[Q] Custom Rom For Enterprise Deployment - Android Q&A, Help & Troubleshooting

Ok... I am a Software Engineer and I have been developing mostly for Windows environments, but recently started getting into Android. I want to get more into the Operating System from a lower level. I am looking to build a custom ROM that must meet certain requirements to be used.
What I would like to do for a specific device:
1) Strip stock ROM of bloatware
2) Use SSH Tunnel for all data traffic (3G/4G, WiFi, etc.)
- This will have to be an embedded setup so that the device will always be using the SSH Tunnel to encrypt data accessing from company resources.
- If at all possible, block sites that are normally blocked when on the physical network.
3) Company Email, Contacts, and Calendar information to be synced from Lotus Notes to native android applications using only the SSH Tunnel connection.
4) Enforce password requirement for phone lock screen.
5) Change the OTA Device Update server to create my own.
- Insight as to how I would host my own on my internal network would be appreciated, if it is at all possible.
6) Detect company secure WiFi Access Points and only permit automatic switching to these sources for data; others (unsecured) will need to be manually connected.
Now, I know how to make a custom ROM, where I am stripping bloatware and pre-rooting and such so I don't need help with requirement 1.
However, I have no clue where to start with the security aspect of this. Is it possible to embed all the settings into the OS configuration for routing data over a secure and encrypted source? This is an absolutely imperative thing, where Corporate Security mandates that the syncing of emails and such must be done over an encrypted connection. If SSH tunneling is not the best solution, perhaps VPN? Our company currently deploys Cisco AnyConnect for VPN from company laptops. Again, this has to be built into the configuration of the device. The user cannot have the ability to turn off/on this feature (unless they root or do various other violations to corporate policy). Speed is not a concern, these are work devices and only need to be reliable in accessing work resources.
As for requirement 4, is there any way to force a password lock on the device? Maybe deploy the ROM in some sort of initial setup mode (similar to Microsoft's OOBE for Windows), where they are prompted to create their phone password and enter various other credentials to set up the email syncing with the native email client?
For requirement 5 & 6, well these are just pipe dreams. If they could be done, and not require a UI to manage them, then it would be great. However, I figure this would be not so easy to do.
The reason why this all has to be built in and configured is because the user cannot be given the option to disable these features with a simple UI. Also, the phones cannot receive carrier specific OTA updates, that would wipe these system configurations. The update server has to be possible, as all the carriers currently host their own. There has to be a way to build my own and deploy my ROM as an official release to the device without having to have a custom recovery or root.
Any insight into any of this would be great. For the most part I am looking for the built in network access features that I discussed above and insight on how to accomplish this if at all possible. Everything else could just be whatever input you are willing to provide. I realize this is a big project, but the result will be a phenomenal step in securing and expanding company resources. I realize there may be enterprise solutions out there that will already accomplish most of this, but I am looking to stay away from those options.

mkruluts said:
Also, the phones cannot receive carrier specific OTA updates, that would wipe these system configurations. The update server has to be possible, as all the carriers currently host their own.
Hello mkruluts,
where did you get that the carriers host their own servers?
I would seriously be interested.
Optimally, do you have a link?
I read on this forum that even the branded updates come from a manufacturer's server:
http://forum.xda-developers.com/showpost.php?p=43915102&postcount=574
"HTC gets the go ahead to push it OTA from their servers"
http://forum.xda-developers.com/showpost.php?p=8525999&postcount=141
"The vendor's servers are tied to the carrier network."
--Droiderino

[Q] i9100 - Disc encryption question

Hi there,
Has anyone tested the hardware disc encryption that Samsung touted pre-launch? Are there any white-papers on how this works?
"Samsung has also taken steps to include Enterprise software for business users, that include On Device Encryption, Cisco’s AnyConnect VPN, MDM (Mobile Device Management), Cisco WebEx, Juniper,[28] and secure remote device management from Sybase.[36]"
Source https://secure.wikimedia.org/wikipedia/en/wiki/Samsung_Galaxy_S_II#Bundled_applications
Regards, F.
I asked on the CM forums, and CM does not have any disc encryption, yet. Does anyone know about Samsung's offering?
BR.
Shameless bump, in case someone has bought the i9100 by now and found the encryption option. Anyone?
I found this gumpf about it. It's a third party product provided by Sophos.
"Antivirus & Firewall Security for Android Devices with Disk Encryption
SophosWith rising security threats and growing demands for the need of end point protection and data security are growing and so does Sophos comes forward and launches a mobile control which is mainly designed and is developed for smart phones like Android. This product comes with Sophos Anti-virus, Sophos Client Firewall and Sophos Disk Encryption which protects from threats and provides the disk encryption.
Basically, the SOPHOS secures the smart phones by centrally configuring all the security settings and then also it enables the lock down of unwanted features. With strong set of password and security policy it can even control the installation of apps, blocking use of cameras, browsers like You Tube etc. Also, additionally you can easily secure the access to the corporate mail by setting up the registered devices to access the mail.
Sophos Mobile control secures the mobile devices by centrally configuring security settings and enabling lock down of unwanted features. The features like strong password policy and lock period, control and installation of applications and blocking usage of cameras and browsers will help in enabling the enforcement of consistent "
Source: hxxp://androidadvices.com/antivirus-firewall-security-for-android-devices-with-disk-encryption/
galaxy s II I9100 has disk encryption built-in but disabled
I went through the files in initramfs and I found:
1) lots of encryption related strings and error messages in the /init executable
2) /init.rc has an event handler "on property:encryption.bootmode=remount"
3) /res/encryption.conftab - a configuration file that maps directories like /data to /dev/mapper/data to /dev/block/<data block device>
important point is that /init executable contains the name of this file and error messages relevant to the processing of this file.
4) /res/images contains images that together are an encryption graphic UI
Conclusion: Block-device level encryption is available and configured through dm_crypt by the init executable and some configuration files. Some flag probably exists somewhere to enable this encryption.
Guess: after the flag is flipped the device should ask during boot for encryption password and encrypt /data /efs /cache /sdcard directories. On consecutive re-boots the same password will be asked to be able to mount through the configuration file(s).
Anyone knows how to enable the damn thing? Apparently Sybase have an app called Afaria AES for samsung that enables this functionality. I guess that they are doing it using some unpublished samsung security API. Maybe an extension of the DeviceAdmin class. Anyone know a way to check this?
I configured the standard email client to connect to my exchange server which enforces an encryption policy and then I got prompted that my SGS2 would then encrypt itself.
I've no idea if there is a way to do it manually or even how to un-encrypt it if I ever remove the exchange account.
dwod said:
I configured the standard email client to connect to my exchange server which enforces an encryption policy and then I got prompted that my SGS2 would then encrypt itself.
I've no idea if there is a way to do it manually or even how to un-encrypt it if I ever remove the exchange account.
Hi, when you say the SGS would encrypt itself, did you mean that the internal discs would be encrypted, or was this referring only to the connection over Email? I think the latter and if so then this is not the correct thread for this discussion. If the former then this is remarkable.
I am also looking for a way to enable encryption. The ability to use hardware-assisted file encryption was the first thing that caught my eye when they presented the SGS II at MWC.
I have contacted Samsung about this (twice) and they were not really helpful at all. They only replied that you need third party tools to use the SGS II encryption features and that there is no tool included with the handset. They also ignored my inquiry for a documented API which would make it possible to write a little program to switch encryption on.
It seems that Sybase Afaria is one of the solutions with the desired ability, a Microsoft Active Sync server is another, both enterprise level products. The Sophos product mentioned above might be yet another.
If we could only get some information about the API all these products must use to administer the phone!
fryandlaurie
@forgetmyname:
I'm pretty sure that it is about file level encryption: Connecting to a corporate exchange server allows the server (if configured accordingly) to enforce a host of security policies on the phone. One of these policies may well be the encryption of all mail traffic but I doubt that you would be prompted to acknowledge that.
fryandlaurie
It would be great to be able to file encrypt private photos, I don't think it's enough with a program that requires a password to show the hidden files. As if one has physical access to the phone one can easily get the pictures.
Two options for i9100 Encryption
oleost said:
It would be great to be able to file encrypt private photos, I don't think it's enough with a program that requires a password to show the hidden files. As if one has physical access to the phone one can easily get the pictures.
On Stock Samsung ROMs pre-ICS you can use Galaxy Device Encryption free or pro by hellcat (see google play) for full device encryption, including optional encrypting of the external SD card. Note, it has to be stock rom for this to work on GB and this only works on certain Samsung models that they added the encryption ability to the OS but didn't give the user a way to activate.
ICS supports encryption natively and gives the user access to turn this on without a push from an exchange server or the like, assuming this hasn't been removed/disabled by the developer of the ROM you're using.
Ed

[Q] How to configure and deploy a large scale android installation (2.3.3.)

Hi,
I am about to assist in deploying a large number of Android devices. The requirement is that the devices (700+) need to be charged, configured and provisioned with the relevant applications for the end-users before delivery.
Device info:
Android 2.3.3
Samsung Galaxy SII
This is not Windows Mobile, so I am unsure if I can code/design a solution to avoid this enormous manual task.
Is it possible to code something for an sd-card that will be automatically triggered on insertion (as on WM)? This would then provision the device etc.
Is it possible to bypass the initial prompts - To my knowledge you will be prompted for entering the info for your google accounts?
If above is not possible, do I then need to create 700+ google accounts?
Hope someone can help
Brgds
It can also be via an active sync (ish) connection using a computer to provision the device?
A suggestion I received from another forum was that I could: Make an update.zip for apps. Copy on SD card. Boot in recovery. Apply update.zip.
Would this be a feasible way to go?
odaugaard said:
A suggestion I received from another forum was that I could: Make an update.zip for apps. Copy on SD card. Boot in recovery. Apply update.zip.
Would this be a feasible way to go?
We just deployed 100 EVO 4Gs. Prior to the deployment we sent a mass email requesting that the users create their own Google account and email us the info so we could set up their new phone with email and corporate email access. It took a while to set up 100 Android devices but it went smoothly.
You can use SureMDM from 42Gears for mass provisioning, application deployment and password policy enforcement on Android devices, including smartphones and tablets.
It does not require Google accounts. Install the agent directly on the devices and then use the web-based console to perform all of the above actions from one place. For e.g. you can push an apk on hundreds of devices with a single click.
On non-rooted phones installation of .apks will prompt the user to continue the action.
Free trial is available on the website 42Gears dot com
Similar situation here and am fielding any suggestions or ideas if things have changed in the last several months regarding deployment.
Scenario:
Deploying approx 200 Asus Transformers in an educational setting
Wish List:
Setup all units using the same Google account, populate static name on the lockscreen, install 3 specific apps on each and the ability to identify each one individually on the market for individual app install by an "administrator".
Currently we are doing each unit manually and then having to wait a few minutes for the Market to populate the new unit and then changing the nickname to the bldg/room number. If we don't wait for the Market to refresh for the new device they will all show as Asus Transformer TF101 and obviously we will not know which device to send specific apps to when they are requested.
There just has to be a better way! I checked out SureMDM and it has a lot of features that we really don't need and it doesn't appear to accomplish what we do need.
Any suggestions or comments would be greatly appreciated!
I know this is an old thread, but what about rooting and building a custom ROM for each unique device to let it do what you want? I'm thinking of doing something similar at the moment.
stephendt0 said:
I know this is an old thread, but what about rooting and building a custom ROM for each unique device to let it do what you want? I'm thinking of doing something similar at the moment.
Probably would work although Google now has a way to streamline deployment:
Unfortunately I cannot post the direct link but go to developer dot android dot com/edu

Most secure ZU config: firmware, phone settings, application settings, user behavior

Say I wanted to have the most secure Sony Xperia Z Ultra possible (without "too much" sacrifice of useability).
In the context of this thread I define security as broadly anything barring network anonymity ie. hiding your device public IP address.
So I want security from network attackers (e.g. drive-by download, WiFi attacks), physical device attackers (e.g. customs searching devices for IP violations ... no really, that's about to become a thing apparently, GF and/or mistresses).
How would you do it?
Could you please use sections of
```
firmware
phone settings
app settings
behavior
```
because I want to curate the best answers from users in this post for the good of the forum.
My thoughts so far are:
Firmware:
Root is disabled
Bootloader should be locked.
^^ These I'm not sure about - see if we don't have root then we don't have iptable firewall and hosts level server blocking.
One recovery should be used
Honestly I'm not sure which ROM is more secure than another but I'm assuming the latest and greatest is more secure so that would be MM atm. No idea if Sony is more secure than another flavour of ZU Android.
Phone settings:
Developer options off
Sideload apps off
Do not connect to unknown WiFi
NFC Off by default
Bluetooth Off by default
PIN unlock required
Auto-lock ON
App settings: (this includes apps you should have/not have and their settings)
I figure every additional app that I don't use is a needless attack surface so start with no apps at all - uninstall everything. Only install what you use ... for which you need root unless the ROM is premade like this.
Firewall app (Netguard no-root Firewall, DroidWall if we have root)
Adblock (if we have root)
AV - honestly most mobile AV seems pathetic at being secure and not acting like malware (notifications, popup windows etc) but Avast at least seems to not hog resources.
-Auto update every app
User behaviour:
NEVER:
-install apps from anywhere other than Google Play. Or possibly FDroid
-let another person use your device
I'd like to hear your suggestions, critique and everything else, cheers!
So you're not gonna install from other than google play, then what ad blocker are you going to use? Where is adblocker connecting to?
You're talking about still having a lot of apps connecting through servers that you don't control.
morestupidemailnames said:
You're talking about still having a lot of apps connecting through servers that you don't control.
Well if you are worried about connecting to servers that you don't control - isn't that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
panyan said:
Well if you are worried about connecting to servers that you don't control - isn't that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
Exactly my point.
The op is a long winded question that leaves you with more questions.
Probably why there's been such a landslide of security tips here

Multiple VPNs on Android

Hello, developers!
I'm a student wanting to build an application for android that allows for a non-rooted phone to have a firewall (Such as Netguard), then route to the choice VPN provider (such as OpenVPN).
One thing that everyone is questioning (including myself) is why nobody else made this yet.
So I have come to the forums to ask if there is some Android Kernel reason that is preventing people from making such an app, or if VPN developers and non-root firewall developers just didn't decide to make it?
TLDR:
What is stopping developers from making an app that routes from a non-root firewall to a VPN provider?
The ability to alter iptables with a non-root device. If you're a first year student you might be done at the end of your study. But then we'll probably have Android Twix and your software will be useless. I'd place my bet elsewhere.
I'm not worried about the version upon release, I intend for this to be open-source, thus be useful in allowing others to make and use this in the future, so motivation worries aside-
The ability to alter iptables with a non-root device is what the worry is?
Why could I not, for example, take netguard and modify that to just build in more VPN capabilities?
As far as I am aware, Netguard sets up a VPN on your device, so the idea was to just set the VPS to a choice provider.
Perhaps I just don't understand IP tables well enough, so just let me know if that is the case.

General about GrapheneOS

Hey guys,
what do you think about GrapheneOS? (https://grapheneos.org)
I think there are some disadvantages:
- only Pixel devices (because only these have some security "flags")
- no root access
- hardcoded Google domains
and some advantages:
- good hardware support
- hardened AOSP
- closed bootloader after flashing
Now I would like to discuss this ROM
I too would be interested to hear about anyone's experience regarding this OS
johndoe118 said:
Hey guys,
what do you think about GrapheneOS? (https://grapheneos.org)
I think there are some disadvantages:
- only Pixel devices (because only these have some security "flags")
- no root access
- hardcoded Google domains
and some advantages:
- good hardware support
- hardened AOSP
- closed bootloader after flashing
Now I would like to discuss this ROM
I'm interested in this ROM too. I have a Pixel 3a. I haven't flashed it yet because I'm trying to find out what people's experiences are first. There doesn't seem to be a lot of posts about it. Did you ever flash it? Also, what do you mean by "hardcoded Google domains"?
Well, the captive portal contacts the Google servers regularly when you connect to a WiFi. That was one reason why I lost interest in the ROM. The other was the limited device support and missing root access. I absolutely need access to the iptables. As a one-man show, the ROM can be adjusted at any time.
johndoe118 said:
Well, the captive portal contacts the Google servers regularly when you connect to a WiFi.
Do you have some kind of reference for that? I'm using it now and would really like some proof to bring up in their subreddit as a WTF.
graphene seems great, no root does not
I don't want the bootloader locked.
I want Magisk extensions
I need root for LP _only_ to remove ads. Is there something like LP that allows (interactively) disabling app activities?
hardcoded google domains info from faq
https://grapheneos.org/faq#device-support
GrapheneOS leaves these set to the standard four URLs to blend into the crowd of billions of other Android devices with and without Google Mobile Services performing the same empty GET requests. For privacy reasons, it isn't desirable to stand out from the crowd and changing these URLs or even disabling the feature will likely reduce your privacy by giving your device a more unique fingerprint. GrapheneOS aims to appear like any other common mobile device on the network.
HTTPS: https://www.google.com/generate_204
HTTP: http://connectivitycheck.gstatic.com/generate_204
HTTP fallback: http://www.google.com/gen_204
HTTP other fallback: http://play.googleapis.com/generate_204
nay_ said:
hardcoded google domains info from faq
https://grapheneos.org/faq#device-support
Thanks, right from there
I have Graphene OS taimen-factory-2020.07.06.20.zip on my Pixel 2 XL. Under "System update settings" is "Check for updates" but nothing happens if I tap. Only the field becomes darker. Has someone experience with this?
Update with adb sideloading to 2020.08.03.22 works.
OTA update from 2020.08.03.22 to 2020.08.07.01 likewise.
I'm personally not a fan of these kinds of projects, they aren't really all that 'secure', you're still using proprietary vendor blobs and such
help please
Hello! In the description
I pointed out that you can change servers just not through the GUI.
Has anyone tried this?
```
Providing a toggle in the Settings app for using connectivitycheck.grapheneos.org as an alternative is planned. The option to blend into the crowd with the standard URLs is important and must remain supported for people who need to be able to blend in rather than getting the nice feeling that comes from using GrapheneOS servers. It's possible to use connectivitycheck.grapheneos.org already, but not via the GUI.
```
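Added example, not part of the thread and not GrapheneOS or AOSP code: a simplified model of the connectivity check discussed in the posts above, run against two constructed local servers (one answering with an empty 204, one behaving like a captive portal) to show how the reply is classified and which request fields the probed server receives. The `probe` function, the handler, the User-Agent string and the portal URL are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

UA = "probe-example/1.0"                      # constructed User-Agent
PORTAL_LOGIN = "http://portal.example/login"  # constructed portal address


def make_handler(portal):
    """Build a handler for a constructed test network.

    portal=False answers like an open network (empty 204);
    portal=True intercepts the request and redirects to a login page.
    """
    class Handler(BaseHTTPRequestHandler):
        seen = []  # what each probe exposed to this server

        def do_GET(self):
            self.seen.append({
                "ip": self.client_address[0],
                "path": self.path,
                "headers": sorted(k.lower() for k in self.headers.keys()),
            })
            if portal:
                self.send_response(302)
                self.send_header("Location", PORTAL_LOGIN)
                self.send_header("Content-Length", "0")
            else:
                self.send_response(204)
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    return Handler


def start_server(portal):
    """Start one constructed server on a free localhost port."""
    handler = make_handler(portal)
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, handler


def probe(host, port, path="/generate_204", timeout=3):
    """Send one empty GET and classify the reply (simplified model)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": UA})
        resp = conn.getresponse()
        body = resp.read()
    except (OSError, http.client.HTTPException):
        return ("no_connectivity", None)
    finally:
        conn.close()
    if resp.status == 204:
        return ("validated", None)          # empty reply arrived untouched
    if 300 <= resp.status < 400:
        return ("captive_portal", resp.getheader("Location"))
    if resp.status == 200 and body:
        return ("captive_portal", None)     # portal injected its own page
    return ("no_connectivity", None)


if __name__ == "__main__":
    open_net, open_handler = start_server(portal=False)
    hotspot, _ = start_server(portal=True)
    print(probe("127.0.0.1", open_net.server_port))
    print(probe("127.0.0.1", hotspot.server_port))
    print(open_handler.seen[0])
```

The `seen` record is what this constructed client exposes to the probed host: its source address, the request path, and the header names listed there.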
captive portal leak + location services data leak
Few points:
1. General idea is that privacy/security oriented OS (as graphene is advertised) should limit network activity as much as possible, and not ping google using captive portal service every few seconds providing perfect IP-based location to google
It is possible to switch it off, but should be off by default
2. Connections of Android location services to get GPS constellations were shown before to send SIM card IMSI and connected cellular tower ID to provider (Qualcomm/Google):
"blog.wirelessmoves.com/2014/08/supl-reveals-my-identity-and-location-to-google.html"
Graphene still allows those connections (check their FAQ on website)
W/O root no way to switch this off. Even some devices ignore config files and still leak data (on the level of cellular modem most probably)
3. Android services make other weird connections. Example: AOSP dialler app is querying phone numbers against online database leaking all contacts to google. How was this taken care of in graphene? Are all AOSP services/apps security-verified to not leak any data?
w/o root no way to install afwall to block everything
Is graphene built-in firewall capable of blocking system services from network access?
