I'm currently stuck with an Android 4.0 smart phone. So far it has not received any security updates I know of. I would like to make sure that the SSL and other crypto libraries are up to date, and that the browser is configured to not use SSLv2 or v3. I figure this probably means updating Android to the latest version. It would also be nice to lock it down more generally. e.g. trusted path execution would make sense, to avoid the social engineering rubbish that passes for malware on Android. Is any of this doable without rooting the phone, or other tampering that might break it, violate the terms of contract, etc.? Note that I am a complete Android and smart phone newbie. Oh, another caveat: I don't want to do anything that might result in kernel panics or instability. For a phone I consider stability even more important than security, so I would decline things like GrSec kernels (if Android versions exist).
What's the model? Cause that's going to tell what you can even do with it. My personal opinion is you'll be waiting for hell to freeze up waiting for ANY kind of update from the manufacture, especially as they age (of course this depends on model and brand). If there's an available Cyanogenmod stable build for your phone, just stick it on. A lot of times it can even be more stable and more secure than the stock (depending on build and model) http://wiki.cyanogenmod.org/index.php?title=Devices Can also check the xda dev forums and see what they have for your model: http://forum.xda-developers.com/ Again, if you can root it you're going to have a lot more freedom to do what you'll want with it. And if the model does show up on the xda dev forums, you'll be able to get a feel of how stable that'd be, or even just general ideas. Also look over: https://prism-break.org/en/categories/android/
It's a Kyocera Rise... So not even unofficially supported by Cyanogen, I think. Unless it's actually a rebrand of someone else's phone, which I don't think is the case. Too bad, it has a rather nice physical keyboard.
Well you can go into your phone settings then about phone and check for updates. If there are none to be found, then I don't think you'll get any more updates for your phone, as it isn't even listed at needrom.com
Yeah, there's tons of devices that end up just dying (sadly) from lack of interest in both the manufacture or the community. I got really lucky with my first android device being fairly active with Cyanogenmod, else I would of never even played around with it. Now I'm in the habit of checking the xdadev forums and the Cyanogenmod device list before I buy anything new. Did find a root guide over on xdadev though: http://forum.xda-developers.com/showthread.php?t=2307306 Up to you if you want to mess with it.
Custom ROM, though I'm too lazy to go that route. Personally I'm using a different browser than Internet, updating all apps, Norton Halt, and was using ExynosAbuse until it broke my camera.
Right, I forgot about that part. Just disable the stock browser, and if nothing breaks- keep it disabled (if you can, you might have to be root). Then just install F-Droid and download Firefox, then just throw HTTPS Everywhere on it. IF you don't feel like waiting for the next Firefox update that disables SSL 3 (Now 25th), try the method in this post: https://www.wilderssecurity.com/thr...used-ssl-protocol-poodle.369247/#post-2417778 edit I just tried the above method for my own android Firefox and it works. I also checked and I've had the stock android web browser disabled for a few months now, without any issues.
So, it turns out that recent versions of Chrome are available for this phone. Boo ya! The kernel is probably still full of old zero-days though.
Well, the least you could do now: 1) Make sure Unknown sources are unchecked 2) Make use of Google's Verify Apps feature 3) Do not use stock browser. Preferably disable javascript 4) USSD vuln protection http://www.welivesecurity.com/2012/...lity-protection-from-eset-now-on-google-play/ http://www.avira.com/en/android-dirty-ussd-hack
