A Proposal for a Security Enhanced Android Smartphone

In the modern world the smartphone has evolved to become the main interface of citizens to interact with an increasingly digitised world. A smartphone, as a concept, is a deeply interconnected device with installable applications (from known or unknown sources) and network interfaces that link the device through multiple protocols to various networks.

More and more common tasks have been absorbed by these devices in our pockets, such as identification and authentication over the internet, payments and acquisitions through apps or marketplaces such as Amazon, social relationships through social networks such as TikTok or Instagram, as well as the information we consume and build our worldview upon. In addition to all of this, GPS is a primary feature of these devices to enable applications such as navigation and maps, which has become the established manner to obtain the past and present precise geolocation of its holder, plus all the information from the telephone system to route calls and data through modern cellular networks.

This makes the smartphone-and the sensitive data it stores-a highly attractive target for threat agents. Whether it is ad networks seeking to maximize engagement, or state actors aiming to undermine opposition within a particular jurisdiction, the security of smartphones has emerged as one of the most critical and impactful areas in cybersecurity.

Due to all this, we have developed this document with the purpose of proposing an approximation to what could be a more protected Android Smartphone, through the study and research of its security in more detail. We propose a configuration using a Pixel phone with GrapheneOS installed, including a set of security policies in addition to applications with specific purposes.

This will be presented in a layered approach from the bottom up.

Mobile Threat Model

We will use two sources to list the main threats: the ENSIA smartphone threat and the OWASP smartphone threat list. As well, we will bring up our own list of threats by state-sponsored agents TTPs. The existing countermeasures for each of them are also presented in the Android Security Model.

ENISA Smartphone Threat

• Data leakage resulting from the device lost or stolen.
• Unintentional disclosure of data.
• Attacks on decommissioned smartphones.
• Phishing attacks.
• Spyware attacks.
• Network spoofing.
• Surveillance attacks.
• Diallerware attacks.
• Financial malware attacks.
• Network congestion.

OWASP Smartphone Risk

• Weak server side controls.
• Insecure data storage.
• Insufficient transport layer protection.
• Unintended data leakage.
• Poor authorization and authentication.
• Broken cryptography.
• Client side injection.
• Security decisions via untrusted inputs.
• Improper session handling.
• Lack of binary protections.

State/Criminal Sponsored Threats

• Network traffic analysis.
• Malware
  • Cerberus Malware
  • Pegasus Spyware
• Forensic Investigations executed by an adversary
  • Cellebrite UFED
  • Magnet Forensics Inc.
  • GrayKey
  • MSAB Forensics
• Government Biometry Database Leaks

The Handheld Device

Secure Hardware

The Pixel hardware and beyond comes with a Google Tensor Processor and a Titan M2 Chip, which provide interfaces for the operating system and installed applications to implement a safe key data store within the device.

The threat model of this datastore is the same as the one present in other Smartcards; it can take its own decisions within a safe execution environment to defend itself against an attacker with physical access to the device.

The Pixel is also equipped with a fingerprint sensor of Class EAL 3, which is classified as methodically checked and tested in Common Criteria.

Regarding the CPU, the Google tensor processor is an arm64 processor developed by Google itself, which makes use of ARM64 Security Extensions, also known as ARM TrustZone to secure the device at the hardware level.

The processor itself provides:

• A dedicated Android Private Compute Core.
• TrustyOS ROM as open Source Trusted Execution Environment.
• One Time Programmable Memory.
• Processor Crypto Engine.
• Internal static RAM and protected dynamic RAM.

Secure Operating System

There are more security guarantees than the one Stock ROM provides, all of them under the umbrella and control of Google Inc. such as:

• Anti-Phishing Protections
• Malware detection via Google Play Protect.
• Android Private Compute Service
• Android binary transparency to detect supply-chain attacks.

The complete list can be found here.

However, our threat model includes the interests of any international corporation that sells their user data, specially highly valued targets such as government officials or business executive directors. If privacy is valued, then we need to consider the stock ROM an adversary and should substitute it with a privacy friendly ROM.

GrapheneOS is an Open Source ROM focused on guaranteeing privacy and security of its users via substantial improvements on the application sandbox, common exploit mitigations and patches on the permission model (allows users a more granular control of what installed applications are allowed to access within the system).

This way, the operating system is not a walled garden where responsibility for security resides on the manufacturer, but rather a transparent digital domain where the users have complete initiative and control over what goes into and out of the device.

This operating system is also open source, and users are encouraged to review it, study it, as well as installing it on their devices and submitting improvements.

Secure Apps

What each application can or cannot do is defined in the Android Permission Model which establishes the level of authorization to the Java API.

Late versions of Android allow granular permission selection at user level, in which we should only allow applications to do what they are supposed to do. However, exploitation of Android Custom Permissions might still be possible as well as system exploitation.

As a general rule, we trust audited Open Source applications first via F-Droid Store, plus applications distributed through the Google Play Store in order to provide a certain level of guarantee supply-chain security.

The F-Droid store is based on the same security model and update framework used in Linux Debian, which has successfully been able to keep this operating system secure up to a certain degree by cryptographically assuring the origin of the software to a certain authorized set of repositories.

Avoidance of installing unsigned or unknown APKs from the web should be seriously considered, as their origin and authenticity is impossible to audit except via reverse engineering techniques.

