client for the OpenVPN Access Server, Private Tunnel VPN and OpenVPN community.
  101.  
  102. Wireless Tether
  103. Download: https://code.google.com/p/android-wifi-tether/
  104. Description: This program enables tethering via wifi for rooted devices.
  105.  
  106. **Call Control
  107. Download: https://play.google.com/store/apps/details?id=com.flexaspect.android.everycallcontrol
  108. Description: Call Control is a full-featured call blocker that's super easy to use and is a trusted call blocker by more than 10M users to block unwanted calls and texts. Calls are blocked silently without you ever knowing someone called.
  109.  
  110. **RomToolBox
  111. Download: https://play.google.com/store/apps/details?id=com.jrummy.liberty.toolbox
  112. Description: ROM Toolbox combines all the great root apps into one monster app with a beautiful and easy to use interface. ROM Toolbox has every tool you need to make your Android device fast and customized to your liking.
  113.  
  114. **BusyBox
  115. Download: https://play.google.com/store/apps/details?id=stericson.busybox
  116. Description: This is the only installer that is ad free and requires no internet permission.
  117.  
  118. **NoBloat
  119. Link: https://play.google.com/store/apps/details?id=com.tvkdevelopment.nobloatfree
  120. Description: NoBloat lets you delete unwanted apps that come pre-installed with your device.
  121.  
  122. **Orbot
  123. Download: https://play.google.com/store/apps/details?id=org.torproject.android
  124. Description: Orbot is a free proxy app that empowers other apps to use the internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by bouncing through a series of computers around the world.
  125.  
  126. **RedPhone
  127. Download: https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone&hl=en
  128. Description: This application will encrypt your voice calls if both users are running it.
  129.  
  130. F-Droid
  131. Download: https://f-droid.org/
  132. Description: F-Droid is an installable catalog of FOSS (Free and Open Source Software) applications for the Android platform. The client makes it easy to browse, install, and keep track of updates on your device.
  133.  
  134. Aptoide
  135. Download: http://m.aptoide.com/installer?lang=EN
  136. Description: A free market place to download pirated and cracked apps.
  137.  
  138. **Xabber
  139. Download: https://f-droid.org/repository/browse/?fdfilter=xabber&fdid=com.xabber.androiddev
  140. Description: Xabber is a full Java implementation of XMPP, and supports both OTR and Tor. Its UI is a bit more streamlined than Guardian Project's ChatSecure, and it does not make use of any native code components (which are more vulnerable to code execution exploits than pure Java code). Unfortunately, this means it lacks some of ChatSecure's nicer features, such as push-to-talk voice and file transfer.
  141. Configuration: Go into settings and check the following.
  142. Notifications -> Message text in Notifications -> Off (notifications can be read by other apps!)
  143. Accounts -> Integration into system accounts -> Off
  144. Accounts -> Store message history -> Don't Store
  145. Security -> Store History -> Off
  146. Security -> Check Server Certificate
  147. Chat -> Show Typing Notifications -> Off
  148. Connection Settings -> Auto-away -> disabled
  149. Connection Settings -> Extended away when idle -> Disabled
  150. Keep Wifi Awake -> On
  151. Prevent sleep Mode -> On
  152.  
  153. **Offline Calendar
  154. Download: https://f-droid.org/repository/browse/?fdfilter=offline%20calendar&fdid=org.sufficientlysecure.localcalendar
  155. Description: Offline Calendar is a hack to allow you to create a fake local Google account that does not sync to Google. This allows you to use the Calendar App without risk of leaking your activities to Google.
  156.  
  157. **K-9 Mail
  158. Download: https://f-droid.org/repository/browse/?fdid=com.fsck.k9
  159. Description: E-mail client supporting multiple accounts, POP3, IMAP and Push IMAP. Can do encryption if APG and/or OpenKeychain is installed depending on the version. Settings and account configurations can be exported so that they can be imported easily if you are switching packages/signatures: a file manager will need to be already installed to achieve this.
  160.  
  161. **APG
  162. Download: https://f-droid.org/repository/browse/?fdid=org.thialfihar.android.apg
  163. Description: APG is a port of OpenPGP for Android. Use it to encrypt and decrypt files, and in conjunction with K-9 Mail, to seamlessly add support for encrypting and decrypting emails, as well as adding and verifying digital signatures.
  164.  
  165. OSMAnd~
  166. Download: https://f-droid.org/repository/browse/?fdfilter=osmand&fdid=net.osmand.plus
  167. Description: A free offline mapping tool. While the UI is a little clunky, it does support voice navigation and driving directions, and is a handy, private alternative to Google Maps.
  168.  
