Securing and/or updating old Android phones?

Discussion in 'all things UNIX' started by Gullible Jones, Oct 21, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    I'm currently stuck with an Android 4.0 smart phone. So far it has not received any security updates I know of. I would like to make sure that the SSL and other crypto libraries are up to date, and that the browser is configured to not use SSLv2 or v3. I figure this probably means updating Android to the latest version.

    It would also be nice to lock it down more generally. e.g. trusted path execution would make sense, to avoid the social engineering rubbish that passes for malware on Android.

    Is any of this doable without rooting the phone, or other tampering that might break it, violate the terms of contract, etc.? Note that I am a complete Android and smart phone newbie.

    Oh, another caveat: I don't want to do anything that might result in kernel panics or instability. For a phone I consider stability even more important than security, so I would decline things like GrSec kernels (if Android versions exist).
     
  2. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    What's the model? Cause that's going to tell what you can even do with it. My personal opinion is you'll be waiting for hell to freeze up waiting for ANY kind of update from the manufacture, especially as they age (of course this depends on model and brand). If there's an available Cyanogenmod stable build for your phone, just stick it on. A lot of times it can even be more stable and more secure than the stock (depending on build and model) http://wiki.cyanogenmod.org/index.php?title=Devices

    Can also check the xda dev forums and see what they have for your model: http://forum.xda-developers.com/

    Again, if you can root it you're going to have a lot more freedom to do what you'll want with it. And if the model does show up on the xda dev forums, you'll be able to get a feel of how stable that'd be, or even just general ideas.

    Also look over: https://prism-break.org/en/categories/android/
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    It's a Kyocera Rise... So not even unofficially supported by Cyanogen, I think. Unless it's actually a rebrand of someone else's phone, which I don't think is the case.

    Too bad, it has a rather nice physical keyboard.
     
  4. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,237
    Well you can go into your phone settings then about phone and check for updates. If there are none to be found, then I don't think you'll get any more updates for your phone, as it isn't even listed at needrom.com
     
    Last edited: Oct 21, 2014
  5. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Yeah, there's tons of devices that end up just dying (sadly) from lack of interest in both the manufacture or the community. I got really lucky with my first android device being fairly active with Cyanogenmod, else I would of never even played around with it. Now I'm in the habit of checking the xdadev forums and the Cyanogenmod device list before I buy anything new.

    Did find a root guide over on xdadev though: http://forum.xda-developers.com/showthread.php?t=2307306 Up to you if you want to mess with it.
     
    Last edited: Oct 21, 2014
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Custom ROM, though I'm too lazy to go that route. Personally I'm using a different browser than Internet, updating all apps, Norton Halt, and was using ExynosAbuse until it broke my camera.
     
  7. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Right, I forgot about that part. Just disable the stock browser, and if nothing breaks- keep it disabled (if you can, you might have to be root). Then just install F-Droid and download Firefox, then just throw HTTPS Everywhere on it. IF you don't feel like waiting for the next Firefox update that disables SSL 3 (Now 25th), try the method in this post: https://www.wilderssecurity.com/thr...used-ssl-protocol-poodle.369247/#post-2417778

    edit

    I just tried the above method for my own android Firefox and it works. I also checked and I've had the stock android web browser disabled for a few months now, without any issues.
     
    Last edited: Oct 21, 2014
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    So, it turns out that recent versions of Chrome are available for this phone. Boo ya! The kernel is probably still full of old zero-days though.
     
  9. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
Loading...