XDA Developers Android and Mobile Development Forum

Android custom ROM for security + minimal of Google?
.rootCoder.
#11
Hello!

Does it mean that any modded stock ROM with GApps will be insecure?
Thx
 
ASVP_MSFT
#12
Just YouTube some Galaxy S2 ROMs; you'll find reviews on some good ROMs.
 
kenshin33
#13
Quote: Originally Posted by JamieFL
How do you get your own private key and what does that do? Sorry, I have never heard of this, so I'm sure others are probably also wondering.

Sent from my Nexus 5 using XDA Premium 4 mobile app
http://www.kandroid.org/online-pdk/g...ease_keys.html

Something like this.

I think you can skip the "make dist" part; just do a regular build as you would normally (CyanogenMod ==> brunch your_device).

You can find the needed file under "out/target/product/hammerhead/obj/PACKAGING/target_files_intermediates/cm_hammerhead-target_files-"

For CyanogenMod on the Nexus 5, for example (hammerhead):

source build/envsetup.sh
brunch hammerhead

and you'll find the target_files zip under
out/target/product/hammerhead/obj/PACKAGING/target_files_intermediates/

That's the one you need to feed to build/tools/releasetools/sign_target_files_apks
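The steps kenshin33 describes, written up as a script. This is an added example, not code from the post or from the CyanogenMod project; it assumes it is run from the root of an AOSP/CyanogenMod source tree after `brunch <device>` has finished, so that development/tools/make_key and build/tools/releasetools exist, and that openssl and unzip are installed for the final check. The make_demo_tree fixture and the example certificate subject are constructed for illustration.

```shell
#!/bin/sh
# Added example (not kenshin33's code, not part of CyanogenMod): locate the
# target_files zip a brunch build produced, create your own release keys, re-sign
# the ROM with them and confirm the resulting OTA carries your certificate.
# Assumes an AOSP-style tree: build/envsetup.sh, development/tools/make_key and
# build/tools/releasetools present. make_demo_tree is a constructed fixture.

TF_SUBDIR="obj/PACKAGING/target_files_intermediates"

# Print the newest *-target_files-*.zip for a device below out/; return 1 if none.
find_target_files() {
  out_dir="$1"; device="$2"
  dir="$out_dir/target/product/$device/$TF_SUBDIR"
  newest=$(ls -t "$dir"/*-target_files-*.zip 2>/dev/null | head -n 1)
  [ -n "$newest" ] || return 1
  printf '%s\n' "$newest"
}

# Generate the four key pairs AOSP expects (releasekey, platform, shared, media)
# with the stock make_key script; keys that already exist are left alone.
# subject is an X.509 DN, e.g. '/C=XX/O=example/CN=rom-signing' (constructed).
make_release_keys() {
  certs_dir="$1"; subject="$2"
  mkdir -p "$certs_dir"
  for k in releasekey platform shared media; do
    [ -f "$certs_dir/$k.pk8" ] || development/tools/make_key "$certs_dir/$k" "$subject"
  done
}

# Re-sign the target_files zip with our keys and build a flashable OTA from it.
# -o swaps the OTA verification keys baked into the ROM for ours, -d maps the
# default AOSP test keys onto $certs_dir/*.
sign_rom() {
  certs_dir="$1"; target_files="$2"; out_dir="$3"
  mkdir -p "$out_dir"
  ./build/tools/releasetools/sign_target_files_apks -o -d "$certs_dir" \
      "$target_files" "$out_dir/signed-target_files.zip"
  ./build/tools/releasetools/ota_from_target_files -k "$certs_dir/releasekey" \
      "$out_dir/signed-target_files.zip" "$out_dir/signed-ota.zip"
}

# Check that the certificate embedded in the OTA (META-INF/com/android/otacert)
# is our release certificate; a mismatch means other keys signed the package.
verify_ota_cert() {
  certs_dir="$1"; ota_zip="$2"
  want=$(openssl x509 -in "$certs_dir/releasekey.x509.pem" -noout -fingerprint -sha256)
  got=$(unzip -p "$ota_zip" META-INF/com/android/otacert | openssl x509 -noout -fingerprint -sha256)
  [ "$want" = "$got" ]
}

# Constructed fixture: two empty target_files zips with distinct timestamps,
# laid out the way the post describes, so find_target_files can be exercised
# without a real build.
make_demo_tree() {
  root="$1"; dir="$root/out/target/product/hammerhead/$TF_SUBDIR"
  mkdir -p "$dir"
  touch -t 201402130800 "$dir/cm_hammerhead-target_files-eng.old.zip"
  touch -t 201402130900 "$dir/cm_hammerhead-target_files-eng.new.zip"
}

# Usage from the source tree: sh sign_rom.sh hammerhead ~/.android-certs
if [ $# -eq 2 ]; then
  set -e
  device="$1"; certs="$2"
  make_release_keys "$certs" '/C=XX/O=example/CN=rom-signing'
  tf=$(find_target_files out "$device")
  sign_rom "$certs" "$tf" "out/signed-$device"
  verify_ota_cert "$certs" "out/signed-$device/signed-ota.zip" \
      && echo "OTA signed with our release key: out/signed-$device/signed-ota.zip"
fi
```

Keep the generated .pk8 files off the build machine once signing is done: whoever holds releasekey can produce updates that the ROM's recovery will accept, which is the whole point of replacing the public AOSP test keys.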
 
fadedout
(Last edited by fadedout; 13th February 2014 at 02:11 PM.)
#14
There are some really exciting Android security projects out there... For instance, one awesome function a-la-Truecrypt involves full disk encryption with plausible deniability. You are able to give out a first-layer passphrase if you are coerced - yet a truly private volume remains secure and disguised within the apparent unused portion of the storage disk.

Yet it's unlikely that any of this is relevant to you, otherwise you wouldn't be asking this sort of thing. When it comes to security leaks, try to barricade off the paths of least resistance from the ground up. For instance, even all of that wouldn't do much good if you had forensic evidence of your phone config on your computer, a lockscreen that could be bypassed, a phone seized whilst still turned on with encryption keys remaining in RAM, etc. Also keep in mind all of the data you are sending out in the clear via your cloud storage, SMS/IM, WiFi, etc.

So in the end, just pick a ROM that runs smoothly and you enjoy. Whatever you end up deciding, make absolutely certain to:
- encrypt with strong passphrase (then use cryptfs app to create a shorter lock screen key)
- disable USB debugging

---------- Post added at 06:06 AM ---------- Previous post was at 05:32 AM ----------

Quote: Originally Posted by JamieFL
How do you get your own private key and what does that do? Sorry, I have never heard of this, so I'm sure others are probably also wondering.

Sent from my Nexus 5 using XDA Premium 4 mobile app
This probably isn't exactly spot on, but here's a rough synopsis... When a ROM is built from source, the creator "signs" their creation (i.e. the ROM and the apps within). This way you can be sure that you're indeed getting an official ROM built by AOKP (or whomever) and not by some malicious 3rd party. Likewise, the Android OS uses signatures to ID which files are legitimate and given permission to run (i.e. official updates). However, there have been incidents with custom ROMs when this functionality has been exploited. This could allow an otherwise innocuous-seeming app to deploy hidden malware and cloak itself as a legitimate app, gaining full rights to the phone.

A self-built ROM with your own private key is presumably safer against such an attack. I don't think most people would need to be concerned about this, but still something to keep in mind. Unfortunately jcase is spot on about custom ROMs almost always creating or exposing more vulnerabilities than stock. For instance, features like ADB or USB-OTG are often enabled by default. If that wasn't bad enough, in the event that your phone is ever lost/stolen/seized, having a custom recovery installed is pretty much handing over your identity with a bow wrapped on top. It makes it easy for anyone to bypass PIN/password/face/gesture-lock or dump off the entire disk image. Not to mention analysis can reveal your account passwords, WiFi keys, SMS, phone records, photos. Most of these vulnerabilities can be safeguarded against with careful consideration, but you certainly won't get there by default.
 
Kohelet
#15
Quote: Originally Posted by dj.houba
Thanks, yes, I know about Cyanogen.
Oh, you mean GingerBread from Google? This is exactly what I don't want. I want to separate from Google, because we all know about the NSA case. So I thought there would be some developers who will try to build some custom ROM and try to eliminate "Big Brother" and focus mainly on security.
The only way to eliminate the ability of a nation-state interfering in your data would be to not generate any. If they're watching you, then stopping them from watching you isn't going to be possible. So it's better to ensure that when they watch, you appear innocent.

Granted, I'm not saying you shouldn't take any precautions. But to truly get away from their snooping you're probably better off without a phone.

Quote: Originally Posted by fadedout
There are some really exciting Android security projects out there... For instance, one awesome function a-la-Truecrypt involves full disk encryption with plausible deniability. You are able to give out a first-layer passphrase if you are coerced - yet a truly private volume remains secure and disguised within the apparent unused portion of the storage disk.

Yet it's unlikely that any of this is relevant to you, otherwise you wouldn't be asking this sort of thing. When it comes to security leaks, try to barricade off the paths of least resistance from the ground up. For instance, even all of that wouldn't do much good if you had forensic evidence of your phone config on your computer, a lockscreen that could be bypassed, a phone seized whilst still turned on with encryption keys remaining in RAM, etc. Also keep in mind all of the data you are sending out in the clear via your cloud storage, SMS/IM, WiFi, etc.

So in the end, just pick a ROM that runs smoothly and you enjoy. Whatever you end up deciding, make absolutely certain to:
- encrypt with strong passphrase (then use cryptfs app to create a shorter lock screen key)
- disable USB debugging

---------- Post added at 06:06 AM ---------- Previous post was at 05:32 AM ----------

Excellent advice.
 
Liberr
#16
I still wonder if AOSP or any of the bigger custom ROMs without GApps is truly Google-free. I have been browsing the forums for a while on that question but can't really find a good answer. Google-free meaning: it doesn't communicate in any way at any moment with Google.

Anyone who can verify that? Has there ever been an XDA'er who researched this? For some it seems an assumption, and some think that since Android is developed by Google they surely try to analyze even AOSP ROMs or derivatives.
 
Ryccardo
#17
Quote: Originally Posted by Liberr
I still wonder if AOSP or any of the bigger custom ROMs without GApps is truly Google-free. I have been browsing the forums for a while on that question but can't really find a good answer. Google-free meaning: it doesn't communicate in any way at any moment with Google.

Anyone who can verify that? Has there ever been an XDA'er who researched this? For some it seems an assumption, and some think that since Android is developed by Google they surely try to analyze even AOSP ROMs or derivatives.
It only sends version statistics to Google, and there's a build.prop setting that allegedly disables it (ro.config.nocheckin=1) -- haven't tried it because I'd rather show my pride in Gingerbread
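A way to check a ROM for the settings this thread keeps coming back to: fadedout's checklist (userdata encrypted, USB debugging off, no debuggable build) and the ro.config.nocheckin property Ryccardo mentions. This is an added example, not code from any post; it runs over a saved `adb shell getprop` dump so it works offline, and the two sample dumps below are constructed, not captured from a real device. The property names are stock Android ones; the thread only says nocheckin "allegedly" disables the checkin, so the script reports its value without claiming more.

```shell
#!/bin/sh
# Added example (not from any post in this thread): audit a getprop dump for
# the settings discussed above. Input lines look like "[ro.secure]: [1]", i.e.
# the output of `adb shell getprop > props.txt`. Sample dumps are constructed.

# Print the value of one property from a getprop dump (empty if absent).
prop_get() {
  dump="$1"; key="$2"
  sed -n "s/^\[$key\]: \[\(.*\)\]$/\1/p" "$dump" | head -n 1
}

# Print one finding per line; return 0 when nothing is flagged, 1 otherwise.
audit_props() {
  dump="$1"; flagged=0
  if [ "$(prop_get "$dump" ro.crypto.state)" != "encrypted" ]; then
    echo "WARN: userdata is not encrypted (ro.crypto.state)"; flagged=1
  fi
  if [ "$(prop_get "$dump" ro.debuggable)" = "1" ]; then
    echo "WARN: debuggable build (ro.debuggable=1), adbd runs unrestricted"; flagged=1
  fi
  if [ "$(prop_get "$dump" ro.secure)" != "1" ]; then
    echo "WARN: ro.secure is not 1"; flagged=1
  fi
  # sys.usb.config lists "adb" while USB debugging is enabled (heuristic).
  case "$(prop_get "$dump" sys.usb.config)" in
    *adb*) echo "WARN: USB debugging is enabled (sys.usb.config contains adb)"; flagged=1 ;;
  esac
  if [ "$(prop_get "$dump" ro.config.nocheckin)" != "1" ]; then
    echo "INFO: ro.config.nocheckin is not 1; checkin/version statistics may be sent"; flagged=1
  fi
  return $flagged
}

# Constructed dump of a typical custom ROM straight after flashing.
write_weak_dump() {
  cat >"$1" <<'EOF'
[ro.build.version.release]: [4.4.2]
[ro.crypto.state]: [unencrypted]
[ro.debuggable]: [1]
[ro.secure]: [0]
[sys.usb.config]: [mtp,adb]
EOF
}

# Constructed dump of the same device after following the thread's advice.
write_hardened_dump() {
  cat >"$1" <<'EOF'
[ro.build.version.release]: [4.4.2]
[ro.crypto.state]: [encrypted]
[ro.debuggable]: [0]
[ro.secure]: [1]
[sys.usb.config]: [mtp]
[ro.config.nocheckin]: [1]
EOF
}

# Usage: adb shell getprop > props.txt && sh audit_props.sh props.txt
if [ $# -eq 1 ]; then
  audit_props "$1" && echo "OK: nothing flagged in $1"
fi
```

The checks are deliberately read-only: nothing here changes a property, it only tells you which of the thread's recommendations a given ROM does not yet meet.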