Android Tips

Android is a very secure and robust operating system out of the box. This post will be less of a “hardening guide”, but more of a non-exhaustive list of tips when it comes to buying and using Android phones. Android Devices Recommended Phones Google Pixel phones are the only devices I would recommend for purchase. Pixel phones have stronger hardware security than any other Android devices currently on the market, due to proper AVB support for third-party operating systems and Google’s custom Titan security chips acting as the Secure Element....

July 22, 2022 · 18 min · 3686 words · Tommy

Android VPN Leakage with Secondary User Profiles

Update: This is no longer reproducible on Android 13 QPR1 and Android 14 Developer Preview 1. Before We Start… I have been aware of this issue for awhile now (since at least Android 11), though I have not done enough testing to see what actually causes the leak nor do I have any workaround at the moment. My guess is that applications which launch early when you log into a secondary profile can bypass the VPN killswitch....

October 10, 2022 · 2 min · 327 words · Tommy

Choosing Your Android-Based Operating System

Android is a secure operating system that has strong app sandboxing, Verified Boot (AVB), and a robust permission control system. When you buy an Android phone, the device’s default operating system often comes with invasive integration with apps and services that are not part of the Android Open-Source Project. An example of such is Google Play Services, which has irrevocable privileges to access your files, contacts storage, call logs, SMS messages, location, camera, microphone, hardware identifiers, and so on....

July 18, 2022 · 9 min · 1723 words · Tommy

ChromeOS's Questionable Encryption

Premise ChromeOS encrypts user data on the disk by default. The implementation details are documented upstream but not relevant within the scope of this post. It is well-known that ChromeOS uses Google account passwords as the primary login credentials. This necessarily means that anyone with knowledge of the Google account password is able to unlock and therefore decrypt a ChromeOS user profile. Practical Implications The very same Google account passwords used for ChromeOS authentication are also used for logging in to various Google services in web browsers and other apps....

April 25, 2024 · 2 min · 279 words · Tommy

Desktop Linux Hardening

Linux is not a secure desktop operating system. However, there are steps you can take to harden it, reduce its attack surface, and improve its privacy. Before we start… Some of the sections will include mentions of unofficial builds of packages like linux‑hardened, akmod, hardened_malloc, and so on. These are not endorsements — they are merely to show that you have options to easily obtain and update these packages. Using unofficial builds of packages means adding more parties to trust, and you have to evaluate whether it is worth doing so for the potential privacy/security benefits or not....

August 17, 2022 · 25 min · 5320 words · Tommy

Firewalling with MirageOS on Qubes OS

MirageOS is a library operating system with which you can create a unikernel for the sole purpose of acting as Qubes OS’s firewall. In this post, I will walk you through how to set this up. Advantages Small attack surface. The unikernel only contains a minimal set of libraries to function, so it has a much smaller attack surface than a general purpose operating system like a Linux distribution or openBSD....

August 26, 2022 · 2 min · 339 words · Tommy

Installing Kali NetHunter Lite on DivestOS 20.0

This will turn your device into a purely penetration testing device, and it will be very insecure for any other purpose. Please do not do this on your daily driver. This procedure should work without modification on many devices using the standard Android bootloader (not Samsung). However, every device has unique quirks that may require special attention. Originally, I just needed a device to run packet capture on my other devices....

March 7, 2023 · 2 min · 407 words · Tommy

NetworkManager Trackability Reduction

MAC address randomization Note that Ethernet connections can still be tracked via switch ports, and WiFi connections can be broadly localized by access point. Furthermore, MAC address spoofing and randomization depends on firmware support from the interface. Most modern network interface cards support the feature. There are three different aspects of MAC address randomization in NetworkManager, each with their own configuration flag: WiFi scanning [device] wifi.scan-rand-mac-address=yes WiFi connections [connection] wifi.cloned-mac-address=<mode> Ethernet connections [connection] ethernet....

September 4, 2022 · 4 min · 772 words · WfKe9vLwSvv7rN

Using Native ZFS Encryption with Proxmox

Currently, the Proxmox installer does not support setting up encryption with ZFS. Thus, we have to set it up manually. This post will go over how to use the native ZFS encryption with Proxmox. The post also assumes that the Proxmox installation is new and does not have any virtual machines or containers yet. Encrypting the rpool/ROOT dataset Proxmox installs its system inside of the rpool/ROOT dataset. This is what we will encrypt first....

March 11, 2023 · 4 min · 681 words · Tommy

Using Split GPG and Split SSH on Qubes OS

This post will go over setting up Split GPG, then setting up Split SSH with the same PGP keys. Effectively, we are emulating what you can do with a PGP smartcard on Qubes OS. Split GPG Follow the official Qubes OS documentation to set this up. Note that if you already have a PGP key with a passphrase, you can remove it by installing pinentry-gtk to vault’s TemplateVM, then run gpg2 --edit-key <key_id> and passwd to set an empty passphrase....

August 13, 2022 · 3 min · 428 words · Tommy