
Security

Comparison

These are goals based on Mobian becoming part of Debian:

Mobian Android[1] IOS
Peer/community reviewed software[3] Yes No No
All OS components built from source Yes No
All apps built from source[2] Yes No
Closed firmware blobs Many
Reproducible builds Mostly No
Secure boot
Usbguard TODO No

[1] Stock Android with Google Apps

[2] Built from publicly available sources in an automated and verifiable manner

[3] Reviewed by DDs and/or Debian FTP masters

Features

Security updates

Currently provided as package updates in Debian Testing

Always-On VPN

VPN functionality will be added to Gnome-Control-Center in the future, but for now you can configure this via nmcli. This guide will explain how to import an OpenVPN connection, and then configure other connections to require it as a “secondary”.

1. Add OpenVPN support for NetworkManager by running sudo apt install network-manager-openvpn.

2. Import your OpenVPN .ovpn file by running sudo nmcli connection import type openvpn file {yourovpnfile.ovpn}

3. Until this is integrated with gnome-keyring, you must store your username and password in the .nmconnection file (currently insecure due to lack of disk encryption, which is coming in the future as well). Edit your VPN config in /etc/NetworkManager/system-connections, where the file is {youropenvpnfilename}.nmconnection. Change the password-flags to 0. At the bottom of the [vpn] block, add username={your username}. Then, below the [vpn] block, add the following:

[vpn-secrets]
password={your vpn password}

4. Obtain the UUID of your VPN connection by running sudo nmcli con show {your vpn connection name}; the UUID is the second line.

5. In the same directory, you can now modify any connection, including your cellular one, to bring up and require the VPN connection by adding this to the end of the [connection] block: secondaries={UUID}; (don't forget the trailing semicolon).

6. Restart NetworkManager with sudo systemctl restart NetworkManager for the changes to take effect.
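The following check is an added example, not part of the original guide or of Mobian's tooling. It verifies that the keyfiles edited in steps 3 to 5 agree with each other; the file names, UUID and credentials in make_sample are constructed.

```shell
#!/bin/sh
# Added example: checks the hand-edited keyfiles from steps 3-5.
# ini_get FILE SECTION KEY: print KEY's value from [SECTION]
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { cur = $0; next }
        cur == sec {
            i = index($0, "=")
            if (i && substr($0, 1, i - 1) == key) { print substr($0, i + 1); exit }
        }' "$1"
}

# check_always_on VPN_FILE CONN_FILE: print each problem, return 1 if any
check_always_on() {
    vpn=$1; conn=$2; rc=0
    uuid=$(ini_get "$vpn" connection uuid)
    [ -n "$uuid" ] || { echo "no uuid in $vpn"; rc=1; }
    [ "$(ini_get "$vpn" vpn password-flags)" = 0 ] ||
        { echo "password-flags is not 0"; rc=1; }
    [ -n "$(ini_get "$vpn" vpn username)" ] ||
        { echo "username missing from [vpn]"; rc=1; }
    [ -n "$(ini_get "$vpn" vpn-secrets password)" ] ||
        { echo "[vpn-secrets] password missing"; rc=1; }
    # The file now holds a cleartext password. NetworkManager also ignores
    # keyfiles that group/other can access (root ownership is not checked here).
    [ "$(ls -ld "$vpn" | cut -c5-10)" = "------" ] ||
        { echo "$vpn is accessible to group/other"; rc=1; }
    # secondaries is a ';'-terminated list and must contain the VPN's UUID
    case ";$(ini_get "$conn" connection secondaries)" in
        *";$uuid;"*) ;;
        *) echo "secondaries in $conn does not list $uuid;"; rc=1 ;;
    esac
    return $rc
}

# make_sample DIR: write constructed keyfiles shaped like the result of the steps
make_sample() {
    u=11111111-2222-3333-4444-555555555555   # constructed UUID
    printf '%s\n' '[connection]' 'id=myvpn' "uuid=$u" 'type=vpn' '' \
        '[vpn]' 'password-flags=0' 'username=alice' '' \
        '[vpn-secrets]' 'password=example-only' > "$1/vpn.nmconnection"
    printf '%s\n' '[connection]' 'id=cell' 'type=gsm' "secondaries=$u;" \
        > "$1/cell.nmconnection"
    chmod 600 "$1/vpn.nmconnection" "$1/cell.nmconnection"
}

d=$(mktemp -d); make_sample "$d"
check_always_on "$d/vpn.nmconnection" "$d/cell.nmconnection" && echo "wiring OK"
rm -rf "$d"
```

On the phone, run it as root against the two files in /etc/NetworkManager/system-connections before restarting NetworkManager.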

Using SSH with a key instead of password

When you have SSH enabled on your phone, it is a good idea to use key-based authentication instead of password-based authentication. This is especially true in the case of numerical passwords only!

If you don't already have a private/public key pair, you want to first generate one.

ssh-keygen -t ed25519

You should probably secure your key with a password. Now copy your public key to the device:

ssh-copy-id mobian@mobian

Now you can log in via SSH. Search for PasswordAuthentication in /etc/ssh/sshd_config and change it to PasswordAuthentication no. Finally, restart sshd:

sudo systemctl restart sshd

Also it's good to use an uncommon port for SSH to reduce noise and battery usage caused by SSH scanners on the Internet.
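An added example (not from the original page) showing why the PasswordAuthentication edit above should be verified: sshd uses the first value it obtains for a keyword, so a file read before your edit can override it. The drop-in file name and sample contents are constructed, and treating a Match block as ending with its file is an assumption of this simplified parser.

```shell
#!/bin/sh
# Added example: which PasswordAuthentication value does sshd see first?
# sshd_config(5): for each keyword, the first obtained value is used.

# first_value KEYWORD FILE...: FILEs are given in the order sshd reads them.
# Keywords are case-insensitive. Lines inside a Match block are skipped
# because they apply only conditionally (assumption: a Match ends with its file).
first_value() {
    kw=$1; shift
    awk -v kw="$kw" '
        FNR == 1 { inmatch = 0 }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { inmatch = 1; next }
        !inmatch && tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$@"
}

# password_auth_state FILE...: print yes or no; an unset keyword means the
# built-in default, which is yes.
password_auth_state() {
    v=$(first_value PasswordAuthentication "$@")
    echo "${v:-yes}"
}

# make_sample DIR: constructed config in which a drop-in defeats the edit
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' '# constructed drop-in' 'passwordauthentication yes' \
        > "$1/sshd_config.d/50-vendor.conf"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'Match User backup' '    PasswordAuthentication yes' > "$1/sshd_config"
}

d=$(mktemp -d); make_sample "$d"
echo "main file alone:    $(password_auth_state "$d/sshd_config")"
echo "drop-in read first: $(password_auth_state "$d"/sshd_config.d/*.conf "$d/sshd_config")"
rm -rf "$d"
```

On the device itself, sudo sshd -T prints the configuration sshd actually resolved, including the passwordauthentication line.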

Extra note:

If you have secured your SSH key with a password and don't want to bother retyping the password every time you reconnect with SSH, you can run:

eval $(ssh-agent)
ssh-add

Now you should not be prompted to enter your password (as long as you are running ssh from the same environment/terminal).

Disk encryption

Note: This is currently an alpha feature and requires considerable manual intervention.

Disk encryption can currently be configured manually. Steps to do this are as follows:

1. Obtain two copies of the same Mobian image.

2. Mount both of them as loop devices with sudo losetup --partscan /dev/loop<x> <mobian image>.img.

3. Encrypt the root partition of the target using sudo cryptsetup luksFormat /dev/loop<x>p2 where <x> is the loop device of the target image.

4. Open and mount the encrypted target with sudo cryptsetup open /dev/loop<x>p2 phoneroot; sudo mount /dev/mapper/phoneroot /mnt.

5. Mount the untouched image root partition and copy its content to the new encrypted root with sudo mount /dev/loop<y>p2 /media; sudo rsync -aAH /media/* /mnt/ where <y> is the loop device of the untouched Mobian image.

6. Chroot into the target system. This will require mounting “/dev/loop<x>p1” to /mnt/boot and bind mounting /dev, /sys and /proc.

7. Install cryptsetup and osk-sdl to allow decryption on boot.

8. Regenerate the initramfs with update-initramfs -u.

9. Reconfigure the kernel boot commandline with osk-sdl-root=<root device> osk-sdl-root-name=<decrypted root name> root=/dev/mapper/<decrypted root name> in /boot/boot.cmd.

10. Regenerate the boot script with sudo mkimage -T script -C none -A arm64 -d boot.cmd boot.scr.

11. Exit chroot and encryption with sudo umount -R /mnt; sudo cryptsetup close /dev/mapper/phoneroot.

12. Remove loop devices with sudo losetup -d /dev/loop<x> for both devices.

13. Flash the encrypted image as normal.

http://mobian.debian.net/ installs Mobian on the eMMC with F2FS, which supports encryption

Encrypted /home partition

The following method uses a keyfile which will be stored on disk, so it is strongly recommended to only use in conjunction with an encrypted rootfs.

1. Copy the contents of your home directory with: sudo mkdir /tmp/mobian && sudo rsync -avz /home/mobian/ /tmp/mobian/

2. Ensure your sdcard has a single ext4 (or f2fs) partition

3. Encrypt your sdcard (WILL ERASE ALL DATA): sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/mmcblk0p1

4. Unlock the new encrypted partition: sudo cryptsetup luksOpen /dev/mmcblk0p1 home_crypt

5. Format the unlocked partition with ext4 (or f2fs): sudo mkfs.ext4 -m 0 /dev/mapper/home_crypt

6. Generate the keyfile which will automatically unlock the partition: sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4 && sudo chmod 0400 /root/keyfile

7. Add the keyfile to the LUKS partition: sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile

8. A UUID is more specific than a block device name, so run sudo blkid /dev/mmcblk0p1 and copy the UUID

9. In /etc/crypttab add the following line: home_crypt /dev/disk/by-uuid/{PASTE UUID HERE} /root/keyfile luks,timeout=30

10. Add the line to /etc/fstab: /dev/mapper/home_crypt /home ext4 defaults 0 2 (If you formatted it as f2fs then replace ext4 with f2fs)

11. Mount the partition: sudo mount -t ext4 /dev/mapper/home_crypt /home

12. Copy the contents of /tmp/mobian (original home dir data): sudo rsync -avz /tmp/mobian /home/ (Trailing slashes must be exactly as written)

13. Reboot (Upon verified success, delete /tmp/mobian)
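Before the reboot in step 13, the files written in steps 6 to 10 can be cross-checked. This is an added example, not part of the original guide; the optional ROOT argument and the sample tree built by make_sample (including its UUID) are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check /etc/crypttab, /etc/fstab and the keyfile.

# check_home_crypt CRYPTTAB FSTAB [ROOT]: ROOT is prefixed to the keyfile path
# so the check can run against a constructed tree instead of the live system.
check_home_crypt() {
    ct=$1; ft=$2; root=${3:-}; rc=0
    # fstab: the device mounted on /home must be a /dev/mapper/<name> node
    src=$(awk '$1 !~ /^#/ && $2 == "/home" { print $1; exit }' "$ft")
    name=${src#/dev/mapper/}
    [ -n "$src" ] && [ "$name" != "$src" ] ||
        { echo "fstab: /home is not on /dev/mapper/*"; return 1; }
    # crypttab fields: <name> <device> <keyfile> <options>
    read -r dev key opts <<EOF
$(awk -v n="$name" '$1 == n { print $2, $3, $4; exit }' "$ct")
EOF
    [ -n "$dev" ] || { echo "crypttab: no entry named $name"; return 1; }
    case $dev in
        /dev/disk/by-uuid/?*|UUID=?*) ;;
        *) echo "crypttab: $dev is not referenced by UUID"; rc=1 ;;
    esac
    case ",$opts," in
        *,luks,*) ;;
        *) echo "crypttab: luks option missing"; rc=1 ;;
    esac
    # The keyfile unlocks the card on its own: it must exist and be owner-only.
    if [ ! -f "$root$key" ]; then
        echo "keyfile $key not found"; rc=1
    elif [ "$(ls -ld "$root$key" | cut -c5-10)" != "------" ]; then
        echo "keyfile $key is accessible to group/other"; rc=1
    fi
    return $rc
}

# make_sample DIR: constructed tree matching the lines from steps 6-10
make_sample() {
    mkdir -p "$1/etc" "$1/root"
    u=00000000-0000-4000-8000-000000000000   # constructed UUID
    echo "home_crypt /dev/disk/by-uuid/$u /root/keyfile luks,timeout=30" \
        > "$1/etc/crypttab"
    echo '/dev/mapper/home_crypt /home ext4 defaults 0 2' > "$1/etc/fstab"
    : > "$1/root/keyfile"; chmod 0400 "$1/root/keyfile"
}

d=$(mktemp -d); make_sample "$d"
check_home_crypt "$d/etc/crypttab" "$d/etc/fstab" "$d" && echo "crypttab, fstab and keyfile agree"
rm -rf "$d"
```

On the phone, run it as root as check_home_crypt /etc/crypttab /etc/fstab; an unreplaced {PASTE UUID HERE} placeholder shows up as a missing luks option and a missing keyfile because its spaces shift the fields.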

Secure boot

TODO

Daemon sandboxing

Implemented on some system daemons using unit files

Use `sudo systemd-analyze security` to check the current status

Application sandboxing

Provided optionally by firejail. Not enabled by default.

Usbguard

Protects from unauthorized USB devices being connected. Provided optionally by the usbguard package. Not enabled by default.

Reproducible builds

Other