1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 12:51:34 -05:00

Update Android Tips

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2022-11-14 00:33:13 -05:00
parent 0c8cc3a910
commit 9e82ae921c
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2

View File

@ -54,6 +54,14 @@ If you trust the hardware enforced rate limiting features (typically done by the
Ideally, you should be using a 8-10 word [diceware passphrase](https://en.wikipedia.org/wiki/Diceware) to secure your phone. This would make your phone unlock practically impossible to bruteforce, regardless of whether there is proper rate limiting or not. Ideally, you should be using a 8-10 word [diceware passphrase](https://en.wikipedia.org/wiki/Diceware) to secure your phone. This would make your phone unlock practically impossible to bruteforce, regardless of whether there is proper rate limiting or not.
## Setup Auditor
[Auditor](https://github.com/GrapheneOS/Auditor) provides attestation for GrapheneOS phones and the stock operating systems on [a number of devices](https://attestation.app/about). It verifies the integrity of the system using hardware security features to make sure that the firmware and operating system have not been tampered with or downgraded.
Attestation can be done [locally](https://grapheneos.org/install/web#verifying-installation) by pairing with another Android 8+ device or remotely using [the remote attestation service](https://attestation.app/about). To make sure that your hardware and operating system is genuine, perform local attestation immediately after the device has been setup and prior to any internet connection.
## Use Global Toggles ## Use Global Toggles
Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, you should disable these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled. Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, you should disable these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
@ -76,7 +84,7 @@ On GrapheneOS, connectivity checks by default are done with GrapheneOS's own ser
If you want to, you can disable connectivity check altogether. Note that this will stop captive portal from working. If you want to, you can disable connectivity check altogether. Note that this will stop captive portal from working.
- On GrapheneOS, go to **Settings****Network & internet****Internet connectivity check** and select **Disabled** - On GrapheneOS and DivestOS, go to **Settings****Network & internet****Internet connectivity check** and select **Disabled**
- On other Android-based operating systems, you can [disable captive portal via ADB](https://gitlab.com/CalyxOS/calyxos/-/issues/1226#note_1130393164). - On other Android-based operating systems, you can [disable captive portal via ADB](https://gitlab.com/CalyxOS/calyxos/-/issues/1226#note_1130393164).
To disable: To disable:
@ -91,6 +99,20 @@ To re-enable:
adb shell settings delete global captive_portal_mode adb shell settings delete global captive_portal_mode
``` ```
## Enable Secure Exec Spawning
GrapheneOS and DivestOS have the option to spawn fresh processes when launching applications instead of using the traditional Zygote spawning model. You can read more about this [here](https://grapheneos.org/usage#exec-spawning).
On GrapheneOS, this feature is enabled by default. On DivestOS, it is not enabled by default, and you should enable it in **Settings****Security****Enable secure app spawning**.
## Restrict USB Peripherals
USB peripherals should be disabled or set to only be allowed when the device is unlocked if possible.
On GrapheneOS, you can adjust this settings in **Settings****Security****USB accessories**. The OS defaults to "Allow new USB peripherals when unlocked".
On DivestOS, you can adjust this settings in **Settings****Privacy****Trust****Restrict USB**. The OS defaults to "Always allow USB connections", and you should change it to one of the two other options as mentioned above.
## Media Access ## Media Access
Quite a few applications allow you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter. Quite a few applications allow you to "share" a file with them for media upload. If you want to, for example, tweet a picture to Twitter, do not grant Twitter access to your "media and photos", because it will have access to all of your pictures then. Instead, go to your file manager (documentsUI), hold onto the picture, then share it with Twitter.