Guardian Rom - Secure Android OS

Discussion in 'privacy technology' started by x942, Jun 9, 2013.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Hi x942,

    mirimir asked a question about Guardian Rom over in the NSA thread in the privacy general forum (message #1429) that said:

    "With Guardian Rom, I might trust an Android. However, there's the problem that the user base might stay so small that merely using it would be a huge flag :(

    Will there be a stealth mode?"

    -- Tom
     
  2. x942

    x942 Guest

    With Guardian Rom there is hidden os. So you could run in the "decoy" os 90% of the time except for when you are doing something private/secure and then switch to hidden os. I guess I coud make the about phone display fake info but this may confuse some users.

    Once our kickstarter is done I will be hosting some Tor hidden services to help anonymize usage. So if you are afraid of being targeted due to using Guardian Rom then you could go through that. but There's no ETA on this yet though.

    As far as the samsung "backdoor" goes. Our hardened kernel blocks those calls in the same way that SeLinux does on stock samsung devices.

    Basically any device running SeLinux restricts what the "radio" user can access. Preventing the modem from accessing any user data. This means the radio can only access files it owns (/efs/root on samsung devices).

    I personal think this is not a "backdoor" as there is no evidence it can be remotely exploited and samsung themselves restricted it with SeLinux on their devices (why would they do this if it was a backdoor?). More likely its a debuging feature for their techs to fix/test the phone.

    Eitherway it is BLOCKED by our kernel. So if you are worried you can breath easier now. :thumb:

    I am also testing the Gnex with Replicant. If our changes work I will use replicant on the devices they support. :)
     
    Last edited by a moderator: Mar 14, 2014
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @x942

    Thanks :)

    Let's say that I can get and install Guardian Rom on my new Android with near-total anonymity. What I'm wondering is who could determine that my Android is using it.

    What can adversaries see when turning on the device, with full encryption? Would it be generic, or Guardian Rom specific?

    If an adversary get's the device while the decoy OS is running/unencrypted, do they see a Guardian decoy, or a generic decoy?

    If an adversary get's the device while the hidden OS is running/unencrypted, it doesn't matter much :(

    If I connect to a WiFi AP using the decoy OS, what could it see?

    If I connect to a WiFi AP using the hidden OS, what could it see?

    If I connect to a cellphone network using the decoy OS, what could it see?

    If I connect to a cellphone network using the hidden OS, what could it see?

    @lotuseclat79

    Thanks for mirroring the question here. I was lazy :(
     
  4. x942

    x942 Guest

    Only if the device was unlocked and they could look at the about device. The build ID shows Guardian Rom. Or if the looked at the build.prop file.


    It looks like native android encryption. Just like anyother normal android device. No visual difference. It just uses AES-256-XTS instead of AES-128-CBC.

    Nope. Like truecrypt, there is no way to prove the existence of the hidden OS. (except through data leakage like bruce Schneier showed a while ago - Don't move data from the hidden partition to an unencrypted device or the decoy partition and you are safe).

    A lock screen PIN would help here. Entering the PIN wrong 10 Times reboots the phone. Also the panic button app we are working on would allow you to reboot the phone instantly if needed.

    It would show as android. Now this is where it gets tricky. Based on what you have set to sync (email etc.) an adversary may be able to guess you are using a hidden OS. For example. If I have my email (example@example.com) setup on the decoy OS and I have secret@secret.com set up on the hidden OS an adversary who is monitoring the network may be able to infer that since they never sync at the same time Guardian Rom is in use and so is a Hidden OS.


    The same applies to Cellular. You telco will see any metadata and may be able to infer the use of the hidden OS. I would recommend the use of a VPN/Tor. This way its harder to tie the traffic to your device. At least in this case your Provider/adversary can't see what the data is so they can't infer the use of hidden OS as easily, if at all.

    You may also consider using a serperate SIM for hidden OS. But it probably isn't necessary as all calls should be going over encrypted VOIP (Ostel) not normal channels. Adding a VPN to this would hide the use of Ostel from your telco too.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @x942

    Thank you very much for the detailed answers. I am greatly reassured :)

    I have a few other questions, though. For PCs, various parts of the OS handle networking. So with an open-source OS, networking is open-source too. There may be proprietary device drivers, of course. But if they're operating in an open-source environment, it's possible to see at least most of what they're doing.

