Is Android any less trustworthy than other Linux Distros ?

Usjes

Hi,

Thinking of getting a Tablet and was going to go for a Samsung with Android on it. Security is important to me though and in light of Google being implicated as one of the miscreants colluding with NSA and GCHQ I am wondering if Android should be avoided. So, is Android just as open source as any other distro? Will I be able to recompile Android from trusted source or do I just have to 'trust' Samsung/Google that the binary on the device corresponds to a particular version of the source code. Or would I easily be able to install the Linux of my choice on something like the Galaxy Note ?

Thanks,

Usjes.

srsly78

Android may be opensource, but the code for lots of device drivers and various system apps you may use is not.

So no, there is no practical way for you to personally audit what you are running. There are no good opensource alternatives for things like 3g radio etc, you are forced to use whatever the manufacturer provides. Clearly there could be lots of trojans hidden in these binary blobs, this is why many are reluctant to use Huawei stuff (backdoor for Chinese govt). No doubt american hardware is similarly supportive of their own spies.

There ARE some opensource mobile phone implementations around, but only for very old hardware. Will always be a few years behind the cutting edge. For tablets you may don't care about telephony, but the same limitations may apply to things like proper opensource wifi drivers, graphics drivers etc.

Usjes

srsly78 wrote: »

Android may be opensource, but the code for lots of device drivers and various system apps you may use is not.

So no, there is no practical way for you to personally audit what you are running. There are no good opensource alternatives for things like 3g radio etc, you are forced to use whatever the manufacturer provides. Clearly there could be lots of trojans hidden in these binary blobs, this is why many are reluctant to use Huawei stuff (backdoor for Chinese govt). No doubt american hardware is similarly supportive of their own spies.

There ARE some opensource mobile phone implementations around, but only for very old hardware. Will always be a few years behind the cutting edge. For tablets you may don't care about telephony, but the same limitations may apply to things like proper opensource wifi drivers, graphics drivers etc.

Agreed, specific drivers could also be compromised but my specific question is about the Linux kernel in Android, is it completely open source ? Can I re-compile it myself, what about putting other Linux distros on the Galaxy Note, or is Android locked down by Samsung.

My reasoning is that it is a lot easier of the US to strongarm a single US company (Google) to compromise the kernel than it is to try to force a plethora of hardware makers from all over the world to compromise each of their drivers.

syklops

Usjes wrote: »

Agreed, specific drivers could also be compromised but my specific question is about the Linux kernel in Android, is it completely open source ? Can I re-compile it myself, what about putting other Linux distros on the Galaxy Note, or is Android locked down by Samsung.

My reasoning is that it is a lot easier of the US to strongarm a single US company (Google) to compromise the kernel than it is to try to force a plethora of hardware makers from all over the world to compromise each of their drivers.

I have personally seen Fedora running on a Tablet. It might be what you are looking for. To single-handedly recompile the Android kernel, taking out all closed source drivers, and at the end of which you have a working install, would IMO be too much work for one person. While you are waiting for that to become mainstream, might be time to step through the source code of selinux, if you know what I mean.

Khannie

syklops wrote: »

might be time to step through the source code of selinux, if you know what I mean.

Capt'n Midnight

syklops wrote: »

I have personally seen Fedora running on a Tablet. It might be what you are looking for. To single-handedly recompile the Android kernel, taking out all closed source drivers, and at the end of which you have a working install, would IMO be too much work for one person. While you are waiting for that to become mainstream, might be time to step through the source code of selinux, if you know what I mean.

Compilers have been compromised too.

A very clever programmer could use some steganography or similar techniques to hide code within code. It's not like easter eggs don't exist, also you would have to be very careful about security updates.

Might be easier to use a separate device for the really private stuff. Or the old chestnut of OPENBSD with no additional drivers or services using a VPN from inside a VM (hoping that the VM doesn't leak)

syklops

Capt'n Midnight wrote: »

Compilers have been compromised too.

So you think the OP should write his own compiler and then compile everything with that?

A very clever programmer could use some steganography or similar techniques to hide code within code. It's not like easter eggs don't exist, also you would have to be very careful about security updates.

Steganography is hiding information within images, do you mean obfuscation?

Capt'n Midnight wrote: »

Might be easier to use a separate device for the really private stuff.

There is no such thing as really private stuff, there is just stuff and the OP doesn't want the NSA to be reading his stuff.

Or the old chestnut of OPENBSD with no additional drivers or services using a VPN from inside a VM (hoping that the VM doesn't leak)

First off, VMs have been compromised, secondly, the OP wants a Tablet. I've not seen OpenBSD running on a tablet.

Capt'n Midnight

syklops wrote: »

So you think the OP should write his own compiler and then compile everything with that?

no,
just pointing out that if you are going to be properly paranoid you have to take it deeper

Steganography is hiding information within images, do you mean obfuscation?

obfuscation is widely used to protect algorithms, steganography is "within every program there is another struggling to get out" It could be self modifying code or just playing with pointers and text strings.

There is no such thing as really private stuff, there is just stuff and the OP doesn't want the NSA to be reading his stuff.

Hide in the noise.
If you encrypt everything you may just attract attention and all the fancy tricks are no use if there's a keylogger in the firmware or an app that can figure out your key presses from accelerometer changes.

