How to face security Issues on Android 4.2

Hello we will look at integrating the changes and will look at towelroot again.
http://seclists.org/fulldisclosure/2014/Nov/51

2 Likes

Thereā€™s an old Swedish saying: ā€˜Itā€™s easy to say ā€œTulip Roseā€, but hard to make oneā€™.
Letā€™s face it. What makes the internet a wonderful invention is also what makes life on the web vulnerable.
If you want to be able to do everything, everywhere, at any time, you are vulnerable. If you want to make use of any app ever found in Google Play Store (or maybe downloaded from an obscure website), if you want to be constantly updated through various RSS feeds, if you find it essential to get real time updates from a plethora of communities such as Facebookā€¦
ā€¦then you are vulnerable.
You can never get a 100 % guarantee that security patches will reach your phone (and install themselves) in time to block each and every potential threat. (Incidentally, enabling for automatic updates of each and every app you installed will probably cause you more trouble and more security risks than if you update manually with afterthought).
Youā€™ll have to make a choice. Either you put safety first. For one reason or another, you have to handle sensitive inormation using your phone. Then youā€™d better get a Blackberry. Create a profile (e-mail address and so forth) that you never, never, never link to facebook or instagram or reddit or whatever. And connect to the internet only when you really need a connection, and only through encrypted networks. Then use a second phone for leisure activitites. And if you must do banking stuff on your phone, make sure that your bank offers a reasonable level of security, e.g. using a card reader that generates 1-time login and signature codes. Not even these are 100 % safe, though.
Or you acknowledge that the internet is risky. You use your phone with reasonable prudence, but you also realise that sh*t happens. Itā€™s a tedious toil having to create new accounts and passwords replacing the compromised ones, just as itā€™s tedious having to replace bank cards, driving license &c when your wallet gets lost. But itā€™s part of life.
Or you get a tinfoil hat and a few carrier pigeons.
Please note before replying: Iā€™m not saying that security patches and updates are unimportant or superfluous. And Iā€™m grateful to the FP developers doing their best to patch the biggest holes. All Iā€™m trying to say is that even if we live in the best of worlds it is far from perfect. The great thing about being human is that we can develop strategies for handling this lack of perfection, which in my humble opinion is a wiser strategy than hoping to achieve perfection

4 Likes

Sh#t doesnā€™t ā€˜happenā€™; it needs a as*hole to be produced :smile:

Actually the production of feces initiates more cranially in the gastrointestinal tract than in the canalis analis, but I think weā€™re getting off topic hereā€¦

3 Likes

There is a way to disable the Android Browser and it is quite easy. You only need adb installed on your PC. I followed this guide Enable and disable system apps via ADB - Android Enthusiasts Stack Exchange. I will see how it works and if i encouter any serious side effects. If not i will update here with a short guide how to do it and what happens. See you soon.

5 Likes

A week i go i shared this great guide from StackExchange on how to disable System Apps via Adb (Android Debug Bridge).
With this method you can easily disable the build in browser. You need a PC with Linux, Mac or Windows and with Android Debug Bridge installed (on Ubuntu simply run sudo apt-get install android-tools-adb) and set allow developer remote access to your fairphone (Settings -> Developer Settings).

Open a Terminal (Hit Super (Ubuntu) or CMD+Space (Mac), then type Terminal on Ubuntu) (or Cmd Prompt on Windows).

  1. Open the ADB shell by typing adb shell (You are now working on the device)
  2. Gain super user rights with su.
  3. Use the build in package manager to disable the browser: pm disable com.android.browser
  4. Leave the ADB shell with: exit

Use your Fairphone and see that Browser has magically disappeared from your Apps. And the best think is: If you ever need it again, you can replace ā€œdisableā€ in step 3 with ā€œenableā€ and the browser is back!

If been using my Fairphone without the Android Browser since week with no problems at all.

Source

6 Likes

Hi,

I wounder if this affects the WebView Component of Android. As far as I understood it is based on the default browser and was replaced with Android 4.4, too.

Have you noticed some changing at Apps? For example that they couldnā€™t display there ā€œchangesā€ texts anymore or something like this?

regards,
Shiny

No, it does not affect the WebView (at least if it did i did not notice it). That is good because apps requiring the WebView component still work and bad because they are still affected by the security issues.
So this is more of a cosmetic fix, which prevents you to use the insecure Browser out of convenience or habit. A use case i would think of is giving the Fairphone to not so tech-savy people who do not want to think about which browser to use for example.

2 Likes

I have followed your tutorial and yes the ā€œnativeā€ browser disappears. However, apps, like gReader still use the webKit component. Therefor, you should still check every app you use, if it uses webkit. Or install a firewall.

1 Like

Actually I followed your ā€œhow toā€ and ended up with a dysfunctional PTP and USB storage function. Therefore, it is not advisable to use your fix. Furthermore, your soluton only hides the old browser. The problem is, however, the unpatched webkit component. Fairphone should upgrade the OS to Android 4.4 or 5, because many applications use the webkit component. This includes gReader and almost any app using ā€œin appā€-advertisment.

