Integrity of SFOS?

David · 25 October 2020 16:49

There are degrees of security. Edward Snowden for example would never use a smart phone. Even if you managed to secure the 4G, you’ve still got towers tracking your position.

There are machines which can strip all the core data off all but the latest iPhones and all Android phones within minutes, even when locked. Do they work on Sailfish phones? Probably not.

From what I read, there are no vulnerabilities in LUKS. If the machines were updated to deal with Sailfish, an 8 digit code (minimum on XA2) will protect your phone for 2-3 days.

But that’s only if encrypted. I believe a Sailfish phone was hacked into at one of the hacking conventions in an hour.

It still won’t decrypt without the PIN, afaik.

flypig · 25 October 2020 18:18

Interesting that you should mention this, since there was a recent publication looking at just this (thanks to Fernando Lanero for highlighting it). There’s a time limited link to the full paper on one of the author’s LinkedIn feeds:

This is a little off-the-topic of malware though (still relevant in the broader context of security, so I hope you’ll forgive me).

remote · 25 October 2020 21:52

Numeric pins are brute-forced on GPU in a matter of minutes/hours.
So if you phone gets stolen/imaged, current state encryption on SFOS is useless.
And even worse, it gives people a false sense of security.

David · 25 October 2020 22:21

Unfortunately, no access here. Could you summarise or send me a copy?

apozaf · 25 October 2020 22:55

You can’t.
Also SFOS only runs as a slave OS on top of the closed baseband.
RAM is shared with the basebaand. It has full access and full rights on your GSM device. Your SIM provider can install code without anyone taking notice. Since everything is integrated in the SoC nowerdays, it could log your WiFi, BT, RAM… Everything. And it does.
Do never use a GSM device for critical things. Not that we have alternatives though.

David · 26 October 2020 02:58

If this is true, the default encryption of Sailfish leaves a lot to be desired.

4carlos · 26 October 2020 05:47

Under the term “malware”, I personally also understand apps that lead to an undesired data leak without informing the user. It is correct that an app is checked in the Google Store, but trackers are allowed. Almost every app these days sends to any server, regardless of whether it is paid software or not. There is no obligation to state that an app contains trackers from Google, Facebook, Amazon (only the largest listed), etc., or that frameworks from data analysts are integrated. A look at the manifest file of an APK shows what is also included. You might think that apps are only offered to collect data. You no longer need a particularly secure operating system if you give away your data to someone in this way.

At F-Droid, apps are also checked to see whether they comply with the rules (FOSS) and whether they are doing something undesirable. Apps that are FOSS but connect to other networks to offer a service are marked. So everyone can decide. There is at least a bit of transparency and the source code is available.

You can never be sure at all. I think F-Droid is the lesser evil and the better choice. Incidentally, I find the notes on encryption above from SFOS very interesting.

davidrasch · 26 October 2020 07:57

What you say about trackers in Play store apps is of course true. But if you access the Play store via Aurora, the apps are labeled if they contain trackers, ads, and if they need GSF.
Does anybody know if this is reliable?

4carlos · 26 October 2020 09:26

Sure, but people ignore warnings when they really want a popular app

Aurora uses parts from “ClassyShark3xodus” for the analysis, also downloadable from F-Droid.
Sometimes the standalone ClassyShark will find 1 or 2 more trackers than Aurora in one app. The version seems to be slightly different.

How it work:
ClassyShark analyzes the manifest file in the APK, compares the embedded foreign module list with a tracker list and shows the result. Hint: With the names and servers of the modules found, anyone can do their own research on the Internet and find out what exactly the module is doing.

New trackers are added or changed every day, so you can never really be sure that the result is always correct.

nephros · 26 October 2020 12:43

One method to verify what’s going on on a device is

rpm -Va

or

rpm -V <<packagename>>

which will use the RPM database to verify files on the system vs. what was contained in the original RPM package. It can be in certain cases used to detect tampering, but one must read the output wisely, as many files are okay to be different from the RPM checked version.

Seven.of.nine · 26 October 2020 12:47

Q: Is there a way to permanently remove/uninstall all this Android stuff (Android support) from the SFOS phone? and btw. save memory space and maybe gain speed or reduce processor load? I do not use any Android apps and don’t need the Android support. It’s always switched off, and for safety or to prevent starting it by error I would be happy if it was away forever.

nephros · 26 October 2020 13:00

You can uninstall Android support (and of course you can choose to never install it in the first place):

 # remove the package
 devel-su pkcon remove aliendalvik
 # disable the repo if you want
 ssu dr aliendalvik

You can also do the first part from the Store application from “My Applications”

You can not uninstall “all Android stuff” because parts of SFOS basically function as a wrapper around a base Android install so there is always a core Android environment running…

Seven.of.nine · 26 October 2020 14:05

@nephros: Now I did so and it worked fine. Now, on trying to start the Android support in the settings, the phone does nothing. (good so)

The first command did echo some system messages, the second command only taked a half of a second, then prompt appeared again.

Thanks very much!

HeinrichJolla · 12 November 2020 00:11

So many questions arouse from above …

Why not using apps from the android app support which comes from the jolla store? (btw your link points to nothing, you might wanted to give this link

Do you have any references about the stripping of the core data? What makes you think, these machines wont work on SFOS phones?

Again I would appreciate a reference to it.

Do you have any working example of this being done?

Highly interesting. Any reference about it?

Well, why not using RAM obfuscation etc. to avoid this case?

How to know if the found differences are acceptable or not?

apozaf · 12 November 2020 00:30

https://media.ccc.de/v/CC16_-109-__-sub_lounge-201605211815-your_baseband_is_watching_you-_dan

https://media.ccc.de/search/?q=baseband
3rd video

4carlos · 12 November 2020 04:53

“(2020) According to Forbes, the hacker who carried out the theft actually stole information of 39 million users and has published information of 20 million users on a Dark Web forum.”

“(2016) Malware-found-in-3rd-party-app-stores. Aptoide has informed us that the malicious apps hosted on their store have been removed…”

HeinrichJolla · 12 November 2020 09:09

Ok, but :

Apotoide said that the breach did not impact 97% of its users as they never signed up to use its services

Where do you download the Aurora store from? In F-Droid it is marked as incompatible, and is maintained by a single guy (not a team). The same mark incompatible also for

4carlos · 12 November 2020 09:53

Aptoide has something to do with trust. They didn’t deserve this in the past. My opinion.

I don’t have Aurora, sorry. What kind of device do you have?

davidrasch · 12 November 2020 09:56

For me Aurora Store in F-Droid is marked as “unwanted characteristics” because it advertises proprietary services - surprise.
But I can install and use it anyway.

David · 13 November 2020 06:14

I’m definitely not an expert but I’d guess they have to be programmed to deal with each specific model. (Minimal) security by obscurity.

I looked but couldn’t find the article. I just remember it was about five years ago. Whatever the hole was, it has probably been patched.