These are goals based on Mobian becoming part of Debian:

|                                      | Mobian | Android[1] | iOS |
|--------------------------------------|--------|------------|-----|
| Peer/community reviewed software[3]  | Yes    | No         | No  |
| All OS components built from source  | Yes    | No         |     |
| All apps built from source[2]        | Yes    | No         |     |
| Closed firmware blobs                | Many   |            |     |
| Reproducible builds                  | Mostly | No         |     |
| Secure boot                          |        |            |     |
| Usbguard                             | TODO   | No         |     |

[1] Stock Android with Google Apps

[2] Built from publicly available sources in an automated and verifiable manner

[3] Reviewed by DDs and/or Debian FTP masters



By default, Mobian has services for SSH and MTP running. The default SSH config is insecure, so it should be either hardened, or disabled from starting automatically via sudo systemctl disable sshd. The MTP service currently has no security whatsoever; if the phone is plugged into a computer, even with disk encryption, the computer will have full R/W access to your /home dir, and full read access to /. Disable autostart via sudo systemctl disable umtp-responder. Both of these services, when disabled, can be started on-demand by sudo systemctl start {service}.

Security updates

Currently provided as package updates in Debian Testing

Randomizing MAC

To randomize your Wi-Fi MAC address each time you boot, perform the following steps:

1. Install macchanger with sudo apt update && sudo apt install macchanger

2. Bring down the wireless interface with sudo ip link set wlan0 down

3. Paste the following into /etc/systemd/system/macspoof@.service (the section headers are required for systemd to load and enable the unit):

[Unit]
Description=macchanger on %I

[Service]
Type=oneshot
ExecStart=/usr/bin/macchanger -r %I

[Install]
WantedBy=multi-user.target


4. Run sudo systemctl daemon-reload && sudo systemctl enable --now macspoof@wlan0.service

5. Bring the wireless interface back up with either sudo ip link set wlan0 up or sudo systemctl restart NetworkManager

Randomizing MAC using NetworkManager

Create and edit the file /etc/NetworkManager/conf.d/wifi_rand_mac.conf:

[device]
# "yes" is already the default for scanning
wifi.scan-rand-mac-address=yes

[connection]
# Randomize MAC for every ethernet connection
ethernet.cloned-mac-address=random
# Generate a random MAC for each WiFi and associate the two permanently.
wifi.cloned-mac-address=stable

Restart NetworkManager:

 sudo systemctl restart NetworkManager.service

See the GNOME blog post on MAC address randomization in NetworkManager for more details.

Always-On VPN

VPN functionality will be added to Gnome-Control-Center in the future, but for now you can configure this via nmcli. This guide will explain how to import an OpenVPN connection, and then configure other connections to require it as a “secondary”.

1. Add OpenVPN support for NetworkManager by running sudo apt install network-manager-openvpn.

2. Import your OpenVPN .ovpn file by running sudo nmcli connection import type openvpn file {yourovpnfile.ovpn}

3. Until this is integrated with gnome-keyring, you must store your username and password in the .nmconnection file (currently insecure due to lack of disk encryption, which is coming in the future as well). Edit your VPN config in /etc/NetworkManager/system-connections, where the file is {youropenvpnfilename}.nmconnection. Change password-flags to 0. At the bottom of the [vpn] block, add username={your username}. Then, below the [vpn] block, add a [vpn-secrets] block containing the password:

[vpn-secrets]
password={your vpn password}

4. Obtain the UUID of your VPN connection by running sudo nmcli con show {your vpn connection name}; the UUID is the second line.

5. In the same directory, you can now modify any connection, including your cellular one, to bring up and require the VPN connection by adding this to the end of its [connection] block: secondaries={UUID}; (don't forget the trailing semicolon).

6. Restart NetworkManager with sudo systemctl restart NetworkManager for the changes to take effect.

Using SSH with a key instead of password

When you have SSH enabled on your phone, it is a good idea to use key-based authentication instead of password-based authentication. This is especially true when the user password is numeric only!

If you don't already have a private/public key pair, generate one first:

ssh-keygen -t ed25519

You should protect your key with a passphrase. Now copy your public key to the device:

ssh-copy-id mobian@mobian

Check that you can now log in via SSH with your key. Then search for PasswordAuthentication in /etc/ssh/sshd_config and change it to PasswordAuthentication no. Finally, restart sshd:

sudo systemctl restart sshd

It is also a good idea to use an uncommon port for SSH, to reduce the noise and battery usage caused by SSH scanners on the Internet.

Extra note:

If you have secured your SSH key with a passphrase and don't want to retype it every time you reconnect with SSH, start an agent and add the key to it (you will be asked for the passphrase once):

eval $(ssh-agent)
ssh-add ~/.ssh/id_ed25519

Now you should not be prompted for the passphrase again (as long as you are running ssh from the same environment/terminal).

Disk encryption

Disk encryption is currently available through the Mobian Installer. This image can be found in the installer directory of the download page for your device. For the PinePhone for example, this is

Encrypted /home partition

The following method uses a keyfile which will be stored on disk, so it is strongly recommended to only use in conjunction with an encrypted rootfs.

1. Copy the contents of your home directory with: sudo mkdir /tmp/mobian && sudo rsync -avz /home/mobian/ /tmp/mobian/

2. Ensure your sdcard has a single ext4 (or f2fs) partition

3. Encrypt your sdcard (WILL ERASE ALL DATA): sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/mmcblk0p1

4. Unlock the new encrypted partition: sudo cryptsetup luksOpen /dev/mmcblk0p1 home_crypt

5. Format the unlocked partition with ext4 (or f2fs): sudo mkfs.ext4 -m 0 /dev/mapper/home_crypt

6. Generate the keyfile which will automatically unlock the partition: sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4 && sudo chmod 0400 /root/keyfile

7. Add the keyfile to the Luks partition: sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile

8. Use the partition UUID rather than the block device name in crypttab and fstab, since device names can change between boots: run sudo blkid /dev/mmcblk0p1 and copy the UUID

9. In /etc/crypttab add the following line: home_crypt /dev/disk/by-uuid/{PASTE UUID HERE} /root/keyfile luks,timeout=30

10. Add the line to /etc/fstab: /dev/mapper/home_crypt /home ext4 defaults 0 2 (If you formatted it as f2fs then replace ext4 with f2fs)

11. Mount the partition: sudo mount -t ext4 /dev/mapper/home_crypt /home

12. Copy the contents of /tmp/mobian (original home dir data): sudo rsync -avz /tmp/mobian /home/ (Trailing slashes must be exactly as written)

13. Reboot (Upon verified success, delete /tmp/mobian)

Secure boot


Daemon sandboxing

Implemented for some system daemons via the hardening directives in their systemd unit files

Use `sudo systemd-analyze security` to check the current status

Application sandboxing

Provided optionally by firejail. Not enabled by default.


Usbguard

Protects against unauthorized USB devices being connected. Provided optionally by the usbguard package. Not enabled by default.

To install: sudo apt install usbguard

/etc/usbguard/usbguard-daemon.conf configures the runtime parameters of the daemon.

/etc/usbguard/rules.conf defines the policy rules for USB devices.

The following example applies the policy to every USB device, including those already connected when the daemon starts, and only allows devices that are explicitly permitted in /etc/usbguard/rules.conf:

# Devices not matched by an allow rule in rules.conf are blocked.
ImplicitPolicyTarget=block
# Also apply the rules to devices that are already connected when the daemon starts.
PresentDevicePolicy=apply-policy
# Groups allowed to talk to the daemon over IPC (e.g. to run usbguard list-rules).
IPCAllowedGroups=root plugdev

After installation, rules are auto-generated for all currently connected USB devices. If you occasionally use other devices such as a USB hub, keyboard or mouse, plug in all of them and re-generate the policy rules (the redirect must run as root, hence the sh -c):

sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'

Edit /etc/usbguard/rules.conf and simplify the rule for the WLAN modem (EG25-G in the example below). The auto-generated rule doesn't always match the modem, so it might not be allowed to connect after returning from deep sleep. Leave only the allow, id, serial, name, hash and parent-hash values, i.e.:

allow id 2c7c:0125 serial "" name "EG25-G" hash "…" parent-hash "…"


  • Check active rules: usbguard list-rules
  • Examine /var/log/usbguard/usbguard-audit.log
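The rule simplification described above, as an added example (not part of the Mobian wiki or of usbguard itself): a Python script that parses rules in usbguard's rule syntax and keeps only the target plus id, serial, name, hash and parent-hash, either for every rule or only for the rule whose id matches the modem. The sample policy and its hash values are constructed.

```python
"""Trim auto-generated usbguard rules to the attributes worth keeping.

Added example (not from the Mobian wiki or usbguard). For rules whose vendor:product
id matches, only allow/id/serial/name/hash/parent-hash are kept, so port- and
interface-specific attributes no longer stop the device matching after re-enumeration.
"""
import re

KEEP = ("id", "serial", "name", "hash", "parent-hash")
# One attribute: a keyword, then a quoted string, a { ... } set, or a bare token.
_ATTR = re.compile(r'([a-z-]+)\s+("(?:[^"\\]|\\.)*"|\{[^}]*\}|\S+)')

def parse_rule(line):
    """Split one rule into its target ('allow', 'block', ...) and [(key, value), ...]."""
    target, _, rest = line.strip().partition(" ")
    return target, _ATTR.findall(rest)

def simplify_rule(line):
    """Rewrite a rule keeping only the attributes in KEEP, in their original order."""
    target, attrs = parse_rule(line)
    return " ".join([target, *(f"{k} {v}" for k, v in attrs if k in KEEP)])

def simplify_policy(text, only_id=None):
    """Simplify every rule, or only rules whose id equals only_id; comments pass through."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        rule_id = dict(parse_rule(stripped)[1]).get("id")
        out.append(simplify_rule(stripped) if only_id in (None, rule_id) else line)
    return "\n".join(out) + "\n"

# Constructed sample of `usbguard generate-policy` output; the hashes are placeholders.
SAMPLE_POLICY = (
    'allow id 2c7c:0125 serial "" name "EG25-G" hash "HASH_PLACEHOLDER_1" '
    'parent-hash "PARENT_HASH_PLACEHOLDER" via-port "1-1" '
    'with-interface { ff:ff:ff ff:42:01 ff:00:00 } with-connect-type "hotplug"\n'
    'allow id 046d:c52b serial "" name "USB Receiver" hash "HASH_PLACEHOLDER_2" '
    'parent-hash "PARENT_HASH_PLACEHOLDER" via-port "1-2" '
    'with-interface { 03:01:01 03:01:02 } with-connect-type "hotplug"\n'
)

if __name__ == "__main__":
    print(simplify_policy(SAMPLE_POLICY, only_id="2c7c:0125"), end="")
```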

Protect network services using iptables.

1. Install iptables-persistent package to make iptables rules persistent after reboot with sudo apt install iptables-persistent.

2. Answer “yes” to save existing IPv4 and IPv6 rules.

3. Edit /etc/iptables/rules.v4 and /etc/iptables/rules.v6.

4. Below are example firewall configs that can be used as a starting point for your setup.

  • Uncomment the lines that log packets when troubleshooting.
  • Replace the subnet in the -s rules with your LAN subnet, or with any other network from which you want to allow SSH access and ICMP.
  • To apply the changes, run sudo iptables-restore /etc/iptables/rules.v4 for the IPv4 rules and sudo ip6tables-restore /etc/iptables/rules.v6 for the IPv6 rules.

/etc/iptables/rules.v6 - allows outbound connections only

# Generated by ip6tables-save v1.8.6 on Sun Dec 27 20:20:50 2020
*filter
# Default policies: drop unsolicited inbound traffic, allow everything outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Block remote packets claiming to be from a loopback address.
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 carries neighbour discovery and router advertisements; IPv6 does not work without it.
-A INPUT -p ipv6-icmp -j ACCEPT
# Uncomment to log packets that fall through to the DROP policy (rate-limited so the log cannot be flooded).
#-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip6[IN]: "
COMMIT
# Completed on Sun Dec 27 20:20:50 2020

/etc/iptables/rules.v4 - allow outbound connections and inbound SSH connections from specified subnet.

# Generated by iptables-save v1.8.6 on Sun Dec 27 20:20:50 2020
*filter
# Default policies: drop unsolicited inbound traffic, allow everything outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Block remote packets claiming to be from a loopback address.
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

# Drop all packets that are going to broadcast, multicast or anycast address.
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP

# Accept access to SSH from network. Replace {LAN_SUBNET} with your subnet in CIDR notation.
-A INPUT -p tcp -s {LAN_SUBNET} --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT

# Accept pings from network (type 8 is echo-request; 0, 3 and 11 are replies and errors).
-A INPUT -p icmp --icmp-type 8  -s {LAN_SUBNET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 0  -s {LAN_SUBNET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 3  -s {LAN_SUBNET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -s {LAN_SUBNET} -m conntrack --ctstate NEW -j ACCEPT

# Do not log packets that are going to ports used by SMB (Samba / Windows Sharing).
-A INPUT -p udp -m multiport --dports 135,445 -j DROP
-A INPUT -p udp --dport 137:139 -j DROP
-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP

# Do not log packets that are going to port used by UPnP protocol.
-A INPUT -p udp --dport 1900 -j DROP

# Do not log late replies from nameservers.
-A INPUT -p udp --sport 53 -j DROP

# Prevent DoS by filling log files: rate-limit logging of packets that fall through to the DROP policy.
#-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "ip4[IN]: "
COMMIT
# Completed on Sun Dec 27 20:20:50 2020
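To see what the commented-out LOG rules in rules.v4 and rules.v6 actually record once enabled, here is an added Python example (not from the Mobian wiki) that parses such kernel log lines and counts the dropped inbound packets per source, protocol and destination port; the sample journal lines are constructed.

```python
"""Summarise kernel log lines written by the LOG rules in rules.v4 / rules.v6.

Added example, not part of the Mobian wiki. Once the commented-out LOG line is enabled,
every inbound packet that reaches the end of INPUT (and so hits the DROP policy) is logged
with prefix "ip4[IN]: " or "ip6[IN]: "; this groups those records by source/proto/port.
"""
import re
from collections import Counter

# A kernel log line carrying an iptables LOG record: the prefix, then KEY=VALUE fields.
_LOG_LINE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>ip[46]\[IN\]): (?P<fields>.*)$")
_FIELD = re.compile(r"([A-Z]+)=(\S*)")  # bare flags such as DF or SYN are skipped

def parse_log_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ..., ...} or None for unrelated lines."""
    m = _LOG_LINE.search(line)
    if m is None:
        return None
    record = {"prefix": m.group("prefix")}
    record.update(_FIELD.findall(m.group("fields")))
    return record

def summarise(lines):
    """Count logged (dropped) packets per (source, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        record = parse_log_line(line)
        if record is None:
            continue
        # ICMP records carry TYPE/CODE instead of ports; "-" keeps the key uniform.
        counts[(record.get("SRC", "?"), record.get("PROTO", "?"), record.get("DPT", "-"))] += 1
    return counts

# Constructed sample journal output (RFC 5737/3849 documentation addresses).
SAMPLE_LOG = [
    "Dec 27 20:21:03 mobian kernel: [  812.412345] ip4[IN]: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 27 20:21:04 mobian kernel: [  813.001122] ip4[IN]: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 27 20:21:09 mobian kernel: [  818.500001] ip4[IN]: IN=wwan0 OUT= "
    "SRC=203.0.113.9 DST=100.64.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    "Dec 27 20:21:10 mobian kernel: [  819.100002] ip6[IN]: IN=wlan0 OUT= "
    "SRC=2001:db8::9 DST=2001:db8::2 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=40",
    "Dec 27 20:21:11 mobian NetworkManager[612]: <info>  device (wlan0): state change: activated",
]

if __name__ == "__main__":
    for (src, proto, dport), n in summarise(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:<16} {proto:<5} dport={dport}")
```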
Reproducible builds