In case a malicious APK has been successfully installed by an attacker, the compromised application will be inside the first line of defense of the device, which is the Application Sandbox.

The security will then depend on the strength of GrapheneOS in order to achieve further access beyond the permissions delivered upon installation by the user, as well as the direct or lateral access that the Java and C++ APIs can provide.

Secure Communications

Protecting Information Flows

Most applications nowadays use a modern version of TLS in order to encrypt the traffic going over the network.

However, the security model of TLS can be broken with law enforcement devices equipped with decoding keys for most of the SSL certificates on the internet, providing the capability of network traffic analysis to a sufficiently equipped adversary.

In order to mitigate against these threats, it is strongly recommended to use a VPN, which will establish a secure tunnel from the device to a trusted network where the probability of eavesdropping from an adversary is low.

This is particularly important in jurisdictions in which indiscriminate surveillance and internet censorship has been widely deployed in countries such as Iran, China, Russia, Belarus as well as being in an advanced state in the US and some European countries.

Secure Services

Although this goes beyond the scope of protecting an Android device and suits more into building secure distributed systems, it is necessary to mention it and for it to be understood in order to guarantee secure communications.

Next level security would be to use applications with Open Source backend, which means applications such as Telegram, WhatsApp and any other social media platform would be disqualified.

This is due to the use of a closed backend in which the management of user data is obscured, specially when those applications operate beyond the frontiers of the European Union and user data privacy laws such as GDPR are not enforceable.

This analysis leads to the conclusion that we need to assume all communications and data transmitted over these services are public or at the least partially undisclosed.

This category includes artificial intelligence applications such as ChatGPT as well as traditional search engines such as Google.

To provide strong security and privacy guarantees, end-to-end encryption needs to be used in messaging applications, in addition to control over the backend services our apps will connect to. Thus, the recommended applications are:

• Simplex App, which has a minimal backend which just forwards messages in an end-to-end encryption scheme and a system of identification decoupled from the phone number.
• Conversations App, which allows the setup of private XMPP Servers under the control of an organization or group.

Operational Security Policies

Even the most advanced and sophisticated security mechanisms can be breached by the incompetence or lack of awareness of its users.

A secure smartphone will not keep its user secure in the same way that a gun will not make its holder safe, you need to know how to use it as well as participate in simulated engagements.

Security as a concept is a multifaceted and multi-disciplinarian endeavour involving specific countermeasures such as a VPN, use of encryption, 2FA or antivirus apps, which are only effective to solve specific problems within the context of the threat model.

Therefore, the ultimate cyberdefense system is a trained and skilled security operator that knows how to use these mechanisms as well as understanding their limitations.

The majority of security issues come from authentication attacks and password management failures, as well as lack of data loss due to unexisting backups. Most attacks and breaches on services can be mitigated via two security mechanisms:

• Setup Two Factor authentication via OTP. An application that provides this is Aegis App, which is Open Source and can be saved in a secure backup.
• Use a password manager such as KeePassXC or Bitwarden password manager.

The next operational problem is DLP or Data Loss Prevention, which essentially implies doing periodic secure backups of all device data.

This secure backup will need to be encrypted and stored in a trusted location in order to guarantee security and recovery in case of device destruction or data loss with the purpose of the user being able to recover his or her credentials as well as the data encrypted with them.

Android provides an operating system mechanism to create such backups, which requires the generation of a recovery key that will need to either be memorized by the user or stored in a different trusted location other than the place where the secure backup will be stored.

Regarding communications, it is recommended to always have the VPN always enabled, as well as avoiding any untrusted public networks.

In Android devices, the best option might be to disable the WiFi interface unless truly necessary and just access the Internet through the mobile network via a data subscription, as well as avoiding the use of Bluetooth.

The reason for this is to reduce the number of actors that may be able to execute a Man-in-the-Middle Attack on the device communications by minimizing the level exposition.

It is also recommended to minimize the number of applications installed in the device as each new application installed increases the probability that an attacker will successfully install malware via the successful exploitation of that application.

The smaller the attack surface, the harder a potential attacker will need to work to reach its objectives without revealing itself. Any new app installed on the phone, new contacts, functions, inflows or outflows of information will open up new relationships, connections and risks.

Finally, Cybersecurity is not static, but rather a dynamic and multilayered environment with a variable level of risk, so adaptability is key as new requirements and use cases for both individual and organizational challenges arise.

This means that a skilled operator will need to be able to assess the capabilities of the threat it is defending against, as well as constantly participate in risk management activities to adapt its existing security posture.

Conclusion

As the digital dominance arises and drastically increases exponentially every year, security has leveled from being a simple ethereal thought to an obligation-a personal obligation. No one would even think about leaving insecurely their physical houses, so why be so passive on our data and digital security, where nowadays most of our belongings live?

The increasing integration of smartphones into nearly every facet of our lives has elevated these devices into prime targets for cyber threats. This work has outlined the significant challenges faced by current Android smartphones in securing sensitive data, while also proposing a robust framework for security enhancements. By integrating architectural changes and security protocols, our proposal aims to not only mitigate existing vulnerabilities but also to anticipate and counter emerging threats in the smartphone ecosystem.

This document and its contents were developed with the determination of being of practical use to the reader, along with the motivation for it to help bring existing problems of the digital world into the public eye in order to build a safe and free society. As Thomas Hobbes said, knowledge is power, and as in the movie Spiderman, with great power comes great responsibility.