
[APP][GPL]SecDroid - Android Hardening [BETA] [Hiatus]

What should I add first?

  • Auto-Run

    Votes: 17 50.0%
  • Better UI

    Votes: 17 50.0%
  • Widget

    Votes: 0 0.0%
  • Other?

    Votes: 0 0.0%

  • Total voters
    34
Status
Not open for further replies.

x942

Guest
SecDroid V 1.1 Beta
Created by x942
Released under GPLV2


PROJECT IS ON HIATUS

New project over here

Introduction

SecDroid hardens the Android kernel by disabling certain binaries that have internet access or can be used as an attack vector. Some of these are:
SSH
SSHD
Telnet
NC (net cat)
Ping
PM (Package Manager - Can't install apps via CLI/ADB)
ADBD (ADB is disabled until reboot)

And by securing the TCP stack using sysctl (until next boot).

More info

Why disable ADB and PM?

ADB and PM are both disabled to help prevent an attacker from being able to install apps via the command line or adb shell. Both of these are potential attack vectors. You can install apps via the Play Store and GUI.

What license is this released under?

All code is released under GPLV2 Unless otherwise noted.


Thanks/Credits

Many Thanks to Adam Outler for his Shell class that was used in this project (until V0.3 - See Changelog).
Many thanks to XDA-TV and XDA for their hard work!
And thanks to SANS for their Android Security whitepaper which inspired this project.
Downloads:


Please note this is my first android app. As such bugs may be present and the code may not be pretty. If anyone can help me make it look nicer and more efficient that would be great :)

UPDATE 2013-05-06:
Version 1.1 Beta

* Fixed script to properly handle errors on some devices
* Fixed layout issue
* Added disable bluetooth feature (Disabled bluetoothd)
* Added enable bluetooth feature (Reverses above action)
 

koz

Senior Member
Mar 11, 2006
195
10
x942 - Thanks for letting me know this is in the works - looks really promising. With things like SSH/SSHD being disabled, will apps (like Connectbot) still work, allowing for SSH/SSHD on a per app basis?
 

Richy19

Senior Member
Jan 9, 2012
77
8
Moto X4
Does this just disable these things during the current running session?
I.e., after rebooting, does everything go back to normal?
If not is there a way to enable them again?
 

fluxgfx

Senior Member
Jun 1, 2011
743
90
Ottawa
I have to assume that it's a good thing if the application wasn't able to find any of the noted applications to harden.
 

PnoT

Senior Member
Jun 22, 2011
105
5
So the "hardening" is only applied after running the app and upon next boot everything should be back to normal correct?
 

fluxgfx

Senior Member
Jun 1, 2011
743
90
Ottawa
I assume it's not a good thing because the applications are missing (which is unlikely) or they are moved to a different location ;)

I agree with you. Although after a manual verification the applications in question aren't located on the device in any folders, Internal, External or within any of the root folders.

Cheers,
 

bushako

Senior Member
Mar 16, 2007
1,359
327
Dubai
First of all thank you so much for the effort to keep our devices safe. I'm using Droidwall to block certain programs and would like to install SecDroid but not sure if it would conflict in any way. Could you please confirm?
 

x942

Guest
x942 - Thanks for letting me know this is in the works - looks really promising. With things like SSH/SSHD being disabled, will apps (like Connectbot) still work, allowing for SSH/SSHD on a per app basis?

Sadly no. The apps are disabled by removing their permissions to execute (chmod 000). This means no one can run it. I suppose I could have it set to only allow Connectbot to run it based on UID or something. But something like Droidwall or AFWall+ is better suited for that. I am planning to add in a switch for each item. So you could for example leave ssh enabled but disable everything else.

Does this just disable these things during the current running session?
I.e., after rebooting, does everything go back to normal?
If not is there a way to enable them again?

Yes at this time everything is reset on reboot. I am looking into having it auto-run every boot.

I have to assume that it's a good thing if the application wasn't able to find any of the noted applications to harden.

Correct. I have tested on CM9/10/10.1 and AOKP; on both of these, if it can't find anything then they aren't present in the system. Stock ROMs may be different. All AOSP should be the same though.


Nice! xD That is awesome!

So the "hardening" is only applied after running the app and upon next boot everything should be back to normal correct?

Yes. Everything is reset upon reboot. I will add an auto-run version shortly :)

First of all thank you so much for the effort to keep our devices safe. I'm using Droidwall to block certain programs and would like to install SecDroid but not sure if it would conflict in any way. Could you please confirm?

No problem. I have no issues with Droidwall or AFWall+ :) SecDroid doesn't touch iptables so everything should be fine :)
 

electricpete1

Senior Member
Aug 12, 2012
477
188
Are these vulnerabilities dependent upon whether USB debugging is enabled or disabled?

...and will this interfere with apps that require USB debugging enabled, such as Titanium Backup and Gemini Apps manager?
 

x942

Guest
Are these vulnerabilities dependent upon whether USB debugging is enabled or disabled?

...and will this interfere with apps that require USB debugging enabled, such as Titanium Backup and Gemini Apps manager?

The only vulnerability dependent on USB Debugging is Kos' p2p-adb. The rest prevent network (remote) attacks. Some of which could be used over ADB but don't depend on it (installing malware). I have not tested with TB but it may break it. I am trying to make individual on/off switches for each option so you can only disable what you want to and leave the rest alone :)

I have posted a Play Store link now too!
 

apatal

Senior Member
Feb 27, 2012
3,576
2,066
Manila

Attachments

  • uploadfromtaptalk1358005463257.jpg

jas0nsg

Member
Jul 23, 2012
9
0
I'm having the same problem.

Sent from my INO_ONE using xda premium
 

Attachments

  • uploadfromtaptalk1358008783076.jpg

Mika83AC

Senior Member
Apr 5, 2012
715
304
Same result here. Does that mean our devices are more secure since we don't have these files? I'm running pure AOSP, BTW.

No, you are not "safe". All the things are not located in system/xbin, but in system/bin! So the paths which the app checks are wrong...

Under system/xbin are many many links, but the real "files" are located elsewhere! So the dev should change his app so that it can check the right locations ;)

Sent from my GT-I9300 using xda app-developers app
 
Reactions: apatal

WattB006

Senior Member
Sep 24, 2011
280
51
Nebraska
I checked and scp is located in the system/bin folder. All the other ones though I cannot find. Here is a screen shot of mine.

Sent from my SGH-I747 using xda premium
 

Attachments

  • uploadfromtaptalk1358016220611.jpg

SkyandDirt

Senior Member
Jul 20, 2011
65
17
Can you also include in this app ARP, DOS, and MITM type of attack protection. That would be cool.
 

x942

Guest
Same result here. Does that mean our devices are more secure since we don't have these files? I'm running pure AOSP, BTW.

New version coming in a few days :) I will post a patched version today, it looks like I uploaded the wrong version by mistake.

I'm having the same problem.

Sent from my INO_ONE using xda premium

No, you are not "safe". All the things are not located in system/xbin, but in system/bin! So the paths which the app checks are wrong...

Under system/xbin are many many links, but the real "files" are located elsewhere! So the dev should change his app so that it can check the right locations ;)

Sent from my GT-I9300 using xda app-developers app

Oops, looks like I messed up and uploaded the wrong version. I will fix this. Originally it did use xbin and also disabled more things (bluetooth and NFC) but I corrected this as most users don't want those disabled. I will post the proper APK :) With the proper paths. It's already compiled so expect it in a few min.

Can you also include in this app ARP, DOS, and MITM type of attack protection. That would be cool.

I can include these :) I will do so in a future update.
 

x942

Guest
Fixed the issue. It doesn't give any errors on CM10/10.1 on my N4. Path is now /system/bin for the binaries that are there and xbin is only used for a couple binaries that are only in that folder.

Also moved repo to github as google code is annoying. Update also pushed to Play Store.
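
Added example, not part of the thread and not SecDroid's own code: a shell audit for the path problem discussed above (real binaries in /system/bin, symlinks in /system/xbin) and for the chmod 000 disabling method. The function names, output format and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Names from the first post; directories from the path discussion in the thread.
TARGETS="ssh sshd telnet nc ping pm adbd"
DIRS="system/bin system/xbin"

# Print "<name> <path> <perms> <status>" for every hit under ROOT.
# EXEC = an execute bit is set; disabled = none set (e.g. after chmod 000);
# dangling = symlink with no target; absent = not found in any of DIRS.
audit_binaries() {
    root=${1:-/}
    for name in $TARGETS; do
        found=0
        for dir in $DIRS; do
            p="${root%/}/$dir/$name"
            if [ -L "$p" ] && [ ! -e "$p" ]; then
                echo "$name $p - dangling"; found=1; continue
            fi
            [ -e "$p" ] || continue
            found=1
            # -L reports the mode of the link target, not of the symlink itself
            perms=$(ls -ldL "$p" | cut -c1-10)
            case $perms in
                *[xst]*) status=EXEC ;;
                *)       status=disabled ;;
            esac
            echo "$name $p $perms $status"
        done
        [ "$found" -eq 1 ] || echo "$name - - absent"
    done
}

# Succeeds only when nothing in TARGETS is still executable under ROOT.
all_disabled() {
    ! audit_binaries "$1" | grep -q ' EXEC$'
}

# Constructed sample tree (not taken from a real device): ping is a real file
# in system/bin with a symlink in system/xbin; telnet is already chmod 000.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/system/bin" "$r/system/xbin"
    printf '#!/bin/sh\n' > "$r/system/bin/ping";   chmod 755 "$r/system/bin/ping"
    ln -s ../bin/ping "$r/system/xbin/ping"
    printf '#!/bin/sh\n' > "$r/system/bin/telnet"; chmod 000 "$r/system/bin/telnet"
    echo "$r"
}

if [ $# -gt 0 ]; then audit_binaries "$1"; fi
```

An "absent" line only means the name was not found in the listed directories, which is the situation the screenshots in this thread showed; a symlink in xbin is reported with the mode of the file it points to.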
 

Top Liked Posts

  • 2
    Will Cerberus, androidlost, airdroid or this kind of remote control apps continue to work if secdroid is used?

    Thanks for this great app and for releasing it gpl

    I just tried with Cerberus and it works great ;)

    Sent from my GT-I9300 with Tapatalk 2
    2
    There is a disable button in the newest version (ENABLE ADB). Because adb is disabled, until you press that button, apps that need it like TB won't work.

    Thank you, works well now. Would be great to get some explanations as well, as mentioned earlier, so when you have some extra time, that'd be great.
    1
    Re: [APP][GPL]SecDroid - Android Hardening [ALPHA]

    Any way this app could be modified to test if any exploits are currently being used, and by what, before disabling the exploits altogether?

    Sent from my SGH-T989 using xda premium