    But with smartphones, the firmware is basically a separate proprietary OS, right? It does far more than PC BIOS or device drivers do, right?

    So what can the firmware see and log, and what can it share with WiFi or cellular networks? Can the firmware report about what OS(s) are installed? And when they were used? Specifically, what does firmware know about the hidden OS?

    Thanks :)
     
  6. pharmakos

    pharmakos Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    3
    Location:
    midwest
    Hi,
    I saw the March 16th announcements. When will there be a build that I can flash my Nexus 5 with? It is sitting there doing nothing :(

    If the GR is useful for me, I intend to be a kickstarter support at at least the CUSTOM VERSION level. (you ought to consider a level between that and the business level.)

    But I want to get something on my Nexus 5 first to look at.

    Thanks, Pharmakos
     
  7. x942

    x942 Guest


    No problem. As far as modems go. We no so little. They are very old and closed. Most of the firmware you see on these modems hasn't been updated in a long time. We are working to further isolate what the modem can do. Our kernel blocks a lot of the calls, like the samsung backdoor for example. In some phones though the modem can access parts of RAM and CPU, sometimes even camera or microphone. With that said replicant has made some progress to block this.

    It's also why we are aiming to support WiFi only devices to. Those have far less proprietary firmware's and none of this second OS that 3G modems have. My idea was at one point to have a phone that was secure and shipped with Guardian Rom. The phone would have a removable 3G modem so you could use it on demand but not be required to have it always on.


    Nexus 5 will be soon. After the kickstarter I can focus on porting Mobiflage over. Due to the changes in they encryption works we get some breakage currently. On the plus side once ported over all builds (except the GNex) can be brought up to 4.4.2 instead of 4.2.2.

    Any reccomendations on more perks? I don't want to do a lot of physical perks as it eats into our funds. I am open to sugestions though.:)
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @x942

    Thanks again :)

    I like the idea of a removable 3G modem. But that would be totally custom hardware, right?

    If the modem is discrete enough, maybe a physical switch (even an on/off transistor) would be possible. I wonder if there's anything on the "take it apart" sites.
     
  9. x942

    x942 Guest

    Yup. We do have some third-parties interested but I don't know how far they would take "security". I doubt we would get the 3G modem unless we made it ourselves.
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    As we discussed, why not just have a "good" and "bad" radio.img on the phone? Then, when you want zero 2G/3G/LTE liability - you boot to recovery and destroy the radio.img When you want to allow, flash the "good" radio, back.

    Feasible?
     
  11. x942

    x942 Guest

    The bad images may or may not work, lot's of phones don't allow flashing the radio with an unsigned image. You can try it though. I have had luck on some models. But HTC with S-ON blocks this. LG with Secure Boot on blocks this. Even with unlocked bootloader.

    Also our Kickstarter was approved so we are launching on Monday. :thumb:
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    :thumb:

    However, I see that they accept payments via Amazon. But I don't see that Amazon accepts Bitcoins :( Is there a workaround for that?
     
  13. x942

    x942 Guest

    There is no way Kickstarter can take bitcoin. If you want anonymous payments I reccomend:

    1) Pre-paid visa with cash (or bitcoin? ) and use that to pledge on kickstarter (This helps us the most as it pushes us closer to our goal. Litterally every dollar counts here).

    2) Send bitcoin to our wallet directly. We are willing to give any non-physical rewards to bitcoin backers at the level they donate. (I.E $10 gets thank you email, etc). We won't ship physical rewards as this breaks the anonmitity you get by using bitcoin anyways as you have to give us your physical address in the end. Also it's much harder to keep track of donations, espesically with the fluidity of the bitcoin market right now.