First off, VMs have been compromised, secondly, the OP wants a Tablet. I've not seen OpenBSD running on a tablet.

It would run in the VM, of course VM's have been compromised but you are hoping the VM will insulate you from some of the stuff on the tablet's OS / Firmware / Drivers as you don't have to worry about model specific stuff.

The other reason for using a VM with a VPN is to try to separate the identity of the tablet from the VM, ( not much use but it's a layer )



Options would be to try to get an i386 compatible tablet pc thingy , more OS's to choose from. Perhaps the ubuntu tablet will have less crud on it ?


But putting on the tinfoil hat you have to remember a lot of graphics processing etc. is going on in the CPU esp, in "one chip" systems and while it's unlikely that there is a spy in there it would be quite a coup. (unlikely because of the number of people known to reverse engineer chips for fun)


Also don't forget your ISP will know everything too, so you better change to one that isn't owned/controlled by the UK, US , OZ , (NZ or Canada) and doesn't uses equipment from US, China, Israel, UK.



There was an event on in the US Embassy. All you needed to provide was your name and date of birth. :pac:

46 0s

Android "Back up my data" sends unencrypted plaintext private information (likely including your home wi-fi password) back to Google, who have to give it over if asked.

Khannie

I don't really consider Android to be a Linux distro tbh. It's basically a linux kernel with a Java distro.

The vast bulk of the software is closed source and it's running on a device that has access to my whereabouts. So yeah, I consider it less trustworthy.

syklops

Captain Midnight wrote:

just pointing out that if you are going to be properly paranoid you have to take it deeper

Paranoia is defined as an irrational or delusional belief that outside forces threaten your safety. In this case safety of privacy.

The OP is, in my opinion, neither irrational nor delusional in that we have hard evidence that the NSA in collusion with GCHQ have been reading our emails, and he is looking for a tablet which will make that more difficult.

OP, the technology which makes the NSA's job so much easier is cloud-based solutions. Backing up your devices content and configuration(including its passwords) to a server probably located in Palo Alto, which is basically just down the road from Fort Mead, Maryland. The NSA don't need to compromise compilers when most people via their smart phone or tablet opt in for a service like this. Disable cloud-backup type services and you will go a long way to protecting your data.

Not sure what you want the tablet for but one idea is to just not connect it to the internet and instead just sideload all the content onto it.

Capt'n Midnight

46 0s wrote: »

Android "Back up my data" sends unencrypted plaintext private information (likely including your home wi-fi password) back to Google, who have to give it over if asked.

actually it and the apps send a lot of stuff back and forth unencrypted all the time

Capt'n Midnight

syklops wrote: »

The OP is, in my opinion, neither irrational nor delusional in that we have hard evidence that the NSA in collusion with GCHQ have been reading our emails, and he is looking for a tablet which will make that more difficult.

of course

the point being that a little paranoia would only give a false sense of security, and that it's very difficult to block off all probably avenues

if they really, really, really wanted to they could delve deeper , in a modern OS it's impossible to plug all the holes it's just too much code to verify and you will never convince me there aren't spooks infiltrated into positions of trust in many of the big software houses , well snitches rather than spooks

and of course there are N types of zero day attacks in the wild, even if you could trust the code

Disable cloud-backup type services and you will go a long way to protecting your data.

Not sure what you want the tablet for but one idea is to just not connect it to the internet and instead just sideload all the content onto it.

With an android it's very difficult to disable all the cloud services without also disabling all the network connectivity, including wifi, gps, phone, and all the apps and setting up fake accounts and remembering the whole time it will phone home the first chance it gets


you pays your money and you takes your chances

Macumazan

Usjes wrote: »

Hi,

Thinking of getting a Tablet and was going to go for a Samsung with Android on it. Security is important to me though and in light of Google being implicated as one of the miscreants colluding with NSA and GCHQ I am wondering if Android should be avoided. So, is Android just as open source as any other distro? Will I be able to recompile Android from trusted source or do I just have to 'trust' Samsung/Google that the binary on the device corresponds to a particular version of the source code. Or would I easily be able to install the Linux of my choice on something like the Galaxy Note ?

Thanks,

Usjes.

Hi Usejes,

This is a really great question and it's something that weights on my mind too. You can of course encrypt the Android tablet and the encryption scheme is based on dm-crypt so in theory your device will be just as secure against being seized as a computer running a linux distro similarly encrypted.

If you want to be extra sure I would suggest you buy an Android tablet and replace the Android OS entirely with Cynaogen Mod, their page here shows this OS supports a number of tablets and there's been a real push, particularly recently to increase security both on the device itself and to encrypt communications.

The CM wiki has very easy to follow step by step instructions on installing this on your device and indeed that's what I've done with my own Android phone.

Cynaogen Mod however does still make use of some proprietary software, so if you're feeling ultra paranoid then you could install Replicant, for instance on the Samsung Galaxy Tab 2 (instructions here). In this case the bootloader is still proprietary, which is a big worry but I would say that's the highest level of protection you're going to get on an Android device in terms of data storage.

Of course even if the stormtroopers can't get in to your tablet, they may be able to snoop on your connection, so do make sure you're using WPA2-AES encryption on your wireless network, and use TOR or a VPN to connect to the internet.