I am not sure PTP and USB storage are in anyway related to disabling the Browser. I have been using (not PTP) but USB and MTP storage regularly since applying and had none issues with them.

You are right that the WebKit component is still available. There is no easy fix for that as far i know. It is also no alternative to a proper fix, but i figured for me, it is better then nothing.

Actually, I wondered myself and in general it makes no sense. However, I can reproduce the error by disabling com.android.browser and ā€œfixā€ it by enabling it again. Im am not sure why this is happening (therefore I lack necessary information on the internal architacture), but it is reproducable. When I am back from conference I might give MTP a try and disable the browser again :wink:

1 Like

@Shiny (and other XPrivacy users): can XPrivacy be used for solving the WebView issue? Or will an app be able to activate WebView even if one blocks the appā€™s own internet privileges?
My reason for asking: I have a Solitaire app installed and since I canā€™t see any reason why this app should have access to the internet, Iā€™ve set my firewall to block it. Nevetheless, if i run the app while connected to the internet, ads are displayed. My guess is that the app uses WebView for this, and that WebView still have access to the internet even if the app itself is firewalled. And my guess is that this goes for a number of other apps as well
Would XPrivacy be a more efficient way to block access, or would the result be the same, meaning that WebView can never be disabled, not even partially?

Itā€™s a bit odd, really: considering that Android is UNIX-based and the FP is rooted, it ought to be possible to disable WebView simply by commenting out a line somewhereā€¦

Which Firewall app did you install? I think this could be a misconfiguration behavior because if you filter an app by firewall, it shouldnā€™t go outside and download ads (maybe theyā€™re already cached in your device or embedded in the app without going to the Internet so you still see them?)

Well I donā€™t think itā€™s so easy as commenting out a line somewhereā€¦Android is Java based (simplifying too much) and apps use components by ā€œlinkingā€ other components present in the file system (think something similar as Windows DLLs) so unless you delete/rename the component(s) which represent the ā€œWebviewā€ system component, any application will always be able to use it, but I donā€™t suggest to remove them because I suspect this could end in an unusable device (or with very limited usage capabilities).

To answer your first question: with XPrivacy module you should be able to block Internet access to your Solitaire app (and also to other more sensible components like Contacts database, or Clipboard history and so on) in order to avoid it going somewhere on the Internet, I strongly suggest use XPrivacy because I found it very useful.

And I suggest also to look for a solitaire app in F-Droid repo :wink: their apps are open source and most of the time ads-free :smile:
Bye!

2 Likes

@kgha: I donā€™t use Addware (if I like a software I buy the pro Version or I use real ā€œfreeā€ software). So I canā€™t answer your question for shure. XPrivacy offers the posibility to deny Internet Access for the Add and it allows to deny the right to ā€œshow in browserā€ so you should have a chance.

It you Post me a link to your App I will install it, deny everything and see wahat happens it you want to know it for sure.

regards,
Shiny

2 Likes

@DjDas, @Shiny,
thanks a lot for your comments.
I use Avastā€™s firewall, and generally it seems to work (I have, for instance, firewalled the default Android browser and it is quite dead). But when I check Avastā€™s network activity meter, it does show a little activity stemming from my likewise firewalled Solitaire app.
Sadly there are no open source soliutaire apps that can competeā€¦ but Shinyā€™s advice to get the pro version is of course a good one. And I really should consider trying out XPrivacy.
Shiny, if you really want to bother, you can find the app here:

Well, I feel very comfortable with AFWall+, itā€™s very easy to use, furthermore I also use AdAway to filter ads (not from apps but generally while browsing). You can find both on F-Droid :smile:
Bye!

1 Like

Hi @kgha,

fastcinationg Experiment. I refused the rights "Identify Phone, Access Internet, and Show in Broser). And thought.everything is fine because I didnā€™t see any Adds. To make sure that XPrivacy did the Job I grated the right to access the Internet in my separate Firewall App AFWall+ and restated the game. Now an Add for Amazon was displayed. To exclude the possibility that it is a Add from the App resource I enabled the Protection of AFWall+ again and resarted the card game once more. Now it was Add Free again.

So it seems that XPrivacy fails like your Firewall but AFWall+ does the Job. I canā€™t say why but this shows again that having a second line in protecting your data is a good idea. I use AFWall+ besides XPrivacy because it allows a more detailed control. Here I can allow an App to access the Web while WIFI is connected but deny it if its just a mobile connection etc. XPrivacy simply allows to block all internet access and like this experiment shows it doesnā€™t make a perfect job by doing this.

regards,
Shiny

2 Likes

Hi @Shiny,
heartfelt thanks for taking the time to dig deeper into this! AFWall+ seems to be the best choice, thenā€¦ the Avast firewall also allows me to choose between blocking wifi, mobile data, or both but apparantly itā€™s not as efficient.

You are welcome @kgha.

It was very interesting and I learned something, too. Maybe I will find some time this evening to look a little deeper to the XPrivacy options, trying to understand if I make something wrong or if XPrivacy itself has a problem to block this traffic.

regards,
Shiny

2 Likes