An attempt to streamline the Android hardening process from the Tor Blog.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

README.md

MIA: Hardening Android for Security and Privacy

Build Status #guardianproject on Freenode IRC

This project is an attempt to streamline the process of following the guidelines from Mike Perry's post "Mission Impossible: Hardening Android for Security and Privacy" on the Tor Project Blog.

It is currently a collection of scripts that require developer tools, that will build and deploy an update.zip file to your connected device. It aspires for be the basis for an installer for a custom Android ROM based on CyanogenMod.

Please keep in mind that this is experimental, and may not be functional at any given moment. Also, it will likely wipe your Android device, and this is by design!

These tools come with absolutely no warranty. Test them on your own risk.

Requirements

  • A supported device - see the compatibility table bellow.
  • A linux/unix operating system - tested on: openSUSE and Ubuntu
  • Android SDK Tools - with adb working globally.
  • Team Win Recovery Project bootloader installed onto your device.
  • Developer Options enabled on your device.
  • USB debugging enabled on your device.
  • The MIA CLI tool - follow the setup instructions bellow.

MIA CLI Tool setup instructions:

  1. Install Python if not already installed. Test using: python --version

    NOTE: If you want to use Python 3 you will need to install the Python 3 versions of the dependencies.

  2. (optional) Install development files for libyaml and libpython if you want to use LibYAML bindings for pyyaml:

    • Using apt-get on Ubuntu: apt-get install libyaml-dev libpython-dev

    • Or using zypper on openSUSE: zypper install libyaml-devel python-devel

    NOTE: If you skip this step you'll see some warnings on the next step.

  3. Install the docopt and PyYAML modules:

    • Using Python Package Index pip: pip install docopt pyyaml

    • Or using apt-get on Ubuntu: apt-get install python-docopt python-yaml

    • Or using zypper on openSUSE: zypper install python-docopt python-PyYAML

  4. Clone the repository:

    git clone https://github.com/mission-impossible-android/mission-impossible-android.git
  5. (optional) Add the tools folder to the PATH environment variable. This will let you run the tool from any folder in your system. export PATH=$PATH:$HOME/mission-impossible-android/tools

    • Make sure to replace $HOME/mission-impossible-android/tools with the actual path of the tools folder.
    • If you skip this step you will need to use an absolute or relative path to the CLI Tool. Eg: ./tools/mia or ~/mission-impossible-android/tools/mia instead of mia
  6. (optional) Enable Bash or Zsh completion.

    • For Bash:
      • Either by copying the Bash/Zsh file to /etc/bash_completion.d/ cp ~/mission-impossible-android/tools/mia_completion.sh /etc/bash_completion.d/
      • Or by sourcing it from your your .bashrc: source ~/mission-impossible-android/tools/mia_completion.sh
    • For Zsh:
      • Copy this file into the site-functions folder as _mia: cp mia_completion.zsh /usr/share/zsh/site-functions/_mia
      • Or you can use a symbolic link: ln -s ~/mission-impossible-android/tools/mia_completion.zsh /usr/share/zsh/site-functions/_mia
  7. Test if the tool is working properly.

    mia --help

Usage

  1. Connect your device via USB, authorizing as necessary.

  2. Provide temporary root access via ADB, can be revoked later.

  3. Create a definition, customizing as necessary, see the template specific README.md, build a custom update.zip file and install onto the device:

    mia definition create my-phone
    mia build my-phone
    mia install my-phone
  4. After the installation completed open F-Droid and update the applications list.

  5. Open the My App List app, and install any desired applications from misc-apps.xml.

Compatibility

Devices currently available for testing:

Device Codename Testers Actively tested?
LG Nexus 4 mako patcon no
LG Nexus 4 mako SchnWalter yes
Asus Nexus 7 (wifi, 2012) grouper patcon yes
Asus Nexus 7 (wifi, 2013) flo mikeperry-tor yes
Motorola Moto G 4G peregrine mikeperry-tor no
Samsung Galaxy S II i9100 SchnWalter no
OnePlus One bacon SchnWalter no

NOTE: Other devices supported by CyanogenMod might also be compatible. If you test one, please report it in the issue queue.

Links