    I hope it helps. I wish Kickstarter accepted bitcoins but alas, they do not :(
     
  14. encryptdhs

    encryptdhs Registered Member

    Joined:
    Mar 29, 2014
    Posts:
    1
    Nexus 4 Mic Gain Too High

    I know this is a talked about and known issue that Nexus 4 mic gain is too high making voip very hard to use. Has this been resolved or helped in Guardian Rom? if so how do you fix and where can i find mic gain control in Guardian Rom or is there another app to use in Guardian Rom?
     
  15. x942

    x942 Guest

    Re: Nexus 4 Mic Gain Too High

    I will look into this for you. I haven't had any issues using OSTel but I will make sure everything works properly.

    For those who are interested the kickstarter is live:

    -https://www.kickstarter.com/projects/x942/guardianrom-secure-android-os-

    Every view counts so even if you are unable to back the project please follow our social media accounts and share the link with as many people as possible :)
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Re: Nexus 4 Mic Gain Too High

    Congratulations with Kickstarter :)

    Btw, is there a specific reason Gibberbot/ChatSecure is used as messaging app instead of TextSecure? Both are open-source, end to end encrypted, use forward secrecy, but it seems Gibberbot is less user friendly.
    EDIT: Oh and I think it might be a good idea to serve you website through HTTPS to migitate against MitM attacks on the downloads and GPG signatures.
     
    Last edited: Mar 31, 2014
  17. x942

    x942 Guest

    Re: Nexus 4 Mic Gain Too High

    Thanks! We use chatsecure because the Guardian Project let's us include their apps. Moxie on the other hand is pretty opposed to doing this. He asked us not to use textsecure as he only wants it in markets he can control. Why he opened sourced it in the first place I don't know. Until we can find a solution we won't be including it.

    As far as HTTPS goes, we will add it in after the kickstarter. Our current host doesn't support SSL (Squarespace). We are using them because it speed up the web design process and allowed us to keep focusing on the project. If you pull the GPG keys from a keyserver that would be more secure than using the site too.
     
  18. InconspicuosName

    InconspicuosName Registered Member

    Joined:
    Nov 9, 2013
    Posts:
    8
    Location:
    EU
  19. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
  20. gaiko

    gaiko Registered Member

    Joined:
    Jan 14, 2014
    Posts:
    9
    Location:
    moldova
    impressed. very impressed. Are you all planning to have GuardianRom audited at some point?
     
    Last edited: Jun 18, 2014
  21. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    good to see this project going strong , keep it up guys ill be waiting for the full release and if it takes another year take your time dont rush this and auditing guardianrom sounds like a

    great idea much like what Truecrypt is currently still going through , gives the users peace of mind and adds trust to the product, i like this idea alot this should be standard procedure for security products
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Very nice indeed :)

    I see the version for Nexus 4 is based on 4.2.2, are security fixes from newer versions backported?
     
  23. x942

    x942 Guest

    Sorry for the delay, Moving to a new place and have no internet right now, can only post when I have 3G access.

    Anyways - We will be getting an audit done as soon as we can afford it. We need to do a few things still. First we need the beta to be released (Soon I promise!), then we have some backers that are willing to fund us and match what we get from kickstarter when we relaunch - This means if Kickstarter gets $20,000 we get $40,000 total. After we get funding we can move on to getting the stable release out and getting our own hardware made.

    Why our own hardware? Because that way we can reduce most, if not all, closed-binary blobs that plague most phones. This will allow the phone to be better audited and even more FOSS.



    We will release GuardianRom on Kitkat 4.4.4 when it's done. 4.2.2 was just done for testing as porting everything to kitkat has taken quite a bit of time.


    Also if anyone here is a developer (Linux/Mac/Windows/Android) and would like to help, PM me and I can give access to the source code. I don't have a lot of bandwidth on my server so I can only allow a few people right now.
     
  24. Mailmaiden

    Mailmaiden Registered Member

    Joined:
    Jul 20, 2014
    Posts:
    14
    Will the yubikey option work for any NFC tag that is capable of challenge response? I'm interested in using a NFC ring for convenience and it's not as easily identified as a yubikey
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Update and a new project(Linux distro for airgapped system):

    http://shadowdcatconsulting.com/blog/2014/8/14/updates-guardianrom-new-project
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.