android

利用 Sensor 校正資訊產生 Device Fingerprint 的隱私攻擊

看到「Fingerprinting iPhones」這篇提出的攻擊，標題雖然是提到 iPhone，但實際上攻擊包括了 Android 的手機：

You are affected by this fingerprinting attack if you are using any iOS devices with the iOS version below 12.2, including the latest iPhone XS, iPhone XS Max, and iPhone XR. You are also likely to be affected if you are using a Pixel 2/3 device, although we hypothesise the generated fingerprint has less entropy and is unlikely to be globally unique. A SensorID can be generated by both apps and mobile websites and requires no user interaction.

目前 iPhone 升級到 12.2 之後可以緩解這個問題，Android 看起來還不清楚...

攻擊的方式是透過手機在出場前會使用外部的校正工具，找出手機內 sensor 所偵測到的值與實際值的差異，然後把這些資訊燒到韌體裡，當呼叫 API 時就可以修正給出比較正確的值。

而因為這些校正資訊幾乎每一隻手機都不一樣，而且不會因為重裝而變更 (即使 factory reset)，加上還可以跨 app 與 web 追蹤，就成為這次攻擊的目標：

In the context of mobile devices, the main benefit of per-device calibration is that it allows more accurate attitude estimation.

資訊量其實相當大，透過 app 分析可以得到 67 bits entropy，透過網頁也有 42 bits entropy，而且不怎麼會變：

In general, it is difficult to create a unique fingerprint for iOS devices due to strict sandboxing and device homogeneity. However, we demonstrated that our approach can produce globally unique fingerprints for iOS devices from an installed app -- around 67 bits of entropy for the iPhone 6S. Calibration fingerprints generated by a website are less unique (~42 bits of entropy for the iPhone 6S), but they are orthogonal to existing fingerprinting techniques and together they are likely to form a globally unique fingerprint for iOS devices.

We have not observed any change in the SensorID of our test devices in the past half year. Our dataset includes devices running iOS 9/10/11/12. We have tested compass calibration, factory reset, and updating iOS (up until iOS 12.1); the SensorID always stays the same. We have also tried measuring the sensor data at different locations and under different temperatures; we confirm that these factors do not change the SensorID either.

目前提出來的解法是加入隨機值的噪音 (iOS 的作法)，不過作者有建議預設應該要關閉 js 存取 sensor 的權限：

To mitigate this calibration fingerprint attack, vendors can add uniformly distributed random noise to ADC outputs before calibration is applied. Alternatively, vendors could round the sensor outputs to the nearest multiple of the nominal gain. Please refer to our paper for more details. In addition, we recommend privacy-focused mobile browsers add an option to disable the access to motion sensors via JavaScript. This could help protect Android devices and iOS devices that no longer receive updates from Apple.

不過當初這群人怎麼會注意到的...

Cloudflare 打算再推出 VPN 服務

去年在四月一日推出 1.1.1.1 服務的 Cloudflare 打算更進一步保護連線內容，提供 Wrap 服務 (就是 VPN)：「Introducing Warp: Fixing Mobile Internet Performance and Security」。

不過這樣在 privacy 上的保護就變弱了，因為 Cloudflare 手上就拿到更多流量資訊可以交叉比對... 大概會申請起來放著在外面用，而不會平常就開著。

申請是透過 app 申請，Android 的在「1.1.1.1: Faster & Safer Internet」這邊，而 iOS 的在「1.1.1.1: Faster Internet」這邊。

目前申請後需看到排隊的編號，像是這樣：

Android 的 FIDO2

在「Android Gets FIDO2 Certification—Now Supports Secure Passwordless Logins」這邊看到 Android 7.0 支援 FIDO2 了：

If you have already installed the latest update of Google Play Services released earlier today, and your Android device is running Android version 7.0 Nougat or above—Congratulations! Your device is now FIDO2 Certified.

所以在 browser 有配合的情況下，可以用手機當作 MFA，而且 anti-phishing...

Facebook 花錢向使用者購買他們的行為記錄

這則從 Nuzzel 上看到的，國外討論得很凶：「Facebook pays teens to install VPN that spies on them」。

Facebook 付錢給使用者，要他們安裝 VPN (以及 Root CA，看起來是為了聽 HTTPS 內容)，然後從上面蒐集資料，這本身就不是什麼好聽的行為了，但更嚴重的問題在於包括了未成年人：

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.