  169. VLC
  170. Download: https://f-droid.org/repository/browse/?fdfilter=vlc&fdid=org.videolan.vlc
  171. Description: Video and audio player that supports a wide range of formats, for both local and remote playback.
  172.  
  173. **Firefox
  174. Download: https://f-droid.org/repository/browse/?fdfilter=firefox&fdid=org.mozilla.firefox
  175. Description: Better browser than Chrome and the built-in Android browser.
  176. Configuration: Go into Firefox settings and disable the following:
  177. Settings -> Sync -> OFF
  178. Settings -> Mozilla -> Telemetry -> OFF
  179. Settings -> Mozilla -> Crash Reporter -> OFF
  180. Settings -> Mozilla -> Health Report -> OFF
  181. Settings -> Privacy -> Remember Passwords -> OFF
  182. Settings -> Privacy -> Use Master Password -> OFF
  183. Settings -> Privacy -> Tracking -> Do Not Track
  184. Settings -> Privacy -> Cookies -> Enable Cookies; Excluding 3rd Party
  185. Settings -> Developer Options -> Remote Debugging -> OFF
  186. Download NoScript, HTTPS-Everywhere, Adblock Edge. Also be sure to edit the "about:config" options within Firefox. See my other Firefox guide for more configuration here: http://pastebin.com/fn7VHwhm
  187.  
  188. **Launch App Ops
  189. Download: https://f-droid.org/repository/browse/?fdfilter=permissions&fdid=com.adstrosoftware.launchappops
  190. Description: In Android 4.3 there is a new activity/screen, not accessible from settings, called App Ops, where you can manage permissions for different apps. This app simply allows you to launch this activity.
  191.  
  192. OS Monitor
  193. Download: https://f-droid.org/repository/browse/?fdfilter=os%20monitor&fdid=com.eolwral.osmonitor
  194. Description: OS Monitor is an excellent Android process and connection monitoring app, that can help you watch for CPU usage and connection attempts by your apps.
  195.  
  196. **CCleaner
  197. Download: https://play.google.com/store/apps/details?id=com.piriform.ccleaner
  198. Description: Cleans all the useless crap that can slow your phone down such as logs, cache, empty folders and more.
  199.  
  200. **Titanium Backup PRO
  201. Download: https://play.google.com/store/apps/details?id=com.keramidas.TitaniumBackup&hl=en
  202. Description: You can backup, restore, freeze [With pro version] your apps, data, market links. This includes all protected apps & system apps, plus external data on your SD card. You can do 0-click batch & scheduled backups. Backups will operate without closing any apps [With pro version]. You can move any app [or app data] to and from the SD card. You can browse any app's data and even query the Market to see detailed information about the apps.
  203.  
  204. dSploit
  205. Download: http://m.banzai13fr.store.aptoide.com/app/market/it.evilsocket.dsploit.debug/1/4903638/dSploit
  206. Description: Once dSploit is started, you will be able to easily map your network, fingerprint alive hosts operating systems and running services, search for known vulnerabilities, crack logon procedures of many TCP protocols, perform man in the middle attacks such as password sniffing [With common protocols dissection] and real time traffic manipulation and more.
  207.  
  208. Terminal Emulator
  209. Download: https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en
  210. Description: Access your Android's built-in Linux command line shell.
  211.  
  212. ========================
  213.  
  214. /After you install and configure these applications, it is recommended that you use Titanium Backup to either freeze or uninstall EVERYTHING that has to do with Google. These include:
  215. Google Account Manager
  216. Google Backup Transport
  217. Google Calendar Sync
  218. Google Contacts Sync
  219. Google Partner Setup
  220. Google Play Services
  221. Google Play Store
  222. Google Search
  223. Google Services Framework
  224. Google Text-to-Speech Engine
  225. Google+
  226. LocationServices 1.0
  227.  
  228. Doing this means you will have no Google Play Store, no syncing with your Google account, no Google Maps, no Google search, no Google Play Services, no YouTube, no Google+, no Google Contacts, nothing Google at all. This will ensure that those asshats from Google are not tracking you, eavesdropping on your texts and calls, logging all of your metadata and so on. Also, it is VERY important that you DO NOT install apps that use a lot of permissions, such as Facebook, Facebook Messenger, Twitter, Steam, Netflix and so on.
  229.  
  230. /So there you have it! You are now running a securely hardened Android device. If you are interested in reading more about this topic head over to: https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy
  231.  
  232. /Feel free to suggest any more techniques for enhancing security and I will gladly add them above!
  233.  
  234. .-.
  235. ( " )
  236. /\_.' '._/\
  237. | |
  238. \ /
  239. \ /`
  240. .(__) /
  241. `.__.' @Gh0sterSec