這個計畫在 iOS 平台下架了，但 Android 平台看起來還是會繼續：

[Update 11:20pm PT: Facebook now tells TechCrunch it will shut down the iOS version of its Research app in the wake of our report. The rest of this article has been updated to reflect this development.]
Facebook’s Research program will continue to run on Android. We’re still awaiting comment from Apple on whether Facebook officially violated its policy and if it asked Facebook to stop the program. As was the case with Facebook removing Onavo Protect from the App Store last year, Facebook may have been privately told by Apple to voluntarily remove it.

未成年人部份應該會是重點，拉板凳出來看...

在 Android 上支援 DNS over HTTPS 的 Intra

Intra 是 Alphabet (Google 母公司) 旗下 Jigsaw 所開發的 app (目前只有 Android 的，依照說明需要 4.0+)，透過 VPN 的架構換掉 DNS 設定，透過本機的 DNS Proxy 改走到外部的 DNS over HTTPS 服務上。

走 DNS over HTTPS 可以降低 DNS 被干擾 (security issue) 或是被監控 (privacy issue) 的風險。

在軟體內已經先內建了兩個 DNS over HTTPS 清單，一個是 Google 的 Google Public DNS，另外一個是 Cloudflare 的 1.1.1.1，除此之外也可以自己輸入。

由於是 Alphabet 家的軟體，預設是用 Google 的服務。

軟體本身是 open source 專案 (Apache-2.0)，程式碼在 Jigsaw-Code/intra 這邊可以取得。

Android 打算針對 Data Saver + 2G 網路的使用者關閉 JavaScript 功能

在「Chrome for Android may start disabling JavaScript on 2G connections」這邊看到的，引用的文章是 XDA 的「Google Chrome on Android to disable JavaScript automatically on 2G connections」。

在「Disable scripts for Data Saver users on slow connections」這邊可以看到 Android 的計畫，在打開 Data Saver 的情況下，Chrome 會停用 JavaScript，並且提示使用者：

If a Data Saver user is on a 2G-speed or slower network according to the NetInfo API, Chrome disables scripts and sends an intervention header on every resource request. Users are shown a UI at the bottom of the screen indicating the page has been modified to save data. Users can enable scripts on the page by tapping “Show original” in the UI.

在「Enabled NoScript Preview feature by default on Android」這邊可以看到對應的程式修改。

這樣反而可以少收到很多廣告耶，反倒希望是全域打開 XDDD

沒有 Google 專屬套件的 Android

剛剛在「How to Android without Google」這邊的文章裡看到「How to Android without Google [easy way]」這篇指南，說明如何弄出一個沒有 Google 專屬套件的 Android 環境。

主要是 LineageOS 當作底層基礎 (作業系統)，然後用 microG 提供 API 相容層，並且用 F-Droid 安裝 Open Source 軟體。

裡面有兩個方案以前沒看過，一個是 XPosedFramework，提供框架讓使用者有更強的控制力，更完整的說明可以參考「Xposed Framework + App Settings 為每個 App 設定不同的運行模式」這篇。

另外一個是 Yalp Store，當軟體只在 Google Play 平台上提供安裝的時候，就需要透過這個套件了 XD

非 Google 的 Android 手機環境

主要是記錄下來，完全不靠 Google 目前還是有點難度：「De-Googling my phone」。

主要是刷機成 LineageOS (還是 Android)，然後上面不裝 OpenGApps，而是靠其他軟體來補足... 在英文版維基百科的「List of free and open-source Android applications」也有不少資訊可以看。

另外一個蠻重要的應該是 microG Project，不過在文章裡沒提到...

Telegram 推出新的 Client：Telegram X

Telegram 推出新的 client，叫做 Telegram X：「Telegram X: Progress through Competition」。

全新打造：

The Telegram X project features apps written from scratch, with an entirely new code base and without all the legacy components that our older apps have accumulated through the years.

然後包括 iOS 版本與 Android 版本都有對應的版本：

The goal of Telegram X is to reinvent Telegram and explore new frontiers in speed, ease of use, quality of animations and all other aspects. Today we are glad to present two new official apps – Telegram X for Android and iOS.

就裝起來玩看看，不知道實際的感覺會有什麼差異...

拿來分析 Android APK 檔的 Droidefence

忘記在哪邊看到的，分析 Android APK 檔的軟體：「Droidefense: Advance Android Malware Analysis Framework」。

Droidefense (originally named atom: analysis through observation machine)* is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researcher have on they every day work. For those situations on where the malware has anti-analysis routines, Droidefense attemps to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection. tracer pid check, and so on.
Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allow us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.

看起來是輔助用的工具... 先記錄下來 XD